So they finally made it:
router # ip6tables -t nat -A POSTROUTING -s 2001:db8:ffff::/64 -o eth1 -j MASQUERADE
client # ip -6 addr 1: lo:mtu 16436 inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: mtu 1500 qlen 1000 inet6 2001:db8:ffff::cafe/64 scope global valid_lft forever preferred_lft forever inet6 fe80::216:3eff:fec8:871e/64 scope link valid_lft forever preferred_lft forever client # ping6 -c 4 -n www.google.com PING www.google.com(2a00:1450:4004:803::1010) 56 data bytes 64 bytes from 2a00:1450:4004:803::1010: icmp_seq=1 ttl=54 time=78.6 ms 64 bytes from 2a00:1450:4004:803::1010: icmp_seq=2 ttl=54 time=70.9 ms 64 bytes from 2a00:1450:4004:803::1010: icmp_seq=3 ttl=54 time=71.2 ms 64 bytes from 2a00:1450:4004:803::1010: icmp_seq=4 ttl=54 time=72.5 ms --- www.google.com ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3003ms rtt min/avg/max/mdev = 70.986/73.343/78.619/3.105 ms
Ah right, because NAT gives you, um, more security. Oh yeah.