Comment by sneak

12 years ago

Most SOHO IPv6 routers (that also do v4 NAT) do connection tracking for their v6 subnet, blocking inbound connection attempts by default, to emulate the security properties of v4 NAT.

This means that you still have the same "unconnectable from the outside" problem you have with v4 + NAT.

Yes, I too wish it weren't this way.

At least with a decent, non-greedy ISP you have the option of turning off said connection tracking and enjoying your fully routable /48. But I do understand how it remains a problem when most people don't know how, or don't want, to do that.

Ideally, there could be some kind of UPnP-like protocol to open ports on an IPv6 middlebox, so that you can have a firewall on by default but still be able to punch a hole through it, without user intervention, when an application needs to.

Maybe there is; I haven't checked.

I actually think that's a sane default. With NAT it's a PITA to undo that and in some cases impossible (e.g. when you have 2 machines on a LAN using a protocol that requires a static port, so you can't just forward to a specific machine). With stateful firewalls, it should be much easier to just say "Allow port X through" and have a single application "just work".
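The "stateful firewall, inbound closed by default, open one port deliberately" posture the thread describes, written out as an nftables ruleset for the IPv6 side of a home router. This is an added example and not code from anyone in the thread; the interface names `wan0` and `lan0`, the delegated prefix `2001:db8:1234::/48` (a documentation prefix), the LAN host `2001:db8:1234:1::10` and port `22000` are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): an nftables ruleset for the IPv6 side of a
# home router that keeps "stateful firewall, inbound closed by default" but opens
# exactly one inbound port to one LAN host, instead of a NAT port-forward.
# Assumptions (hypothetical): WAN interface wan0, LAN interface lan0, delegated
# prefix 2001:db8:1234::/48, LAN host 2001:db8:1234:1::10 listening on TCP 22000.

WAN_IF="${WAN_IF:-wan0}"
LAN_IF="${LAN_IF:-lan0}"
LAN_PREFIX="${LAN_PREFIX:-2001:db8:1234::/48}"
ALLOW_HOST="${ALLOW_HOST:-2001:db8:1234:1::10}"
ALLOW_PORT="${ALLOW_PORT:-22000}"

# Emit the ruleset on stdout so it can be reviewed before being applied.
build_ruleset() {
cat <<EOF
flush ruleset

table ip6 router_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the LAN opened: the v4-NAT-like default.
        ct state established,related accept
        ct state invalid drop

        # Anything the LAN originates may leave.
        iifname "$LAN_IF" ip6 saddr $LAN_PREFIX accept

        # ICMPv6 is not optional in v6: PMTU discovery and ND break without it.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # The one deliberate hole: a single port to a single LAN host.
        iifname "$WAN_IF" ip6 daddr $ALLOW_HOST tcp dport $ALLOW_PORT ct state new accept

        # Everything else arriving from the WAN falls through to the drop policy.
    }
}
EOF
}

# Sanity check for review: how many accept rules reference the WAN interface?
# With the ruleset above the answer must be exactly 1.
count_wan_holes() {
    build_ruleset | grep -c "iifname \"$WAN_IF\".*accept"
}

# Load the ruleset only when nft is present and we are root; otherwise print it.
apply_ruleset() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        build_ruleset | nft -f -
    else
        build_ruleset
    fi
}

apply_ruleset
```

Because the host keeps its globally routable address, no port translation or "which machine gets the forward" decision is needed; a second LAN host on the same port would simply get its own `daddr` rule. The ruleset covers only the `forward` hook (traffic through the router); traffic to the router itself needs a separate `input` chain.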