Ipv6 firewall exposing all ports in assigned addresses

First of all i’m completely new to ipv6 and i’m trying to learn a bit here.

Anyone out there with experience in ipv6?

My isp provides me a /56 prefix so I went to pfsense configured as a DHCP6 and Track interface ony my LAN interface o WAN.
As for RA set it to managed and set a DHCP sever from ::1000 to ::2000
Everything is working fine except for the fact that all the devices I have behing the lan interface are completely exposed and accessible on IPV6 address but firwalled on IPV4 execpt for the few ports i really needed to open on/nat forward on IPV4.
I know nat doesn’t exist on IPV6 so how do i secure my devices behind IPV6?
I have a few virtual machines running docker and other services i don’t want to expose to the world!! do I need to configure a firewall on each of them? ( this is quite a pain…) or there any way to do it on pfsense?
I’ve searched everywhere for info of ipv6 firewall rules and there’s verry little information on it.

Thanks… I’m really lost here!
My config:

Interfaces → WAN → DHCP6 Client Configuration → DHCPv6 Prefix Delegation size=“56” → Save
Interfaces → LAN → General Configuration → IPv6 Configuration Type=“Track Interface”
Interfaces → LAN → Track IPv6 Interface → IPv6 Interface=“WAN”
Interfaces → LAN → Track IPv6 Interface → IPv6 Prefix ID=“0” → Save
Services → DHCPv6 Server & RA → Router Advertisements → Router mode=“Managed” → Save
Services → DHCPv6 Server & RA → DHCPv6 Server → “Enable DHCPv6 server on interface LAN”
Range from=“::1000”
Range to=“::2000” – > Save

I have no ipv6 rules at all at wan interface so in theory all inbound traffic should be blocked, but no.
I just tested using my vultr vps and and can ssh into all my VMs using iv6.