LAN clients unable to reach OPNsense via v6

Started by deadman, June 15, 2025, 12:15:40 PM

June 15, 2025, 12:15:40 PM Last Edit: June 15, 2025, 12:37:50 PM by deadman
Hi all, I have a dual-v6WAN setup that uses NPTv6 that doesn't work properly. Here's how the network is set up

(I use 2400::/64 and 2001::/48 addresses as placeholders in my post; obviously I use the proper prefixes assigned to me)

ISP -> WANv4 (DHCPv4)                -> OPNsense [2400::1234/64 | 2001::1/64] -> LAN Clients [2001::xx/64]
    -> WANv6 (DHCPv6) [2400::/64] ->
HE.net Tunnel (GIF)    [2001::/48] ->

I'm using NPTv6 as the LAN network was built using HE.net's prefix before the ISP started supporting v6. So NPTv6 is used to translate the LAN address to the ISP's prefix. The HE.net tunnel is kept around as a backup gateway. Router Advertisements is set to Assisted.

Everything works fine. v4 and v6 work in both directions. If I disable the ISP's v6 link, traffic automatically fails over to the he.net tunnel. I see that all LAN clients use the firewall's link-local address as the router.

The only thing that does not work is accessing OPNsense (the firewall) over its assigned [2001::1/64] v6 address. As such, it does not respond to DNS queries and LAN clients behave oddly while waiting for the v6 DNS query to time out.

I've verified that Unbound is working properly over v4. Unbound also properly responds to v6 queries done on the firewall itself (using the same v6 [2001::1/64] address).

Looking at the interface packet captures, I see the DNS query entering the firewall over the LAN interface, then leaving out of the GIF interface of the he.net tunnel. Nothing seems to be recorded in the firewall logs.

I believe this is likely a configuration error on my part, but where do I start?
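For readers unfamiliar with what the NPTv6 step in this setup actually does to an address, here is an added, stand-alone Python model of RFC 6296 prefix translation (it is not the poster's configuration or OPNsense code). It uses the post's placeholder prefixes 2001::/64 and 2400::/64 and shows that the translation is checksum-neutral: the prefix is swapped and one 16-bit word of the host part is adjusted so the one's complement sum of the address is unchanged. The mapping also works for /48 prefixes, where the subnet word is the one adjusted.

```python
import ipaddress

def _ones_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    while s > 0xFFFF:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def ones_complement_sum(addr: str) -> int:
    """One's complement sum of the eight 16-bit words of an IPv6 address."""
    n = int(ipaddress.IPv6Address(addr))
    total = 0
    for i in range(8):
        total = _ones_add(total, (n >> (16 * (7 - i))) & 0xFFFF)
    return total

def nptv6_translate(addr: str, inner: str, outer: str) -> str:
    """Map addr from the inner prefix to the outer prefix as RFC 6296 does.
    Calling it with (outer, inner) swapped reverses the mapping."""
    inner_net = ipaddress.IPv6Network(inner)
    outer_net = ipaddress.IPv6Network(outer)
    if inner_net.prefixlen != outer_net.prefixlen:
        raise ValueError("inner and outer prefixes must have equal length")
    plen = inner_net.prefixlen
    ip = ipaddress.IPv6Address(addr)
    if ip not in inner_net:
        raise ValueError(f"{addr} is not inside {inner}")
    # Step 1: swap the prefix bits, keep the host bits as they are.
    host_mask = (1 << (128 - plen)) - 1
    raw = int(outer_net.network_address) | (int(ip) & host_mask)
    words = [(raw >> (16 * (7 - i))) & 0xFFFF for i in range(8)]
    # Step 2: pick the word that absorbs the checksum difference:
    # bits 48-63 (the subnet word) for /48 or shorter prefixes, otherwise
    # the first IID word that is not 0xFFFF.
    if plen <= 48:
        k = 3
    else:
        k = next((i for i in range(4, 8) if words[i] != 0xFFFF), None)
        if k is None:
            raise ValueError("no adjustable IID word, all are 0xFFFF")
    # Step 3: delta = sum(original) - sum(rewritten), in one's complement,
    # added to word k so the whole address keeps the same sum.
    rewritten_sum = ones_complement_sum(str(ipaddress.IPv6Address(raw)))
    delta = _ones_add(ones_complement_sum(addr), ~rewritten_sum & 0xFFFF)
    new_word = _ones_add(words[k], delta)
    words[k] = 0 if new_word == 0xFFFF else new_word  # 0xFFFF is one's complement zero
    out = 0
    for w in words:
        out = (out << 16) | w
    return str(ipaddress.IPv6Address(out))
```

Note that the LAN address 2001::1 does not come out as 2400::1 but as 2400::fc00:0:0:1, which is why the firewall's own 2001::1 and its translated external form are two different addresses with the same checksum contribution.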