Setting up ipv6 with dhcp6

I've been using OpenWrt for several years on my WNDR3800 router. It's time to enable ipv6 finally.
Using the LuCI gui, I created a "WAN6" interface as a DHCP6 client (I'm using RCN in Boston, I should have ipv6), let it update the network and firewall, and rebooted, but I still get ping failure with "permission denied". I'm guessing I need to configure something further, but not sure what.

root@OpenWrt:~# ping -c 5 ipv6.google.com -6
PING ipv6.google.com (2607:f8b0:4006:81a::200e): 56 data bytes
ping: sendto: Permission denied

I do have a valid ipv6 addr on eth1:

root@OpenWrt:~# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 20:4E:7F:74:44:42
          inet addr:209.6.xx.yy  Bcast:209.6.xx.255  Mask:255.255.248.0
          inet6 addr: fe80::224e:7fff:xxxx:yyyy/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:83091 errors:0 dropped:0 overruns:0 frame:0
          TX packets:57592 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:22614412 (21.5 MiB)  TX bytes:15222725 (14.5 MiB)
          Interrupt:5

Here's my /etc/config/network:

# Loopback interface with the static address 127.0.0.1/255.0.0.0.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# LAN: a bridge with the static address 192.168.0.1/255.255.255.0.
config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.0.1'
        option dns '8.8.8.8 8.8.4.4 208.59.247.45'
        # NOTE(review): the _orig_* options look like values kept by the GUI
        # from an earlier layout - confirm before relying on them.
        option _orig_ifname 'eth0.1 wlan0 wlan1'
        option _orig_bridge 'true'
        # Bridge members. Only VLAN 1 is defined in the switch_vlan section of
        # this file; eth0.2 and eth0.3 have no matching section here.
        option ifname 'eth0.1 eth0.2 eth0.3'

# IPv4 uplink: DHCP client on eth1.
config interface 'wan'
        option ifname 'eth1'
        option _orig_ifname 'eth1'
        option _orig_bridge 'false'
        option proto 'dhcp'

# Settings for the switch named 'rtl8366s', with VLAN handling enabled.
config switch
        option name 'rtl8366s'
        option reset '1'
        option enable_vlan '1'
        option blinkrate '2'

# VLAN 1 on that switch: ports 0-3 plus port 5 tagged ('5t').
# NOTE(review): port 5 is presumably the CPU port - confirm for this board.
config switch_vlan
        option device 'rtl8366s'
        option vlan '1'
        option ports '0 1 2 3 5t'

# Per-port LED settings for switch ports 1, 2 and 5.
config switch_port
        option device 'rtl8366s'
        option port '1'
        option led '6'

config switch_port
        option device 'rtl8366s'
        option port '2'
        option led '9'

config switch_port
        option device 'rtl8366s'
        option port '5'
        option led '2'

# IPv6 uplink: DHCPv6 client on eth1, the same device as 'wan'.
# reqaddress 'try' asks for an address without requiring one; reqprefix 'auto'
# asks for a delegated prefix. Both depend on the ISP answering DHCPv6 on this
# link; the ifconfig output for eth1 on this page shows only a link-local
# (fe80::, Scope:Link) address, i.e. no global address was assigned.
config interface 'WAN6'
        option ifname 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

Here's my /etc/config/firewall:

root@OpenWrt:~# cat /etc/config/firewall

# Global default policies.
# NOTE(review): these presumably apply to traffic that matches no zone; input
# is ACCEPT here, so confirm every interface is assigned to a zone.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# LAN zone: traffic to and from the router is accepted; forwarding out of the
# zone is rejected unless a 'forwarding' section allows it.
config zone
        option name 'lan'
        option network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# WAN zone: input and forwarding are rejected by default, so only the rule and
# redirect sections of this file open exceptions.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        # Masquerading (NAT) and MSS clamping for traffic leaving this zone.
        option masq '1'
        option mtu_fix '1'
        # Both the IPv4 uplink and the DHCPv6 interface are in this zone, so
        # the family 'ipv6' rules with src 'wan' also cover WAN6.
        option network 'wan WAN6'

# LAN hosts may forward to WAN. This listing has no wan -> lan forwarding
# section, so inbound flows depend on the rule and redirect sections.
config forwarding
        option src 'lan'
        option dest 'wan'

# Accepts IPv4 UDP to port 68 arriving from wan (DHCP client traffic).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Accepts IPv4 ICMP echo requests from wan, so the router answers ping from
# the internet side.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# Accepts DHCPv6 replies (UDP source port 547 to destination port 546) only
# when both source and destination are inside fe80::/10.
# NOTE(review): a reply sent from a non-link-local server address would not
# match this rule - confirm against what the upstream actually sends.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 types accepted on the router itself from wan, limited to 1000/sec.
# The list contains router-solicitation and neighbour-solicitation but neither
# router-advertisement nor neighbour-advertisement.
# NOTE(review): if the upstream announces the default route via router
# advertisements, check that those are admitted some other way; with the wan
# zone's input policy of REJECT they are not matched by this rule.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 types forwarded from wan to any zone (dest '*'), limited to 1000/sec.
# echo-request is in the list, so hosts behind the router answer IPv6 ping
# from the internet once they hold global addresses.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Pulls in extra rules from /etc/firewall.user. That file is not shown on this
# page, so the effective ruleset may differ from what is listed here.
config include
        option path '/etc/firewall.user'

# Port forwards (DNAT) from wan to hosts on 192.168.0.x. None of the redirect
# sections sets 'option src_ip', so each external port accepts connections from
# any source on the internet. Limiting the source with src_ip, or reaching the
# services over a VPN instead, narrows that exposure.

# wan tcp/222 -> 192.168.0.142:22 (SSH, per the section name).
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_port '22'
        option src_dport '222'
        option name 'SSH to minipc (internal)'
        option dest_ip '192.168.0.142'

# wan tcp/8000 -> 192.168.0.192:80 (camera, per the section name).
# NOTE(review): port 80 is presumably the camera's unencrypted web interface -
# confirm, and check its authentication and firmware state.
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8000'
        option dest_ip '192.168.0.192'
        option dest_port '80'
        option name 'IP camera1'

# wan tcp/4040 -> 192.168.0.10:4040.
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_port '4040'
        option name 'Madsonic on FreeNAS jail'
        option src_dport '4040'
        option dest_ip '192.168.0.124'

# wan tcp/33890 -> 192.168.0.124:3389 (RDP, per the section name). The
# non-standard external port does not hide the service from port scans.
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '33890'
        option dest_ip '192.168.0.124'
        option dest_port '3389'
        option name 'Tower1 RDP'

As a starting point I'd check with your ISP whether they support IPv6 and, if so, what prefix length they allocate to end users.


I was pretty sure RCN would support ipv6 by now... but I just asked them and they do not. Wow. Oh well. Maybe I need to look into some kind of gateway/tunnel -- is "6to4" like this a good way to go? Or is it best to just give up for now?

I would look at 6in4, rather than 6to4. The easiest way to get going is to use www.tunnelbroker.net. Just be aware that, as a free service, it may not be as fast as your current internet.
