Comment by ajnin

Been having a nice break over the new year, thank you :)

I can't argue with sticking on IPv4 when you have no need for IPv6. However, people saying no NAT means no firewall really bothers me because it's just wrong and usually gets thrown around as part of a point around "who needs IPv6 anyway".

The two layers IMO don't make a practical difference. A deny by default firewall will fail closed, unless poorly configured. A poorly configured firewall for IPv4 with NAT can still leave machines exposed. This is not an IPv4/IPv6 problem this is down to your router. However you do expose what used to be private addresses with IPv6, but there's not much to do with the address that couldn't be done with your IPv4 address assuming sane firewalls that both stacks run.

On the other side of the coin IPv6 being ubiquitous would make my life much easier. I self host a few things across a few different machines. IPv6 offers me a much simpler solution, both to managing firewalls and not needing to fight over port 80/443, but also because I can't get a public IPv4 address from my ISP without spending ungodly amounts of money. They support IPv6 but many of the services I host don't support it. I have to use a second site + machine, wireguard tunnels, and nginx socket proxies to expose stuff publicly (this is cheaper than the public IPv4 address from my ISP).

My point about DHCPv6 is to say that if you want to use DHCP in IPv6 you can. It's right there, it's just not the default.

IPv6 doesn't make things substantially harder, just different. But people don't want to learn new things because, to be fair, they don't need them. But people who do need IPv6 are stuck behind garbage ISPs and this "not my problem" attitude throwing around ignorant arguments. Complaints about long addresses really get me too :), use a DNS.

A NAT is part of a firewall, not a separate thing, so if the firewall is misconfigued, then your NAT may not be working either.

On not running out of (private) IPs, I guess you've never had the fun of having to deal with overlapping ranges (because it isn't the number of IPs that's the issue, it's how the ranges are allocated). While this can still happen on IPv6, there are so many more subnets that this is far less likely.

Also, a key thing that IPv6 makes obvious (which is also true to some extent of IPv4, but that most systems try to avoid showing) is that each link can have multiple IPs (there will be at least one link-local address), and so while your ISP can provide you a public range, you don't need to use it if you do not want to, you can always use an Unique Local Address (ULA - https://en.wikipedia.org/wiki/Unique_local_address), which reduce the chance of overlapping ranges.

>If I move to IPv6 then my "internal" network address space is at the whim of my ISP.

This is a major problem to me before I'd go wholesale IPv6 at home as the primary way I address and connect to hosts

I have IPv6 enabled, but it's just all defaults. My traffic is going out over the internet on IPv6, my home automation stuff in the house using Matter is on IPv6, but for the few server-types that I have in the house they are still identifiable by me by their IPv4, and my addressing to get into my network from outside is via my ISP's IPv4 address

There really needs to be a universal way to bring IPv6 addresses to your ISP, so they're portable like a phone number. Both so that I can take them with me if I switch providers and so that my ISP can't arbitrarily change them from underneath me

> That's a non sequitur. I can have a both a firewall and a NAT. The two layers are better than one because at least my address is shouldn't be routable even if I failed to configure my firewall correctly.

You have two layers of indirection and one layer of security. If you failed to configure your firewall correctly, you would be better off without NAT because you would become aware of it quicker and not rely on NAT.

NAT doesn't really do anything other than address conservation because of NAT-punching techniques like STUN/TURN/UPnP, which are nessisary because NAT's features are bugs.

> That's a non sequitur. I can have a both a firewall and a NAT. The two layers are better than one because at least my address is shouldn't be routable even if I failed to configure my firewall correctly.

You talk about NAT like it's a single thing: it is not. There are at least three major varieties of NAT:

* https://blog.ipspace.net/2011/12/is-nat-security-feature/

See also various 'cones' that add complexity to getting things to work (and for which kludges like ICE/TURN/etc had to be invented):

* https://en.wikipedia.org/wiki/Network_address_translation#Me...

See also RFC 4787 which distinguishes between NAT mapping and NAT filtering. Also, also see perhaps "NAT Traversal Mess":

* https://blog.ipspace.net/2025/04/response-nat-traversal/

> Well, an ostensible advantage of IPv6 is publicly routable addresses. I know how to configure my internal IPv4 network with host table entries and so on. If I move to IPv6 then my "internal" network address space is at the whim of my ISP.

This is not quite correct. You have two simple options for avoiding this: DNS and SLAAC. By giving all of your hosts dns names you don’t have to care about the individual addresses much. If they change just update the dns zone.

