Maybe try some rules like this in your /etc/config/firewall file?
config rule
	option name 'Allow-GUEST-DHCP6'
	option family 'ipv6'
	list proto 'udp'
	option src 'guest'
	option dest_port '547'
	option target 'ACCEPT'

config rule
	option name 'Allow-GUEST-ICMP-Input'
	option src 'guest'
	option proto 'icmp'
	option target 'ACCEPT'
	option family 'ipv6'
Obviously tailor the src to your actual interface names, but basically allow those two types of traffic from each of your lan/guest/iot zones to your OpenWrt device.
I would think you would want to put your WAN6* interfaces back into your WAN zone for security, though.
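One way to check the zone placement suggested above, as an added example that is not part of the original thread: it parses a UCI firewall file and reports which zone each named network belongs to. The network names wan6 and wan6b and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Network names and config are constructed.

# zone_map FILE: print "network zone" pairs from the zone sections of a UCI firewall file.
zone_map() {
    awk -v q="'" '
        function unq(s) { gsub(q, "", s); gsub(/"/, "", s); return s }
        function flush(   i) {
            if (is_zone) for (i = 1; i <= n; i++) print nets[i], zone
            n = 0; zone = ""; is_zone = 0
        }
        $1 == "config" { flush(); is_zone = (unq($2) == "zone"); next }
        is_zone && $2 == "name" { zone = unq($3) }
        # handles both: option network "a b"  and repeated: list network "a"
        is_zone && $2 == "network" { for (i = 3; i <= NF; i++) nets[++n] = unq($i) }
        END { flush() }
    ' "$1"
}

# wan6_zone_report FILE NET...: print each NET with its zone, or UNZONED if in none.
wan6_zone_report() {
    cfg=$1; shift
    map=$(zone_map "$cfg")
    for net in "$@"; do
        zone=$(printf '%s\n' "$map" | awk -v n="$net" '$1 == n { print $2; exit }')
        printf '%s %s\n' "$net" "${zone:-UNZONED}"
    done
}

# wan6_all_in_wan FILE NET...: return 0 only if every NET is in the zone named "wan".
wan6_all_in_wan() {
    wan6_zone_report "$@" | awk '$2 != "wan" { bad = 1 } END { exit bad }'
}

# Constructed sample: wan6b has been placed in the lan zone by mistake.
sample_config() {
    cat <<'EOF'
config zone
    option name 'lan'
    list network 'lan'
    list network 'wan6b'
    option input 'ACCEPT'

config zone
    option name 'wan'
    option network 'wan wan6'
    option input 'REJECT'
EOF
}

tmp=$(mktemp); sample_config > "$tmp"
wan6_zone_report "$tmp" wan6 wan6b
rm -f "$tmp"
```

On a router, pass /etc/config/firewall as the file and the WAN6* interface names from /etc/config/network as the remaining arguments.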
Success! All I basically needed was to put all the WAN6* interfaces on the wan firewall zone. The link-local gateway does work on my lan subnet, but isn't returning pings for some unknown reason I can't figure out yet.
When pinging the gateway LL address, make sure you include % + the interface by which you intend to reach that LL gateway. For example, when pinging my LL gateway I have to append %en0 to the gateway's address, where en0 is my MacBook's WiFi interface that connects me to my gateway:
❯ ping6 fe80::92e2:baff:fexx:yyzz%en0
PING6(56=40+8+8 bytes) fe80::cf4:7aff:45c7:2690%en0 --> fe80::92e2:baff:fexx:yyzz%en0
16 bytes from fe80::92e2:baff:fexx:yyzz%en0, icmp_seq=0 hlim=64 time=43.681 ms
16 bytes from fe80::92e2:baff:fexx:yyzz%en0, icmp_seq=1 hlim=64 time=103.636 ms
16 bytes from fe80::92e2:baff:fexx:yyzz%en0, icmp_seq=2 hlim=64 time=1.738 ms
16 bytes from fe80::92e2:baff:fexx:yyzz%en0, icmp_seq=3 hlim=64 time=1.751 ms
16 bytes from fe80::92e2:baff:fexx:yyzz%en0, icmp_seq=4 hlim=64 time=1.515 ms
16 bytes from fe80::92e2:baff:fexx:yyzz%en0, icmp_seq=5 hlim=64 time=8.265 ms
16 bytes from fe80::92e2:baff:fexx:yyzz%en0, icmp_seq=6 hlim=64 time=1.761 ms
...
Alternately, if your ping6 command includes the -I option, you can use it instead:
❯ ping6 -I en0 fe80::92e2:baff:fexx:yyzz
PING6(56=40+8+8 bytes) fe80::cf4:7aff:45c7:2690%en0 --> fe80::92e2:baff:fexx:yyzz
16 bytes from fe80::92e2:baff:fexx:yyzz%en0, icmp_seq=0 hlim=64 time=1.572 ms
16 bytes from fe80::92e2:baff:fexx:yyzz%en0, icmp_seq=1 hlim=64 time=1.825 ms
16 bytes from fe80::92e2:baff:fexx:yyzz%en0, icmp_seq=2 hlim=64 time=2.402 ms
16 bytes from fe80::92e2:baff:fexx:yyzz%en0, icmp_seq=3 hlim=64 time=2.746 ms
16 bytes from fe80::92e2:baff:fexx:yyzz%en0, icmp_seq=4 hlim=64 time=2.132 ms
16 bytes from fe80::92e2:baff:fexx:yyzz%en0, icmp_seq=5 hlim=64 time=2.907 ms
...
Don't feel dumb! When I don't get into the lower levels of IPv6 often, I forget about that aspect of the link-local address.
So glad it's working for you! Are there any outstanding issues with this that you are still working through or have we just reached a fully working solution?