For many machines, running blocklistd helps tremendously. But what happens when blocklistd won't help because npf can't be used?
Why can't you use npf?
I'm sure you remember this thread: https://mail-index.netbsd.org/tech-net/2024/10/18/msg008895.html
While PR kern/57208 was fixed and no longer happens, there were other, different panics after that fix.
I haven't been able to reproduce this in any other environment, and so long as this machine is routing a public subnet, I'm reluctant to do more testing on it unless I'm sure that I can get to it quickly when it happens (virtually, via serial console) and that the information will help lead to a fix.
It may be that I decide to do this, anyway, because this situation is no fun. If I do, I'll try to get all the information you suggested in that thread.
Thanks! John