Re: ipv6 maybe has arrived.

[jeremy ardley <jeremy@ardley.org>]

On 9/2/23 04:54, gene heskett wrote:
> My several machine home net is behind a dd-wrt install, NAT'ed so that 
> any machine here has access to the net via the ipv4 address my router 
> obtains from them. That legally is a dynamic address but hasn't 
> changed in the decade and a half since I last switched isp's to one 
> that just worked courtesy of cloning the mac from one router to its 
> backup.
>
> So now my question is, can I maintain the same level of security if I 
> start using an ipv6 address in my router?
>
> And if so, how do I maintain the NAT, & how would I do it? Or am I 
> better off to not kick this sleeping dog called ipv6?

You have three options.

1. Eradicate IPv6 completely and carry on with your IPv4

2. Go all-in and use IPv6 without NAT (but still keep IPv4 with NAT), 
but with the necessary firewall protections

3. Use IPv6 (and IPv4) with NAT and some firewall

Personally I use (2) - which is likely the case for most domestic users 
of Internet with access to dual stack IPv4 and IPv6.

I don't know dd-wrt. In my case I use an Armbian based firewall/router 
using iptables with rulesets for IPv4 (NAT) and IPv6 (native).

I find that the large majority of my web traffic is IPv6

I should also note that many internet routers these days support dual 
stack IPv6 IPv4 and are generally 'safe' for domestic use. My fallbacks 
if my Armbian firewall/router fails include simply giving in and putting 
in a modern router/modem.


Jeremy