Stop RA of one IPv6 tunnel, to prevent multiple global address assignment

Hi all
I hope that one of the super expert here can help me :slight_smile:
So the problem is this one: my ISP provides only a /64 (with 6in4 tunnel) which is fine for normal navigation, but not usable for some "advanced" stuff, such OpenVPN IPv6 tunnel (without using subnetting which will likely break everything else) and NAT46( where there is no workaround than NAT6 of local prefix).
I have created an HE tunnel for a nice /48 subnet, so now on my LEDE router I have two 6in4 tunnels, my ISP and HE.
The problem is that on my LAN I get both subnet prefix and consequently, the devices in the network, either via DHCP or SLAAC, or both, get the global address from both tunnels and select the source address based on their policy (normally the RFC6724). But I want that the devices, except the NAT46 and OpenVPN clinets, use my ISP address. I know how tweak it on Linux devices, by using the address deprecation, but as far as I know, little if not can be done for Windows machine and Smartphones.
So I am thinking about something more radical. In the end the devices that can use, or actually must use, the HE tunnel, are the one that will NOT get the IPv6 address via DHCP or SLAAC. So what if I just avoid that the HE /48 prefix is provided via DHCP and Router Advertisement? In the end I just need that the HE tunnel is routable and the Neighbours Discovery works. Note: it is ok if the LEDE router and only the LEDE router use also HE tunnel.
But how accomplish it? I see that there is a ICMPv6 accept rule in the default firewall configuration, is it enough if I move the HE tunnel in another firewall zone and drop the RA in ICMPv6? My doubts concern on which is the firewall zone where the tunnel termination assign the prefix to the router LAN, so I don't know if I can stop them somehow with firewall. Or maybe there are other alternatives?
Thanks, bye