by adriancr 1207 days ago
Although I'm going to get comments saying this is wrong...

What I did was:

- IPv6 DHCP - private address range within: fc00::/7

- IPv6 NAT, same as for IPv4.

- Firewall.

Why:

- Digital Ocean only allowed ~16 IPv6 addresses.

- I wanted a local IPv6 network exiting through Digital Ocean.

- I see no reason to give public routable addresses to each device in my home (allows remote websites to determine who is calling it and set up profiles/target each remote device).

- Sure, privacy extensions which cycle unique addresses, but it still allows profiling based on source address, even if a bit of work is needed for each new address.

2 comments

Why would your firewall allow your ipv6 IoT devices to receive inbound connections from the internet? What's the difference between "ipv6 Nat" and a firewall when there's not likely to be any address overlap?

> Why would your firewall allow your ipv6 IoT devices to receive inbound connections from the internet?

It does not; the problem is with outbound connections.

> What's the difference between "ipv6 Nat" and a firewall when there's not likely to be any address overlap?

Outbound connections can be profiled by remote websites.

With NAT (Well... Port-address-translation to be fair, so single outgoing address), traffic can't as easily be profiled.

Imagine ISPs/Ad providers having an easier time identifying you, your spouse, your kids, etc. (and device, and so on just by observing addresses)

With initial SLAAC it is even nicer as MAC address is included in the address... Can look up device much easier just cross reference manufacturer database...
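
A check for the SLAAC point in the comment above, as an added example that is not part of the original thread: it flags addresses whose interface ID is a modified EUI-64 (RFC 4291, Appendix A) and recovers the embedded MAC and OUI, so you can audit which of your own hosts expose it. The sample addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample addresses (documentation prefix 2001:db8::/32 and a ULA).
SAMPLE_ADDRESSES = [
    "2001:db8:1:2:0211:22ff:fe33:4455",      # EUI-64 from 00:11:22:33:44:55
    "2001:db8:1:2:5c3a:9e01:77b2:c4d8",      # randomized interface ID
    "fd12:3456:789a:1:a8bb:ccff:fedd:eeff",  # ULA, EUI-64 from aa:bb:cc:dd:ee:ff
]

ULA = ipaddress.ip_network("fc00::/7")


def embedded_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None.

    Heuristic: a random interface ID can contain ff:fe in the middle by
    chance (about 1 in 65536), so treat a hit as "very likely MAC-derived".
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]  # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip applied when the ID was built.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """Summarise each address: ULA or not, embedded MAC, vendor OUI."""
    rows = []
    for a in addresses:
        mac = embedded_mac(a)
        rows.append({
            "address": a,
            "ula": ipaddress.IPv6Address(a) in ULA,
            "mac": mac,
            "oui": mac[:8] if mac else None,  # first 3 bytes identify the vendor
        })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_ADDRESSES):
        print(row)
```

Hosts that show a MAC here are using the original SLAAC scheme; enabling temporary or stable-privacy addresses on them removes the hardware identifier from the address.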

Digital Ocean has horrible IPv6 support, I would just move to another provider. Most VPS providers will, at the very least, provide you with a /64.