by vel0city 1207 days ago
> what would be the best way forward to keep it that way in a IPv6-only future?

Firewalls. You configure what traffic should be allowed from whom to whom. Default deny incoming traffic, and it's the same behavior as when you had a NAT.

Something having a routable IP address doesn't mean it needs to receive all traffic addressed to it.

2 comments

The problem I have had with this setup is that allowing inbound traffic to things that need it becomes tricky. Some devices (like Android) don't support DHCPv6, and some firewalls don't let you do suffix matching. With a dynamic block via PD, the rules to allow inbound traffic to, say, an Xbox become quite complicated.
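To make the two points above concrete (default-deny inbound on a routed IPv6 network, and an inbound pinhole that survives a changing delegated prefix), here is an added example: a minimal nftables ruleset for a Linux home router. It is not from the thread or from any commenter's setup. The interface names (`wan0`, `lan0`), the console's interface identifier (`::0211:22ff:fe33:4455`) and the port (UDP/3074) are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): a minimal IPv6 firewall for a home
# router that reproduces the "default deny inbound" behaviour NAT used to
# give, plus one rule that matches only on the host's interface identifier
# (the lower 64 bits) so it keeps working when the ISP changes the prefix.
# Placeholders: WAN is "wan0", LAN is "lan0", the console's stable IID is
# ::0211:22ff:fe33:4455 and it needs UDP/3074 reachable from the Internet.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is not optional in IPv6: NDP, PMTUD and RAs all depend on it.
        meta l4proto ipv6-icmp accept

        # Replies to the router's own DHCPv6-PD client on the WAN side.
        iifname "wan0" udp sport 547 udp dport 546 accept

        # Hosts on the LAN may talk to the router itself (DNS, SSH, ...).
        iifname "lan0" accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        meta l4proto ipv6-icmp accept

        # Outbound from the LAN is allowed, exactly as it was behind NAT.
        iifname "lan0" oifname "wan0" accept

        # Inbound pinhole keyed on the interface identifier only. ANDing the
        # destination with ::ffff:ffff:ffff:ffff discards the /64 prefix, so
        # a new prefix from PD does not invalidate the rule.
        iifname "wan0" oifname "lan0" ip6 daddr & ::ffff:ffff:ffff:ffff == ::0211:22ff:fe33:4455 udp dport 3074 accept
    }
}
```

Load it with `nft -f` and check the pinhole with `nft list chain inet filter forward`. The caveat a practitioner wants here is the one this comment hints at: suffix matching only helps for hosts whose interface identifier is stable (EUI-64, a configured IPv6 token, or an address the router hands out with DHCPv6). A phone using RFC 4941 temporary addresses, or a device that rotates its identifier per network, gives you nothing fixed to match on, so for those the changing prefix is not the only problem.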
You can still have a firewall on the router level, just as you do with IPv4. You shouldn’t allow any external traffic by default anyway and NAT shouldn’t be a security measure.
I know, I'm saying that when you want to embrace global routable addresses for outbound AND inbound, it's hard with Prefix Delegation and spotty DHCPv6 support.

ISPs should be forced to let customers get IPv6 prefix reservations. Yes, PD doesn't change for most, but I'd rather not use PD at all.

My ISP does not allow BYOM (bring your own modem) and assigns me a /64 net, so I have a hard time running an (IPv6) router behind it that would do the firewalling. I guess I'm stuck with IPv4 for the time being...
A firewall can be run "in-line" and not have IP addresses on the interfaces. On a Palo Alto firewall this would be a "virtual wire", and "transparent firewall" or "bridging firewall" would be other common terms.

Examples: https://docs.opnsense.org/manual/how-tos/transparent_bridge.... https://docs.netgate.com/pfsense/en/latest/bridges/index.htm... https://www.fortinet.com/resources/cyberglossary/transparent...

Thanks for the hints. Currently, I have a fully routed setup with two routers behind the ISP's box, multiple wireless networks and VPN uplinks (via WireGuard) to my servers. It's just that all of this is IPv4, because I don't see any way of doing that using a single /64 network.
Doesn't it let you put it in bridge mode (i.e. modem only)?
ISP uses DS-Lite: ipv6 is native, ipv4 is 4-in-6/CG-NAT. When I switch to bridge mode, it loses ipv6 connectivity, so sadly, that's not an option if ipv6 is the goal.
I see. Or rather, I don't quite. :D

I'm not very familiar with DS-Lite. My ISP also uses CG-NAT but I get my connection details over DHCP - both native v6 with /56 PD and the v4 CG-NAT 100.x.x.x IP. That means I connect my OpenWRT router directly to the ISP's plug in the flat.

You said v6 is native for you, but if you put the modem in bridge mode you lose v6 connectivity. Why is that so? Shouldn't you lose v4 instead, which relies on tunneling?

Does your ISP's router not have a firewall?
A very very inconvenient one.