pfSense

The Default Allow rule that pfSense generates on the LAN for IPv6 traffic are supposed to allow all IPV6 traffic from "LAN net" (and I assume for the other Interface net macros) to everywhere on the LAN. That rule does not work for traffic using (at least) Link Local addresses and Privacy Addresses (these appear to be the first 4 hextets of the address with random stuff added). It seems that the "LAN net" macro does not include these various flavors of local IPv6 addresses. It only seems to include the actual IPv6 addresses noted in the DHCP6 server (not everything noted in the NDP table). This has resulted in my having to add a specific rule allowing traffic sourced from link local addresses to the IPv6 multicast address. I'm still seeing default deny blocks on privacy address sourced traffic to pfSense's LAN interface port 53. But, since I don't know where or how those privacy addresses are generated, I can't come up with an alias or rule that would let me allow the traffic on the LAN.

Each interface's "net" macro should include all IPv6 addresses local to that interface.

https://forum.netgate.com/topic/138293/default-deny-from-my-computer-to-multicast-log-entries-solved
https://forum.netgate.com/topic/138351/how-to-allow-privacy-addresses-on-the-lan