Please help to set up IPv6 firewall

My ISP is providing dual-stack. I am connecting to internet via ISP's optic router (GPON).
Router assigns internal IPv4 adresses to subnet and delegates a IPv6 subnet of /64.
I do not trust ISP's equipment and separate it's network from my devices using
Asus RT-N16 router under OpenWRT 18.06.2

To summarize:
[ISP infrastructure]
[ISP router]
[16 ports gigabit switch]
(my home subnet)

ISP router has it's web-interface but it is rather informative than administrative
(dispite access user is named 'admin')
It's info can be summarized as follows:

It received these adresses from ISP infrastructure: default route via

Local network is configured as with ISP's router ip .254

Now to the OpenWRT part.
IPv4 part is working like a charm, my home subnet is, NATed by OpenWRT.

RT-N16 is delegated with a /64 prefix and assigns these addresses:
2a00:1370:811b:af67:xxxx:xxxx:xxxx:367d/128 to eth0.1 (wan6) interface
2a00:1370:811b:af67::1/64 to br-lan interface

I've configured wan6 interface and dhcp options as SLAAC alone, using this guide:

I'm running a bunch of Archlinux machines on home subnet, they all assign
adresses like 2a00:1370:811b:af67:xxxx:xxxx:xxxx:xxxx/64

But I can't access IPv6 resources from any machine in my subnet (including
OpenWRT router). ping -6 does not work, even from router.

machines on subnet can not ping router, no pings from router to local machines either.

Surprisingly, machines can ping6 each other using global IPv6 adresses. They are all connected to 16-port gigabit switch.

I think problem is somewhere in firewall/ip6tables, but can't figure out how to fix it.

Here are my configs:

I don't understand why an IPv6 from your lan prefix is used on the wan6 interface when you aren't using RA/NDP relays. Using a lan address on the wan6 interface doesn't make sense. Has the ISP router delegated the same /64 prefix which it is using on its lan interface?

I do not understand either. This configuration is picked up automatically.
Sadly, ISP router does not report prefix lengths.
I've checked my neighbor's config. He is using a similar setup (his own router between lan and ISP), but has IPv6 on his home router disabled.
His ISP router reports this:

IPv6 Address       2a00:1370:801f:zzzz:xxxx:8fff:xxxx:f2fe
IPv6 Local Address fe80:0000:0000:0000:xxxx:8fff:xxxx:f2fe
IPv6 Gateway       fe80:0000:0000:0000:yyyy:dbff:yyyy:7800

My ISP router reports this:

IPv6 Address       2a00:1370:801b:zzzz:xxxx:0cff:xxxx:1ea9
IPv6 Local Address fe80:0000:0000:0000:xxxx:0cff:xxxx:1ea9
IPv6 Gateway       fe80:0000:0000:0000:yyyy:dbff:yyyy:4000

ISP routers do not report masks or prefix lengths. I've added zeroes for readability.
I'll try to plug some of my boxes to ISP router directly, not via OpenWRT. But this will take some time.

I've connected one of my boxes directly to ISP router.
It received these adresses (output form ip addr)

inet6 2a00:1370:811b:af67:xxxx:xxxx:xxxx:4884/128 scope global dynamic noprefixroute
inet6 2a00:1370:811b:af67:yyyy:yyyy:yyyy:bdb4/64 scope global dynamic mngtmpaddr noprefixroute

And IPv6 is working. I can ping tells I'm using that ...:4884/128 address.

The problem is definitely on the OpenWRT side.
I blame default firewall rules.

Default firewall rules are not to blame in my opinion. Your router of your ISP doesn't delegate a prefix to the RT, so you need to relay instead of being server. Check within the same tutorial page you used.