This issue might be related to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192013 and https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=154428, but I found it to be NOT pf specific. I've been testing pfSense 2.2 on Xen 4.1, and got the same issue as https://forum.pfsense.org/index.php?topic=85797.15 : routing traffic through the FreeBSD 10.1 machine that uses an xn* interface hardly works and gives abysmal performance. Packets leaving the router contain an invalid checksum, and don't reach the target VM's TCP stack. A workaround (with at least 50% performance penalty) is to disable tx offloading on all router interfaces in dom0, i.e. calling
    ethtool -K vif{N}.{x} tx off
The issue can be observed whether the pf firewall is active or not, so it appears to be a FreeBSD xen-netfront driver problem.
Problem still present with FreeBSD 10.2 p11 (used in OPNsense 16.1).
AFAICT, this is possibly a duplicate of PR 188261. Can you please confirm that the issues you are seeing always happen when doing packet forwarding? Also, in order to try to solve this, can you please post a very simple configuration that can be used to reproduce the issue?
#188261 apparently describes the same problem. How to reproduce: DomU #1 <-> DomU/Router <-> DomU #2, all on the same Xen host. Accessing DomU #2 from DomU #1 (e.g. ssh) hardly works, until tx checksum is disabled. When a host that's not hosted on the same Xen machine is involved, everything works as expected. Tested with Xen 4.1 and 4.4, DomU/Router FreeBSD 10.1 (pfSense) and 10.2 (OPNsense).