Firewalld blocks IPv6, ignores config

I ran into the same issue. After following the logic through the rules that firewalld puts in I found that the drop zone was blocking ipv6 icmp that is needed to find the ipv6 neighbors. There is a rule to allow all ipv6 icmp but firewalld puts it after the input zones which is where the drop rules go.

If you want to see this for yourself just look at the output from 'ip6tables -L -n -v'

So, a quick and dirty fix is to do this:

firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p icmpv6 -j ACCEPT

Firewalld puts the direct rules before the other input rules so that will happen before the drop rules. If you want to block things like ping you would also use a direct rule but you would need it before the rule above.

You would do something like:

firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p icmpv6 --icmpv6-type 128 -j DROP
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 1 -p icmpv6 -j ACCEPT

The priorities will keep them in order.