Bug 229003 - [ipfw][ng_ipfw] In-kernel NAT Has "Undocumented" 4k Packet-size Limit
Summary: [ipfw][ng_ipfw] In-kernel NAT Has "Undocumented" 4k Packet-size Limit
Status: Closed Overcome By Events
Alias: None
Product: Documentation
Classification: Unclassified
Component: Books & Articles
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-doc (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-13 22:21 UTC by Jeff Kletsky
Modified: 2018-06-22 18:56 UTC (History)
See Also:

Description Jeff Kletsky 2018-06-13 22:21:59 UTC
After much debugging, it was found that large packets (over 4k) were silently dropped by the in-kernel NAT used by ipfw and ng_ipfw. This is not documented on the man page for ipfw or ng_ipfw.

Suggested resolution:
* Update the two man pages to document the limitation
* Suggest on those man pages that, if large packets are potentially to be NAT-ed, reassembled or from "jumbo frames", natd be used rather than in-kernel NAT


As revealed by Andrey V. Elsukov on freebsd-net and freebsd-ipfw on 2018-06-13:

"The kernel version of libalias uses m_megapullup() function to make
single contiguous buffer. m_megapullup() uses m_get2() function to
allocate mbuf of appropriate size. If size of packet greater than 4k it
will fail. So, if you use MTU greater than 4k or if after fragments
reassembly you get a packet with length greater than 4k, ipfw_nat()
function will drop this packet."


Examining the code in /usr/src/sys/netinet/libalias/alias.c:

#ifdef _KERNEL
/*
* m_megapullup() - this function is a big hack.
* Thankfully, it's only used in ng_nat and ipfw+nat.
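The following is an added illustration, not code from this bug report, from libalias, or from FreeBSD: a small IPv4 fragment reassembler that reports whether the reassembled datagram would exceed the single contiguous buffer that m_megapullup() can obtain from m_get2(). The 4096-byte ceiling is the figure quoted above (assumed here to be the page-sized mbuf cluster); the header builder, the addresses and the sample fragments are constructed for the example. It shows the less obvious of the two cases in the quote: ordinary MTU-1500 traffic never exceeds the limit on the wire, but three 1480-byte fragments reassembled ahead of the nat action do.

```python
"""Model of the in-kernel NAT single-mbuf size limit (added example, not FreeBSD code)."""
import struct

# Size quoted in the bug report as the largest buffer m_get2() will hand to
# m_megapullup(); assumed here to be the 4k page-sized cluster.
MAX_PULLUP_BYTES = 4096


def build_ipv4_fragment(ident, offset_bytes, more_fragments, payload):
    """Constructed IPv4 header (20 bytes, no options, zero checksum) plus payload.

    offset_bytes must be a multiple of 8 because the header carries it in 8-byte units.
    """
    assert offset_bytes % 8 == 0, "fragment offsets are encoded in 8-byte units"
    total_len = 20 + len(payload)
    flags_frag = (0x2000 if more_fragments else 0) | (offset_bytes // 8)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5
        0,               # DSCP/ECN
        total_len,
        ident,
        flags_frag,
        64,              # TTL
        17,              # protocol: UDP (arbitrary for this model)
        0,               # header checksum left zero; the model never verifies it
        bytes([10, 0, 0, 1]),      # constructed source address
        bytes([192, 0, 2, 1]),     # constructed destination address
    )
    return header + payload


def parse_ipv4(packet):
    """Extract the fields a reassembler needs from one IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    return {
        "ihl": ihl,
        "ident": ident,
        "mf": bool(flags_frag & 0x2000),        # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,    # fragment offset in bytes
        "payload": packet[ihl:total_len],
    }


def reassembled_length(fragments):
    """Return the length of the datagram these fragments form, or None if the set is incomplete.

    Fragments must be contiguous from offset 0 and the last one must have MF clear.
    """
    parsed = sorted((parse_ipv4(f) for f in fragments), key=lambda p: p["offset"])
    expected_offset = 0
    for piece in parsed:
        if piece["offset"] != expected_offset:
            return None                          # gap or overlap: not yet reassemblable
        expected_offset += len(piece["payload"])
    if parsed[-1]["mf"]:
        return None                              # still waiting for the final fragment
    return parsed[0]["ihl"] + expected_offset


def analyze(fragments, limit=MAX_PULLUP_BYTES):
    """Report whether the reassembled datagram would be dropped by the modelled pullup."""
    length = reassembled_length(fragments)
    if length is None:
        return None
    return {"length": length, "dropped": length > limit}


def sample_flows():
    """Constructed inputs: MTU-1500 style fragments and one unfragmented jumbo datagram."""
    chunk = b"A" * 1480                          # largest payload per fragment at MTU 1500
    two = [build_ipv4_fragment(1, 0, True, chunk),
           build_ipv4_fragment(1, 1480, False, chunk)]
    three = [build_ipv4_fragment(2, 0, True, chunk),
             build_ipv4_fragment(2, 1480, True, chunk),
             build_ipv4_fragment(2, 2960, False, chunk)]
    jumbo = [build_ipv4_fragment(3, 0, False, b"B" * 8000)]   # MTU above 4k, no fragmentation
    return {"two_fragments": two, "three_fragments": three, "jumbo_frame": jumbo}


if __name__ == "__main__":
    for name, frags in sample_flows().items():
        print(name, analyze(frags))
```

The two-fragment flow (2980 bytes) passes; the three-fragment flow (4460 bytes) and the 8020-byte jumbo datagram both exceed the limit and would be dropped, which is why a firewall that reassembles before nat can lose traffic even though no individual frame was larger than 1500 bytes.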
Comment 1 Jeff Kletsky 2018-06-14 00:04:17 UTC
Relates to kernel issue #229006
Comment 2 Jeff Kletsky 2018-06-22 18:56:41 UTC
As https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229006 is resolved in all "supported" versions, closing this as no longer needed.