Hi,

There is no blocking showing up when I examine the pflog0, hence the confusion is what is blocking traffic when the firewall is enabled. I find it strange that the “ndp” output has two LLA for the same MAC address. The MAC address of the remote device 82:63:9c:36:23:a2 is listed twice. Is that actually correct? Only one of those LLA is reachable with “ping”.
The WAN link is a 4G link and the ISP only hands out a /64 address and it does not do Prefix Delegation. So I am not ruling out that my ISP is doing some strange things. When the firewall is disabled I can ping remote IPv6 sites, I get an IPv6 public address. When the firewall is enabled I cannot ping other sites and my public IP address is IPv4.

Ndp output with firewall disabled.

Neighbor                                Linklayer Address  Netif Expire    S Flags
2001:8004:1420:194b:c4a9:f2c3:3403:36ed 00:e0:67:15:e7:82  em0   permanent R l
fe80::2e0:67ff:fe15:e782%em0            00:e0:67:15:e7:82  em0   permanent R l
fe80::803a:feff:fe38:a754%em0           82:63:9c:36:23:a2  em0   37s       R R
fe80::e98a:6028:3c19:5fc%em0            82:63:9c:36:23:a2  em0   32s       R R
fe80::2e0:67ff:fe15:e783%em1            00:e0:67:15:e7:83  em1   permanent R l
fe80::1c32:1698:96d9:35fb%em1           38:f9:d3:e0:fa:db  em1   20h53m3s  S

Antonino Sidoti

> On 8 Mar 2021, at 8:11 pm, Stuart Henderson <s...@spacehopper.org> wrote:
>
> On 2021-03-08, Antonino Sidoti <n...@sidoti.id.au> wrote:
>> I am confused about how Neighbor Discovery is not working when the firewall
>> is on.
>
> Check your blocked packets. You already have "log" on most block rules,
> so look at either /var/log/pflog or live with tcpdump -e on the pflog0
> interface.