The second is to configure a Unique Local Address for each host using SLAAC. Have your router announce a prefix inside of fd00::/7 so that every one of your computers ends up with a private address as well as the public one. This is like using a reserved private address in IPv4, such as 10.0.0.0/8, except that there are a lot more possible networks. There is only one 10.0.0.0/8, but the convention with IPv6 ULAs is to generate 40 random bits and use them to make a /40. Add 16 more bits for a subnet id to create a /64 that your router will advertise as a prefix. This is probably overkill for most of us, but it does enable us to merge networks without causing address collisions. You can keep using them no matter what happens. Even changing ISP won't change these addresses.

Of course the third option is to buy IP transit service instead of internet access service. You can then go to your local RIR and ask them to assign you your own address block. Announcing that address block using BGP gives you a permanent block of routable addresses that follows you from ISP to ISP. But most people find that to be a bit of a hassle compared to consumer–grade internet service.

> I can have a both a firewall and a NAT. The two layers are better than one because at least my address is shouldn't be routable even if I failed to configure my firewall correctly.

That's not true. When you configure just NAT (with e.g. nftables on Linux), the NATed devices are still reachable from the outside, you just have to add an entry to your routing table to reach that internal address space using the router.

The RFC for NAT was extremely specific: this was only about creating more addresses, NOT security.

Because your devices are routable. You can’t be on the Internet without an IP. They just have some ephemeral addresses. But randomizing port numbers (that is NAT) is not a good security mechanism.

Just FYI you can do ULA + NAT with IPv6 and get the same thing as RFC1918 + NAT on v4.

>I don't want any of my devices listening on the public address, much less multiple.

That is good for you, but given the option between an address scheme that requires a proxy and one that does not, I would prefer the latter.

>I can have a both a firewall and a NAT. The two layers are better than one because at least my address is shouldn't be routable even if I failed to configure my firewall correctly.

Why? NAT is a network tool. Firewall is a security control.

>I don't want any of my devices listening on the public address, much less multiple.

If you don't listen to public ports on IPv4, then there is no point in touting any of the benefits of IPv4. Even if you think NAT is good, you're not using it in the first place so why care about it?

You basically ruined your entire case with that sentence.

Great response. Your last point is particularly convincing and I never thought of it before. Even better, what happens if you use a failover WAN on your router?

> I don't want any of my devices listening on the public address, much less multiple.

Just because you don't shouldn't mean other people get denied this.

Firewall is a feature. Forced NAT that noone in the above described situation wants is just a flaw. And the other solution where you're forced to buy a fucking "public" number out of a grossly insufficient pool of those for $5/month for each of the NATted machines and your router, is a crime against humanity.

But at this point you can just leave the factory settings on your devices, which mostly enable IPv6 by default anyways...

Your ISP gives you a IPv4 /32 which you don’t have a prayer of subnetting, you have to NAT.

With a IPv6 /64 you can (1) NAT, or (2) better, subnet it and use DHCPv6.

The only thing significant about /64 is that’s the smallest unit for SLAAC.

I haven't looked at pfsense UI, but you can happily hand out a prefix to a device, which can then hand out its own prefixes. I do it with my k8s clusters, which means the node themseves have enough IPs addresses to launch their own routable k8s clusters.

Thats why its recommended that ISPs give /56 by default (and up to /48 if requested). This way you can do plenty of effortless subnetting. If your ISP is only giving you /64 even after you requested a larger subnet he is doing IPv6 WRONG.

You can totally subnet from /64, you just can't use SLAAC. The packet header doesn't care about your address allocation scheme.

At the same time SLAAC is the reason your ISP doesn't give you a /128.

Of course you can subnet ipv6, in fact I run several ipv6 subnets at home. You have to delegate a different prefix to each subnet.

Actually, all your open connections break (including outbound ones, inbound ones via UPnP which is commonly on by default, etc.)

The IPv4 10.0.0.0/8 (along with the other private ranges) runs into lots of problems when connecting two private networks (e.g. VPNs, VMs/docker, hotspotting), whereas that /64 will not conflict with anyone.

Really? Unbelievable!

Your router will open up any port for an ephemeral forwarding if the traffic looks like that forwarding is warranted. Any application can open arbitrary inbound pathways. "Application" also includes the Javascript you run in your Browser. Which is externally controlled.

Security folks call those techniques "hole punching" but they are how NAT is expected to work.

