It Was My ISP
I reached out to them with my ideas and all the evidence that the Internet couldn't ping my WAN IP. They looked and fixed it.
They didn't say what they fixed, just, well, this:
our FTTxSME identified an issue upstream which may have been inhibiting proper routing of traffic from A to B--however this has since been corrected
Whatever it was, they stopped the inhibition, and now it works.
It allowed my external monitor to respond with its "all good" message (which I got before I noticed the message from my ISP). It allowed my IPv6 tunnel to connect.
With my IPv6 working, I thought I'd try some of the other things the router wasn't doing well, like curling to fetch HTTP pages and running its own updater. They worked, and didn't even use IPv6 for all of it! Whatever was blocking may have been blocking that all along.
I felt a little bad, realizing that much of the Firewalla's trouble was caused by my ISP. Still, that I couldn't administer the box with their tool, that their underlying system kept configurations out of where they could be changed via the shell, and ultimately that it didn't support IPv6 6in4 tunnels reminded me that I'd made the right call.
I felt a little vindicated, since the more standard configurations in the pfSense router (albeit on a different OS than I use daily) allowed me to recognize it isn't my rig. I'm glad, also, that I could provide enough detail to allow my ISP to look where they did and go "whoops" and fix it so quickly. I'm a little disappointed that they were dismissive that they had a problem the first time around, but I also understand the "usually user error" path is often the right answer.
I'm going to play with the new bits in the router, see if I can get it a little more locked down, like by getting a proper SSL cert for its GUI, and making sure the GUI isn't accessible from the Internet.
After a little of that, I need to fix the database issues that are also happening.