I am running an openSUSE 11.2 server that is also my IPv4 NAT router for my LAN. After setting up an IPv6 tunnel, I can get to and from the server via IPv6 without any problem. I set up the LAN interface to use my routed /64 and set up a workstation on the LAN for the same IPv6 subnet. The workstation can access the server via IPv6 and can even ping the server's tunnel endpoint address. However, when SuSEfirewall2 is enabled on the server, nothing gets routed over the tunnel. If I shut down the firewall, the workstation can access IPv6 hosts through the tunnel just fine, so the routing seems correct. I have tried many different parameters in the config file to no avail. Running without the firewall enabled is NOT an option, as then my LAN IPv4 access will stop.
On the LAN client I get:
# ping6 ftp.ipv6.heanet.ie
PING ftp.ipv6.heanet.ie(ftp.heanet.ie) 56 data bytes
From 2001:470:1f07:a4f::1 icmp_seq=1 Destination unreachable: Address unreachable
From 2001:470:1f07:a4f::1 icmp_seq=2 Destination unreachable: Address unreachable
From 2001:470:1f07:a4f::1 icmp_seq=3 Destination unreachable: Address unreachable
From 2001:470:1f07:a4f::1 icmp_seq=4 Destination unreachable: Address unreachable
From 2001:470:1f07:a4f::1 icmp_seq=5 Destination unreachable: Address unreachable
From 2001:470:1f07:a4f::1 icmp_seq=6 Destination unreachable: Address unreachable
and on the server in /var/log/firewall I get:
Jan 5 07:03:48 curly kernel: [66436.462641] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=sit1 SRC=2001:0470:1f07:0a4f:0000:0000:0000:0044 DST=2001:0470:0000:0063:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP SPT=35998 DPT=80 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A0007C9810000000001030306)
Jan 5 07:05:25 curly kernel: [66533.565799] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=sit1 SRC=2001:0470:1f07:0a4f:0000:0000:0000:0044 DST=2001:0770:0018:aa40:0000:0000:c101:c140 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=55825 SEQ=1
Jan 5 07:05:26 curly kernel: [66534.568206] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=sit1 SRC=2001:0470:1f07:0a4f:0000:0000:0000:0044 DST=2001:0770:0018:aa40:0000:0000:c101:c140 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=55825 SEQ=2
Jan 5 07:05:27 curly kernel: [66535.568225] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=sit1 SRC=2001:0470:1f07:0a4f:0000:0000:0000:0044 DST=2001:0770:0018:aa40:0000:0000:c101:c140 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=55825 SEQ=3
I assume some sort of custom firewall rule needs to be set up or there is some config parameter I missed, but I have no idea what the proper syntax would be. Any help appreciated.

Thanks,
Mike
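
Added example, not part of the original post: a small Python parser for the /var/log/firewall lines quoted above that groups logged packets by log prefix, interface pair and flow, which makes it easy to see that every drop here carries the same prefix and goes from eth0 to sit1. The function names `parse_line` and `summarize` are this example's own; the sample input is the four log lines from the post.

```python
import re
from collections import Counter
from ipaddress import ip_address

# The four log lines quoted in the post above, embedded so this runs offline.
SAMPLE = """\
Jan 5 07:03:48 curly kernel: [66436.462641] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=sit1 SRC=2001:0470:1f07:0a4f:0000:0000:0000:0044 DST=2001:0470:0000:0063:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP SPT=35998 DPT=80 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A0007C9810000000001030306)
Jan 5 07:05:25 curly kernel: [66533.565799] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=sit1 SRC=2001:0470:1f07:0a4f:0000:0000:0000:0044 DST=2001:0770:0018:aa40:0000:0000:c101:c140 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=55825 SEQ=1
Jan 5 07:05:26 curly kernel: [66534.568206] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=sit1 SRC=2001:0470:1f07:0a4f:0000:0000:0000:0044 DST=2001:0770:0018:aa40:0000:0000:c101:c140 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=55825 SEQ=2
Jan 5 07:05:27 curly kernel: [66535.568225] SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=sit1 SRC=2001:0470:1f07:0a4f:0000:0000:0000:0044 DST=2001:0770:0018:aa40:0000:0000:c101:c140 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=55825 SEQ=3
"""

# "<timestamp> host kernel: [uptime] <SFW2 prefix> KEY=VALUE ..."
LINE = re.compile(r"\] (?P<prefix>SFW2-\S+) (?P<rest>.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the fields of one SuSEfirewall2 log line, or None if it is not one."""
    m = LINE.search(line)
    if m is None:
        return None
    rec = dict(FIELD.findall(m.group("rest")))
    rec["prefix"] = m.group("prefix")
    for key in ("SRC", "DST"):
        try:
            # Compress the fully expanded addresses the kernel logs.
            rec[key] = str(ip_address(rec[key]))
        except (KeyError, ValueError):
            rec[key] = rec.get(key, "?")
    return rec


def summarize(text):
    """Count logged packets per (prefix, in, out, src, dst, proto, port-or-type)."""
    flows = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        what = rec.get("DPT") or rec.get("TYPE") or "-"
        flows[(rec["prefix"], rec.get("IN", ""), rec.get("OUT", ""),
               rec["SRC"], rec["DST"], rec.get("PROTO", "?"), what)] += 1
    return flows


if __name__ == "__main__":
    for flow, count in summarize(SAMPLE).most_common():
        print(count, *flow)
```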