> With NAT, I absolutely know my ESP32 is not vulnerable and exposed

I mean thats not actually true, uPnP will open ports up, as will misconfiguration.

The firewall is still the same in ipv6 vs 4, and has the same problems.

You should use unique local addresses (ULAs, fc00::/7) not link-local addresses (fe80::/10) for this. Choose a random prefix and advertise it in your network (you can use some website like https://www.unique-local-ipv6.com if you want).

This prevents clashing subnets when using VPN like it sometimes happens with IPv4.

Landed on 172.16/22 for this reason however it's not uncommon how an enterprise to use all 3 private classes. One place I worked used 192.168 for management, 10 for servers, and 172 for wifi

Using 2 different classes has been a pretty common setup for wifi and wireless in my experience

Amusingly, there a lot more special IPv4 networks that you just don't know about too. e.g. Link local IPv4 is 169.254.0.0/16. It just isn't auto-configured on every IPv4 interface by default, like fe80::/10 is on IPv6 interfaces, and the TCP/IP stacks on most platforms do not enforce the link-local properties of it in IPv4 like they do in IPv6.

It's like the difference between HTML and a strictly typed language. Permissiveness and flexibility is both a blessing and a curse. As with a lot of things, which thing it is in any given situation depends greatly on the situation.

For almost all cases, there is absolutely zero need to ever remember addresses, or dealing with them directly. Give your devices proper names, and your router’s DNS will handle resolution automatically.

There is no point in your network having sequential addresses, so you don’t need DHCP; routers advertise configuration, clients know where to look for it.

IPv6 is amazing, if you let it handle connectivity without trying to micromanage it.

You forgot 127.0.0.0/8 for loopback, 100.64.0.0/10 for CG-NAT, and 203.0.113.0/24 and 0.0.0.0/8

Why do you need to remember that when you can look it up?

Important part is knowing there are special networks.

> IPv6 has SO many special networks. Network. Public. Multicast. Link local.

IPv4 has those exact same ones: link-local (169.254/16), multicast (224/4), public, private (RFC 1918).

* https://en.wikipedia.org/wiki/Reserved_IP_addresses

IPv6 is (IMHO) simpler: 2001::/32 and anything else (either link-local (fe80), multicast (ff00), and ULA (fc)). So either it starts with a "2" or an "f".

No, the side effect of NAT is that outbound connections made from your network look like they come from the router's WAN IP. It doesn't filter incoming traffic.

If it did then you might have a point, but since it doesn't it's very different from a firewall that's configured to do that.

Yeah, you really can do that.

The only caveat is that if you're using RFC1918, it greatly limits who can connect -- only your ISP, or another customer connected to the same shared VLAN your router is, or anyone that can physically attach to that network (or anybody in a position to order, blackmail or social engineer those three groups or their employees) can do it, because they're the only people that can set a route to your router for RFC1918 destinations.

Other than that, the connection will just head right on through your router. NAT's whole thing is to change the source address of your outbound connections. Inbound ones (when they don't match port forward rules) are ignored by it, which means they get routed by the router in exactly the same way they would if the router wasn't doing NAT.

At best you could argue that RFC1918 blocks connections, which would be somewhat closer to true, but... well, it doesn't. If you actually want to stop all connections from outside your network, you've always had to do it with a firewall on the router.

And of course, I said "if". You can NAT on public IP space. On residential connections you're unlikely to have public IP space on v4, but that's just a consequence of v4 being exhausted.

If you'd bothered to read the Original Post, you'd know that the author already answered that.

An ASN with a /32 allocation (the smallest for ISPs) is four billion /64s. It takes dozens of yottabytes of traffic to exhaustively scan one single /64. The entire v4 space takes 0.00000001 yottabytes, or about 110 GB/port in more understandable units.

There's a ton of things you can do to cut down on the scan space for v6, but it's still far huger than v4 can be.

I think that hex digits are inherently hard to remember also because they are unpronounceable.

> That’s the good part.

Disagree. We are trained on numbers from kindergarten. It's used everywhere (e.g. see a number, store it in short-term memory and input it into calculator). Hex digits are completely different and we don't have developer neural paths for that. They are also unpronounceable.

If the NAT function is running on a box that I can walk over and kick, then it is absolutely under my control. :)

CGNAT is a different discussion entirely. Neither the presence nor absence of upstream CGNAT changes my thoughts on locally-administrated NAT for my own LAN in IPv6 land.