Block IPv6 Link Local?

I’m running a network with a pfSense firewall and a mix of Linux and Windows machines. My intention is to run both IPv4 and IPv6. I’m not sure what the best way to do IPv6 is. Should I run it with DHCP6 off pfSense? EL seems configured not to even grab that by default. If I use DHCP6, is there a good way to get rid of link-local? Do I just block all link-local with a firewall rule?

Should I not use DHCP6 and only use link-local addresses?

The default mechanism for IPv6 address assignment is SLAAC. DHCP doesn’t have the same status in the IPv6 world as it does in the IPv4 world. In most cases, SLAAC is sufficient. The “stateless” part means that there is no authority that assigns and remembers individual IP addresses (like a DHCP server does), but instead a host wanting to join a network will be given the network prefix and chooses the rest of the address itself.

Link-local addresses only work in a layer 2 broadcast domain. They are not routed. So while the router itself can be connected to using a link-local address, other (local) networks on that router cannot be communicated with. There is no need to disable link-local addresses; in fact they are required by SLAAC, because that is a layer 3 protocol.

Yes, normally you do, probably without thinking about it. All traffic is blocked by default. If you set the source of a rule to an interface’s network (e.g., “LAN net”), this doesn’t include link-local addresses (don’t confuse link-local addresses with unique local addresses).

Where DHCPv6 makes sense is when you want to have control over the addresses that hosts are assigned (e.g., the address pool and reservations).

1 Like