I've been looking into this for many hours, and finally reached a point where I can't figure out any way to proceed.
I want to be able to ssh to my server from WAN, host a public website, and host semi-public game servers. My ISP has CGNAT, so I'm trying to set up IPv6 on my home network. I've read many threads, and I believe I have all the settings the way they should be. IPv4 works perfectly fine (as well as it can given CGNAT). However, with IPv6, I am unable to ping/traceroute WAN from LAN devices, and I am unable to ping/traceroute from LAN devices to WAN.
Specifically, my setup is WAN -> modem -> router WAN interface (ether1) -> router LAN interface (bridge) -> LAN devices (computers, WAP, etc.). The router (a hEX) obtains an address (xxxx:xxxx:106:dfff:ffff:ffff:ffff:ff3b) and a /60 prefix (xxxx:xxxx:236:fcb0::/60) from my ISP. My LAN devices get addresses from the prefix using SLAAC or DHCPv6 (I tried both, neither made any apparent difference), and the router also self-assigns the default xxxx:xxxx:236:fcb0::1/64 IP from the prefix. LAN devices can ping each other using both their link-local and SLAAC-assigned addresses. LAN devices can also ping the router using both of its IPs, xxxx:xxxx:236:fcb0::1 and xxxx:xxxx:106:dfff:ffff:ffff:ffff:ff3b. The router itself can successfully ping WAN (I always use 2001:4860:4860::8888 to test this).
What doesn't work is that LAN devices cannot ping anything beyond the router. Any ping or traceroute towards 2001:4860:4860::8888 reaches the router (I can see this with the packet sniffer), but then times out beyond that. When I traceroute any address on my network (including both of my router's addresses) using cloud tools like https://tools.keycdn.com/traceroute, it reaches the address xxxx:xxxx:106:dfff:ffff:ffff:ffff:ffcd, but anything beyond that times out. While that address is within the /64 of the router's assigned address, I do not believe that it actually is my router, since I see no activity on the packet sniffer or my firewall.
Speaking of my firewall, I copied some settings made by someone else, but it is explicitly allowing icmpv6. I can see a packet counter on the firewall incrementing as I ping from LAN to WAN, but it's not dropping anything and I don't see any increments when I ping from WAN to LAN.
It would seem that this is an ISP issue and my configuration is not at fault, but I can get IPv6 partially working with another router. I have a Netgear R7000, and when I set its IPv6 to "DHCP" or "Auto Detect" it has the same issues. However, when I set it to "Auto Configure" then it gets two IP addresses, "Router's IPv6 Address On WAN: xxxx:xxxx:106:ff00:3e37:86ff:feb9:578a/50" and "Router's IPv6 Address On LAN xxxx:xxxx:236:fd20:3e37:86ff:feb9:5789/64". In this configuration it seems as if IPv6 works fine, and I can successfully ping/traceroute from LAN to WAN. I cannot go in the other direction, but I believe that is a firewall issue, and that's why I got a MikroTik router—to have a configurable IPv6 firewall.
Any idea why the Netgear works fine, but the MikroTik doesn't? Is it an ISP issue, and the Netgear just works around it somehow? Any tips for IPv6 debugging on RouterOS?
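Added here as a generic RouterOS checklist, not taken from the post above or from MikroTik's documentation: the commands walk the LAN-to-WAN path in the order the symptoms suggest (delegation, default route, LAN /64 and router advertisements, forwarding, forward-chain counters), followed by a minimal IPv6 forward chain that keeps the ICMPv6 allowance the post relies on while dropping unsolicited traffic from the WAN. The interface names ether1 and bridge come from the post; the pool name ipv6-pool and the host address xxxx:xxxx:236:fcb0::a used for the SSH rule are assumptions.

```routeros
# --- Diagnosis: find the first step that does not match the post's description ---

# 1. Did the DHCPv6 client get the /60 and place it in a pool?
/ipv6 dhcp-client print detail
/ipv6 pool print

# 2. Is there a default route out of ether1 (normally via the upstream link-local address)?
/ipv6 route print where dst-address=::/0

# 3. Is a /64 from the pool bound to the bridge with advertise=yes, and is forwarding on?
/ipv6 address print
/ipv6 settings print

# 4. Are router advertisements sent on the bridge (LAN side), not on ether1?
/ipv6 nd print
/ipv6 nd prefix print

# 5. Watch forward-chain counters while a LAN host pings 2001:4860:4860::8888.
#    Counters that do not move at all mean the packet never reached the forward chain
#    (routing or ND problem); a moving drop rule means the firewall is the cause.
/ipv6 firewall filter print stats where chain=forward

# --- Minimal forward chain: rule order matters, first match wins ---
/ipv6 firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="return traffic for LAN-initiated connections"
add chain=forward action=drop connection-state=invalid \
    comment="malformed or untracked"
add chain=forward action=accept protocol=icmpv6 \
    comment="ICMPv6 (ping, traceroute, PMTUD); required for IPv6 to work"
add chain=forward action=accept in-interface=bridge \
    comment="LAN hosts may initiate outbound"
add chain=forward action=accept in-interface=ether1 protocol=tcp dst-port=22 \
    dst-address=xxxx:xxxx:236:fcb0::a \
    comment="SSH to one published host only (assumed address)"
add chain=forward action=drop in-interface=ether1 \
    comment="everything else from WAN into LAN"
```

Until forwarding works, run step 5 with the LAN host pinging in a loop; a rule that matches but is not the one you expect usually shows that the delegated /64 is advertised on the wrong interface or that the bridge address lacks advertise=yes.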