From owner-freebsd-pf@FreeBSD.ORG  Sat Nov 22 14:26:02 2014
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 2FA81A15
 for <freebsd-pf@freebsd.org>; Sat, 22 Nov 2014 14:26:02 +0000 (UTC)
Received: from mario.brtsvcs.net (mario.brtsvcs.net [199.48.128.182])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 0386081E
 for <freebsd-pf@freebsd.org>; Sat, 22 Nov 2014 14:26:01 +0000 (UTC)
Received: from chombo.houseloki.net (c-71-59-211-166.hsd1.or.comcast.net
 [71.59.211.166])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mario.brtsvcs.net (Postfix) with ESMTPSA id 9F63D2C160F;
 Sat, 22 Nov 2014 14:25:53 +0000 (UTC)
Received: from [IPv6:2601:7:2580:674:baca:3aff:fe83:bd29] (ivy.libssl.so
 [IPv6:2601:7:2580:674:baca:3aff:fe83:bd29])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by chombo.houseloki.net (Postfix) with ESMTPSA id 4DF1B1076;
 Sat, 22 Nov 2014 06:25:51 -0800 (PST)
Message-ID: <54709CEE.2090800@bluerosetech.com>
Date: Sat, 22 Nov 2014 06:25:50 -0800
From: Darren Pilgrim <list_freebsd@bluerosetech.com>
Reply-To: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
 rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Robin Geuze <robing@transip.nl>, 
 Niklaas Baudet von Gersdorff <niklaas@kulturflatrate.net>
Subject: Re: Configuring PF with Jails only having IPv6
References: <AM3PR02MB03919B240CBCB1009066B47BAA740@AM3PR02MB0391.eurprd02.prod.outlook.com>
In-Reply-To: <AM3PR02MB03919B240CBCB1009066B47BAA740@AM3PR02MB0391.eurprd02.prod.outlook.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Nov 2014 14:26:02 -0000

On 11/22/2014 4:55 AM, Robin Geuze wrote:
> IPv6 uses icmp6 to trqnsmit ndp packets. Ndp is basically the ipv6
> version of arp. Based on your packet dump it seems your server is
> trying to figure out the mac address for the router for ipv6 but is
> disallowed by your pf rules. "pass in quick icmp6 from any to any"
> and "pass out quick icmp6 from any to any" should fix your problem.

Or just "pass quick icmp6 from any to any".

You should limit the types, though.  See RFC 4890.  In short, allow 
types 1, 2, 3, 4, 128, 129, 135, and 136 universally.  If you use router 
advertisements, add types 133 and 134.