IPv6 is weird for someone coming from IPv4. Basically every IPv6 address is a public IP address. Your firewall is responsible for blocking inbound traffic from actually getting to the devices at these addresses. This replaces NAT. So, what I do is have a default rule that blocks all IPv6 traffic inbound. Then, instead of a NAT rule, port forwarding, etc., I just allow inbound traffic on certain ports to certain addresses.