I have upgraded to the latest rolling release of VyOS 1.4, which broke my IPv6 setup. I have done some troubleshooting, and it appears firewall rules don't match some packets.
Firewall config:
    # show firewall ipv6-name VPSToLocal6
     default-action drop
     rule 5 {
         action accept
         description "Allow ICMPv6"
         protocol ipv6-icmp
         state {
             new enable
         }
     }
     rule 10 {
         action accept
         description "Allow est/rel traffic"
         state {
             established enable
             related enable
         }
     }
Op mode:
    $ show firewall ipv6-name VPSToLocal6
    Ruleset Information

    ---------------------------------
    IPv6 Firewall "VPSToLocal6"

    Rule     Action    Protocol    Packets    Bytes    Conditions
    -------  --------  ----------  ---------  -------  ---------------------------------------
    5        accept    ipv6-icmp   0          0        ct state { new }  meta l4proto ipv6-icmp
    10       accept    all         0          0        ct state { established, related }
    default  drop      all         1504       156208
As far as I understand, if I ping via an IPv6 address, the firewall should match the ICMPv6 packet with rule 5 and allow it through. This does not happen, and all ICMPv6 packets are matched by the default rule (drop).