diff --git a/net/tstun/wrap.go b/net/tstun/wrap.go
index 756e68a0e..5de7bd215 100644
--- a/net/tstun/wrap.go
+++ b/net/tstun/wrap.go
@@ -135,9 +135,16 @@ type Wrapper struct {
 PreFilterIn FilterFunc
 // PostFilterIn is the inbound filter function that runs after the main filter.
 PostFilterIn FilterFunc
- // PreFilterOut is the outbound filter function that runs before the main filter
- // and therefore sees the packets that may be later dropped by it.
- PreFilterOut FilterFunc
+ // PreFilterFromTunToNetstack is a filter function that runs before the main filter
+ // for packets from the local system. This filter is populated by netstack to hook
+ // packets that should be handled by netstack. If set, this filter runs before
+ // PreFilterFromTunToEngine.
+ PreFilterFromTunToNetstack FilterFunc
+ // PreFilterFromTunToEngine is a filter function that runs before the main filter
+ // for packets from the local system. This filter is populated by wgengine to hook
+ // packets which it handles internally. If both this and PreFilterFromTunToNetstack
+ // filter functions are non-nil, this filter runs second.
+ PreFilterFromTunToEngine FilterFunc
 // PostFilterOut is the outbound filter function that runs after the main filter.
 PostFilterOut FilterFunc
@@ -451,9 +458,16 @@ func (t *Wrapper) filterOut(p *packet.Parsed) filter.Response {
 return filter.DropSilently
 }
- if t.PreFilterOut != nil {
- if res := t.PreFilterOut(p, t); res.IsDrop() {
- // Handled by userspaceEngine.handleLocalPackets (quad-100 DNS primarily).
+ if t.PreFilterFromTunToNetstack != nil {
+ if res := t.PreFilterFromTunToNetstack(p, t); res.IsDrop() {
+ // Handled by netstack.Impl.handleLocalPackets (quad-100 DNS primarily)
+ return res
+ }
+ }
+ if t.PreFilterFromTunToEngine != nil {
+ if res := t.PreFilterFromTunToEngine(p, t); res.IsDrop() {
+ // Handled by userspaceEngine.handleLocalPackets (primarily handles
+ // quad-100 if netstack is not installed).
 return res
 }
 }
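Review bot: The doc comments on PreFilterFromTunToNetstack and PreFilterFromTunToEngine give the order of the two hooks but not what a drop response does to the second one. In filterOut, later in this file's diff, a drop from the netstack hook returns immediately, so the engine hook never sees that packet. Going by the comments there, this ordering appears to decide which component handles local quad-100 DNS traffic, so it is worth stating on the field, for example `// A drop response means the packet was consumed; PreFilterFromTunToEngine is then not called.` The Wrapper struct starts before this hunk and continues after it.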
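Review bot: Each hook field is read twice in filterOut, once for the nil check and once for the call, and no synchronization is visible in the hunk. The field comment says PreFilterFromTunToNetstack is populated by netstack, which suggests it may be assigned after the Wrapper is already passing packets; if that is the case, the write races with these reads. Reading the field once, `if f := t.PreFilterFromTunToNetstack; f != nil {` followed by `if res := f(p, t); res.IsDrop() {`, avoids calling a value that changed after the check, though it does not make the access race-free on its own. The firmer option is a field comment stating that both hooks must be set before the Wrapper starts handling packets. filterOut begins before the hunk and continues after it, so a lock taken earlier in the function would settle the question.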
diff --git a/wgengine/userspace.go b/wgengine/userspace.go
index 06d4f5b6b..d7f67d4d3 100644
--- a/wgengine/userspace.go
+++ b/wgengine/userspace.go
@@ -362,7 +362,7 @@ func NewUserspaceEngine(logf logger.Logf, conf Config) (_ Engine, reterr error)
 if conf.RespondToPing {
 e.tundev.PostFilterIn = echoRespondToAll
 }
- e.tundev.PreFilterOut = e.handleLocalPackets
+ e.tundev.PreFilterFromTunToEngine = e.handleLocalPackets
 if envknob.BoolDefaultTrue("TS_DEBUG_CONNECT_FAILURES") {
 if e.tundev.PreFilterIn != nil {