AI ANSWER: (lightly edited)
The Solution (Static Port)
To fix this without a permanent port forward, you must enable Static Port in pfSense's Outbound NAT. This doesn't open a hole to the world; it simply tells pfSense: "When this internal IP sends UDP traffic, do not rewrite the source port."
1. Navigate to Firewall > NAT > Outbound.
2. Switch to Hybrid Outbound NAT (if not already).
3. Add a rule at the top:
   - Interface: WAN
   - Protocol: UDP
   - Source: [Friend's WireGuard Internal IP/Port]
   - Destination: [Your Public IP]
   - Translation: Check Static Port.
We can all run this through our LLM of choice, why post this?