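# pf.conf -- IPv6 firewall/router between an external VLAN (vlan1000) and an
# internal VLAN (vlan2000).  Default policy is block-and-log.  State is
# interface-bound, so a forwarded flow needs a matching pass rule on both the
# interface it enters and the interface it leaves.

# --- Macros ----------------------------------------------------------------
ext_vlan = "vlan1000"
int_vlan = "vlan2000"
# NOTE: $ext_net and $int_net are defined but never referenced below; the
# rules use the interface-derived $ext_vlan:network / $int_vlan:network
# instead.  Kept so that existing tooling that greps for them still works.
ext_net = "{ 2001:470:dca9:ff00::/64 }"
int_net = "{ 2001:470:dca9:ff10::/64 }"

# --- Options ---------------------------------------------------------------
set skip on lo0                 # never filter loopback
set debug urgent                # legacy debug-level keyword (pre-syslog-level syntax)
set block-policy drop           # blocked packets are silently dropped (no RST / unreachable)
set loginterface $ext_vlan      # packet/byte counters for the external side (pfctl -si)
set state-policy if-bound       # a state only matches on the interface that created it
set limit states 100000

# --- Normalization ---------------------------------------------------------
# 'scrub in' is the pre-OpenBSD 4.6 / FreeBSD form; newer OpenBSD spells this
# 'match in all scrub (reassemble)'.  Fragments are reassembled before the
# filter rules see them.
scrub in fragment reassemble

# --- Default deny and spoofing checks --------------------------------------
block log
antispoof log quick for { $ext_vlan $int_vlan }
block in log quick from urpf-failed

# --- Outbound --------------------------------------------------------------
# Firewall-originated traffic and traffic forwarded from the internal network
# may leave on the external VLAN, except towards the external interface's own
# addresses.
pass out on $ext_vlan from { $ext_vlan $int_vlan:network } to !$ext_vlan modulate state
# Only firewall-originated traffic (own addresses as source) leaves on the
# internal VLAN.  With if-bound states, forwarded external->internal traffic
# therefore finds no outbound pass rule here and is dropped by the default
# block -- this is the second line of defence behind the inbound rules below.
pass out on $int_vlan from $int_vlan to { $int_vlan:network fe80::/64 ff02::/16 } modulate state

# --- Inbound, external VLAN ------------------------------------------------
# The previous rule used 'to { !self !$int_vlan:network }'.  pfctl expands a
# list into one rule per entry, so two negated entries are OR-ed: the pair
# passed traffic destined to anything that is not self OR not in the internal
# network -- i.e. nearly everything, including internal hosts.  The intended
# AND ("neither self nor the internal network") is expressed here as
# pass-then-block: the later, more specific block wins for the protected
# destinations (last match wins; no 'quick'), and the ICMPv6 rules further
# down still re-permit echo requests and neighbor discovery as before.
pass in on $ext_vlan from $ext_vlan:network to !self modulate state
block in log on $ext_vlan from $ext_vlan:network to $int_vlan:network

# --- Inbound, internal VLAN ------------------------------------------------
# Internal hosts may reach anything except the firewall itself (ICMPv6
# exceptions below).
pass in on $int_vlan from $int_vlan:network to { !self } modulate state

# --- ICMPv6 ----------------------------------------------------------------
# Echo requests: to the firewall's external address from the external link,
# and to either of its addresses from the internal link.
pass in on $ext_vlan inet6 proto icmp6 from { $ext_vlan:network fe80::/64 } to { $ext_vlan } icmp6-type echoreq keep state
pass in on $int_vlan inet6 proto icmp6 from { $int_vlan:network fe80::/64 } to { $ext_vlan $int_vlan } icmp6-type echoreq keep state
# Neighbor and router discovery on every interface, from any source.
# NOTE(review): routeradv is accepted on both VLANs; if this host is the only
# router on the internal VLAN, consider limiting routeradv to $ext_vlan so a
# rogue RA on vlan2000 is not accepted by the firewall itself -- confirm the
# topology before tightening.
pass in inet6 proto icmp6 icmp6-type { neighbrsol neighbradv routersol routeradv } keep state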