IPv6 Prefix Delegation and iptables

Maybe you have run into the same problem. You have a dual-stack home connection and are used to NAT plus port forwards on your firewall to allow external access. With IPv6 the equivalent rules only work if your hosts have static addresses, but with IPv6 prefix delegation (DHCPv6-PD) your prefix will change from time to time, depending on your ISP. You could start doing IPv6 NAT to get the old behaviour back, but who really wants NAT?

So I did some digging and found an older OpenWRT forum thread where a user had a similar problem [1]. Post #11 explained it perfectly: match on a mask that covers only the interface identifier (the lower 64 bits) and hard-code the host's IID into the ip6tables rule; the prefix bits are masked out, so it does not matter what your ISP delegated today. Somehow the idea of a netmask that is not a contiguous run of ones (and therefore has no CIDR notation) had left my head once I turned to IPv6.

So my solution was simple:

  • Disable IPv6 privacy extensions on the hosts I want to expose so they keep a stable IID. The IID must not depend on the prefix: an EUI-64 IID derived from the MAC, or a fixed token (on Linux, `ip token set ... dev <if>`), stays the same across prefix changes, whereas RFC 7217 stable-privacy addresses (Linux `addr_gen_mode` 2) are derived from the prefix and are regenerated whenever it changes, which would silently break the rule.
  • Add an ip6tables rule on my OpenWRT router that matches only the lower 64 bits of the destination address:

ip6tables -I FORWARD -d ::1b4d:f4e0:194e:c6a8/::ffff:ffff:ffff:ffff -p tcp --dport 22 -j ACCEPT

Note that `-I FORWARD` puts the rule ahead of OpenWRT's own zone chains, so it applies to any forwarded traffic with that IID regardless of interface; adding `-o <lan interface>` keeps it limited to traffic heading into your LAN.
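To show what that rule actually matches, here is an added example (not code from the original post): it derives the stable EUI-64 IID from a MAC address, builds the `::iid/::ffff:ffff:ffff:ffff` target, and applies the same masked comparison netfilter uses to packets under the old prefix, a new prefix, a neighbouring host and a temporary privacy address. The MAC, prefixes and port are constructed sample values, and EUI-64 IID generation is assumed (not RFC 7217 stable-privacy addresses).

```python
"""Added example, not from the original post: the interface-identifier match
behind the ip6tables rule above, worked out in Python.

netfilter accepts a packet when (dst & mask) == (rule_addr & mask).  With
mask ::ffff:ffff:ffff:ffff only the low 64 bits, the IID, take part, so the
rule survives a prefix change.  The MAC, prefixes and port below are
constructed sample values."""
import ipaddress

IID_MASK = "::ffff:ffff:ffff:ffff"                      # ones only in the IID bits
FULL_MASK = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"   # what a /128 rule means


def _bits(addr: str) -> int:
    """Parse an IPv6 address (or mask) into a 128-bit integer."""
    return int(ipaddress.IPv6Address(addr))


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 IID for a 48-bit MAC (RFC 4291, Appendix A): insert
    ff:fe in the middle and flip the universal/local bit of the first octet.
    This is the stable IID a host keeps once privacy extensions are off,
    assuming EUI-64 generation (addr_gen_mode 0 on Linux)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big") ^ (1 << 57)  # 0x02 in the first octet


def rule_target(iid: int) -> str:
    """The '::xxxx:xxxx:xxxx:xxxx' address written into the rule: prefix
    bits zero, IID bits set."""
    return str(ipaddress.IPv6Address(iid & _bits(IID_MASK)))


def rule_matches(target: str, mask: str, pkt_dst: str) -> bool:
    """netfilter-style masked address comparison for a -d target/mask rule."""
    m = _bits(mask)
    return (_bits(pkt_dst) & m) == (_bits(target) & m)


def ip6tables_rule(target: str, port: int) -> str:
    """Render the rule in the form used on the page."""
    return f"ip6tables -I FORWARD -d {target}/{IID_MASK} -p tcp --dport {port} -j ACCEPT"


if __name__ == "__main__":
    target = rule_target(eui64_iid("00:11:22:33:44:55"))  # sample MAC
    print(ip6tables_rule(target, 22))
    old_static = "2001:db8:1:2:211:22ff:fe33:4455"        # old prefix, /128 rule
    for dst in ("2001:db8:1:2:211:22ff:fe33:4455",    # host under the old prefix
                "2001:db8:99:2:211:22ff:fe33:4455",   # same host, new prefix
                "2001:db8:99:2:211:22ff:fe33:4456",   # neighbour, new prefix
                "2001:db8:99:2:a1b2:c3d4:e5f6:1"):    # a temporary privacy address
        print(dst,
              "IID-mask rule:", rule_matches(target, IID_MASK, dst),
              "static /128 rule:", rule_matches(old_static, FULL_MASK, dst))
```

The last column is the failure mode the post is working around: a rule written against the full address stops matching the moment the delegated prefix changes, while the IID-masked rule keeps matching the same host and still excludes its neighbours and its temporary addresses.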

With a DDNS setup that publishes each host's current address (today's delegated prefix plus its fixed IID), I can always connect directly to my machines from the IPv6 internet.

[1]https://forum.archive.openwrt.org/viewtopic.php?id=68912
