Finally got this sorted. Zen offered a loan router as I couldn't find the original and it arrived next day, which was nice. Then, after spending over an hour on the phone to a tech person they finally passed the issue over to their IPv6 team who rebuilt the connection and all is now fine. Well, I say all is fine - After I configured everything I started receiving reports that xbox was not working and sure enough xbox.com is painfully slow to load when connecting with IPv6 - I'll look into that one day, could be DNS related. All I really needed to do was get some servers connected so I can play with DNS AAAA records and get some web servers running IPv6. Had to disable the local DHCPv6 server as it either leases addresses to all or nothing. Couldn't find a way of only releasing the static entries so ended up with static IPv6 addresses for just the servers I wanted. Everything seems to be OK for now. Thanks all for your replies and help.

@EDaleH Thanks for your input on this matter. This issue is not related to the DHCP server, especially KEA DHCP. We are still on pfSense 2.6 as mentioned, so ISC DHCP is in use, and there are no lease problems. Lease times are already configured correctly. The core reason that @Gertjan pointed out is correct and seems to be the right direction to get this resolved. It doesn’t affect everyone, but systems under heavy load during peak hours are the ones that usually run into it. The issue is a race condition under load. If the pruning process takes a long time to enumerate and remove old entries, and a new session or disconnection occurs, or if the process is interrupted or times out, the lock file may remain or the process might not finish its database write cleanly. This can leave the system in a partial state where the voucher record is removed but the session is still present. I also believe this issue also exists in pfSense+ since the captive portal code is same in the areas related to this behavior.

Really appreciate you circling back with the full explanation — this is extremely useful for anyone running multi-WAN with Starlink in the mix.