I didn’t touch firewall, and in Luci it seems forward is allowed. Unfortunately I don’t have deep knowledge to read iptables rules, so may be you can found something inside it.
ip6tables --list
Chain INPUT (policy DROP)
target prot opt source destination
delegate_input all anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
delegate_forward all anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
delegate_output all anywhere anywhere
Chain MINIUPNPD (2 references)
target prot opt source destination
Chain accept (38 references)
target prot opt source destination
ACCEPT all anywhere anywhere
Chain delegate_forward (1 references)
target prot opt source destination
forwarding_rule all anywhere anywhere /* user chain for forwarding */
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
zone_lan_forward all anywhere anywhere
zone_wan_forward all anywhere anywhere
zone_guest_turris_forward all anywhere anywhere
reject all anywhere anywhere
Chain delegate_input (1 references)
target prot opt source destination
ACCEPT all anywhere anywhere
input_rule all anywhere anywhere /* user chain for input */
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
syn_flood tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
zone_lan_input all anywhere anywhere
zone_wan_input all anywhere anywhere
zone_guest_turris_input all anywhere anywhere
accept all anywhere anywhere
Chain delegate_output (1 references)
target prot opt source destination
ACCEPT all anywhere anywhere
output_rule all anywhere anywhere /* user chain for output */
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
zone_lan_output all anywhere anywhere
zone_wan_output all anywhere anywhere
zone_guest_turris_output all anywhere anywhere
accept all anywhere anywhere
Chain drop (0 references)
target prot opt source destination
DROP all anywhere anywhere
Chain forwarding_guest_turris_rule (1 references)
target prot opt source destination
Chain forwarding_lan_rule (1 references)
target prot opt source destination
Chain forwarding_rule (1 references)
target prot opt source destination
Chain forwarding_wan_rule (1 references)
target prot opt source destination
Chain input_guest_turris_rule (1 references)
target prot opt source destination
Chain input_lan_rule (1 references)
target prot opt source destination
Chain input_rule (1 references)
target prot opt source destination
Chain input_wan_rule (1 references)
target prot opt source destination
Chain output_guest_turris_rule (1 references)
target prot opt source destination
Chain output_lan_rule (1 references)
target prot opt source destination
Chain output_rule (1 references)
target prot opt source destination
Chain output_wan_rule (1 references)
target prot opt source destination
Chain reject (5 references)
target prot opt source destination
REJECT tcp anywhere anywhere reject-with tcp-reset
REJECT all anywhere anywhere reject-with icmp6-port-unreachable
Chain syn_flood (1 references)
target prot opt source destination
RETURN tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP all anywhere anywhere
Chain zone_guest_turris_dest_REJECT (1 references)
target prot opt source destination
reject all anywhere anywhere
Chain zone_guest_turris_dest_accept (1 references)
target prot opt source destination
accept all anywhere anywhere
Chain zone_guest_turris_forward (1 references)
target prot opt source destination
forwarding_guest_turris_rule all anywhere anywhere /* user chain for forwarding /
zone_wan_dest_accept all anywhere anywhere / forwarding guest_turris -> wan /
accept all anywhere anywhere ctstate DNAT / Accept port forwards */
zone_guest_turris_dest_REJECT all anywhere anywhere
Chain zone_guest_turris_input (1 references)
target prot opt source destination
input_guest_turris_rule all anywhere anywhere /* user chain for input /
accept tcp anywhere anywhere tcp dpt:domain / guest dns rule /
accept udp anywhere anywhere udp dpt:domain / guest dns rule /
accept udp anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc / guest dhcp rule /
accept all anywhere anywhere ctstate DNAT / Accept port redirections */
zone_guest_turris_src_REJECT all anywhere anywhere
Chain zone_guest_turris_output (1 references)
target prot opt source destination
output_guest_turris_rule all anywhere anywhere /* user chain for output */
zone_guest_turris_dest_accept all anywhere anywhere
Chain zone_guest_turris_src_REJECT (1 references)
target prot opt source destination
reject all anywhere anywhere
Chain zone_lan_dest_accept (4 references)
target prot opt source destination
