Martti Kuparinen wrote:
15:49:19.114873 rule 46/0(match): block in on vlan200: (hlim 119, next-header: Fragment (44), length: 34) 2001:yyyy:yyyy:yyyy::e0fe > 2001:xxxx:xxxx:xxxx::3: frag (0x00004194:0|26) ICMP6, echo reply, length 26, seq 1

which is this rule

pass out all flags S/SA keep state (if-bound)

Uh, wrong rule line, it's really a similar block in all rule...

Now, we modified the client not to follow the draft so there's no fragment header within the IPv6 packet and now PF passes it through. So the fragment header makes PF confused somehow...

Martti