WANs with IPv6 Configuration set to None still occasionally get IPv6 addresses

Started by MaeveFirstborn, December 09, 2024, 07:55:55 PM

Every once in a while, our OPNsense firewalls will report an IPv6 address on one or both of our WAN interfaces. The IP addresses are definitely not link-local addresses; they start with 2601, for instance. We absolutely do not have IPv6 enabled anywhere in our system. IPv4 is preferred in settings, all our firewall rules are explicitly only IPv4, and every interface has IPv6 set to None. The firewalls don't always receive an address, only occasionally on reboot. If it has one, it usually goes away after a reboot.

I have a second problem, and I can't tell if this is related or not - the secondary firewall's Unbound doesn't really work if the outgoing network interfaces include our WireGuard tunnels (which we want so that if the local domain controller fails, the firewall can route requests to another site's domain controller). The configuration of tunnels on the primary and secondary is identical aside from individual tunnel addresses. If I disable the WireGuard addresses on the outgoing interfaces on the secondary, Unbound works fine, but if not, it times out. First firewall seems fine. During the troubleshooting process for this, I discovered that the timeouts correlate to the firewall attempting to route to an IPv6 DNS server - which should be impossible, since we don't use IPv6, and I have no idea why it's trying to do this.

This forum thread (https://forum.opnsense.org/index.php?topic=29266.0) helped identify a similar issue and fixed it on the primary, but I'm still seeing it on the secondary.

Any insights? Thanks.