(Notice to mods: I've asked in troubleshooting, but got no replies, so I hope that asking in networking might be better, without falling to cross-posting; in any case, this is my last attempt here...)
Setup: Raspberry Pi 3B with recent Jessie, updated as of today. Upstream IPv6 "Enterprise" network at eth1, downstream eth0 shall offer IPv6 "Enterprise" connectivity to its local IPv6 nodes. eth0 and eth1 are autoconfigured by SLAAC. dhcpcd for IPv6 requests a prefix block from the upstream router that is reached through eth1, then assigns a /64 from this prefix block to downstream eth0. radvd gets autoconfigured to properly announce the downstream prefix via eth0, as well as more specific routes to the prefix block on the upstream eth1 LAN. So far, so good, works as required. Pings from the RPi to upstream and downstream nodes work correctly.
A "net.ipv6.conf.all.forwarding=1" in /etc/sysctl.conf switches on IPv6 forwarding. I've also set up netfilter-persistent to load a default rule set from /etc/iptables/rules.ipv6 that sets INPUT, FORWARD, OUTPUT all to ACCEPT policy (because this is an "inner" routing node, not a border router). ip6tables -L confirms this setting.
Now, when I try to ping6 any upstream node from a downstream IPv6 node, I never get any ping responses. But I also don't get any ICMPv6 not reachable indications. Traceroute shows that my RPi IPv6 router correctly responds, but anything beyond upstream cannot be seen. Wireshark on "any" (eth0, eth1) shows that the IPv6 pings arrive on eth0, but never get forwarded to eth1.
A cross-check by adding a broken upstream route to the IPv6 RPi router causes the router to correctly reply with ICMPv6 not reachable to its downstream nodes on the eth0 LAN.
But after removing this route, the traffic from downstream eth1 destined for upstream eth0 completely disappears "inside" the RPi router without any indication.
Any idea what might be borked and what I'm missing here...?