Was setting up a port forward and IPv6 passthrough for my NTP server and came across a issue trying to setup the IPv6 part.
When creating the alias, I accidently created a type 'Host(s)' alias instead of a type 'Dynamic IPv6 Host' alias. I didn't realize what I did because the type 'Host(s)' alias did not give an error when I used the second half of the IPv6 GUA address for the machine. When testing, Opnsense was blocking the incoming connections with 'Default Deny/State Violation Rule'. Upon checking the rule and alias, it was then I realized I had that alias type set as 'Host(s)' instead of 'Dynamic IPv6 Host'. So I simply changed the type to 'Dynamic IPv6 Host', and tested again, only for Opnsense to continue to block the incoming connection. I couldn't figure out why as everything, the rule and alias, should be correct now. I thought maybe it was something with the rule and spent the next hour+ editing it, deleting it, manually recreating it, and even cloning the working IPv6 pass rule I already had in place for another service. It wasn't untill I deleted the Alias and recreated it from the start with the correct type 'Dynamic IPv6 Host' set, that the rule then started to work and the connections could pass through the firewall.
Currently running:
OPNsense 26.1.4-amd64
FreeBSD 14.3-RELEASE-p9
TL/DR - If you attempt to create a Alias for a dynamic IPv6 host, but you choose type 'Host(s)' and save, you cannot simply change the type after to correct it. You must delete the Alias, and recreate it again with the correct type.
No clue why that happens but it sounds like something the project people would appreciate a bug report for on GH.
My first thought was that maybe because the alias retains the same name, then it looks the same on the back end (in /tmp/rules.debug) because aliases show up as "$name" references in the pf rules there. So nothing triggered a reload.
But I'm speaking out of my rear end... that's an uninformed guess.