Updated to macOS 15.0 on 2 x MacBook Air and 1 x Mac mini and unable to connect to Wifi. iPhones, iPads & HomePods updated to 18.0 are OK.

APs are hAP ax2 and hAP ax3 capsman managed by RB5009.

Will troubleshoot tomorrow.

If you using Unifi,and enable ipv6 with unifi. U will get /64 subnet which will auto distribute by the router to device.
And every device under the network will get a unique ipv6 address with 3 days lease time. (Which mean every 3days or eveytime you reboot your router,your device ipv6 address will changes)

Unless you only enable the ipv6,and only allow local ipv6 address,then u will only have one ipv6 address with your router,and all ipv6 will be running under NAT mode.

Remember to change the in-interface to suit your LAN
Note that this is all the firewall rules I have as I removed all the default rules

In my use case, IPv6 traffic is 4.73x more than IPv4. You should get full 1Gbps even on ancient Mikrotik device. The improvement is substantial.

IPv6 means every device get their own Global Unique Address (GUA). They can have both a GUA and also a Unique Local Address (ULA). They can have special address like ORCHIRD too. Or Segment Routing v6. You cannot use IPv4 knowledge to understand IPv6. You must unlearn IPv4 and learn IPv6 fresh! This is why old dog in the industry has a hard time with IPv6. It is a paradigm shift.

1) Yes firewall in Mikrotik is still very important. Yes router route traffic. You need to understand the packet flow diagram of RouterOS first: https://wiki.mikrotik.com/Manual:Packet_Flow
2) Computer know it is lan traffic from the configured subnet mask.
Yes IPv6 is faster than IPv4 if they both go the same route. hap ac2 can definitely get 1Gbps with fasttrack.
I removed all the default firewall rules and yes there are only 3. I can do that because I disabled all services on my router. Not running codes in the first place means zero chance of security issue.

Anytime you modify firewall rules, you need to nmap yourself, from your LAN and also the Internet.

Ok, here is the problem with TM IPv6.
1. It is only /64
2. It is dynamic and not tied to DUID at all

Which means it is useless if you have more than 1 VLAN that needs IPv6. You can assign it to one of your VLAN while other VLAN continue without IPv6.
If you are not using Android device, you can try using DHCPv6 and slice a smaller subnet from the /64.

Regarding your firewall security question, my opinion:
Endpoint security is superior to perimeter security.

If you can have all your device operate properly in hostile network, nobody can touch you. Basically it comes down to only a few thing:
1. Audit all the port that accept traffic, both TCP and UDP
2. Use SELinux on all services with open port. Or limit them with constrained SELinux user. Or container runtime like Firecracker.
3. Do not do anything unencrypted and unauthenticated. This means using NTS instead of NTP. Using DoH instead of plain DNS. Enforce HTTPS instead of allowing HTTP fallback. Disable all captive service (from OS and browser).
4. Practice security hygiene.

As you can see, even without firewall on your endpoint, you are pretty much untouchable if you know what you are doing.
For development, bind to ::1 or 127.0.0.1.

Even if your subnet don't have global IPv6 address, you can bind to ULA for all your local services, like fc00::/64. This means all the IPv6 traffic is local subnet only. You don't even need firewall rule as the routing table will prevent your LAN traffic from leaking, ever!
The same cannot be said for IPv4.

I will offer my perspective from running infrastructure and also address your security hygiene issue.

IPv6 will replace IPv4 whether you like it or not:
1. IPv4 routing table is getting excessively large and fragmented they require hardware with serious amount of TCAM or HBM
2. For dual stack to work, I need 2 copy of routing table, one for IPv4, another for IPv6. For the simplest BGP setup of dual upstream, that's a minimum of 4 routing tables.
4. IPv6 don't need to calculate checksum since it doesn't have one. This is not just about end-user speed, it is about scalability. Very few routing SOC can saturate a port with single stream. The only one I know is Cisco One Silicon and Nokia FP5. This is a deep topic to discuss here. Research run to completion network silicon.
5. It prevent new player from coming into the market. If I decide to start a new ISP, I cannot get anymore new IPv4 address. Even if I am able to get IPv4 address, it will only be a /24 and it cost a fortune. It prevent competition, and network design that does IPv4 simply sucks from this point of view.
6. Running CGNAT cost money. Money in term of hardware and scaling. Money in term of licensing fees. "Money" in term of hardware choice.
7. IPv4 requires all kind of hack like ALG, STUN and firewall hole punching.

Addressing your security hygiene:
The last point above is directly related to why games will give you firewall prompt. They are performing hole punching for you to get a an end-to-end connection. Same happens to any app that makes and receive calls like WhatsApp. If it happen in your web browser, you firewall already allows it.

Not practicing security hygiene will eventually get you pwned. It is not even APT level sophistication.
1. Attack of known patched security vulnerability. Not performing Windows Update falls under this.
2. End user clicking on things. Clicking on unknown thing falls under this. Also include clicking links and running unknown codes. Your kids clicking on prompt to literally disable security. Rightly includes plugging in thumb drive you picked up outside.

Your whole argument with using IPv4 comes down to depending on NAT to protect you. All the IPv6 firewall rules in Mikrotik is to emulate this exact behavior in IPv6. The reason is a legacy one. All RouterOS before 7.2 (Don't remember exact version) do not support NAT66.

If you want to have this exact behavior, a more effective way it still to remove the rules and do NAT66 properly. By doing this, you will also requires all the NAT hack to make your app work. If your app backend don't do STUN and hole punching in IPv6, it will stop working.

Depending on your Mikrotik to secure your family with zero security hygiene is a terrible idea. It is not even an IDS / IPS. It is just a router with very basic firewall capability.

Security hygiene starts with education.
No product can save you from ignorance. Not even IPS.
Same goes to sex education and religion. Refusal to talk about it won't save you.

Massive MikroTik router botnet has been spreading malware – here’s how to stay safe
https://www.tomsguide.com/computing/online-...ow-to-stay-safe

Attacker compromised all these routers by scanning the IPv4 address space. No way they can effectively scan an IPv6 address space.

Thanks for your helps.
Now my result not accurate...haha cant compare.
Let me fix it with TM 1st. I observe tonight,maybe will contact TM tomorrow or Sunday.