by IgorPartola 4219 days ago
Every time IPv6 comes up on HN, around 50% of the comments seem to be about how IPv6 doesn't do NAT and how now every device you have is suddenly directly exposed to the internet. Let's clarify this a bit instead of answering individual commenters:

In IPv6, just like in IPv4, you have a firewall. In Linux, you use ip6tables instead of iptables, for example. This is what keeps your devices on your network safe. If you were to start from scratch to set up a router with an IPv6 firewall, you'd need just two rules: (1) allow packets in for already established connections and (2) drop every other incoming packet. If you know what you are doing, you can actually set this up yourself. I have, and while educational, it provided no real world benefit.

Most people don't want to bother with using iptables directly, so don't. Get a router that supports OpenWRT and flash it. For most of them, it's a really simple process (my TP-Link let me upload the binary to flash via the web GUI). Why OpenWRT? Well, it's secure and constantly updated, it supports IPv6 natively, and it comes with the IPv6 firewall that is configured in a fashion very similar to how you think of IPv4 (it even rate limits ping requests, etc.). As a bonus, if your ISP doesn't support IPv6, OpenWRT has an installable web GUI component for configuring an IPv6 tunnel. Lastly, even if you don't want IPv6 (yes, I see you there in the back, climbing back under your rock), still use OpenWRT. It seems to have a lot fewer bugs than commercial router firmware, and is a lot more stable and up to date than DD-WRT or Tomato.

Edit: One other misconception that comes up frequently is that IPv6 means that your privacy is more at risk because your MAC address may be exposed. While in some configurations this can happen, IPv6 has what's called Privacy Extensions: in addition to your more permanent MAC-based IPv6 address (network prefix + munged MAC address), your OS will periodically generate a new random IPv6 address (network prefix + random number). This actually makes it marginally harder to track you since your exact IP address will change frequently, as seen by hosts you access. See http://en.wikipedia.org/wiki/IPv6#Privacy.
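The "two rules" router firewall from the post, written out as an ip6tables-restore ruleset. This is an added example, not code from IgorPartola's post or from OpenWRT; the interface names (eth0 for WAN, br-lan for LAN) are assumptions and can be overridden through the environment. Beyond the post's two rules it adds the one thing a practitioner trips over when doing this from scratch: IPv6 depends on ICMPv6 for neighbor discovery, router advertisements and path-MTU discovery, so a policy that drops all unsolicited inbound traffic must still admit those ICMPv6 types, or the router silently loses connectivity. Echo requests are rate limited, as the post notes OpenWRT does.

```shell
#!/bin/sh
# Added example: minimal stateful IPv6 firewall for a home router.
# Assumed interface names (not from the original post); override with
#   WAN_IF=pppoe-wan LAN_IF=br-lan sh ip6fw.sh --apply
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-br-lan}"

# Emit the ruleset in ip6tables-restore format. Kept as a function so it
# can be inspected (and tested) without root and without ip6tables present.
build_ip6_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Rule (1) from the post: traffic belonging to connections we started,
# both to the router itself and through it to LAN hosts.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Loopback and the LAN side are trusted; LAN hosts may reach the internet.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
# ICMPv6 the protocol cannot work without: neighbor discovery, router
# advertisements from the ISP, and the error types used for path-MTU
# discovery. Dropping these is the classic "IPv6 is broken" mistake.
-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
# Ping is allowed but rate limited, as the post says OpenWRT does.
-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/sec -j ACCEPT
# LAN hosts also need packet-too-big to reach them for PMTU discovery.
-A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
# Rule (2) from the post: everything else is dropped by the chain policies.
COMMIT
EOF
}

# Number of -A rules in the generated set (useful as a sanity check).
rule_count() {
  build_ip6_ruleset | grep -c '^-A'
}

# True if the generated ruleset contains the given fragment.
ruleset_has() {
  build_ip6_ruleset | grep -qF -- "$1"
}

case "${1:-}" in
  --apply) build_ip6_ruleset | ip6tables-restore ;;   # needs root
  *)       build_ip6_ruleset ;;                       # just show it
esac
```

Running the script without arguments prints the ruleset for review; `--apply` loads it atomically with ip6tables-restore, which is preferable to a sequence of `ip6tables -A` calls because the old and new rule sets never coexist half-applied. Note that the INPUT and FORWARD policies are DROP, so the post's rule (2) is the chain policy rather than an explicit rule.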

3 comments

I haven't read the long article but it ends with:

> UPDATE (2014-09-06): As […] was the first to point out, RFC 7217 addresses all of my issues with “privacy” addresses. Let implementation come soon!

So, not backing your message.

This seems like the case of a very specific problem for a large network. I don't believe that in a typical home or small office setting this would have a bad effect.
I recently had to disable ipv6 because my router started freaking out about "neighbor table overflow". Some kind of issue between Asus and Comcast.
This error is caused by a bug[1] present on outdated versions of Linux (typically exhibited by DD-WRT and Tomato routers) and can also be fixed by upgrading to OpenWRT.

Or, if that is not an option, by creating an ip6tables rule:

  ip6tables -A PREROUTING -t mangle -p icmpv6 --icmpv6-type neighbor-solicitation -i `nvram get wan0_ifname` -d ff02::1:ff00:0/104 -j DROP
Or you can experiment with the ARP cache limits:

  sysctl net.ipv6.neigh.default.gc_thresh1=256
  sysctl net.ipv6.neigh.default.gc_thresh2=512
  sysctl net.ipv6.neigh.default.gc_thresh3=1024
[1] http://serverfault.com/a/461053
I will try that, thanks!
But does UPnP work on firewalls?
It does, and it only makes sense on firewalls actually.

I'm running OpenWRT and miniupnpd to manage UPnP requests and open holes in the firewall.