I'm not sure what I missed here so I would appreciate it if someone would
hit me with a clue bat.

My OpenBSD firewall is acting as a DHCPv6-PD client and successfully
getting IP information:

My outside interface:

vlan9: flags=208843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6> mtu 1500
        lladdr 00:1e:37:d6:00:ad
        priority: 0
        vlan: 9 parent interface: em0
        groups: vlan egress
        status: active
        inet 73.12.6.33 netmask 0xfffffe00 broadcast 73.12.7.255
        inet6 fe80::21e:37ff:fed6:ad%vlan9 prefixlen 64 scopeid 0x6
        inet6 2001:558:6036:5a:2cb5:eab1:8726:104c prefixlen 128 pltime 344957 vltime 344957

My inside interface:

vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1e:37:d6:00:ad
        priority: 0
        vlan: 10 parent interface: em0
        groups: vlan
        status: active
        inet 10.64.14.1 netmask 0xffffff00 broadcast 10.64.14.255
        inet6 fe80::21e:37ff:fed6:ad%vlan10 prefixlen 64 scopeid 0x5
        inet6 2601:5ce:101:5350:21e:37ff:fed6:ad prefixlen 64

I can reach things from the OpenBSD box itself:

# ping6 www.google.com
PING6(72=40+8+24 bytes) 2601:5ce:101:5350:21e:37ff:fed6:ad --> 2607:f8b0:4004:809::1010
32 bytes from 2607:f8b0:4004:809::1010, icmp_seq=0 hlim=56 time=17.318 ms
32 bytes from 2607:f8b0:4004:809::1010, icmp_seq=1 hlim=56 time=17.933 ms
32 bytes from 2607:f8b0:4004:809::1010, icmp_seq=2 hlim=56 time=16.289 ms
32 bytes from 2607:f8b0:4004:809::1010, icmp_seq=3 hlim=56 time=16.240 ms
^C
--- www.google.com ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 16.240/16.945/17.933/0.714 ms

I have IPv6 forwarding enabled:

# sysctl -a | grep forwarding
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=0
net.inet6.ip6.forwarding=1
net.inet6.ip6.mforwarding=0

My PF ruleset:

# pfctl -s all
FILTER RULES:
pass in on vlan9 inet from any to 73.12.6.0/23 flags S/SA
pass out on vlan9 inet from 73.12.6.0/23 to any flags S/SA
pass out on vlan9 inet from 10.64.14.0/24 to any flags S/SA nat-to 73.12.6.33
pass in quick inet6 all flags S/SA
pass out quick inet6 all flags S/SA
pass quick inet6 proto ipv6-icmp all

I have rtadv turned on and my client machine gets IPv6:

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : corbe.net
   Description . . . . . . . . . . . : Intel(R) 82579V Gigabit Network Connection
   Physical Address. . . . . . . . . : 74-D0-2B-27-BE-B3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2601:5ce:101:5350:28af:3026:cf75:988c(Preferred)
   Temporary IPv6 Address. . . . . . : 2601:5ce:101:5350:1dd6:cc0e:98b:50a9(Preferred)
   Link-local IPv6 Address . . . . . : fe80::28af:3026:cf75:988c%7(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.64.14.13(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, October 27, 2015 10:48:18 PM
   Lease Expires . . . . . . . . . . : Wednesday, October 28, 2015 10:48:19 AM
   Default Gateway . . . . . . . . . : fe80::21e:37ff:fed6:ad%7
                                       10.64.14.1
   DHCP Server . . . . . . . . . . . : 10.64.14.1
   DHCPv6 IAID . . . . . . . . . . . : 91541547
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-C1-F8-6C-74-D0-2B-27-BE-B3
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       4.2.2.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  7    276 ::/0                     fe80::21e:37ff:fed6:ad
  1    306 ::1/128                  On-link
  2    306 2001::/32                On-link
  2    306 2001:0:5ef5:79fb:ca8:3fdf:f5bf:f1f2/128
                                    On-link
  7    276 2601:5ce:101:5350::/64   On-link
  7    276 2601:5ce:101:5350:1dd6:cc0e:98b:50a9/128
                                    On-link
  7    276 2601:5ce:101:5350:28af:3026:cf75:988c/128
                                    On-link
  7    276 fe80::/64                On-link
  2    306 fe80::/64                On-link
  2    306 fe80::ca8:3fdf:f5bf:f1f2/128
                                    On-link
  7    276 fe80::28af:3026:cf75:988c/128
                                    On-link
  1    306 ff00::/8                 On-link
  7    276 ff00::/8                 On-link
  2    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

But I can't ping out or do anything on the client:

C:\Users\dcorbe>ping ipv6.cybernode.com

Pinging ipv6.cybernode.com [2001:470:1:1b9::31] with 32 bytes of data:
Control-C
^C
C:\Users\dcorbe>tracert 2601:5ce:101:5350:21e:37ff:fed6:ad

Tracing route to 2601:5ce:101:5350:21e:37ff:fed6:ad over a maximum of 30 hops

  1  Destination host unreachable.

Trace complete.
