Comment # 4 on bug 1153813 from Mathias Homann

two things happened here:

1. upgrading to firewalld 0.7.2, which introduced one important change:
masquerading is only enabled for IPv4; if one wants to masquerade IPv6 as well,
one has to add one rich rule to the external zone:

firewall-cmd --zone=external --add-rich-rule='rule family=ipv6 masquerade'
--permanent

2. in my attempts to fix that I set net.ipv6.conf.eth1.autoconf to 0 which
breaks accepting RA packets.