Comment by jcgl

2 days ago

- Devices using SLAAC (idk about DHCPv6) do a thing called Duplicate Address Detection to manage just this. No need to worry. If you’re manually assigning addresses and have a conflict, one of the devices will mark its address(es) as duplicate and refuse to use them. Quite useful.

- Easiest is to use your devices’ public (“global unicast”) addresses and allow traffic on your firewall. This is how IP was meant to be used; no NAPT in sight. If you like, you can use ULAs locally and then do NPTv6 for internet-facing access. But I’d recommend against that to start.

Regarding the services, there's not really anything IPv6 specific. Whether v4 or v6, you shouldn't be exposing SMB to the internet. Whether v4 or v6, you can put any IP-based service behind WireGuard or any other tunneling solution. There's nothing specific to v6 there; just use v6 addresses in your config, and you'll be good to go.

- Basically the same way as with v4; IP (whether v4 or v6) has mostly the same semantics in its layer (layer 3). The only thing is that you'll want to allow certain kinds of ICMPv6 traffic, assuming your firewall vendor doesn't do that out of the box. When it comes to VLANs, that's layer 2, so your layer 3 protocol doesn't play any role there.

Network segmentation is way more fun with v6 because you have enough address space to make nice hierarchical topologies.
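As an added example of the firewall policy the comment above describes (global unicast addresses on the LAN, no NAT, only the ICMPv6 a v6 network needs, and a WireGuard listener), here is an nftables ruleset for a small router. It is not jcgl's configuration; it assumes a WAN interface named eth0, a LAN interface named eth1, a WireGuard interface wg0 on the default port 51820, and addresses from the 2001:db8::/32 documentation prefix, so the prefix and the single exposed host address are placeholders to be replaced with your own. The ICMPv6 type lists follow the recommendations in RFC 4890.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the original post).
# Assumptions: eth0 = WAN, eth1 = LAN, wg0 = WireGuard,
# 2001:db8:1234::/48 = delegated prefix (documentation prefix, hypothetical).
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # ICMPv6 the router itself must see: error reporting, ping,
        # Neighbor Discovery (RS/RA/NS/NA) and MLD for its own multicast groups.
        # Blocking ND here breaks SLAAC, DAD and address resolution on the LAN.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded, parameter-problem,
            echo-request, echo-reply,
            nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert,
            mld-listener-query, mld-listener-report, mld-listener-reduction
        } accept

        # DHCPv6 (prefix delegation) replies to the WAN-side client come from
        # the ISP's link-local address to UDP 546.
        iif "eth0" ip6 saddr fe80::/10 udp dport 546 accept

        # WireGuard listener reachable on the router's GUA (default port assumed).
        udp dport 51820 accept

        # Router management from the LAN only.
        iif "eth1" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 that must transit the firewall. packet-too-big is essential:
        # IPv6 routers never fragment, so dropping it breaks Path MTU Discovery.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded, parameter-problem,
            echo-request, echo-reply
        } accept

        # LAN hosts reach the internet directly on their GUAs; no NAPT, no NPTv6.
        iif "eth1" oif "eth0" accept

        # Inbound from the internet only to the host and ports you deliberately
        # expose (host address is a placeholder). SMB is not on this list.
        iif "eth0" oif "eth1" ip6 daddr 2001:db8:1234:10::10 tcp dport { 80, 443 } accept

        # WireGuard peers may reach the LAN; everything else inbound is dropped
        # by the chain policy.
        iif "wg0" oif "eth1" accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and check the result with `nft list ruleset`. The two ICMPv6 lists are deliberately different: Neighbor Discovery and MLD are link-local and only need to reach the router's own input chain, while the error types and ping are what end hosts behind the firewall need to see end to end. If you do decide on ULAs plus NPTv6 later, the forward rules stay the same; only the address matches change.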