Bug #8791: Default IPv6 rules do not allow some devices to perform router or neighbor discovery
Status: closed
Start date: 08/16/2018
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All
Description
RFC 4861 states in section 4.1 that during neighbor discovery a device may use the "unspecified" address if it does not yet have an IPv6 address. pfSense does not currently include that source in the list of sources allowed in the default ICMPv6 internal rules. The relevant text from section 4.1:
"Source Address: An IP address assigned to the sending interface, or the unspecified address if no address is assigned to the sending interface."
Section 2.3 states that the "unspecified" address is all zeroes, which compresses to :: :
"unspecified address - a reserved address value that indicates the lack of an address (e.g., the address is unknown). It is never used as a destination address, but may be used as a source address if the sender does not (yet) know its own address (e.g., while verifying an address is unused during stateless address autoconfiguration [ADDRCONF]). The unspecified address has a value of 0:0:0:0:0:0:0:0."
So rather than an address on the interface subnet, or link-local, such devices may send from a source of :: to the multicast all-routers destination.
Should be easy to correct by adding one more rule to the list near source:src/etc/inc/filter.inc#L3309 with :: as the source instead of fe80::/10.
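An added illustration, not code from pfSense or from the reporter: a minimal model of the link-local ICMPv6 pass rules (the exact rule shape in filter.inc is assumed, not copied) showing that a Router Solicitation from :: to the all-routers group matches nothing until a rule with :: as its source is added.

```python
# Added example (not pfSense's own code): model the ICMPv6 "pass" rules as
# (source network, destination network, allowed ICMPv6 types) and check
# whether a given packet would be permitted. The rule shapes below are
# constructed for illustration; they are not copied from filter.inc.
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address, ip_network

ROUTER_SOLICIT = 133    # RFC 4861 Router Solicitation
NEIGHBOR_SOLICIT = 135  # RFC 4861 Neighbor Solicitation (also used for DAD)
ALL_ROUTERS = "ff02::2" # RFC 4861 link-local all-routers multicast group
ND_TYPES = (133, 134, 135, 136)  # RS, RA, NS, NA


@dataclass(frozen=True)
class Rule:
    src: IPv6Network
    dst: IPv6Network
    types: frozenset


def make_rule(src: str, dst: str, types) -> Rule:
    return Rule(ip_network(src), ip_network(dst), frozenset(types))


# Assumed shape of the default rules: only link-local (fe80::/10) sources
# may send ND traffic to link-local or link-scope multicast destinations.
DEFAULT_RULES = [
    make_rule("fe80::/10", "fe80::/10", ND_TYPES),
    make_rule("fe80::/10", "ff02::/16", ND_TYPES),
]

# The rule the report proposes: same destination, unspecified (::) source.
UNSPECIFIED_RULE = make_rule("::/128", "ff02::/16", ND_TYPES)


def permitted(rules, src: str, dst: str, icmp6_type: int) -> bool:
    """True if any rule matches the (source, destination, type) triple."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in r.src and d in r.dst and icmp6_type in r.types
               for r in rules)


def rs_from_unspecified_allowed(rules) -> bool:
    """Router Solicitation from a host that has no address yet."""
    return permitted(rules, "::", ALL_ROUTERS, ROUTER_SOLICIT)


def dad_ns_from_unspecified_allowed(rules, solicited_node: str) -> bool:
    """DAD Neighbor Solicitation (source ::) to a solicited-node group."""
    return permitted(rules, "::", solicited_node, NEIGHBOR_SOLICIT)
```

The same check over the two rule sets shows the link-local case passing both before and after, while the :: case only passes once the extra rule is present.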