In the IPv4 world you have NAT. It directly protects your internal devices from being accessed from the internet. Even when the device doesn't have a firewall. In IPv6 there is no NAT. So theoretically everyone can access everything. Of course to prevent this you setup the firewall but i don't found a good concept as of now.
I'd like to address this post with a few observations and responses of my own.
First, it is a common misconception that NAT is a security mechanism. While it does limit direct inbound connections from reaching devices from across the Internet, it's not quite the same thing. It's better NOT to think of NAT as a security mechanism. That's the job of packet filtering and of deep packet inspection if you have equipment that performs such tasks (not Mikrotik, unfortunately). The real thing that protects your devices is connection tracking, and the IPv6 firewall in RouterOS performs this function just fine. If your forwarding filters only allow new connections in the outbound direction, then you're in the same situation as you would be with IPv4 NAT.
Now to the questions-
1) see above, but yes, you can trust the IPv6 firewall (as much as you can trust any other packet filtering, more or less)
2) I'm also one of the people who commonly speaks out against the common practice of dropping all ICMP. The idea that making your router "unpingable" increases your security is horribly outdated. Today's malware does not rely on ping scans to determine which IP addresses are alive in order to port scan them. They just port scan every IP address, and with modern botnets, I'm quite certain that many of them do snowshoe scanning (each host:protocol:port is scanned from a different node of the botnet so you never see any sequential hits on a set of ports from the same source). ICMPv6 is more crucial to IPv6 than ICMP was to IPv4 - it broke subtle things whenever you would drop ICMP and breaks even more in IPv6 - notably Path MTU Discovery. IPv6 does not support fragmentation by routers so path mtu discovery is vitally important in IPv6 - I've seen a post or two about which types can be filtered, but I don't really see much real benefit in blocking it anyway.
3) I would say that the Tunngle application would need to be IPv6 aware, but not the old games, which almost certainly use IPX. Tunngle (I'm assuming is pretty much the same as the old Kali client from back in the day) is essentially just EoIP, and the outer packets are the only things that would need to be able to use IPv6 to reach other IPv6 hosts. As for the "port forwarding" aspect, you obviously won't need to set up NAT pinholes, but you will need to allow the port in your firewall's forwarding chain - either to your PC's address, or to the LAN in general if you don't care.
As for the three IPv6 addresses on your computer, here's how those work:
FE80:: is link-local, meaning that it cannot be forarded through routers. Every network segment with IPv6 on it will have a link-local address. IPv6-aware hosts can talk to each other over the LAN using each-other's link-local address, even if you never assign any routable (global scope) IPv6 addresses. These are the same as 169.254.x.x IPv4 addresses.
The two global-scope addresses are going to be the EUI-64 address and the privacy address.If you look at the two addresses, I'm sure that you'll find that one of them has the last 4 groups in a pattern of xxxx:xxFF:FExx:xxxx - this is the EUI-64 address, and it's not randomly generated. The xxxx:xx xx:xxxx portion will be your MAC address (well, the second nibble will be slightly different, but that's getting off into the technical weeds). The other IPv6 address is your computer's privacy address.
When you surf the IPv6 internet, your computer will use the privacy address as its source IPv6 address. If you want to receive inbound connections from the Internet at your computer, you should give out the EUI-64 address, as that will not change - well, the second half of it won't. The first half changes if your ISP assigns dynamic prefixes.
Now, as this pertains to Tunngle, I took a peek at the Tunngle forums and it appears that not only does it not support IPv6 but that the developer doesn't consider it a priority, and many users report that Tunngle actually breaks their IPv6 connectivity when active - so be advised of that.