Nothing is as easy as it seems. Sigh… 🙁
I was getting strange timeouts when accessing sites via tunneled IPv6 (OpenVPN). Turned out that the sender never got the ICMPv6 Redirect from the tunnel endpoint, i.e. the OpenVPN server: the ICMPv6 packet is sent from the link-local address of the gateway (fe80::some:thin:g/64) and gets dropped in the FORWARD chain of the gateway if the policy is DROP.
Setting it to ACCEPT magically makes things work, but that’s equal to turning off the firewall. Allowing traffic from and to fe80::/8 doesn’t help, either. Never figured out why.
What now? The physdev module comes to the rescue! Despite its name it can match the (virtual) tap interface of the OpenVPN server. Just add the following rules to the beginning of the FORWARD chain:
    ip6tables -I FORWARD -m physdev --physdev-out tap0 -j ACCEPT
    ip6tables -I FORWARD -m physdev --physdev-in tap0 -j ACCEPT
and things run smoothly again 🙂
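As an added example (not the post's own commands), here is a small shell helper that rebuilds the FORWARD chain the way the post describes: policy DROP, a conntrack rule so established flows keep working, and the two physdev rules for the OpenVPN tap interface. It assumes the interface is tap0 and that ip6tables is the firewall in use; the IP6T and DRY_RUN variables are my own additions so the rule set can be printed and checked without root.

```shell
#!/bin/sh
# Added example, not from the original post.
# IP6T: the ip6tables binary (assumption: it is in PATH).
# DRY_RUN=1 prints the commands instead of applying them.
IP6T="${IP6T:-ip6tables}"

# Emit one rule: printed in dry-run mode, otherwise applied.
rule() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$IP6T" "$*"
    else
        "$IP6T" "$@"
    fi
}

# Rebuild the FORWARD chain for the OpenVPN gateway.
# $1 is the tap interface of the OpenVPN server (default tap0).
setup_forward() {
    tap="${1:-tap0}"
    rule -P FORWARD DROP
    rule -F FORWARD
    # Keep established flows and their related ICMPv6 errors working.
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The fix from the post: match traffic crossing the tap interface by
    # bridge port (physdev), so the ICMPv6 Redirect sent from the gateway's
    # link-local address is no longer caught by the DROP policy.
    rule -A FORWARD -m physdev --physdev-in "$tap" -j ACCEPT
    rule -A FORWARD -m physdev --physdev-out "$tap" -j ACCEPT
}

# Sanity check: number of physdev rules in the generated chain (expect 2).
count_physdev_rules() {
    DRY_RUN=1 setup_forward "$1" | grep -c -- '-m physdev'
}
```

physdev matches the bridge port an interface is enslaved to, so these rules only take effect for traffic that actually traverses tap0 as a bridge port (which is why the module works here "despite its name").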