[throw0101a]

> In consumer routers, port forwarding is the exact same thing as an inbound traffic firewall. But when I turn on IPv6, what is the equivalent? Is my printer still protected from random inbound internet traffic?

Copy-pasting from a previous discussion a little while ago:

---

IPv4+NAT does not remove any more classes of problems than IPv6+firewall. Firewalls under IPv6 work exactly the same way as they do with IPv4.

An IP connection is started from the 'inside' to the 'outside', and the source-destination tuple is recorded. When an 'outside' packet arrives the firewall checks its parameters to see if it corresponds with an existing connection, and if it does it passes it through. If the parameters do not correspond with anything in the firewall's table/s it assumes that someone is trying to create a new connection, which is generally not allowed by default, and therefore drops it.

The main difference is that with IPv4 and NAT the original (RFC 1918?) source address and port are changed to something corresponding to the 'outside' interface of the firewall.

With IPv6 address/port, rewriting is not done. Only state tables are updated and checked.

New connections are not allowed past the firewall towards the inside with either protocol, and only replies to connections opened from the inside are passed through.

There's no magical security behind NAT: tuples and packet flags are read, looked up in a state table, allowed or not depending on either firewall rule or state presence.

The security comes from the state checking.

[…]

I have a printer with an IPv6 stack. I also have IPv6 addresses from my ISP. Yet somehow my Asus AC-68U prevents the public Internet from reaching my printer.

---

* https://news.ycombinator.com/item?id=28390634

IPv6 firewall on my Asus:

* https://www.asus.com/us/support/FAQ/1013638/

If you want to test, find the IPv6 address of your printer and try pinging it:

* https://tools.keycdn.com/ipv6-ping

[lokedhs]

Ping will still likely work. At least I can ping all my machines on my private network. However, I'm not able to ssh into it or anything else, because all traffic is dropped.

It all depends on firewall configuration, but I think you may unnecessarily scare people by suggesting they're wide open just because ping works.

[kazen44]

ICMP should be allowed anyways because of MTU path discovery.

stop disabling ping

[throw0101a]

> ping

True. There are IPv6 port scanners available:

* http://www.ipv6scanner.com/cgi-bin/main.py

* https://www.subnetonline.com/pages/ipv6-network-tools/online...

[GrayShade]

All right, but assuming I have a dynamic DNS setup, how do I connect to one of the hosts in my network?

I think most OSes do that privacy thing where they periodically randomize the suffix of their v6 address.

[yrro]

Your hosts will also use SLAAC to determine their permanent 'management' address, that's the one you use for connecting _to_ them.

The 'management' address won't be used as the source addrrss packets originating _from_ the host unless the use of temporary/privacy addresses is disabled.

[lillecarl]

I need to remove IPv4 from my home network so that I can finally try and understand all mechanics around it properly.

[yrro]

If you've not seen it before - check out https://ipv6.he.net/certification/ - it's a pretty neat basic IPv6 training course.

[lillecarl]

As a matter of fact I'm an "enthusiast" already, but since I was using the HE tunnelbroker I was banned from several services, I'll have to get a VPS with a /56 or smth and wireguard over it. I'm a bit uncertain still about MTU so I'm thinking about just fragmenting stuff on 1500 and take the penalty hit (still can't get v6 in most of residential Sweden)

[throw0101a]

Given the number of addresses available in a /64 IPv6 subnet, pick a value to statically assign to it and use that. If you have a SSH bastion host / jump box, perhaps pick ::22 as the end address part.

A friend assigned ::25 for the service vIP of his SMTP server/process, and ::143 for IMAP. Your web(mail) host could be ::80 and/or ::443. All on the same host (if you wish). If you have an HA setup you can have the vIP failover by using (e.g.) keepalived.

Using tokens may be of some interest as well:

* https://man7.org/linux/man-pages/man8/ip-token.8.html

You can have a public prefix address, as well as a local 'private' ULA address at the same time. In some ways I wish the best practice would be for IoT devices and appliances (like printers) only have link-local addresses, and perhaps ULA if advertised, with global addresses only configured via config switch. It would perhaps allay some the concerns that people have (like you do).