accept all anywhere anywhere
Chain zone_lan_forward (1 references)
target prot opt source destination
forwarding_lan_rule all anywhere anywhere /* user chain for forwarding /
zone_wan_dest_accept all anywhere anywhere / forwarding lan -> wan /
accept all anywhere anywhere ctstate DNAT / Accept port forwards */
zone_lan_dest_accept all anywhere anywhere
Chain zone_lan_input (1 references)
target prot opt source destination
input_lan_rule all anywhere anywhere /* user chain for input /
accept all anywhere anywhere ctstate DNAT / Accept port redirections */
zone_lan_src_accept all anywhere anywhere
Chain zone_lan_output (1 references)
target prot opt source destination
output_lan_rule all anywhere anywhere /* user chain for output */
zone_lan_dest_accept all anywhere anywhere
Chain zone_lan_src_accept (1 references)
target prot opt source destination
accept all anywhere anywhere
Chain zone_wan_dest_REJECT (1 references)
target prot opt source destination
reject all anywhere anywhere
Chain zone_wan_dest_accept (3 references)
target prot opt source destination
accept all anywhere anywhere
Chain zone_wan_forward (1 references)
target prot opt source destination
MINIUPNPD all anywhere anywhere
MINIUPNPD all anywhere anywhere
forwarding_wan_rule all anywhere anywhere /* user chain for forwarding /
accept ipv6-icmp anywhere anywhere ipv6-icmp echo-request limit: avg 1000/sec burst 5 / Allow-ICMPv6-Forward /
accept ipv6-icmp anywhere anywhere ipv6-icmp echo-reply limit: avg 1000/sec burst 5 / Allow-ICMPv6-Forward /
accept ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable limit: avg 1000/sec burst 5 / Allow-ICMPv6-Forward /
accept ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big limit: avg 1000/sec burst 5 / Allow-ICMPv6-Forward /
accept ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded limit: avg 1000/sec burst 5 / Allow-ICMPv6-Forward /
accept ipv6-icmp anywhere anywhere ipv6-icmp bad-header limit: avg 1000/sec burst 5 / Allow-ICMPv6-Forward /
accept ipv6-icmp anywhere anywhere ipv6-icmp unknown-header-type limit: avg 1000/sec burst 5 / Allow-ICMPv6-Forward /
zone_lan_dest_accept esp anywhere anywhere / @rule[7] /
zone_lan_dest_accept udp anywhere anywhere udp dpt:isakmp / @rule[8] /
accept all anywhere anywhere ctstate DNAT / Accept port forwards */
zone_wan_dest_REJECT all anywhere anywhere
Chain zone_wan_input (1 references)
target prot opt source destination
input_wan_rule all anywhere anywhere /* user chain for input /
accept udp fe80::/10 fe80::/10 udp spt:dhcpv6-server dpt:dhcpv6-client / Allow-DHCPv6 /
accept ipv6-icmp fe80::/10 anywhere ipv6-icmptype 130 code 0 / Allow-MLD /
accept ipv6-icmp fe80::/10 anywhere ipv6-icmptype 131 code 0 / Allow-MLD /
accept ipv6-icmp fe80::/10 anywhere ipv6-icmptype 132 code 0 / Allow-MLD /
accept ipv6-icmp fe80::/10 anywhere ipv6-icmptype 143 code 0 / Allow-MLD /
accept ipv6-icmp anywhere anywhere ipv6-icmp echo-request limit: avg 1000/sec burst 5 / Allow-ICMPv6-Input /
accept ipv6-icmp anywhere anywhere ipv6-icmp echo-reply limit: avg 1000/sec burst 5 / Allow-ICMPv6-Input /
accept ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable limit: avg 1000/sec burst 5 / Allow-ICMPv6-Input /
accept ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big limit: avg 1000/sec burst 5 / Allow-ICMPv6-Input /
accept ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded limit: avg 1000/sec burst 5 / Allow-ICMPv6-Input /
accept ipv6-icmp anywhere anywhere ipv6-icmp bad-header limit: avg 1000/sec burst 5 / Allow-ICMPv6-Input /
accept ipv6-icmp anywhere anywhere ipv6-icmp unknown-header-type limit: avg 1000/sec burst 5 / Allow-ICMPv6-Input /
accept ipv6-icmp anywhere anywhere ipv6-icmp router-solicitation limit: avg 1000/sec burst 5 / Allow-ICMPv6-Input /
accept ipv6-icmp anywhere anywhere ipv6-icmp neighbour-solicitation limit: avg 1000/sec burst 5 / Allow-ICMPv6-Input /
accept ipv6-icmp anywhere anywhere ipv6-icmp router-advertisement limit: avg 1000/sec burst 5 / Allow-ICMPv6-Input /
accept ipv6-icmp anywhere anywhere ipv6-icmp neighbour-advertisement limit: avg 1000/sec burst 5 / Allow-ICMPv6-Input /
accept all anywhere anywhere ctstate DNAT / Accept port redirections */
zone_wan_src_REJECT all anywhere anywhere
Chain zone_wan_output (1 references)
target prot opt source destination
output_wan_rule all anywhere anywhere /* user chain for output */
zone_wan_dest_accept all anywhere anywhere
Chain zone_wan_src_REJECT (1 references)
target prot opt source destination
reject all anywhere anywhere