OpenWRT + Pihole + Cloudflare DNS over TLS & ipv6 woes

Hello, so just put OpenWRT on my router to try and get my network set up the way I want it. This all started when I set up a pihole to block ads on the network, I had a hell of a time getting certain devices on my network to actually go through the pihole, all my problems seemed to surround some strange ipv6 DNS/DHCP server my cable modem was handing out. I thought I had fixed it by changing my linksys router to connect to ipv6 via passthrough, but all that did was nuke my ipv6 connection to the Internet.

I found out I could use openWRT on my router (I had used DD-WRT a few years ago), and figured surely I'd be able to fix it with that. But it just seemed to complicate things and now most of my devices bypass the pihole now in favor of that stupid ipv6 DNS the cable modem is handing out.

I've got my own SB6190 cable modem, and there are zero configuration settings for any DNS/DHCP server, but I know it's handing them out on the ipv6 side because when I lookup the DNS servers my devices get, they belong to my ISP.

I've tried quite a few things, at one point I was able to set up DNS over TLS with Cloudflare via dnsmasq + stubby, but the pihole was still left out. I eventually gave up on DNS over TLS, but no matter what I try I can't get my devices to stop connecting to other DNS servers.

I used Method 2 here: https://discourse.pi-hole.net/t/how-do-i-configure-my-devices-to-use-pi-hole-as-their-dns-server/245 to set up my pihole, without changing any other settings I try pinging heartbeat.belkin.com (which I specifically blacklisted) and some devices still go through.

It all seems to be related to what I can only guess is my fundamental misunderstanding of how ipv6 works. ipv4 is pretty straightforward to me, router advertises my pihole IP, pihole blocks ads, forwards to the DNS servers specified on the WAN interface. When I have ipv6 disabled, it works perfectly, but that's not an option for me, I don't want to just turn something off because I don't understand it.

I've tried specifying the ipv6 address of the pihole and that didn't work, even specifying Cloudflare's ipv6 DNS doesn't work, my devices still get the ISP dns.

My only thought at this point would be to block all DNS requests on the router via iptables except those to my pihole. But I'm not sure how I would set that up.

Basically I need to have my devices go to the pihole first, and then have the pihole forward to Cloudflare, ideally over TLS, and without nuking ipv6 internet access. Anything else requested over port 53 gets blocked & forces my devices to use the pihole.

If anyone has set something up similar or has any tips, let me know. If I'm successful I'd like to do a write-up for everyone's benefit. Also, if you have any resources on how to understand iptables & ipv6 I'd appreciate that as well.