Hi all,

I'm trying to get IPv6 set up on a firewall box running 6.4. I'm using dhcpcd to get an NA and several PDs, which appears to be working fine, but no normal v6 traffic can be sent or received. tcpdump on the egress interface (em3) shows lots of icmp6 neighbor solicits going back and forth, but no responses from either side:

$ ifconfig em3
em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 0c:c4:7a:ad:2a:e7
index 4 priority 0 llprio 3
groups: egress
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet6 fe80::8dfc:5795:8ab7:e2b%em3 prefixlen 64 scopeid 0x4
inet <omitted> netmask 0xffffe000 broadcast <omitted>
inet6 2605:a601:fe07:c900::1 prefixlen 128 pltime 64553 vltime 86153
$ tcpdump -nlp -i em3 ip6
... neighbor sol repeating many times ...
22:46:53.876457 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:01.876688 fe80::2d0:f6ff:feea:4ff0 > 2605:a601:fe07:c900::1: icmp6: neighbor sol: who has 2605:a601:fe07:c900::1 [class 0xc0]
22:47:01.876778 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:01.877542 fe80::2d0:f6ff:feea:4ff0 > fe80::8dfc:5795:8ab7:e2b: icmp6: neighbor sol: who has fe80::8dfc:5795:8ab7:e2b [class 0xc0]
22:47:02.876594 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:03.876603 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:32.337233 fe80::8dfc:5795:8ab7:e2b.546 > ff02::1:2.547: dhcp6 release [hlim 1]
22:47:32.515413 fe80::2d0:f6ff:feea:4ff0.547 > fe80::8dfc:5795:8ab7:e2b.546: dhcp6 [class 0xc0]

I added "pass quick on em3 inet6" to the top of pf.conf to make sure the responses aren't being filtered.

The peer LL address is always marked incomplete:

$ ndp -na | grep em3
2605:a601:fe07:c900::1 0c:c4:7a:ad:2a:e7 em3 permanent R l
fe80::2d0:f6ff:feea:4ff0%em3 00:d0:f6:ea:51:96 em3 expired I R
fe80::8dfc:5795:8ab7:e2b%em3 0c:c4:7a:ad:2a:e7 em3 permanent R l
Pinging any v6 address outside my network only results in one
fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
per ping sent.

Routes:

$ route -n show -inet6 | grep em3
default fe80::2d0:f6ff:feea:4ff0%em3 UGS 0 53699 - 8 em3
2605:a601:fe07:c900::1 0c:c4:7a:ad:2a:e7 UHLl 0 1752 - 1 em3
fe80::%em3/64 fe80::8dfc:5795:8ab7:e2b%em3 UCn 1 1 - 4 em3
fe80::2d0:f6ff:feea:4ff0%em3 00:d0:f6:ea:51:96 UHLch 1 720183 - 3 em3
fe80::8dfc:5795:8ab7:e2b%em3 0c:c4:7a:ad:2a:e7 UHLl 0 110606 - 1 em3
ff01::%em3/32 fe80::8dfc:5795:8ab7:e2b%em3 Um 0 3 - 4 em3
ff02::%em3/32 fe80::8dfc:5795:8ab7:e2b%em3 Um 0 161322 - 4 em3

There is a managed switch between the firewall's egress and the ISP, but it's not doing any packet filtering. I'm currently out of ideas; any suggestions would be much appreciated.
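
An added example, not part of the original post: a small Python script that reads tcpdump lines like the ones above, counts neighbor solicitations that never get a matching advertisement, and checks that each multicast solicitation went to the solicited-node group derived from its target (RFC 4291). The `2001:db8::` pair and the `neighbor adv: tgt is` line format are constructed assumptions; the other lines are copied from the capture in the post.

```python
import ipaddress
import re
from collections import Counter

# First four lines: from the capture in the post.
# Last two lines: constructed sample showing an answered solicitation.
CAPTURE = """\
22:46:53.876457 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:01.876688 fe80::2d0:f6ff:feea:4ff0 > 2605:a601:fe07:c900::1: icmp6: neighbor sol: who has 2605:a601:fe07:c900::1 [class 0xc0]
22:47:01.877542 fe80::2d0:f6ff:feea:4ff0 > fe80::8dfc:5795:8ab7:e2b: icmp6: neighbor sol: who has fe80::8dfc:5795:8ab7:e2b [class 0xc0]
22:47:02.876594 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:04.999000 2001:db8::1 > ff02::1:ff00:2: icmp6: neighbor sol: who has 2001:db8::2
22:47:05.000000 2001:db8::2 > 2001:db8::1: icmp6: neighbor adv: tgt is 2001:db8::2
"""

LINE = re.compile(
    r"^\S+ (?P<src>\S+) > (?P<dst>[0-9a-f:]+): icmp6: neighbor "
    r"(?P<kind>sol: who has|adv: tgt is) (?P<tgt>[0-9a-f:]+)"
)

def solicited_node(addr):
    """Solicited-node multicast group: ff02::1:ff00:0/104 plus the low 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def summarize(capture):
    """Return ({target: unanswered solicit count}, [solicits sent to the wrong group])."""
    sol, adv, wrong_group = Counter(), Counter(), []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a neighbor discovery line (e.g. dhcp6)
        tgt = ipaddress.IPv6Address(m["tgt"])
        if m["kind"].startswith("sol"):
            sol[tgt] += 1
            dst = ipaddress.IPv6Address(m["dst"])
            # Unicast solicits (reachability probes) carry no group to check.
            if dst.is_multicast and dst != solicited_node(tgt):
                wrong_group.append(line)
        else:
            adv[tgt] += 1
    unanswered = {str(t): n for t, n in sol.items() if adv[t] == 0}
    return unanswered, wrong_group

if __name__ == "__main__":
    unanswered, wrong_group = summarize(CAPTURE)
    for target, count in unanswered.items():
        print(f"{count} solicit(s) for {target}, no advertisement seen")
    print(f"{len(wrong_group)} multicast solicit(s) sent to an unexpected group")
```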