I thought this was a problem too. Then I realized that addresses are not in short supply, so I stopped caring that some devices get multiple addresses. The ones I care about are handed out over DHCPv6, and the firewall works accordingly. The rest gets basic connectivity and nothing else.

Works great for me.

▲

candiddevmike a day ago | parent [-]

Don't you have problems with clients using the wrong source address and not matching firewall rules?

▲

kstrauser a day ago | parent | next [-]

Different person here, but no. I never write firewall rules based on individual source addresses. They’re too easy to fake. And with IPv6’s privacy extensions, you never know what source address a given machine will have anyway.

▲

gspr 21 hours ago | parent [-]

Interesting. How do you deal with destination addresses on your local network? DHCPv6 like the other poster and myself?

	▲	kstrauser 15 hours ago \| parent [-]
		I haven’t had a need for DHCPv6. I’d use DNS (or better, mDNS) to assign a hostname to the destination’s fixed IPv6 address or ULA, both of which are static. I don’t ever manually assign an IPv6 address to a host, though. I just let SLAAC do the thing it was designed for.

▲

gspr a day ago | parent | prev [-]

No. Admittedly, my firewall rules are all about granting something extra beyond the basics. I only do this for clients I care about anyway, so I can always tell them to use the right address.