diff --git a/src/etc/inc/interfaces.inc b/src/etc/inc/interfaces.inc
index e0fdf10d6..006697fbf 100644
--- a/src/etc/inc/interfaces.inc
+++ b/src/etc/inc/interfaces.inc
@@ -4339,6 +4339,7 @@ function interfaces_has_prefix_only($interface)
 
 function interfaces_primary_address($interface, $ifconfig_details = null)
 {
+    /* primary returns preferred local address according to configuration */
     $ifcfgip = $network = $subnetbits = null;
 
     foreach (interfaces_addresses($interface, false, $ifconfig_details) as $addr) {
@@ -4362,56 +4363,58 @@ function interfaces_primary_address($interface, $ifconfig_details = null)
     return [ $ifcfgip, $network, $subnetbits ];
 }
 
-/* XXX rename "primary" to "routed" as that is what it is */
-function interfaces_primary_address6($interface, $ifconfig_details = null, $allow_track = true)
+function _interfaces_primary_address6($interface, $ifconfig_details = null, $allow_track = true, $link_local = false)
 {
     $ifcfgipv6 = $networkv6 = $subnetbitsv6 = null;
 
-    if (interfaces_has_prefix_only($interface) && $allow_track) {
+    if ($allow_track && !$link_local && interfaces_has_prefix_only($interface)) {
         /* extend the search scope for a non-NA mode to tracking interfaces */
         $interface = array_merge([$interface], array_keys(link_interface_to_track6($interface)));
     }
 
     foreach (interfaces_addresses($interface, false, $ifconfig_details) as $addr) {
-        if ($addr['family'] != 'inet6' || $addr['deprecated'] || $addr['tentative'] || $addr['alias'] || $addr['scope']) {
+        if ($addr['family'] != 'inet6' || $addr['deprecated'] || $addr['tentative'] || $addr['alias']) {
+            continue;
+        }
+
+        if ($link_local && !$addr['scope']) {
+            continue;
+        } elseif (!$link_local && $addr['scope']) {
             continue;
         }
 
         $networkv6 = gen_subnetv6($addr['address'], $addr['bits']) . "/{$addr['bits']}";
         $subnetbitsv6 = $addr['bits'];
         $ifcfgipv6 = $addr['address'];
+        if ($link_local) {
+            $ifcfgipv6 .= "%{$addr['name']}";
+        }
         break; /* all done */
     }
 
     return [ $ifcfgipv6, $networkv6, $subnetbitsv6 ];
 }
 
+function interfaces_routed_address6($interface, $ifconfig_details = null)
+{
+   /* "routed" returns a non-link-local address only, possiby derived from tracking interfaces */
+    return _interfaces_primary_address6($interface, $ifconfig_details, true, false);
+}
+
 function interfaces_scoped_address6($interface, $ifconfig_details = null)
 {
-    $ifcfgipv6 = $networkv6 = $subnetbitsv6 = null;
-
-    foreach (interfaces_addresses($interface, false, $ifconfig_details) as $addr) {
-        if ($addr['family'] != 'inet6' || $addr['deprecated'] || $addr['tentative'] || $addr['alias'] || !$addr['scope']) {
-            continue;
-        }
-
-        $networkv6 = gen_subnetv6($addr['address'], $addr['bits']) . "/{$addr['bits']}";
-        $subnetbitsv6 = $addr['bits'];
-        $ifcfgipv6 = "{$addr['address']}%{$addr['name']}";
-        break; /* all done */
-    }
-
-    return [ $ifcfgipv6, $networkv6, $subnetbitsv6 ];
+    /* "scoped" returns own link-local address only */
+    return _interfaces_primary_address6($interface, $ifconfig_details, false, true);
 }
 
-/* XXX rename "prefix" to "primary" as that is what it is */
-function interfaces_prefix_address6($interface, $ifconfig_details = null)
+function interfaces_primary_address6($interface, $ifconfig_details = null)
 {
+    /* primary returns preferred local address according to configuration */
     $ifcfgipv6 = $networkv6 = $subnetbitsv6 = null;
 
     if (interfaces_has_prefix_only($interface)) {
-        return interfaces_scoped_address6($interface, $ifconfig_details);
+        return _interfaces_primary_address6($interface, $ifconfig_details, false, true);
     }
 
