16again wrote: Judging from the capture, it's not a RST but an ACK package.
My guess is it's probably caused by the load-balancer at the Facebook site, and the webserver behind it, not teaming up nicely on a closed connection.
Something along those lines is probably a good guess. I've seen cases of Facebook replying back to some traffic with RFC 1918 source IPs on IPv4. The same or similar root cause with IPv6 would be a source IP coming back that doesn't match the destination IP of the request that went out, which wouldn't match the ER's state table and hence be dropped as shown.
Adding logging on your LAN IN rules that pass the v6 traffic, then seeing whether you actually initiated a connection outbound to the IP in question, would confirm or deny that.
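One way to run the check suggested above, as an added example that is not part of the original posts: correlate the logged outbound passes with the logged inbound drops and see whether each dropped packet answers a connection that was actually initiated. The log lines are constructed in netfilter LOG style, and the rule-set names `LAN6_IN` / `WAN6_IN` and the 2001:db8:: addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample lines in netfilter LOG style; the rule-set names
# LAN6_IN / WAN6_IN and all addresses (2001:db8::/32) are assumptions.
SAMPLE_LOG = """\
[LAN6_IN-10-A]IN=eth1 OUT=eth0 SRC=2001:db8:1::10 DST=2001:db8:f::1 PROTO=TCP SPT=51000 DPT=443 SYN
[LAN6_IN-10-A]IN=eth1 OUT=eth0 SRC=2001:db8:1::10 DST=2001:db8:f::2 PROTO=TCP SPT=51001 DPT=443 SYN
[WAN6_IN-default-D]IN=eth0 OUT=eth1 SRC=2001:db8:f::1 DST=2001:db8:1::10 PROTO=TCP SPT=443 DPT=51000 ACK
[WAN6_IN-default-D]IN=eth0 OUT=eth1 SRC=2001:db8:f::99 DST=2001:db8:1::10 PROTO=TCP SPT=443 DPT=51001 ACK
[WAN6_IN-default-D]IN=eth0 OUT=eth1 SRC=2001:db8:e::5 DST=2001:db8:1::10 PROTO=TCP SPT=443 DPT=40000 ACK
"""

LINE = re.compile(r"\[(?P<rule>[^\]]+)\].*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                  r".*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

def classify_drops(log_text, out_prefix="LAN6_IN", drop_prefix="WAN6_IN"):
    """Return [(remote_ip, verdict)] for each dropped inbound packet."""
    exact, by_ports = set(), set()   # outbound flows seen so far
    results = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        # ipaddress normalises different textual forms of the same address
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        spt, dpt = int(m["spt"]), int(m["dpt"])
        if m["rule"].startswith(out_prefix):
            exact.add((src, spt, dst, dpt))
            by_ports.add((src, spt, dpt))
        elif m["rule"].startswith(drop_prefix):
            if (dst, dpt, src, spt) in exact:
                verdict = "initiated"        # exact reverse of a logged outbound flow
            elif (dst, dpt, spt) in by_ports:
                verdict = "source-mismatch"  # ports match, remote IP was never contacted
            else:
                verdict = "no-outbound"      # nothing outbound corresponds to it
            results.append((str(src), verdict))
    return results

if __name__ == "__main__":
    for remote, verdict in classify_drops(SAMPLE_LOG):
        print(remote, verdict)
```

An "initiated" verdict means the dropped packet belongs to a connection the LAN host opened to that IP; "source-mismatch" means the ports line up with an outbound flow but the reply came from an address that was never the destination.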