IPv4 works fine everywhere.
IPv6 works from the clients (aka LAN), but fails from the router itself. E.g., connectivity audit resolves, but fails to ping mirror.sfo12.us.leaseweb.net. Likewise, from the CLI:
# host google.com | grep -i ipv6
google.com has IPv6 address 2607:f8b0:4007:809::200e
# curl --connect-timeout 10 "http://[2607:f8b0:4007:809::200e]"
curl: (28) Connection timed out after 10045 milliseconds
IPv6 works fine from the router to clients. Only the WAN side is broken.
The router is connected to WebPass and gets a proper /56 - as evidenced by clients working fine.
I suspect I've overlooked an "allow" rule for "This Firewall" in addition to the "Automatically generated rules." Are there examples of relevant allow-rules somewhere I can compare to?
By default, the firewall itself can do anything it pleases - i.e., if you did not block it.
Does your WAN have an IPv6 assigned (Interfaces->Overview)? You can get that via a single (/128) IA_NA address or, if you set "Request prefix only" and an otherwise unused prefix ID, via a /64 subnet of the /56 IA_PD prefix that the ISP gives you.
I assume an IPv6 route is in place, otherwise your clients would not be able to reach IPv6 targets.
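The two checks suggested above (a usable global IPv6 address on the WAN interface, and an IPv6 default route leaving via that same interface), as an added shell example that is not from this thread. The interface name igb0 and the 2001:db8 addresses are constructed samples in the shape of FreeBSD `ifconfig <if> inet6` and `netstat -rn -f inet6` output; on a real router you would feed the functions the live output instead.

```shell
#!/bin/sh
# Constructed sample of `ifconfig igb0 inet6` (hypothetical WAN NIC, documentation prefix).
# The third address is still in DAD ("tentative") and must not count as usable.
SAMPLE_IFCONFIG='igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet6 fe80::1:2%igb0 prefixlen 64 scopeid 0x1
    inet6 2001:db8:1234:5600::2 prefixlen 64
    inet6 2001:db8:1234:5600::3 prefixlen 64 tentative'

# Constructed sample of `netstat -rn -f inet6`.
SAMPLE_ROUTES='Internet6:
Destination                       Gateway                       Flags     Netif Expire
default                           fe80::1%igb0                  UGS        igb0
2001:db8:1234:5600::/64           link#1                        U          igb0'

# Print global IPv6 addresses that are actually usable:
# skip link-local (fe80::/10) and addresses flagged tentative/deprecated/detached.
usable_global_v6() {
    printf '%s\n' "$1" | awk '
        $1 == "inet6" && $2 !~ /^fe80:/ && !/tentative|deprecated|detached/ { print $2 }'
}

# Print the interface that carries the IPv6 default route (empty if there is none).
default_v6_ifname() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $4; exit }'
}

# Verdict for the WAN side: returns 0 when both checks pass, 1 otherwise.
# $1 = ifconfig output, $2 = netstat output, $3 = expected WAN interface name
wan_v6_ready() {
    addr=$(usable_global_v6 "$1" | head -n 1)
    via=$(default_v6_ifname "$2")
    [ -n "$addr" ] || { echo "no usable global IPv6 address on $3"; return 1; }
    [ "$via" = "$3" ] || { echo "IPv6 default route is not via $3 (found: '${via:-none}')"; return 1; }
    echo "WAN IPv6 looks complete: $addr, default route via $3"
    return 0
}

wan_v6_ready "$SAMPLE_IFCONFIG" "$SAMPLE_ROUTES" igb0
```

If both checks pass and a literal-address curl from the router still times out, the problem is not address or route assignment but something on the path, which is where the firewall rules and the linked ticket come in.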
OK, I will check all you mentioned, thank you! But at a glance, all seems compliant. I also assume that the outgoing traffic from inside OPNsense is not subject to the "Default deny / state violation rule".
I also found this ticket (https://github.com/opnsense/core/issues/6885), which sounds suspiciously similar. Will check it as well.
Thank you for checking it out!