Remove
option src_port '53'
from the DNS rule.
Is that for hijacking DNS queries in IPv6? You'll also need to masquerade, otherwise the hosts might disregard the answer coming from a different source.
Here are my firewall rules for IPv6 on guest:
# you have this one already.
config rule
    option target 'ACCEPT'
    option proto 'udp'
    option family 'ipv6'
    option src 'guest'
    option src_port '546'
    option dest_port '547'
    option name 'Allow-guest-DHCP-IPv6'

# you can omit this since you already have a rule to allow DNS to the router.
config rule
    option target 'ACCEPT'
    option src 'guest'
    option family 'ipv6'
    option dest_port '53'
    option proto 'udp'
    option dest 'lan'
    option name 'Allow-guest-NS-IPv6'
    list dest_ip 'fd00:bbbb::c78'

config rule
    option src 'guest'
    option name 'Allow-guest-ICMP6'
    option family 'ipv6'
    option limit '1000/sec'
    option target 'ACCEPT'
    list proto 'icmp'
    list icmp_type 'echo-reply'
    list icmp_type 'echo-request'
    list icmp_type 'neighbour-advertisement'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'port-unreachable'
    list icmp_type 'protocol-unreachable'
    list icmp_type 'router-solicitation'
    list icmp_type 'time-exceeded'
    option limit_burst '100'
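
An added example, not part of the post above: a small Python check for the first point in the reply, flagging rules to port 53 that also pin a source port (DNS clients normally query from ephemeral source ports, so such a rule does not match them). The sample config and the rule name Allow-guest-DNS are constructed, and the parser is an assumption that handles only plain `option`/`list` lines with single port values.

```python
import shlex

# Constructed sample in the layout of /etc/config/firewall (not the poster's full config).
SAMPLE = """
config rule
    option name 'Allow-guest-DNS'
    option src 'guest'
    option proto 'udp'
    option src_port '53'
    option dest_port '53'
    option target 'ACCEPT'

config rule
    option name 'Allow-guest-DHCP-IPv6'
    option src 'guest'
    option proto 'udp'
    option family 'ipv6'
    option src_port '546'
    option dest_port '547'
    option target 'ACCEPT'
"""

def parse_rules(text):
    """Return each 'config rule' section as a dict; 'list' entries become lists."""
    rules, current = [], None
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # strips quotes and '#' comments
        if not tokens:
            continue
        if tokens[0] == "config":
            # Only 'rule' sections are collected; other section types are skipped.
            current = {} if tokens[1:2] == ["rule"] else None
            if current is not None:
                rules.append(current)
        elif current is not None and len(tokens) >= 3:
            if tokens[0] == "option":
                current[tokens[1]] = tokens[2]
            elif tokens[0] == "list":
                current.setdefault(tokens[1], []).append(tokens[2])
    return rules

def dns_rules_pinning_source_port(rules):
    """Names of rules to destination port 53 that also require a fixed source port."""
    return [r.get("name", "<unnamed>") for r in rules
            if r.get("dest_port") == "53" and "src_port" in r]

if __name__ == "__main__":
    for name in dns_rules_pinning_source_port(parse_rules(SAMPLE)):
        print(f"{name}: src_port set on a DNS rule; remove it so client queries match")
```

The DHCPv6 rule is not flagged: its fixed client port 546 is part of that protocol, unlike DNS.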