IPv6 is not enabled by default in Docker. Since we are configuring our network inside the container all we need to do is add the following sysctls:
net.ipv6.conf.all.disable_ipv6=0
net.ipv6.conf.all.forwarding=1
And leave the rest to OpenWrt.
It's recommended to generate a good random ULA prefix using something like https://simpledns.plus/private-ipv6 and setting LAN6_PREFIX to something other than the default.
For bandwidth monitoring of ipv6 it may also be necessary to load the module nf_conntrack_ipv6 on the host:
$ sudo modprobe nf_conntrack_ipv6
I noticed that my syslog was filled with the following line about every 3-5 seconds:
Tue Mar 3 23:39:26 2020 daemon.notice netifd: wan6 (5949): /lib/netifd/dhcpv6.script: line 14: can't create /proc/sys/net/ipv6/conf/eth1/mtu: Read-only file system
Every time ICMPv6 RA messages are received, odhcp6c triggers this script. Since we are running in Docker and can't modify sysctls from inside the container, this error would be printed.
The solution workaround is to comment out any lines in /lib/netifd/dhcpv6.script that try to modify kernel parameters. See etc/dhcpv6.script.
Obviously this is an ugly hack but it works.
The other solution would be to run the container with --privileged, but that's a terrible idea.