jeremy ardley <jeremy@ardley.org> writes:
In the case of adding IPv6 without NAT, then without a firewall, external baddies can connect unsolicited to your internal devices. Some of your devices will
have their own personal firewalls already, e.g. any Windows machine. Some won't, e.g. a printer. In the printer case it would be unfortunate if your printer
suddenly started printing out obscenities. You get the picture.
One point about the IPv6 without NAT: for external connectivity, you
still need to explicitly allow IP forwarding in the *router* and also in
the router's firewall. In Linux terms of course, but Gene said he has
dd-wrt in his router.
If forwarding is not enabled, then the LAN IPv6 hosts are just as
isolated from incoming traffic from the internet as hosts behind NAT.
This was a happy revelation when I started playing with IPv6 last
year. Mostly because systemd-networkd grew built-in 6rd support and
that's all my extremely backward ISP does for IPv6 so it was super easy
to try.
The other option of NAT for your IPv6 is frowned on
I don't know why though. The other IPv6 access I have is through a VPN
and there, for privacy, of course my connection is NATted to the same
exit IPv6 address as everyone else's. IPv6 defines the range fc00::/7 as
unique local addresses which are similar to IPv4 private network ranges
and I get a local IPv6 address from that range from the VPN server.
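An added example, not part of the original message: an nftables ruleset for a Linux router that forwards IPv6 without NAT while still dropping unsolicited inbound connections to LAN hosts such as the printer mentioned above. The interface names `wan0` and `lan0` and the table name `router_fw` are assumptions, and the example assumes a router running nftables rather than dd-wrt's own firewall.

```nft
#!/usr/sbin/nft -f
# Added example. Interface and table names are assumptions; adjust to the router.
# Forwarding itself is a separate kernel switch and must also be on:
#   sysctl -w net.ipv6.conf.all.forwarding=1
# With that switch off, nothing below is reached and LAN hosts stay isolated.

define WAN = "wan0"
define LAN = "lan0"

table ip6 router_fw {
    chain forward {
        # Default deny: anything not explicitly accepted is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that LAN hosts opened themselves, plus
        # related traffic such as ICMPv6 errors for those connections.
        ct state established,related accept

        # Packets that conntrack cannot associate with any valid flow.
        ct state invalid drop

        # LAN hosts may open new connections outward.
        iifname $LAN oifname $WAN accept

        # New connections arriving on WAN for a LAN address match no rule
        # above and fall through to the drop policy, so hosts with global
        # IPv6 addresses are no more reachable than they were behind NAT.
    }
}
```

A host that must accept inbound connections gets its own rule above the final comment, matching its address and port, rather than a change to the chain policy.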