Setting up a Wireguard router (with FreeBSD)
Date: Wed, 06 Mar 2024 20:50:35 UTC
Good evening, guys and gals!

I am currently trying to set up a Raspberry Pi 4 (4GB Model) as a VPN gateway with WireGuard. Since I got fibre channel for my internet connection, I gained bandwidth but lost the public IPv4 address. So that I can access my computer again from the net (and maybe run a service or two), I went to one of the 2⁶⁴ VPN providers and got a plan there - one that includes port-forwarding. :-)

I put FreeBSD on a smallish (128GB) SSD and it boots without a problem. I am running FreeBSD 14.

My problem probably isn't WireGuard, but the routing concept of FreeBSD, which I do not seem to understand completely. Once I added gateway_enable="YES" to the rc.conf, the Pi passed on packets that came in from other computers on the same subnet to the internet. Meaning: if I set the Pi as the default route for another computer, said computer still has full access to the internet; mtr just shows an additional hop.

When I fire up the wg0 interface, everything seems fine at first. The Pi still has access to the web and mtr confirms that indeed the VPN connection is being used (the hops are completely different). The routes seem to be set correctly. However, the computer that uses the Pi as its default route is now without access to the net. mtr on that machine shows exactly one hop: the Pi.

I would have expected that this should work like this - even without me using one of the firewalls of FreeBSD. I get that I will _have_ to use pf or something else once I want the port(s) to be forwarded, and maybe this isn't very secure, but I was taking this step by step - checking if the routing works unfiltered and then I wanted to add the filters.

Am I making a mistake in my reasoning? I know that what I want to do requires NAT, but does NAT require a firewall? Do you have suggestions as to which firewall I should use?

Thanks for reading!

Best regards,
Chris
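As an added example (not from the post or from any reply), here is the NAT step the post is missing, expressed for pf: a minimal /etc/pf.conf that translates LAN traffic to the tunnel address before it leaves wg0, because a WireGuard peer on the provider side only accepts packets sourced from the tunnel address it assigned, and that exposes nothing from the tunnel except the one forwarded port. It assumes genet0 as the Pi's LAN interface and uses constructed values for the LAN prefix, the forwarded port and the LAN host that should receive it.

```pf
# /etc/pf.conf -- added example, not from the original post.
# Assumed interface names and constructed addresses (adjust to your setup):
lan_if   = "genet0"          # Raspberry Pi 4 on-board Ethernet, genet(4) driver
vpn_if   = "wg0"             # WireGuard tunnel to the VPN provider
lan_net  = "192.168.1.0/24"  # constructed: the home LAN prefix
fwd_host = "192.168.1.10"    # constructed: LAN host behind the forwarded port
fwd_port = "8443"            # constructed: port the provider forwards to the tunnel

set skip on lo0
scrub in all

# Source NAT: rewrite LAN sources to whatever address wg0 currently holds,
# so the provider's WireGuard peer accepts the packets instead of dropping
# them for having a source outside its AllowedIPs.
nat on $vpn_if from $lan_net to any -> ($vpn_if)

# Port forward: connections arriving through the tunnel for the forwarded
# port are redirected to the LAN host. Translation runs before filtering,
# so the pass rule below already sees the translated destination.
rdr on $vpn_if proto tcp from any to ($vpn_if) port $fwd_port -> $fwd_host port $fwd_port

# Default deny for inbound traffic; let the Pi itself talk freely.
block in log all
pass out quick keep state

# LAN clients may use the Pi as their default gateway.
pass in on $lan_if from $lan_net to any keep state

# From the tunnel, only the forwarded port is reachable; state handles replies.
pass in on $vpn_if proto tcp from any to $fwd_host port $fwd_port keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf`, then enable it with `sysrc pf_enable=YES` and `service pf start`. pf only does the translation and filtering, so gateway_enable="YES" stays required for the forwarding itself.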