by BorRagnarok 2546 days ago
The complexity in those few sentences you wrote alone makes me want to keep doing nice and simple and reliable IPv4. I don't think I'll ever transition, because the amount of knowledge I have to acquire to trust myself with all the complexities of IPv6 is gigantic. IPv4, however, is simple. I can have a simple firewall at home that does NAT, a DHCP server and I'm done and secure. Well ok, secure enough. But I don't even know how to find out what documentation to study to make that same setup on IPv6.
1 comments

IPv6 works the same way.

Masquerading NAT is not a security feature. You need state tracking to build a masquerading NAT (so that your residential gateway knows which internal machine to route reply traffic to), and once you have state tracking, you can build a stateful firewall. It doesn't matter which version of IP is carrying the traffic; it still has to go through your gateway before it can get to you, and the gateway can do all the policing you want it to.

If you want certain services on your internal machines to be reachable from the outside over IPv6, you open up that service's port in your gateway's firewall configuration, which is ... exactly what you do for IPv4 too.

OpenWrt (a popular third-party residential gateway firmware) has a stateful IPv4 and IPv6 firewall and DHCPv6/PD support out of the box. You flash it, and if your ISP provides IPv6, you're done. If they don't, you can set up e.g. a 6in4 tunnel with Hurricane Electric, and you're done.

It's not complicated. Yes, you have to learn some things, but they're the same things you had to learn when you were starting out with IPv4.
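
A ruleset illustrating the comment above, added here as an example and not part of the thread or of OpenWrt's own configuration: one nftables `inet` table applies the same stateful forward policy to IPv4 and IPv6, while masquerading sits in a separate IPv4-only table. The interface names `br-lan` and `wan`, the host address (taken from the 2001:db8::/32 documentation prefix) and port 443 are assumptions.

```nftables
# Constructed example for a residential gateway; names and addresses are assumptions.

# The "inet" family matches both IPv4 and IPv6, so one policy covers both.
table inet gateway_fw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Reply traffic for connections the LAN started. This is the same
        # connection-tracking state a masquerading NAT relies on.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open new connections outward.
        iifname "br-lan" oifname "wan" accept

        # IPv6 depends on these ICMPv6 messages (path MTU discovery, errors).
        meta l4proto ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # A deliberately exposed service: HTTPS on one internal host.
        # Without this rule the host's global address is unreachable from outside.
        iifname "wan" ip6 daddr 2001:db8:1234:1::10 tcp dport 443 ct state new accept

        # Everything else arriving from "wan" falls through to policy drop.
    }
}

# Address translation is separate from filtering and only needed for IPv4.
table ip gateway_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan" masquerade
    }
}
```

Deleting the `gateway_nat` table leaves the forward policy unchanged: unsolicited inbound packets are still dropped for both address families.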