Are you using IPv6?

[sfx2000]

Any recommendations on where to start?

IPv6 - NetworkLessons.com

The IPv6 course helps you understand IPv6, what the addressing looks like, how to configure routing, the difference with IPv4 and more.

networklessons.com

Good place to start

 

[Tech9]

One reason I can see is it simplifies security.

The main reason to keep IPv6 at default Disabled. Users have to specifically Enable IPv6 for whatever reasons they may have.

 

[sfx2000]

One reason I can see is it simplifies security. IPv6 being routed, it means you don't have the inherent firewalling provided by NAT for inbound connections. IPv6 requires you to manually configure it in some cases. It's easy to accidentally leave a device fully exposed to the Internet. While a misconfigured NAT would immediately be visible with loss of Internet access.

Depends on the vendor - but this brings up a really good point, in that there is a lack of consistency across the ISP's and the OEM's on how to configure devices - not pointing fingers, it's just that IPv6 has more options than a Porsche 911...

On the WAN side - it is SLAAC, DHCP, DHCP-PD, 6in4, 6to4, 6RD, IPv6 Relay and other options - and that's just to configure the WAN - on the LAN, it's just as bad - do we do stateless, stateless-dhcp, or stateful, just for IPv6, and that's on top of IPv4 settings for the LAN.

Then you have the 5G Fixed Wireless carriers like T-Mobile US - they use 464XLAT, and they don't assign PD on the WAN, which makes things a bit of a challenge for obvious reasons when one want to use something other than their gateway.

I can see why folks would just say "screw it" and turn it off...

At least with firewalls - OpenWRT does try to do the right thing with firewall support, as both IPv6 and IPv4 are treated equally within the rulesets via nftables and firewall4 - and flexible enough that one can set up IP version specific rules if needed. But this is the exception, and not the norm.

 

[ZebMcKayhan]

Since I'm behind cgnat I'm using a VPS to relay Wireguard to my server peer on the router.
I have ipv6 /56 and have enabled it on wan but not on lan so I can connect to my server peer direct via ipv6 or via VPS ipv4.

internet for Wireguard connected clients are dual stack since that how I setup my VPS and it was causing issues with some apps if ipv6 is available but not working.

The reason I didn't enable it on lan is mostly about vpn director not compatible and would be annoying or create leak if my prefix changes. And I don't really see the benefit for my use case.

 

[dave14305]

IPv6 requires you to manually configure it in some cases. It's easy to accidentally leave a device fully exposed to the Internet.

What would need to happen for this to be true? By default, most firewalls will block incoming IPv6 from the WAN (except for required icmp or dhcpv6 traffic).

 

[RMerlin]

What would need to happen for this to be true? By default, most firewalls will block incoming IPv6 from the WAN (except for required icmp or dhcpv6 traffic).

Better support by ISPs would be the starting point. Still plenty of ISPs don't offer IPv6 at all, and quite a few do it through some hackish implementation like 6rd. And since for a lot of end-users they also provide the router, then they could provide a complete stack. Fewer users running 10 years old routers with incomplete/missing IPv6 support.

 

[Tech9]

ISP with IPv6 support providing residential gateways with IPv6 disabled in quite common. Both of my ISPs with IPv6 support do exactly this. Most customers don't know what IPv4 or IPv6 is and don't care. Internet is working, everyone is happy.

 

[sfx2000]

Better support by ISPs would be the starting point. Still plenty of ISPs don't offer IPv6 at all, and quite a few do it through some hackish implementation like 6rd. And since for a lot of end-users they also provide the router, then they could provide a complete stack. Fewer users running 10 years old routers with incomplete/missing IPv6 support.

I agree - and I believe I've made that point up thread...

FWIW - in a brief scan of my local neighborhood - about 95 percent of the WiFi AP's are carrier provided Gateways - most are cable, but I'm seeing more 5G-FWA

out of the 30+ wifi networks at the moment as I'm posting this - 3 are not carrier equipment - 1 is AsusWRT, one is an Orbi system next door, and my Synology setup - everything else is either Netgear CPE, or Vantiva, along with a smattering of Sagemcom and Arris - which are Carrier CPE.

Which goes back to what I said earlier - most folks don't know they're running IPv6 - most are running it link-local already, and many might be running it dual-stack without even knowing, as the CPE may not even show they are...

 

[sfx2000]

ISP with IPv6 support providing residential gateways with IPv6 disabled in quite common. Both of my ISPs with IPv6 support do exactly this. Most customers don't know what IPv4 or IPv6 is and don't care. Internet is working, everyone is happy.

Similarly - many ISP CPE's are dual-stacked, and it's not so obvious - as you mention, most end users don't know/care, and the internet just works...

 

[sfx2000]

many ISP CPE's are dual-stacked, and it's not so obvious

And to this end perhaps - Carrier CPE's and RG's (even in Bridge Mode) are probably out of scope for @thiggins ask here...

 

[sfx2000]

Similarly - many ISP CPE's are dual-stacked, and it's not so obvious - as you mention, most end users don't know/care, and the internet just works...

Interesting metric - and this probably crosses over to Eric's thread on the same topic...

IPv6 – Google

 

[Tech9]

about 95 percent of the WiFi AP's are carrier provided Gateways

The same around here. Many Sagemcom (Bell) and Arris (Rogers) gateways, few multi-AP TP-Link, perhaps Deco. No wonder if ISP provided as well, there is a company around here sending them out to customers. No idea if they come with IPv6 enabled...