On 2017-08-16, Juan Guillermo Narvaez <[email protected]> wrote:
> *match out on bge0 inet from 172.21.0.0/19 to any
> nat-to 200.91.35.55*

Natting a whole /19 to a single address, especially with the default port range 50001-65535, isn't going to work well. I'd suggest at least using a dedicated IP (not used for services or locally sourced connections) with "port 1024:65535", if not multiple IPs. As already mentioned, check your state limit. Also check sysctl net.inet.ip.ifq; if there are drops you may need to increase the queue size.
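
The suggestions in the reply above, written out as a pf.conf fragment. This is an added example, not part of the original thread; the 203.0.113.x addresses are placeholders for dedicated translation addresses, and the state limit value is an assumed figure to be sized for the site.

```conf
# Added example (not from the thread). Placeholder addresses from the
# RFC 5737 documentation range; replace with dedicated addresses that
# carry no services and no locally sourced connections.
nat_ip   = "203.0.113.10"
nat_pool = "{ 203.0.113.10, 203.0.113.11 }"

# State table limit. Compare the "current entries" figure from
# "pfctl -si" against the hard limit shown by "pfctl -sm" before
# choosing a value; 200000 here is an assumed number.
set limit states 200000

# Rule from the thread, for comparison: the whole /19 shares one
# address and the default nat-to port range 50001-65535.
# match out on bge0 inet from 172.21.0.0/19 to any nat-to 200.91.35.55

# Option 1: one dedicated address with the wider port range.
match out on bge0 inet from 172.21.0.0/19 to any \
    nat-to $nat_ip port 1024:65535

# Option 2: several dedicated addresses. round-robin spreads clients
# across the pool; sticky-address keeps a given internal host on the
# same translation address. Enable instead of option 1.
# match out on bge0 inet from 172.21.0.0/19 to any \
#     nat-to $nat_pool port 1024:65535 round-robin sticky-address

# After loading with "pfctl -f /etc/pf.conf", watch the input queue:
#   sysctl net.inet.ip.ifq
# A rising drops counter there means the queue length (maxlen) is too
# small for the traffic.
```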

