Alright, here is one for you to chew on. I won't go into the specifics of why my network is set the way it is (unless you ask of course). Running a WRT54G v5 with DD-WRT micro v24sp2. I have an IPv6 tunnel of course, and in the simpler days, this was all I needed in my configuration:
iptables -t nat -I PREROUTING -i vlan1 -p 41 -j DNAT --to 10.0.0.2
iptables -I FORWARD -s 66.220.18.42 -i vlan1 -j ACCEPT
iptables -t nat -I POSTROUTING --proto ! 41 -o vlan1 -j MASQUERADE
Works like a charm, as 10.0.0.2 is a CentOS server that handled the radvd and the routing. Well, I had a need to separate the LAN ports behind this router, and the main reason was to isolate this CentOS box that was handling the IPv6 routing. Well, now the rest of the router is on a 192.168.11.0/24 subnet and is of course blocked from seeing the CentOS box on the 10.0.0.0/24 subnet. This was accomplished with the following:
ifconfig vlan2 10.0.0.1 netmask 255.0.0.0
ip addr add 11.22.33.44/29 dev vlan1
iptables -t nat -I POSTROUTING 1 -p all -o vlan1 -s 10.0.0.0/24 -j SNAT --to 11.22.33.44
iptables -I INPUT -i vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j logdrop
Question: Can I open a route between the two VLANs for only IPv6, or say only protocol 41 traffic? That way, the CentOS box on the 10.0.0.0/24 subnet can still act as the tunnel endpoint and serve the addresses and IPv6 routing for BOTH the 10.0.0.0/24 and 192.168.11.0/24 subnets? See? I told you this would be fun! Thanks for your help.

Phil
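An added illustration, not part of Phil's post: a small simulator of how iptables would walk the FORWARD rules quoted above for a packet crossing from br0 into vlan2, and why a rule admitting only IP protocol 41 (IPv6-in-IPv4 encapsulation) has to be inserted with `-I` above the existing `logdrop` rule rather than appended with `-A`. The `br0 -> vlan2 -p 41` rule, the sample packets and the DROP chain policy are my own assumptions; the rule list itself is copied from the post. It only models rule ordering and matching, not whether the CentOS box can actually serve router advertisements to the 192.168.11.0/24 side, which the post leaves open.

```python
import shlex

# Constructed from the FORWARD rules in the post, in the order they were issued.
# "-I" prepends, so the rule issued last is the one evaluated first.
POSTED_RULES = [
    "iptables -I FORWARD -s 66.220.18.42 -i vlan1 -j ACCEPT",
    "iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT",
    "iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT",
    "iptables -I FORWARD -i br0 -o vlan2 -j logdrop",
]

# Hypothetical rule (an assumption, not from the post): admit only protocol 41
# from br0 into vlan2. Same rule, written once as an insert and once as an append.
PROTO41_INSERT = "iptables -I FORWARD -i br0 -o vlan2 -p 41 -j ACCEPT"
PROTO41_APPEND = "iptables -A FORWARD -i br0 -o vlan2 -p 41 -j ACCEPT"

# Constructed sample packets: a 6in4 packet and a plain TCP packet, both
# heading from the 192.168.11.0/24 side (br0) into the 10.0.0.0/24 side (vlan2).
PKT_6IN4 = {"in": "br0", "out": "vlan2", "proto": 41, "state": "NEW", "src": "192.168.11.5"}
PKT_TCP = {"in": "br0", "out": "vlan2", "proto": 6, "state": "NEW", "src": "192.168.11.5"}

# iptables flags we understand, mapped to packet fields.
FLAGS = {"-i": "in", "-o": "out", "-p": "proto", "-s": "src",
         "-j": "target", "--state": "state"}


def parse_rule(cmd):
    """Parse one iptables command into (chain, position, match-dict).

    position is 0 for a bare -I (insert at the top), n-1 for "-I CHAIN n",
    and None for -A (append at the bottom)."""
    toks = shlex.split(cmd)
    rule, chain, position = {}, None, None
    i = 1  # skip the leading "iptables"
    while i < len(toks):
        t = toks[i]
        if t in ("-I", "-A"):
            chain = toks[i + 1]
            position = 0 if t == "-I" else None
            i += 2
            if t == "-I" and i < len(toks) and toks[i].isdigit():
                position = int(toks[i]) - 1  # explicit 1-based rule number
                i += 1
        elif t in ("-m", "-t"):
            i += 2  # match-extension or table name; its own options follow
        elif t in FLAGS:
            rule[FLAGS[t]] = toks[i + 1]
            i += 2
        else:
            raise ValueError("unsupported token %r in %r" % (t, cmd))
    if "proto" in rule and rule["proto"].isdigit():
        rule["proto"] = int(rule["proto"])
    return chain, position, rule


def build_chain(commands, chain="FORWARD"):
    """Replay the commands and return the chain as the kernel would hold it:
    element 0 is evaluated first."""
    rules = []
    for cmd in commands:
        c, pos, rule = parse_rule(cmd)
        if c != chain:
            continue
        if pos is None:
            rules.append(rule)
        else:
            rules.insert(pos, rule)
    return rules


def evaluate(rules, packet, policy="DROP"):
    """Return the target of the first rule whose every match field equals the
    packet's field; fall through to the chain policy (DROP here is an assumption)."""
    for rule in rules:
        if all(packet.get(k) == v for k, v in rule.items() if k != "target"):
            return rule["target"]
    return policy


def decision(commands, packet):
    """Convenience wrapper: replay commands, then evaluate one packet."""
    return evaluate(build_chain(commands), packet)


if __name__ == "__main__":
    for label, cmds in (("posted rules only", POSTED_RULES),
                        ("plus -I proto-41 rule", POSTED_RULES + [PROTO41_INSERT]),
                        ("plus -A proto-41 rule", POSTED_RULES + [PROTO41_APPEND])):
        print("%-22s 6in4 -> %-8s tcp -> %s" % (
            label, decision(cmds, PKT_6IN4), decision(cmds, PKT_TCP)))
```

With the posted rules alone the 6in4 packet hits `logdrop`. Adding the protocol-41 rule with `-I` puts it above `logdrop`, so only the 6in4 packet is accepted and TCP is still dropped; adding the same rule with `-A` places it below `logdrop`, where it is never reached.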