And this is where your packet gets dropped, due to the M_BCAST flag:
Just to make sure: the destination IP address of the ICMP echo reply is not a broadcast address on IP level, right? According to the networks and netmasks, it's a plain unicast address (not any network's broadcast address, the network address with all netmask bits set)?
Correct, it's a regular IP unicast address.
If you accidentally picked a subnet's broadcast address there, the packet would be correctly dropped instead of getting forwarded. But if only the ethernet mac address is broadcast, I think it should get forwarded.
I agree, especially since it works fine on a local interface. Not forwarding it on an IP level is inconsistent.
