OK I may be completely off the mark here. But I seem to remember something about potential problems with fragment reassembly on IPv6. Just for kicks, does the problem still manifest if you comment scrub all max-mss 1200 fragment reassemble Again, I may be off the mark here, as I don't exactly remember where/when I read about it. But just thought I'd throw it out there in case it helped.
Actually, yes, this is true, and in most other places I use pf I have the rule:
pass quick inet6 proto ipv6-frag all keep state in pf.conf. But this time I forgot. However I just tried adding that though, and it hasnt helped. All IPv4 traffic as well as IPv6 gets dropped when it starts dropping stuff, so I dont think this is Ipv6 related. Good memory though, I had forgotten that ;-) -pete.
