IPv6 RAs always include on-link prefix; clients may not use DHCPv6 managed addresses
pfSense IPv6 RA support in 2.3.1-x correctly includes the 'M' (Managed) bit in its advertisements.
By contrast, Cisco IOS supports an explicit "ipv6 nd prefix default non-advertise" configuration to prevent this.
However, pfSense always includes the on-link prefix in these advertisements, even if the "Router mode" in Services -> DHCPv6 Server & RA -> LAN -> Router Advertisements is set to "Managed".
This causes Mac OS X clients to (inappropriately) use SLAAC & privacy addresses by default, unless temporary addresses are explicitly disabled system-wide using sysctl (as per FreeBSD).
Linux and Windows do not exhibit this issue and use the DHCPv6 statefully-managed address by default -- which is the desired behaviour in this configuration. (It's an office, PCI DSS is in play, and we need to at least track who initiated communication to the outside world, even if we don't act as a man-in-the-middle.)
There appears to be no option to disable advertising the on-link prefix.
Updated by Bruce Simpson about 5 years ago
First two sentences above are reversed -- my bad.
TL;DR -- a Cisco will let you advertise 'M' and only 'M', causing clients to use DHCPv6 managed (desired here). pfSense will advertise 'M', but also includes the RA Option 24 ('route info') for the on-link prefix. Some IPv6 clients take that as a sign to use SLAAC/privacy (not desired here).