ip6tables: ACCEPT icmpv6 before dropping state INVALID

Spent some hours trying to figure out why our firewall was blocking IPv6 ICMP traffic. Apparently, IPv6 packets start out in state INVALID and become valid after some sort of ICMP traffic. If anyone can explain it to me, I'd love to hear the details. My guess is that in IPv4, state is somehow set to valid via ARP. Since IPv6 doesn't use ARP but ICMP for neighbour detection, my guess is that you need to accept this before doing any state checking.
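An added example (not from the original post): a shell check that reads `ip6tables-save` output and flags a chain where a state-INVALID drop comes before the ICMPv6 accept, which is the ordering problem described above. The function name and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit ip6tables-save output for the rule ordering described above.
# Reads ip6tables-save text on stdin, prints a verdict for the given chain, and
# returns 0 unless that chain drops state INVALID before accepting ICMPv6.
# Simplification: any ACCEPT rule matching the ICMPv6 protocol counts as the accept.
check_icmpv6_order() {
    chain="${1:-INPUT}"
    awk -v chain="$chain" '
        $1 == "-A" && $2 == chain {
            n++
            is_icmp6 = ($0 ~ /-p (ipv6-icmp|icmpv6|58)( |$)/)
            if (is_icmp6 && $0 ~ /-j ACCEPT/ && !accept) accept = n
            if ($0 ~ /(--ctstate|--state) [A-Z,]*INVALID/ && $0 ~ /-j (DROP|REJECT)/ && !drop) drop = n
        }
        END {
            if (!drop) { print chain ": no INVALID drop rule"; exit 0 }
            if (!accept) { print chain ": INVALID dropped at rule " drop ", ICMPv6 never accepted"; exit 1 }
            if (accept < drop) { print chain ": ok (ICMPv6 accept at " accept ", INVALID drop at " drop ")"; exit 0 }
            print chain ": INVALID drop at rule " drop " precedes ICMPv6 accept at rule " accept
            exit 1
        }'
}

# Constructed sample: INVALID is dropped before ICMPv6 is accepted.
bad_ruleset() { cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
COMMIT
EOF
}

# Constructed sample: ICMPv6 is accepted before any state check.
good_ruleset() { cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

bad_ruleset | check_icmpv6_order INPUT || true
good_ruleset | check_icmpv6_order INPUT
```

On a live host the same function can be fed from `ip6tables-save` run as root.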

