Firewall blocking DHCPv6 requests

I have multiple VLANs configured on my home network. The "Admin" VLAN has full access to the OpenWRT router, while the "lan" VLAN only has the ports it needs open, e.g. for DHCP and DNS requests.

When my computer is on the "Admin" VLAN, it can get a DHCPv6 lease without any issue. When it is on the "lan" VLAN, all DHCPv6 requests time out. (DHCPv4 requests work fine.) I have to assume something is wrong with my firewall configuration, but exactly what that is eludes me.

Thanks for your help! (Everything below consists of config files.)

Relevant sections of /etc/config/network:

# /etc/config/network (excerpt): two downstream bridges on separate 802.1Q
# VLANs of eth1, plus a dual-stack uplink on eth0.1.
config interface 'admin'
	option type 'bridge'
	# NOTE(review): tap0 is bridged straight into the admin segment, so whatever
	# terminates on tap0 inherits the admin zone's full access to the router
	# (see the firewall 'admin' zone) -- confirm that is intended.
	option ifname 'eth1.10 tap0'
	option proto 'static'
	option ipaddr '192.168.101.1'
	option netmask '255.255.255.0'
	# Hand this bridge a /64 out of the prefix delegated on wan6
	option ip6assign '64'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.11'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	# Separate /64 from the same delegated prefix
	option ip6assign '64'

config interface 'wan'
	option ifname 'eth0.1'
	option proto 'dhcp'

# IPv6 side of the uplink: DHCPv6 client requesting a /56 to delegate from
config interface 'wan6'
	option ifname 'eth0.1'
	option proto 'dhcpv6'
	option reqprefix 56

# Switch VLANs. A trailing 't' marks a tagged port; ports 3, 4 and 6 carry both
# the admin and lan VLANs, so admin/lan separation on those ports rests on the
# VLAN tags.
# WAN
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '5 0t'

# Admin
config switch_vlan
	option device 'switch0'
	option vlan '10'
	option ports '1 3t 4t 6t'

# lan
config switch_vlan
	option device 'switch0'
	option vlan '11'
	option ports '2 3t 4t 6t'

Relevant sections of /etc/config/dhcp:

# /etc/config/dhcp (excerpt). Both downstream interfaces get DHCPv6 and router
# advertisements from odhcpd. RAs and the clients' router solicitations are
# ICMPv6, so the firewall has to admit ICMPv6 from a zone before IPv6
# autoconfiguration / DHCPv6 can complete there (see the replies further down).
config dhcp 'admin'
	option interface 'admin'
	option start '100'
	option limit '100'
	option leasetime '12h'
	# odhcpd answers DHCPv6 (UDP 547) on this interface
	option dhcpv6 'server'
	# odhcpd sends router advertisements (ICMPv6) on this interface
	option ra 'server'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	# same DHCPv6 + RA service as admin; the firewall decides what reaches it
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	# never serve DHCP towards the uplink
	option ignore '1'

config odhcpd 'odhcpd'
	# odhcpd is not the DHCPv4 server (presumably dnsmasq keeps that role)
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	# syslog priority threshold; presumably 4 = warning -- verify against odhcpd docs
	option loglevel '4'

Relevant sections of /etc/config/firewall:

# /etc/config/firewall (excerpt): zones and inter-zone forwarding.
config defaults
	option syn_flood	1
	# Policy for traffic on interfaces that belong to no zone; the per-zone
	# settings below override it for admin, lan and wan.
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

# admin: full access to the router itself (input ACCEPT), as described above
config zone
	option name		admin
	list   network		'admin'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT
#	option conntrack	1

# lan: input REJECT means only the explicit 'config rule' entries reach the
# router. That policy also covers ICMPv6 (router solicitations, neighbour
# discovery), which none of the lan rules in this excerpt admit.
config zone
	option name		lan
	list   network		'lan'
#	option conntrack	'1'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	# masquerade outbound traffic and clamp TCP MSS to the path MTU
	option masq		1
	option mtu_fix		1

