IPv6 Routing issue - can't figure it out

Blue)(Fusion

Active Member
Mar 1, 2017
150
56
28
Chicago
A few months back I had to re-install OPNSense on a repurposed Checkpoint box due to a weird upgrade bug. I restored from a backup and had to do a few tweaks and all was well. Since then, whenever I update or reboot my OPNsense box, it is hit or miss if IPv6 routing works from my LAN to the global internet. Oddly enough, if that happened, a subsequent reboot usually fixed it and I could never figure out why. Today I installed the latest 23.1 updates and now IPv6 is not routing from LAN to WAN at all after multiple reboots. Please put a pair of eyes on my setup and find the simple mistake I am overlooking.

OPNSense routing table
Note: em0 is LAN to ICX6610 which routes all the VLANS, em1 is to cable modem (WAN)
Code:
Routing tables

Internet:
Destination Gateway Flags Netif Expire
default 184.57.224.1 UGS em1
10.0.0.0/24 10.9.112.1 UGS ovpnc1
10.9.112.0/24 10.9.112.1 UGS ovpnc1
10.9.112.1 link#13 UH ovpnc1
10.9.112.12 link#13 UHS lo0
10.23.0.0/16 10.23.9.1 UGS em0
10.23.9.0/30 link#1 U em0
10.23.9.2 link#1 UHS lo0
10.99.1.0/24 10.99.1.2 UGS ovpns2
10.99.1.1 link#14 UHS lo0
10.99.1.2 link#14 UH ovpns2
127.0.0.1 link#10 UH lo0
184.57.224.0/19 link#2 U em1
184.57.234.85 link#2 UHS lo0

Internet6:
Destination Gateway Flags Netif Expire
default fe80::201:5cff:fe77:6c46%em1 UG em1
::1 link#10 UHS lo0
2603:6010:7300:2c00::/56 fe80::768e:f8ff:fee7:b4b0%em0 UGS em0
2605:a000:dfc0:10:94df:8250:5ff6:1556 link#2 UHS lo0
fdc6:3919:4106:2300::/56 fe80::768e:f8ff:fee7:b4b0%em0 UGS em0
fdc6:3919:4106:2309::/64 link#1 U em0
fdc6:3919:4106:2309::2 link#1 UHS lo0
fdc6:3919:4106:9901::/64 link#14 U ovpns2
fdc6:3919:4106:9901::1 link#14 UHS lo0
fe80::%em0/64 link#1 U em0
fe80::21c:7fff:fe36:cd32%em0 link#1 UHS lo0
fe80::%em1/64 link#2 U em1
fe80::21c:7fff:fe36:cd33%em1 link#2 UHS lo0
fe80::%lo0/64 link#10 U lo0
fe80::1%lo0 link#10 UHS lo0
fe80::%ovpns2/64 link#14 U ovpns2
fe80::21c:7fff:fe36:cd32%ovpns2 link#14 UHS lo0

em0 on OPNSense
Code:
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN (lan)
options=4902008<VLAN_MTU,WOL_MAGIC,NETMAP,NOMAP>
ether 00:1c:7f:36:cd:32
inet6 fe80::21c:7fff:fe36:cd32%em0 prefixlen 64 scopeid 0x1
inet6 fdc6:3919:4106:2309::2 prefixlen 64
inet 10.23.9.2 netmask 0xfffffffc broadcast 10.23.9.3
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

ICX6610 routing table
Note: 1/1/48 is uplink from OPNSense
Code:
SSH@sw1#show ipv6 route
IPv6 Routing Table - 18 entries:
Type Codes - B:BGP C:Connected I:ISIS L:Local O:OSPF R:RIP S:Static
BGP Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
STATIC Codes - d:DHCPv6
Type IPv6 Prefix Next Hop Router Interface Dis/Metric Uptime
S ::/0 fe80::21c:7fff:fe36:cd32
e 1/1/48 1/1 38m24s
C 2603:6010:7300:2c00::/64
:: ve 2300 0/0 75d14h
C 2603:6010:7300:2c01::/64
:: ve 2301 0/0 75d10h
C 2603:6010:7300:2c09::/64
:: e 1/1/48 0/0 38m25s
C 2603:6010:7300:2c10::/64
:: ve 2310 0/0 75d14h
C 2603:6010:7300:2c15::/64
:: ve 2315 0/0 75d14h
C 2603:6010:7300:2c40::/64
:: ve 2340 0/0 75d14h
C 2603:6010:7300:2c50::/64
:: ve 2350 0/0 75d14h
C 2603:6010:7300:2c60::/64
:: ve 2360 0/0 75d14h
C fdc6:3919:4106:2300::/64
:: ve 2300 0/0 75d14h
C fdc6:3919:4106:2301::/64
:: ve 2301 0/0 75d10h
C fdc6:3919:4106:2305::/64
:: ve 2305 0/0 75d14h
C fdc6:3919:4106:2309::/64
:: e 1/1/48 0/0 38m25s
C fdc6:3919:4106:2310::/64
:: ve 2310 0/0 75d14h
C fdc6:3919:4106:2315::/64
:: ve 2315 0/0 75d14h
C fdc6:3919:4106:2340::/64
:: ve 2340 0/0 75d14h
C fdc6:3919:4106:2350::/64
:: ve 2350 0/0 75d14h
C fdc6:3919:4106:2360::/64
:: ve 2360 0/0 75d14h
SSH@sw1#show ip route
Total number of IP routes: 12
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
Destination Gateway Port Cost Type Uptime
1 0.0.0.0/0 10.23.9.2 e 1/1/48 1/1 S 38m29s
2 10.23.0.0/24 DIRECT ve 2300 0/0 D 75d14h
3 10.23.1.0/24 DIRECT ve 2301 0/0 D 75d10h
4 10.23.5.0/24 DIRECT ve 2305 0/0 D 75d14h
5 10.23.9.0/30 DIRECT e 1/1/48 0/0 D 38m29s
6 10.23.10.0/24 DIRECT ve 2310 0/0 D 75d14h
7 10.23.15.0/24 DIRECT ve 2315 0/0 D 75d14h
8 10.23.20.0/24 DIRECT ve 2320 0/0 D 75d14h
9 10.23.30.0/24 DIRECT ve 2330 0/0 D 75d14h
10 10.23.40.0/24 DIRECT ve 2340 0/0 D 75d14h
11 10.23.50.0/24 DIRECT ve 2350 0/0 D 75d14h
12 10.23.60.0/24 DIRECT ve 2360 0/0 D 75d14h

IPv6 address for ICX6610 to OPNSense link
Code:
SSH@sw1#show ipv6 int eth 1/1/48
Interface Eth 1/1/48 is up, line protocol is up
IPv6 is enabled, link-local address is fe80::768e:f8ff:fee7:b4b0 [Preferred]
Global unicast address(es):
fdc6:3919:4106:2309::1 [Preferred], subnet is fdc6:3919:4106:2309::/64
2603:6010:7300:2c09::1 [Preferred], subnet is 2603:6010:7300:2c09::/64

Other notes:
  • IPv4 and IPv6 work fine between all VLANs
  • IPv4 and IPv6 work fine in both directions between any LAN device and OPNSense LAN UIP
  • The ISP provided /56 subnet is 2603:6010:7300:2c00::/56
  • I'm using a ULA subnet of fdc6:3919:4106:2300::/56 (from a ULA subnet of fdc6:3919:4106::/48)
  • I can access remote VPN clients and they can access my local ULAs via their ULAs (fdc6:3919:4106:9901::/64) that are connected to an OPNSense OpenVPN server
  • All IPv6 traffic is allowed via the LAN firewall table in OPNSense
  • OPNSense can reach any GLA WAN IPv6 address just fine.

Here's a traceroute6 to google.com which doesn't make it past the OPNSense router and another traceroute6 to my nameserver on the LAN. The ifconfig is included (it's my laptop).
Code:
blue@lappytoppy ~ % ifconfig wlp3s0
wlp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 10.23.10.11 netmask 255.255.255.0 broadcast 10.23.10.255
inet6 fe80::4ea4:8d0c:e790:be2f prefixlen 64 scopeid 0x20<link>
inet6 fdc6:3919:4106:2310:6b66:2739:3527:eafd prefixlen 64 scopeid 0x0<global>
inet6 2603:6010:7300:2c10:59dd:61aa:2573:7141 prefixlen 64 scopeid 0x0<global>
ether fc:f8:ae:7b:c1:13 txqueuelen 1000 (Ethernet)
RX packets 242447 bytes 299107936 (285.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 75055 bytes 14803825 (14.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

blue@lappytoppy ~ % traceroute6 google.com -m10
traceroute to google.com (2607:f8b0:4004:c1b::66), 10 hops max, 80 byte packets
1 2603-6010-7300-2c10-0000-0000-0000-0001.res6.spectrum.com (2603:6010:7300:2c10::1) 8.221 ms 8.145 ms 8.102 ms
2 fdc6:3919:4106:2309::2 (fdc6:3919:4106:2309::2) 2.635 ms 2.641 ms 2.617 ms
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
blue@lappytoppy~ % traceroute6 ns1
traceroute to ns1 (fdc6:3919:4106:2301::2), 30 hops max, 80 byte packets
1 fdc6:3919:4106:2310::1 (fdc6:3919:4106:2310::1) 7.225 ms 7.180 ms 7.158 ms
2 fdc6:3919:4106:2301::2 (fdc6:3919:4106:2301::2) 7.138 ms 7.119 ms 7.102 ms

Blue)(Fusion

Quick update with no proper solution:

I rebooted the OPNSense server about 6 times in total now and on the 6th reboot, IPv6 routing to WAN is working again. I don't see anything different but here's the currently working OPNSense routing table:
Code:
Internet6:
Destination                       Gateway                       Flags     Netif Expire
default fe80::201:5cff:fe77:6c46%em1 UG em1
::1 link#9 UHS lo0
2603:6010:7300:2c00::/56 fe80::768e:f8ff:fee7:b4b0%em0 UGS em0
2605:a000:dfc0:10:94df:8250:5ff6:1556 link#2 UHS lo0
fdc6:3919:4106:2300::/56 fe80::768e:f8ff:fee7:b4b0%em0 UGS em0
fdc6:3919:4106:2309::/64 link#1 U em0
fdc6:3919:4106:2309::2 link#1 UHS lo0
fdc6:3919:4106:9901::/64 link#14 U ovpns2
fdc6:3919:4106:9901::1 link#14 UHS lo0
fe80::%em0/64 link#1 U em0
fe80::21c:7fff:fe36:cd32%em0 link#1 UHS lo0
fe80::%em1/64 link#2 U em1
fe80::21c:7fff:fe36:cd33%em1 link#2 UHS lo0
fe80::%lo0/64 link#9 U lo0
fe80::1%lo0 link#9 UHS lo0
fe80::%ovpns2/64 link#14 U ovpns2
fe80::21c:7fff:fe36:cd32%ovpns2 link#14 UHS lo0
No configuration changes were made.
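
To check the observation in the second post that the working and non-working routing tables look the same, this added example (not part of the original posts) parses a subset of the Internet6 rows from both listings and diffs them. The function names are illustrative, and the sample rows are copied from the two tables above.

```python
import re

# Sample input: a subset of the Internet6 rows from the two `netstat -rn`
# listings in the posts above (failing boot first, working boot second).
FAILING = """\
default fe80::201:5cff:fe77:6c46%em1 UG em1
::1 link#10 UHS lo0
2603:6010:7300:2c00::/56 fe80::768e:f8ff:fee7:b4b0%em0 UGS em0
fdc6:3919:4106:2300::/56 fe80::768e:f8ff:fee7:b4b0%em0 UGS em0
fdc6:3919:4106:2309::/64 link#1 U em0
fe80::%lo0/64 link#10 U lo0
fe80::1%lo0 link#10 UHS lo0
"""
WORKING = """\
default fe80::201:5cff:fe77:6c46%em1 UG em1
::1 link#9 UHS lo0
2603:6010:7300:2c00::/56 fe80::768e:f8ff:fee7:b4b0%em0 UGS em0
fdc6:3919:4106:2300::/56 fe80::768e:f8ff:fee7:b4b0%em0 UGS em0
fdc6:3919:4106:2309::/64 link#1 U em0
fe80::%lo0/64 link#9 U lo0
fe80::1%lo0 link#9 UHS lo0
"""

def parse_routes(text):
    """Map destination -> (gateway, flags, netif), skipping header lines."""
    routes = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] in ("Destination", "Routing"):
            continue
        routes[fields[0]] = tuple(fields[1:4])
    return routes

def diff_routes(before, after):
    """Return (added, removed, changed) between two parsed tables."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = {d: (before[d], after[d])
               for d in sorted(set(before) & set(after)) if before[d] != after[d]}
    return added, removed, changed

def significant_changes(changed):
    """Drop changes that differ only in the kernel's link#N interface index."""
    def norm(route):
        return (re.sub(r"^link#\d+$", "link#N", route[0]),) + route[1:]
    return {d: p for d, p in changed.items() if norm(p[0]) != norm(p[1])}

if __name__ == "__main__":
    added, removed, changed = diff_routes(parse_routes(FAILING), parse_routes(WORKING))
    print(added, removed, changed, significant_changes(changed))
```

On these rows the only differences are the `link#N` index for lo0 (10 versus 9), so the route entries themselves match between the failing and the working boot.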