Okay, a follow-up to my own "IT WORKS!" post with some details.
I can confirm that at this point:
1. My TomatoUSB router is able to talk IPv6 to the Internet directly (e.g. ping6 ipv6.google.com from TomatoUSB natively works),
2. My FreeBSD box on my LAN is able to talk IPv6 to the Internet directly (e.g. ping6 ipv6.google.com from FreeBSD works). IMPORTANT: My FreeBSD box is statically configured for IPv6, it is not configured to dynamically get an IPv6 prefix/etc. from the TomatoUSB router.
I have rebooted my RT-N16 and done the manual fix-ups needed and it does in fact work reliably.
Now for the details:
1. The IA-NA fix (in dhcp6c.conf) ISN'T NEEDED. And that seems correct/logical given what I described in my earlier post. There is absolutely no need for a /128 address on the WAN interface (vlan2).
2. The "spurious default route" fix IS NEEDED. Removing the spurious route is absolutely required. Simply put: there should be only one default route for ::/0 and it should be an fe80::xxx address (negotiated via IPv6 RAs announced from Comcast).
3. Under Basic / IPv6, the WAN checkbox for "Accept RA from" must be checked. This is the only way to ensure that the TomatoUSB router gets a default IPv6 gateway from Comcast (DHCPv6 does not negotiate this; it's announced via IPv6 RAs. This greatly differs from classic IPv6 DHCP, for those familiar with it).
4. Under Basic / IPv6, the "Enable Router Advertisements" checkbox is probably required for systems on a LAN which don't have statically configured IPv6 addresses and default IPv6 gateways. This checkbox makes it so that IPv6 RAs (from TomatoUSB to the LAN) are sent across the LAN. It has no bearing on the IPv6 RAs received via WAN from Comcast.
5. For statically-configured IPv6 machines on a LAN (like my FreeBSD box) only, it's very important that for the default gateway you ensure that you use the link-local IPv6 address of the TomatoUSB system (that would be the "Scope:Link" IPv6 address shown for interface br0), and that you use a zone index using the %index syntax as described here:
en.wikipedia.org/wiki/IP ··· _indices
Without use of the zone index, you cannot do something like "route add -inet6 default fe80::e2cb:4eff:fec0:c4" because the system has no idea what interface (zone index) is associated with the fe80::xxx address. On FreeBSD, without the zone index specifier, you get an error such as "Network unreachable" when trying to add the default route.
In the case of machines which are not statically routed, I imagine that IPv6 RAs (received from the TomatoUSB router across the LAN) should negotiate all of this stuff dynamically. I haven't gotten to that phase yet; I imagine that is the phase/methodology that most of the people on this forum will use, but for my setup I cannot use it at this point in time (has to do with issues/complexities with FreeBSD and what it does when receiving IPv6 RAs). Baby steps!
So, the WAN Up script I'm using now is the following, again, with 100% success (including after a reboot):
#
# Workaround for TomatoUSB bug where a spurious default IPv6 route is
# added for no justified reason, resulting in packets getting forwarded
# effectively to /dev/null.
#
# 1. Temporarily disable accepting IPv6 RAs on the WAN interface. This
# will stop the kernel from automatically adding a default IPv6 route
# when such an RA is received via the WAN.
# 2. Delete ALL default IPv6 routes. In effect this deletes the spurious
# IPv6 default route, as well as any default IPv6 routes received via RA.
# Sadly the "ip" command does not give you a way to differentiate between
# the two, since the one we truly want to delete lacks "proto kernel".
# 3. Restore honouring IPv6 RAs via the WAN. Within 60-120 seconds (often
# within seconds on Comcast) a default IPv6 route should be added by the
# kernel. You can use "ip -6 route show default dev `nvram get wan_iface`"
# to verify; you should have only one route ("default via fe80::xxx ...").
#
# http://www.dslreports.com/forum/r27234575-TomatoUSB-and-Comcast-IPv6-bugs-found
#
echo 0 > /proc/sys/net/ipv6/conf/`nvram get wan_iface`/accept_ra
ip -6 route flush default dev `nvram get wan_iface`
echo 2 > /proc/sys/net/ipv6/conf/`nvram get wan_iface`/accept_ra
And before criticising the script ( :-) ) please be sure to read the comments in the script; it's written this way for a reason.
For those who have tried/used the IA-NA fix previously mentioned, please replace your WAN Up script with the one above and then reboot the router. (Yes, there is a way to do this without rebooting, but the instructions would be long and I'd rather not explain it. It involves editing /etc/dhcp6c.conf to remove the ia-na bit, restarting dhcp6c with its previous arguments, then running the above WAN Up script by hand)
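
A check for the end state described in the post above (exactly one ::/0 route, with an fe80:: next hop), as an added example that is not part of the original post. The function names `check_default_routes` and `report` are hypothetical, and the sample route lines are constructed rather than captured from a router.

```shell
#!/bin/sh
# Added example. Verifies the end state the post describes: exactly one IPv6
# default route, and its next hop is a link-local (fe80::/10) address.
# Reads "ip -6 route show default" output on stdin.
# Return codes: 0 ok, 1 no default route, 2 more than one, 3 not link-local.
check_default_routes() {
    awk '
        $1 == "default" {
            n++
            gw = ""
            for (i = 2; i < NF; i++) if ($i == "via") gw = $(i + 1)
            # fe80::/10 spans fe80 through febf; a route with no "via" also fails
            if (tolower(gw) !~ /^fe[89ab][0-9a-f]:/) bad++
        }
        END {
            if (n == 0) exit 1
            if (n > 1) exit 2
            if (bad) exit 3
            exit 0
        }'
}

# Constructed sample lines (not captured from a real router).
SAMPLE_OK='default via fe80::201:5cff:fe00:1 dev vlan2  proto kernel  metric 1024  expires 1700sec'
SAMPLE_TWO="$SAMPLE_OK
default via fe80::201:5cff:fe00:1 dev vlan2  metric 1"
SAMPLE_GLOBAL='default via 2001:db8::1 dev vlan2  metric 1024'

report() {  # $1 = label, $2 = route text
    rc=0
    printf '%s\n' "$2" | check_default_routes || rc=$?
    echo "$1: rc=$rc"
}
report "single link-local route" "$SAMPLE_OK"
report "two default routes" "$SAMPLE_TWO"
report "global next hop" "$SAMPLE_GLOBAL"

# On the router itself (command taken from the WAN Up script comments):
#   ip -6 route show default dev `nvram get wan_iface` | check_default_routes
```

A return code of 1 shortly after the WAN Up script runs is expected until the next RA arrives; the script's comments give 60-120 seconds as the window.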