# admin may initiate towards wan and lan; lan only towards wan. Nothing lets
# lan initiate into admin, which is what keeps the two segments apart.
config forwarding
	option src		admin
	option dest		wan

config forwarding
	option src		admin
	option dest		lan

config forwarding
	option src		lan
	option dest		wan

# Router-input exceptions for the lan zone. Note that nothing here admits
# ICMPv6 from lan, so router solicitations never reach odhcpd and clients get
# no RA -- the cause identified further down the thread.
config rule
	option name		Allow-lan-DHCP
	option src		'lan'
	option src_port		'67-68'
	option dest_port	'67-68'
	option proto		'udp'
	option family		'ipv4'
	option target		'ACCEPT'

config rule
	option name		Allow-lan-DHCPv6
	option src		'lan'
	# DHCPv6 server port. The Solicit/Request itself is admitted, but clients
	# generally only start DHCPv6 after an RA (ICMPv6) tells them to, and RS/RA
	# are not allowed from lan by any rule in this excerpt.
	option dest_port	'547'
	option proto		'udp'
	option family		'ipv6'
	option target		'ACCEPT'

config rule
	option name		Allow-lan-DNS
	option src		'lan'
	option dest_port	'53'
	option proto		'tcp udp'
	# no family option: applies to both IPv4 and IPv6
	option target		'ACCEPT'

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
# (port 546 is the router's own DHCPv6 client side for wan6; the stock
# Allow-ICMPv6-Input rule for wan is not shown in this excerpt)
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
#	option src_ip		fc00::/6
#	option dest_ip		fc00::/6
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

This:

You haven't yet allowed ICMPv6 on lan. That's all I see thus far. ICMPv6 is required (router advertisements and neighbour discovery are ICMPv6, and DHCPv6 depends on them).

# Proposed fix: admit all ICMPv6 from the lan zone into the router.
config rule
        option name 'LAN-Allow-ICMPv6-Input'
        option src 'lan'
        # combined with family ipv6 this matches ICMPv6; the poster reports
        # below that the family option was needed for the rule to take effect
        option proto 'icmp'
        option family 'ipv6'
        option target 'ACCEPT'

Check what is allowed on the wan interface in terms of IPv6 and allow at least the same on lan.
Also, the IPv6 forwarding from wan to lan needs to be replicated for the other interfaces.


Here's one I edited from OpenWrt default - I just usually allow all ICMPv6 on local-facing VLANs:

# Narrower variant: only the ICMPv6 types needed for neighbour discovery,
# router solicitation/advertisement and path/error signalling, rate-limited.
# echo-request is not in the list, so this rule alone does not let lan hosts
# ping6 the router.
config rule
        option name 'New_Allow-ICMPv6-Input'
        option src 'lan'
        option proto 'icmp'
        # rate limit on matched packets
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        # neighbour discovery (NS/NA) and router discovery (RS/RA): without
        # these IPv6 autoconfiguration and DHCPv6 cannot start
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'

@lleachii it seems you were correct: I enabled logging for the lan firewall zone and it was ICMP packets getting rejected.

Surprisingly, family ipv6 does seem to be required in order to actually allow ICMPv6 traffic -- even though the default is supposed to be any and allow both.

I'm not sure what you mean here. You changed your firewall input rule to reject.

If you mean RA (which needs ICMPv6), that is required. In fact, Android devices do not use DHCPv6 at all; of the two mechanisms, DHCPv6 is the optional one.

Yeah, reading my message again it's pretty unclear. Sorry about that. What I meant was that at first I tried a rule to allow all ICMP traffic from lan, and omitted the family option so as to allow both ICMPv4 and ICMPv6 traffic. I found that this still blocked ICMPv6 for some reason, even though the documentation says that the default for family is any, i.e. both IPv4 and IPv6. I had to specify family ipv6 to get the rule to actually allow ICMPv6 packets through.
