My Sophos firewall is getting an assigned IPv6 address for its WAN interface along with a delegated /64 as expected but when I use the delegated address for my LAN subnet and try to ping6 some public IPv6 addresses (Google DNS 2001:4860:4860::8888) from an internal host, I'm not getting a response.

I can get on the firewall and see the un-NAT'ed outbound traffic on the WAN interface but no response. If instead I configure the firewall to NAT that traffic behind the assigned WAN address, the ping6 works.

It's as if the delegated subnet isn't properly routed back to my WAN address on Comcast's side.  Any ideas why this isn't working?  It used to work fine.