For all poor souls out there who have the tunnel running on an RT-N66U but do not have a v6 firewall, I have found a simple solution (although it has to be applied at each router restart).
You need to keep in mind that if you do not pay a lot of attention to what you block, you may end up blocking legitimate packets, which may result in flaky connectivity to some services. Here are things to watch out for.
ICMPv6 packets are required in order for IPv6 to operate correctly. Most of them do not need to be forwarded across routers, but "too big" error messages do need to get forwarded. Inappropriate filtering of those often causes problems.
Certain tunnelling protocols utilize ICMPv6 echo request packets as well as no next header. If you block those, you may not be able to communicate with peers utilizing such tunnelling protocols.
Stateful inspection is generally less reliable because state can time out or get lost in case stateful equipment is restarted. TCP can be firewalled statelessly, which will give a better user experience in those cases. Doing the firewalling statelessly means you block the SYN packets, which would be used to establish a new connection, and let other packets through. In that case packets can come in without being part of a connection, but they are going to be rejected by the TCP stack on the destination, so they will never reach any service that may be listening on that port.
Using a DROP rule will make debugging network problems harder; it will also make it easier for others to spoof your IP address. Instead, I recommend using proper REJECT rules (I use three different reject rules such that TCP can be rejected with TCP RST packets, UDP is rejected with port unreachable, and everything else is rejected with a generic ICMP error).
While you are configuring ip6tables, you can also make your connectivity a bit more reliable by utilizing the tcpmss module. By reducing MSS to 1220 on all SYN packets that had a higher MSS, you can avoid most PMTU discovery problems.
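The rules described in the post above, written out as an added example; this is not the poster's own script. The interface name `v6tun0`, the chain name `v6in`, the choice of `icmp6-adm-prohibited` as the generic error, and the stateful match for UDP replies are assumptions. The script only prints the commands and includes a small check for the two pitfalls the post names (DROP targets, filtered ICMPv6).

```shell
#!/bin/sh
# Added example (not the poster's script): prints ip6tables commands for review.
WAN_IF="${WAN_IF:-v6tun0}"  # assumption: name of the IPv6 tunnel interface
MSS="${MSS:-1220}"          # MSS value given in the post
CHAIN="v6in"                # hypothetical chain name

gen_rules() {
  cat <<EOF
ip6tables -N $CHAIN
ip6tables -A FORWARD -i $WAN_IF -j $CHAIN
# ICMPv6 (too big errors, echo requests) and No Next Header (protocol 59) pass.
ip6tables -A $CHAIN -p ipv6-icmp -j ACCEPT
ip6tables -A $CHAIN -p 59 -j ACCEPT
# Stateless TCP: reject only connection-opening SYNs, let other segments through.
ip6tables -A $CHAIN -p tcp --syn -j REJECT --reject-with tcp-reset
ip6tables -A $CHAIN -p tcp -j ACCEPT
# Assumption: UDP has no SYN equivalent, so replies are matched statefully.
ip6tables -A $CHAIN -p udp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A $CHAIN -p udp -j REJECT --reject-with icmp6-port-unreachable
# Everything else gets a generic ICMPv6 error (choice of code is an assumption).
ip6tables -A $CHAIN -j REJECT --reject-with icmp6-adm-prohibited
# Clamp MSS on SYNs that advertise more than $MSS.
ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $((MSS + 1)):65535 -j TCPMSS --set-mss $MSS
EOF
}

# Checks a rule list on stdin for the two pitfalls the post warns about.
lint_rules() {
  rules=$(cat)
  if printf '%s\n' "$rules" | grep -q -- '-j DROP'; then
    echo "uses DROP instead of REJECT"; return 1
  fi
  if ! printf '%s\n' "$rules" | grep -q -- '-p ipv6-icmp -j ACCEPT'; then
    echo "ICMPv6 is not accepted"; return 1
  fi
  echo ok
}

gen_rules
```

Review the printed commands, then pipe them to `sh` as root; they have to be applied again after each router restart.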