jeremy ardley <jer...@ardley.org> writes:

> In the case of adding IPv6 without NAT, then without a firewall, external
> baddies can connect unsolicited to your internal devices. Some of your
> devices will have their own personal firewalls already, e.g. any Windows
> machine. Some won't, e.g. a printer. In the printer case it would be
> unfortunate if your printer suddenly started printing out obscenities.
> You get the picture.

One point about the IPv6 without NAT: for external connectivity, you still need to explicitly allow IP forwarding in the *router* and also in the router's firewall. In Linux terms of course, but Gene said he has dd-wrt in his router. If forwarding is not enabled, then the LAN IPv6 hosts are just as isolated from incoming traffic from the internet as hosts behind NAT.

This was a happy revelation when I started playing with IPv6 last year. Mostly because systemd-networkd grew built-in 6rd support and that's all my extremely backward ISP does for IPv6, so it was super easy to try.

> The other option of NAT for your IPv6 is frowned on

I don't know why though. The other IPv6 access I have is through a VPN and there, for privacy, of course my connection is NATted to the same exit IPv6 address as everyone else's.

IPv6 defines the range fc00::/7 as unique local addresses which are similar to IPv4 private network ranges and I get a local IPv6 address from that range from the VPN server.
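
The two router-side switches mentioned in the reply above (kernel forwarding and the firewall's forward path), shown as an added example that is not part of the original message. It assumes a Linux router using nftables; the table name `router_fw` and the interface names `wan0` and `lan0` are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example. Assumed names: table "router_fw", interfaces "wan0" / "lan0".
#
# Switch 1 (kernel): no IPv6 packet crosses the router unless forwarding is on:
#   sysctl -w net.ipv6.conf.all.forwarding=1
#
# Switch 2 (firewall): the forward hook decides which packets may cross.
# With forwarding on and this chain left at "policy accept" with no rules,
# every globally addressed LAN host is reachable from the internet.

table ip6 router_fw {
    chain forward {
        # Default-deny: anything not matched below is dropped.
        type filter hook forward priority 0; policy drop;

        # Packets conntrack cannot associate with a valid flow.
        ct state invalid drop

        # Return traffic for flows that LAN hosts opened. ICMPv6 errors
        # tied to a tracked flow (e.g. packet-too-big) match "related".
        ct state established,related accept

        # LAN hosts may open new connections outward.
        iifname "lan0" oifname "wan0" accept

        # No rule accepts new flows arriving on wan0, so an unsolicited
        # connection to a LAN device such as a printer hits the drop policy.
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list table ip6 router_fw`.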