-    return interfaces_primary_address6($interface, $ifconfig_details, false);
+    return _interfaces_primary_address6($interface, $ifconfig_details, false, false);
 }
diff --git a/src/etc/inc/plugins.inc.d/dpinger.inc b/src/etc/inc/plugins.inc.d/dpinger.inc
index 3a3ddd437..7fc0621d7 100644
--- a/src/etc/inc/plugins.inc.d/dpinger.inc
+++ b/src/etc/inc/plugins.inc.d/dpinger.inc
@@ -220,7 +220,7 @@ function dpinger_configure_do($verbose = false, $gwname = null, $bootup = false)
                 /* link local monitor needs a link local address for the "src" part */
                 list ($gwifip) = interfaces_scoped_address6($gateway['interface'], $ifconfig_details);
             } else {
-                list ($gwifip) = interfaces_primary_address6($gateway['interface'], $ifconfig_details);
+                list ($gwifip) = interfaces_routed_address6($gateway['interface'], $ifconfig_details);
             }
 
             if (empty($gwifip) && is_ipaddrv6($gateway['gateway'])) {
diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc
index d49dd21af..b84a3efb8 100644
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@@ -570,7 +570,7 @@ function ipsec_idinfo_to_cidr(&$idinfo, $addrbits = false, $mode = '')
                 $mode = $idinfo['mode'];
             }
             if ($mode == 'tunnel6') {
-                list (, $network) = interfaces_primary_address6($idinfo['type']);
+                list (, $network) = interfaces_routed_address6($idinfo['type']);
                 return $network;
             } else {
                 list (, $network) = interfaces_primary_address($idinfo['type']);
diff --git a/src/etc/inc/plugins.inc.d/unbound.inc b/src/etc/inc/plugins.inc.d/unbound.inc
index 2dc70b74f..5c2b2cc45 100644
--- a/src/etc/inc/plugins.inc.d/unbound.inc
+++ b/src/etc/inc/plugins.inc.d/unbound.inc
@@ -419,7 +419,7 @@ function unbound_add_host_entries($ifconfig_details)
             }
 
             list ($laddr) = interfaces_primary_address($interface, $ifconfig_details);
-            list ($laddr6) = interfaces_primary_address6($interface, $ifconfig_details);
+            list ($laddr6) = interfaces_routed_address6($interface, $ifconfig_details);
 
             foreach (['4' => $laddr, '6' => $laddr6] as $ip_version => $addr) {
                 if (empty($addr)) {
diff --git a/src/etc/rc.newwanipv6 b/src/etc/rc.newwanipv6
index 7e48e534d..b1889ef3f 100755
--- a/src/etc/rc.newwanipv6
+++ b/src/etc/rc.newwanipv6
@@ -62,7 +62,7 @@ if (!isset($config['interfaces'][$interface]['enable'])) {
 system_resolver_configure();
 
 $interface_descr = convert_friendly_interface_to_friendly_descr($interface);
-list ($ip) = interfaces_prefix_address6($interface);
+list ($ip) = interfaces_primary_address6($interface);
 
 if (!is_ipaddr($ip)) {
     /* interface is not ready */
diff --git a/src/opnsense/scripts/shell/banner.php b/src/opnsense/scripts/shell/banner.php
index ec3b6eb7f..95b853ef0 100755
--- a/src/opnsense/scripts/shell/banner.php
+++ b/src/opnsense/scripts/shell/banner.php
@@ -89,7 +89,7 @@ foreach ($iflist as $ifname => $ifcfg) {
     list ($primary,, $bits) = interfaces_primary_address($ifname, $ifdetails);
     $network = "{$primary}/{$bits}";
 
-    list ($primary6,, $bits6) = interfaces_prefix_address6($ifname, $ifdetails);
+    list ($primary6,, $bits6) = interfaces_primary_address6($ifname, $ifdetails);
     $network6 = "{$primary6}/{$bits6}";
 
     $tobanner = "{$ifcfg['descr']} ({$realif})";