
Traceroute fails to show firewall hop when using IPv6 policy routing and enabling IPSec #274

@Kishi85

Description

Describe the bug

Traceroute fails to show the firewall hop for an IPv6 destination with policy routing upon enabling any IPSec connection (therefore creating any SPD entry):

traceroute to fc01::1 (fc01::1), 30 hops max, 80 byte packets
 1  fd00:20::1  0.426 ms  0.335 ms  0.287 ms
 2  * * *
 3  fc01::1  1.092 ms  1.039 ms  0.930 ms

Upon disabling IPSec and ensuring there are no manual SPDs left the traceroute starts showing the firewall hop:

traceroute to fc01::1 (fc01::1), 30 hops max, 80 byte packets
 1  fd00:20::1  0.370 ms  0.277 ms  0.229 ms
 2  fd00:ffff::2  0.717 ms  0.492 ms  0.662 ms
 3  fc01::1  0.947 ms  0.880 ms  0.901 ms

Shared forwarding is used so that the firewall shows at all in the traceroute. Packet captures on OPNsense reflect what is seen on the traceroute, with its own hop ICMP response being missing whilst IPSec is up.

IPv4 is also working as expected and shows the firewall hop regardless of IPSec being up or not:

traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 60 byte packets
 1  10.0.20.1  0.276 ms * *
 2  10.0.255.2  0.386 ms  0.387 ms  0.354 ms
 3  192.168.1.1  0.970 ms  0.969 ms  0.861 ms

To Reproduce

Steps to reproduce the behavior:

  1. Set up an IPv6 rule that passes traffic to the internet using policy routing (by selecting a gateway in the rule) on a specific IPv6 gateway(-group)
  2. Run IPv6 traceroute to ensure the firewall hop is showing on traceroute (or mtr)
  3. Enable IPSec and make sure at least one SPD is installed (any will do)
  4. Check IPv6 traceroute again and see that the hop for the firewall is missing
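Steps 2 and 4 amount to comparing two traceroute runs and spotting the hop that went quiet. The parser below is an added example, not code from the report or from OPNsense: it reads standard traceroute text (the two IPv6 runs quoted above are embedded as constructed sample input), records per hop which address answered and how many probes timed out, and reports hops that answered in the baseline run but are fully silent in the later one. It also handles partially silent hops such as the IPv4 line ` 1  10.0.20.1  0.276 ms * *`, which the report shows and which should not be flagged.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two IPv6 traceroute runs quoted in the report,
# first with IPSec disabled (firewall hop visible), then with IPSec enabled.
BASELINE = """\
traceroute to fc01::1 (fc01::1), 30 hops max, 80 byte packets
 1  fd00:20::1  0.370 ms  0.277 ms  0.229 ms
 2  fd00:ffff::2  0.717 ms  0.492 ms  0.662 ms
 3  fc01::1  0.947 ms  0.880 ms  0.901 ms
"""

WITH_IPSEC = """\
traceroute to fc01::1 (fc01::1), 30 hops max, 80 byte packets
 1  fd00:20::1  0.426 ms  0.335 ms  0.287 ms
 2  * * *
 3  fc01::1  1.092 ms  1.039 ms  0.930 ms
"""

# A hop line starts with the TTL; the "traceroute to ..." header does not match.
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")


@dataclass
class Hop:
    ttl: int
    address: Optional[str]  # None when no probe for this TTL was answered
    answered: int           # probes that returned an RTT
    timed_out: int          # probes printed as "*"


def _is_rtt(token: str) -> bool:
    try:
        float(token)
        return True
    except ValueError:
        return False


def parse_traceroute(text: str) -> Dict[int, Hop]:
    """Parse Linux/BSD traceroute output into a TTL -> Hop map.

    Fully silent hops (" 2  * * *") get address None; partially silent
    ones (" 1  10.0.20.1  0.276 ms * *") keep the address that answered.
    """
    hops: Dict[int, Hop] = {}
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue
        ttl, tokens = int(m.group(1)), m.group(2).split()
        address = None
        for tok in tokens:
            # Skip timeouts, RTT values, the "ms" unit, "(addr)" echoes and "!X" annotations
            if tok == "*" or tok == "ms" or _is_rtt(tok) or tok[0] in "(!":
                continue
            address = tok
            break
        hops[ttl] = Hop(
            ttl=ttl,
            address=address,
            answered=tokens.count("ms"),
            timed_out=tokens.count("*"),
        )
    return hops


def silent_hops(baseline_text: str, current_text: str) -> List[Tuple[int, str]]:
    """Return (ttl, baseline address) for hops that answered in the baseline
    run but are completely silent, or absent, in the current run."""
    baseline = parse_traceroute(baseline_text)
    current = parse_traceroute(current_text)
    lost: List[Tuple[int, str]] = []
    for ttl, hop in sorted(baseline.items()):
        if hop.address is None:
            continue  # already silent in the baseline; nothing to compare
        now = current.get(ttl)
        if now is None or now.address is None:
            lost.append((ttl, hop.address))
    return lost


if __name__ == "__main__":
    for ttl, addr in silent_hops(BASELINE, WITH_IPSEC):
        print(f"hop {ttl} ({addr} in baseline) no longer answers")
```

Running it against the two quoted runs reports hop 2 (fd00:ffff::2, the firewall) as the one that stopped answering. Feeding it live output (`traceroute -6 fc01::1` before and after enabling IPSec) gives the same check without reading the hop lists by eye.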

Expected behavior

The firewall hop should show in IPv6 traceroute regardless of any IPSec connection being in use or not.

Describe alternatives you considered

Using default gateway switching the behaviour is as expected and IPv6 traceroutes show the firewall hop regardless of IPSec being enabled or not.

Screenshots

Not applicable

Relevant log files

Nothing in the logs indicating any error.

Additional context

Ping and traceroute to the firewall directly work as expected regardless of IPSec or not. It's only when the firewall is an intermediate hop and when traversing a PBR rule that the IPv6 traceroute fails to show the firewall hop once IPSec is enabled and any entry is in the SPD.

Environment

OPNsense 25.7.10 (amd64)
This was tested on a fresh install on a Proxmox virtual machine using OPNsense installation defaults and creating the minimal settings necessary to do PBR and IPSec as described above.

Labels: upstream (Third party issue)