Hacker News
by groestl 1207 days ago
My ISP does not allow BYOM (bring your own modem) and assigns me a /64 net, so I have a hard time running an (ipv6) router behind it that would do the firewalling... I guess I'm stuck with ipv4 for the time being...
4 comments

A firewall can be run "in-line" and not have IP addresses on the interfaces. On a Palo Alto firewall this would be a "virtual wire", and "transparent firewall" or "bridging firewall" would be other common terms.

Examples: https://docs.opnsense.org/manual/how-tos/transparent_bridge.... https://docs.netgate.com/pfsense/en/latest/bridges/index.htm... https://www.fortinet.com/resources/cyberglossary/transparent...
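A minimal nftables ruleset for the in-line, address-less firewall described above, added here as an example (it is not from the thread or from any of the linked docs). It assumes a Linux box whose bridge br0 joins an ISP-facing port named wan0 and a LAN port named lan0, and a kernel of 5.3 or newer so that stateful (ct) matching works in the bridge family.

```nft
#!/usr/sbin/nft -f
# Added example: stateful IPv6 filtering on a Linux bridge with no IP
# addresses of its own. Assumed port names: wan0 (towards the ISP box)
# and lan0 (towards the home network), both enslaved to br0.
flush ruleset

table bridge fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions already tracked, in either direction
        # (covers the plain IPv4 the ISP box hands out as well).
        ct state established,related accept
        ct state invalid drop

        # Neighbour and router discovery must cross the bridge, otherwise
        # hosts behind it never learn the ISP router or their /64.
        icmpv6 type { nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # ICMPv6 error types the IPv6 path depends on (RFC 4890).
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # ARP so IPv4 hosts on both sides can still resolve each other.
        ether type arp accept

        # The LAN side may open any new connection towards the ISP.
        iifname "lan0" oifname "wan0" accept

        # From the ISP side, only explicitly published services reach the
        # LAN. 2001:db8::10 is a constructed placeholder address.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8::10 tcp dport 22 accept

        # Everything else arriving from the ISP side hits the drop policy.
    }
}
```

Because the bridge never answers for an address, hosts behind it still receive the ISP router's advertisements and keep their /64; only the filtering moves onto the bridge.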

Thanks for the hints. Currently, I have a fully routed setup with two routers behind the ISP's box, multiple wireless networks and VPN uplinks (via wireguard) to my servers. It's just that all of this is ipv4, because I don't see any way of doing that using a single /64 network.
Doesn't it let you put it in bridge mode (i.e. modem only)?
ISP uses DS-Lite: ipv6 is native, ipv4 is 4-in-6/CG-NAT. When I switch to bridge mode, it loses ipv6 connectivity, so sadly, that's not an option if ipv6 is the goal.
I see. Or rather, I don't quite. :D

I'm not very familiar with DS-Lite. My ISP also uses CG-NAT but I get my connection details over DHCP - both native v6 with /56 PD and the v4 CG-NAT 100.x.x.x IP. That means I connect my OpenWRT router directly to the ISP's plug in the flat.

You said v6 is native for you, but if you put the modem in bridge mode you lose v6 connectivity. Why is that so? Shouldn't you lose v4 instead, which relies on tunneling?

Does your ISP's router not have a firewall?
A very very inconvenient one.