My IPv6 address uses an EUI-64 fixed suffix. How do I allow the fixed-suffix IP address in the firewall?
You use a negative netmask. You can also set a static IPv6 lease so that you do not have to work with the SLAAC address, but doing something like list dest_ip '::EUI-64 fixed/-64' also works.
Negative netmask: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_ipv6_examples#dynamic_prefix_forwarding
My own IPv6 "forwarding" to my VPN router:
config rule
    option name 'wg-server6-6'
    list proto 'udp'
    option src 'wan'
    option dest 'lan'
    option dest_port '51810'
    option target 'ACCEPT'
    option family 'ipv6'
    list dest_ip '::6/-64'
The used static lease:
config host
    option dns '1'
    option name 'EA8500'
    option mac 'C0:56:27:XX:XX:XX'
    option ip '192.168.0.6'
    option leasetime '6h'
    option duid '00030001c052345455f'
    option hostid '06'
Note: IPv6 "forwarding" is just opening up the firewall for the port and destination address.
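How the negative netmask in the answer above selects a host, as an added example that is not part of the original post or of OpenWrt's code: it models `/-64` as a mask over the low 64 bits, and derives the EUI-64 suffix for a `dest_ip` entry from a MAC. The MAC and the 2001:db8:: documentation prefixes are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) from a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe in the middle.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def dest_ip_for_mac(mac: str) -> str:
    """Value for 'list dest_ip' that follows the host across prefix changes."""
    return f"{ipaddress.IPv6Address(eui64_interface_id(mac))}/-64"

def parse_suffix_rule(spec: str):
    """Split 'addr/-N' into (value, mask); the mask covers the LOW N bits."""
    addr, _, length = spec.partition("/")
    bits = int(length)
    if not -128 <= bits < 0:
        raise ValueError("not a negative netmask: " + spec)
    mask = (1 << -bits) - 1
    return int(ipaddress.IPv6Address(addr)) & mask, mask

def rule_matches(spec: str, dest: str) -> bool:
    """True if dest has the suffix named by spec, whatever its prefix is."""
    value, mask = parse_suffix_rule(spec)
    return int(ipaddress.IPv6Address(dest)) & mask == value

if __name__ == "__main__":
    # Constructed MAC; the lease in the post yields the ::6 suffix via hostid '06'.
    print(dest_ip_for_mac("00:11:22:33:44:55"))
    for dest in ("2001:db8:1:2::6",       # current delegated prefix
                 "2001:db8:ffff:9::6",    # after the ISP changes the prefix
                 "2001:db8:1:2::7",       # different host
                 "2001:db8:1:2:0:1:0:6"): # low 16 bits match, low 64 do not
        print(dest, rule_matches("::6/-64", dest))
```

Because the match ignores the upper 64 bits entirely, the `option dest 'lan'` zone in the rule is what keeps it from applying to the same suffix elsewhere.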