How could I prevent the assignment of global IPv6 addresses to my LAN devices? I don't want to expose them directly to the world, nor to have to configure a firewall; I just want them to have local IPv6 addresses only (beginning with fd2a:4bdc:... as per the first picture). This happens if I disable the DHCPv6 client on the PPPoE, but that way I also lose the IPv6 /128 assigned by my ISP, which I would need for further management/routing.
If I'm correct, what I should do is disable the delegation of the PPPoE-obtained prefix to LAN, but I haven't figured out how to do it. I tried adding option pd '0' on wan6, which uses the dhcpv6 proto, but the effect was not the desired one, as the prefix was still obtained from the ISP and delegated to LAN.
You don't actually need to do anything; access from WAN to LAN is restricted.
That's why there's nothing "directly exposed to the world".
The default firewall configuration in OpenWrt is safe enough for both IPv4 and IPv6.
Indeed, I've tried an online port scanner and the ports of the scanned host appear closed. However, it responds to ping from outside the LAN, but this is not an issue in my usage scenario.
FYI, the ip6class local option would only distribute the ULA addresses and ignore the GUA from your ISP.
However, if your concern is merely about security, you don't need to worry. ICMP packets in IPv6 are necessary for correct operation, hence they are allowed.
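The ip6class approach from the last reply, as an added example that is not part of the thread: a router-side function that sets the option through uci, plus a LAN-host check that lists any global unicast address still assigned. The interface name lan and all sample addresses are assumptions (2001:db8::/32 is the documentation prefix standing in for an ISP-delegated GUA).

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the default OpenWrt LAN
# interface name 'lan'; the sample `ip` output below is constructed.

# Router side: accept only the ULA prefix class on LAN.
apply_ula_only() {
    uci -q delete network.lan.ip6class
    uci add_list network.lan.ip6class='local'
    uci commit network
    /etc/init.d/network reload
}

# Classify an IPv6 address (without /len) by its first 16-bit group.
classify_v6() {
    case "$1" in
        [fF][cCdD][0-9a-fA-F][0-9a-fA-F]:*)      echo ula ;;        # fc00::/7
        [fF][eE][89aAbB][0-9a-fA-F]:*)           echo link-local ;; # fe80::/10
        [23][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]:*) echo global ;;     # 2000::/3
        *)                                       echo other ;;
    esac
}

# LAN-host side: read `ip -6 -o addr show` output on stdin and print
# "<ifname> <address>" for every global unicast address still assigned.
list_global() {
    while read -r _idx ifname family addr _rest; do
        [ "$family" = inet6 ] || continue
        addr=${addr%/*}
        if [ "$(classify_v6 "$addr")" = global ]; then
            echo "$ifname $addr"
        fi
    done
    return 0
}

# Constructed sample: a LAN host before the change (GUA + ULA + link-local).
sample_before() { cat <<'EOF'
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:1:2::10/64 scope global dynamic \       valid_lft 86000sec
2: eth0    inet6 fd00:1234:5678::10/64 scope global dynamic \       valid_lft forever
2: eth0    inet6 fe80::1234:56ff:fe78:9abc/64 scope link \       valid_lft forever
EOF
}
# Constructed sample: the same host once only the ULA prefix is distributed.
sample_after() { sample_before | grep -v ' 2001:db8:'; }

# Demo on the constructed sample; on a real host: ip -6 -o addr show | list_global
sample_before | list_global
```

Note that `ip` reports both GUA and ULA addresses as "scope global", which is why the check classifies by prefix instead of by the scope field.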