Like a month ago we got a complaint from a user that our website
was unreachable over IPv6. We have 2x native IPv6 transits. The user
had bought IPv6 from an ISP that uses tunneling to deliver it
to the organization. After some packet traces we found out that the
problem was in PF and that it doesn't seem to handle fragmented IPv6
packets.

Sure enough, from the man page of pf.conf:

"Currently, only IPv4 fragments are supported and IPv6 fragments are
 blocked unconditionally."

The problem is that some of Sweden's largest ISPs use tunneling for IPv6
to their customers so we can't just say, ditch 'em. Teredo seems to work fine.

Is there a workaround or plans to implement support for this in pf? We have
multiple firewalls and the others have no problems with IPv6 + fragmented packets.


//Jonas
