Since you are using /60 mask in lan, then the mullvad interface and lan clients are in the same subnet.
Change the lan to ip6assign /64 and try it again.
Or leave it /60 and change the network prefix to fc00:bbbb:bbbb:bb10::1
No, all of them are in the same network.
You know, if it is too complicated just remove the ula_prefix and assign under lan ip6addr fc00:bbbb:bbbb:bb02::1/64 without ip6assign.
Thanks for hand-holding me through this and for all your patience. Much appreciated. I'm a bit bemused as to why IPv4 PBR 'just works', but IPv6 is so tricky. But I'm very grateful to you for getting me to this stage.
I may have missed a trick here. My ISP has given me a /48 PD Prefix. So, I guess I can use that to address clients on my LAN (e.g. /60) and then construct the VPN-PBR from that.
Seems to work: tcpdump shows packets from a client, but still - as per my previous post - no reply (still waiting for Mullvad to reply)
This won't work. The delegated prefix from your ISP is GUA and can only be used from the uplink of your ISP.
Mullvad should drop it because the source IP doesn't belong to them. Even if they don't, the reply will come back from ISP and the firewall of OpenWrt will drop it as invalid.
I was under the impression you were already assigned one. No wonder why it is not working then. You must nat on the mullvad interface and use a neutral ULA prefix for your hosts.
Ah, sincere apologies: it wasn't my intention to give you that impression. I did suspect NAT but couldn't get it to work when I tried. I'll have another go now that I know how to force clients to ignore my ISP's PD.
and then specifying which prefixes get dished-out on which interfaces is enough to direct traffic over my VPN (thanks to NAT66, of course) or WAN.
Inevitably, my stubbornness will probably cause me to try and get it working with PBR at some point; but for now, the outcome has been achieved even if the means weren't as I had planned.
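The two pieces of advice in this thread (a neutral ULA on lan assigned with ip6addr instead of ip6assign, and NAT66 on the mullvad interface) fit together in the OpenWrt configuration below. This is an added example, not a config posted by anyone in the thread: the interface name `mullvad`, the `vpn` zone name, the WireGuard protocol and the `fc00:bbbb:bbbb:bb01::2/128` tunnel address are placeholders, and `masq6` is a firewall4 (OpenWrt 22.03 and later) zone option. The subnet clash the first reply points at is arithmetic: a `/60` such as `fc00:bbbb:bbbb:bb00::/60` spans `bb00` through `bb0f`, so a tunnel address in `fc00:bbbb:bbbb:bb01::/64` lands inside it; a `/64` at `bb02`, or a `/60` moved to `bb10`, does not overlap.

```uci
# /etc/config/network (fragment, added example)

config globals 'globals'
	# ula_prefix removed on purpose: lan gets its ULA directly below,
	# so nothing from the pool (ISP GUA included) is assigned to lan.

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	# Neutral ULA /64 for hosts; no ip6assign, so no overlap with the tunnel /64
	# and no ISP-delegated prefix that Mullvad would reject as foreign-sourced.
	option ip6addr 'fc00:bbbb:bbbb:bb02::1/64'

config interface 'mullvad'
	option proto 'wireguard'            # assumed; use whatever your tunnel actually is
	option private_key 'REPLACE_WITH_YOUR_KEY'
	list addresses '10.64.0.2/32'       # placeholder IPv4 tunnel address
	list addresses 'fc00:bbbb:bbbb:bb01::2/128'   # placeholder IPv6 tunnel address

# /etc/config/firewall (fragment, added example)

config zone
	option name 'vpn'
	list network 'mullvad'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'        # NAT44 for the IPv4 side
	option masq6 '1'       # NAT66: LAN ULA sources rewritten to the tunnel address (fw4 only)
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'vpn'
```

With this in place, replies come back to the tunnel address Mullvad knows rather than to an ISP-owned GUA, which is exactly the path the earlier reply said would be dropped as invalid. Verify after a reload with `tcpdump -ni mullvad ip6` on the router: outbound packets should carry the `fc00:bbbb:bbbb:bb01::2` source, not a host's `bb02::` address or the ISP prefix.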