If it’s not firewalling then maybe it’s to do with UDP checksum. It could be that the FreeBSD VM is sending DHCP packets with no checksum set, on the assumption they will be added by the physical NIC on egress.
On linux guests you can do:
ethtool --offload eth0 tx off
but I don’t know what the equivalent is for FreeBSD.
According to this old post, lxd had a workaround to update the checksums using mangle rules.
However, on a pure incus 6.0.2 system here, iptables -L -n -v -t mangle doesn’t show anything. On a system with ufw and libvirt as well, I see libvirt adds one for itself:
Chain LIBVIRT_PRT (1 references)
pkts bytes target prot opt in out source destination
220 75251 CHECKSUM udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68 CHECKSUM fill
but not one for incus. Therefore, maybe incus’ dnsmasq has its own workaround now. But still, it would be worth doing a tcpdump on the incusbr0 interface, and an strace on the dnsmasq process, to see if the DHCP discover packets are being received.