I have a FreeBSD machine (12.0-CURRENT) acting as a router for both
IPv4 and IPv6 traffic. The external interface (ue0) accepts router
advertisements and advertisements are sent out the internal interface
(ue1) using rtadvd. All hosts are receiving addresses properly.

The problem is attempting to SSH to the device with the following rule:

    pass in on $ext_if from any to $host_a port = ssh keep state
    block log all

Ingress traffic is observed on ue0 with tcpdump, but is never sent out ue1
to $host_a. No log is generated to pflogd.

A modification of that rule permits traffic to $host_a:

    pass in on $ext_if from any to any port = ssh keep state

Why doesn't the first example work? Here's a sample of the ingress
traffic. Only two packets captured here, but both are from the tcpdump
process running on ue0.