I thought this was a problem too. Then I realized that addresses are not in short supply, so I stopped caring that some devices get multiple addresses. The ones I care about are handed out over DHCPv6, and the firewall works accordingly. The rest gets basic connectivity and nothing else.
Works great for me.
Don't you have problems with clients using the wrong source address and not matching firewall rules?
Different person here, but no. I never write firewall rules based on individual source addresses. They’re too easy to fake. And with IPv6’s privacy extensions, you never know what source address a given machine will have anyway.
Interesting. How do you deal with destination addresses on your local network? DHCPv6 like the other poster and myself?
I haven’t had a need for DHCPv6. I’d use DNS (or better, mDNS) to assign a hostname to the destination’s fixed IPv6 address or ULA, both of which are static. I don’t ever manually assign an IPv6 address to a host, though. I just let SLAAC do the thing it was designed for.
No. Admittedly, my firewall rules are all about granting something extra beyond the basics. I only do this for clients I care about anyway, so I can always tell them to use the right address.