Could this be less secure, especially for devices you don’t want to be publicly accessible? Or are you just supposed to make sure to have good firewall settings?
Most modern routers will act as a statefull firewall for IPv6.
What that means in you need traffic generated from the LAN in order for the traffic to be permitted back from the internet.
You can not start a session with something in a home.
To give an example, I have a server with an address of 2001:db8:10::1 and you are coming from 2001:db8:20::1 I will allow it because my firewall is set up for it. But a home firewall will not allow a new connection from my web server to your home device.
I’m not sure i understand. If the traffic needs to be generated from the lan, does that mean that when i’m away from home the server needs to regularly try to ping my device so that my device can send it traffic?
That would be one way, but your phone would drop the unsolicited traffic.
This is why people recommend using a VPN when away from your home for anything self hosted. Your VPN connection will bring you into the trusted LAN so you can talk unsolicited.
Basically, with stateful firewalls traffic is disallowed by default unless the thing in the LAN is the one that initiates it. You add exceptions to say oncoming traffic is allowed on certain ports to certain devices.
The only difference v.s. port forwarding & NAT is that you can refer to different devices explicitly off of the LAN, meaning you could host two ssh instances, both on port 22, and have your firewall allow traffic through to both. You can then ssh outside the LAN on port 22 to either device. With port forwarding and NAT, since you only have 1 IP that isn’t possible.
The convenience factor is you can say things like, both services run on port 443 and host a web server. Both services get their own IP you can refer too off of the LAN, and you just add an exception to the firewall to let incoming traffic through on those ports on either IP. No finnicking around with reverse proxies pointing to different hosts needed.
Firewalls in sensible routers will drop new incoming IPv6 packets by default anways, unless you initiated the connection first.
So in effect it’s just like NAT (people on the Internet can’t see you without an initial connection), but without the internal IP:Port → external IP:Port translation and all the disadvantages associated with it.
But some router manufacturers treat IPv6 as a second-class citizen, which could be a problem.
Could this be less secure, especially for devices you don’t want to be publicly accessible? Or are you just supposed to make sure to have good firewall settings?
Most modern routers will act as a statefull firewall for IPv6.
What that means in you need traffic generated from the LAN in order for the traffic to be permitted back from the internet. You can not start a session with something in a home.
To give an example, I have a server with an address of 2001:db8:10::1 and you are coming from 2001:db8:20::1 I will allow it because my firewall is set up for it. But a home firewall will not allow a new connection from my web server to your home device.
I’m not sure i understand. If the traffic needs to be generated from the lan, does that mean that when i’m away from home the server needs to regularly try to ping my device so that my device can send it traffic?
That would be one way, but your phone would drop the unsolicited traffic.
This is why people recommend using a VPN when away from your home for anything self hosted. Your VPN connection will bring you into the trusted LAN so you can talk unsolicited.
Much like how you need to setup port forwarding for your servers back in the IPv4 days, you need to setup firewall rules for IPv6 servers.
“If a packet is arriving in server IP:Port, simply accept it”
Basically, with stateful firewalls traffic is disallowed by default unless the thing in the LAN is the one that initiates it. You add exceptions to say oncoming traffic is allowed on certain ports to certain devices.
The only difference v.s. port forwarding & NAT is that you can refer to different devices explicitly off of the LAN, meaning you could host two ssh instances, both on port 22, and have your firewall allow traffic through to both. You can then ssh outside the LAN on port 22 to either device. With port forwarding and NAT, since you only have 1 IP that isn’t possible.
The convenience factor is you can say things like, both services run on port 443 and host a web server. Both services get their own IP you can refer too off of the LAN, and you just add an exception to the firewall to let incoming traffic through on those ports on either IP. No finnicking around with reverse proxies pointing to different hosts needed.
Not a network expert, but I have the same question.
I would like to limit access to my internal network to only trusted devices, so something like a VPN is needed anyway.
And I don’t want to expose my internal setup through DNS either.
Still though, IPv6 is better. But I don’t feel easy doing what this guy is doing.
Firewalls in sensible routers will drop new incoming IPv6 packets by default anways, unless you initiated the connection first.
So in effect it’s just like NAT (people on the Internet can’t see you without an initial connection), but without the internal IP:Port → external IP:Port translation and all the disadvantages associated with it.
But some router manufacturers treat IPv6 as a second-class citizen, which could be a problem.