FreeBSD 10.3 and Internet access for a separate local machine (IPFW setup)

Colleagues, hello. The task is to release only certain computers to the network. Rebuilt the kernel with the following parameters:

options         IPFIREWALL 
options         IPFIREWALL_VERBOSE 
options         IPFIREWALL_VERBOSE_LIMIT=220 
options         IPDIVERT 
options         IPFIREWALL_DEFAULT_TO_ACCEPT 
options         DUMMYNET 
options         IPFIREWALL_NAT 
options         LIBALIAS 
options         MROUTING 

ifconfig 
em0:    inet 10.2.54.189 смотрит в сторону провайдера 
em1:    inet 192.168.168.199 смотрит в сторону локалки 

In /etc/rc.conf, I wrote:

gateway_enable="YES" 
hostname="svin" 
firewall_nat_enable="YES" 
natd_enable="YES" 
natd_flags="" 
sshd_enable="YES" 
firewall_enable="YES" 
firewall_type="open" 
inetd_enable="YES" 
clear_tmp_enable="YES" 
keymap="us.iso" 
linux_enable="YES" 
imspector_enable="YES" 

In /etc/rc. local, I threw

/sbin/natd -f /etc/natd.conf -a 10.2.54.189 -p 8668 
/sbin/ipfw add 50 divert 8668 ip4 from 192.168.168.198 to any via em0 

I try to ping 8.8.8.8 from 192.168.168.198 - I get nothing. I fix on em1 ICMP from 192.168.168.198, as well as on em0 I record requests and responses from 10.2.54.189 to 8.8.8.8

If I prescribe: ipfw add 50 divert 8668 ip4 from any to any via em0 Then everything is pinged. What did I screw up? I don't need to release all of them, but only certain ones.

Note: exactly the same configuration on FreeBSD 8. it works perfectly and releases a certain computer to the network, but it requires FreeBSD 10.3. It is not clear why what worked on 8-ke does not work on 10, I tried to configure it on a clean FreeBSD 8 - everything worked. And on the 10th, only any to any works, and only one PC can not be released.