To IPV6 or not to IPV6 , that is the question?

calssifed user · Wednesday at 11:58 AM

Recently i had enabled IPV6 on my router. All of the devices have a public IPV6 address. The experience is mixed. Noticing ads being pushed , though i have adblocker and devices are configured with proper DNS entries. If anyone of you have enabled IPV6 , would like to know your experience and best practices for Home devices w.r.t security, DNS etc. Or should I just stick to IPV4 for home devices.

vivek.krishnan · Wednesday at 7:53 PM

Better to have v6 than v4 - there should be a small performance boost.

Coming back to security - there is NAT and then there is the firewall. For v6 you need to configure the firewall properly to allow outside access to your devices - if allowed. There is no NAT (usually) in v6.

Your devices have both v4 and v6 address. So you should be able to manage them with ease.

We had enabled v6 in our office. Did not find it of much use. @superczar is another with v6.

intruderfps · 2025-06-26T13:22:18+0530

I have disabled ipv6 network wide. I read long time ago about the security implications, not sure and can't remember much details.
I would definitely want to know more if it's even needed and pros and cons. Personal experiences will be very helpful.

calssifed user · 2025-06-26T14:59:39+0530

I noticed cold load time of pages were longer as I am running dual stack up and dns is on ipv4 . But the page navigation is super quick. On security I am using router firewall , but nothing fancy

StygianClaw · 2025-06-26T17:18:40+0530

For a home user, I don't see any reason to not use IPv6. Saying it's not secure is not accurate.

IPv4 is easier to wrap your head around. The way IPv6 addresses are assigned, its types and the idea of having multiple addresses for a single device/interface is unfamiliar to most people (even for the technically inclined). Having a public global IP for each devices makes people think their device is exposed to the internet without safeguards. That's not true. It just feels that way without NAT or Port forwarding.

The main thing is that some of the network security or administration techniques developed around IPv4 cannot be used with IPv6. This causes a headache in Corporate/Enterprise environments where they have to figure out new ways to achieve the same effect.

calssifed user said:
Recently i had enabled IPV6 on my router. All of the devices have a public IPV6 address. The experience is mixed. Noticing ads being pushed , though i have adblocker and devices are configured with proper DNS entries.

Your ISP is assigning you one or more IPv6 DNS addresses via DHCP. You should manually set both IPv4 and IPv6 DNS addresses in this case. If it still happens, your ISP might be hijacking unencrypted DNS queries. To avoid that, use DNS over HTTPS.

calssifed user · 2025-06-26T17:31:24+0530

@StygianClaw , Regd IPV6 DNS, i am running my own unbound server . The dns server has its own IPv6, but haven't figure out how to set static ipv6 . All my DNS requests are routed to IPv4

StygianClaw · 2025-06-26T17:35:48+0530

calssifed user said:
The dns server has its own IPv6, but haven't figure out how to set static ipv6 . All my DNS requests are routed to IPv4

Is your router assigning a link-local IPv6 address for the unbound server? It starts with "fe80". If so, you can consider that to be static as it's generated based on the MAC address of that particular interface. Only the global IPv6 addresses keep changing for privacy reasons.

superczar · 2025-06-26T17:39:38+0530

vivek.krishnan said:
We had enabled v6 in our office. Did not find it of much use. @superczar is another with v6.

This reminds me of an issue...
I have 1 v4 WAN @500mbps (WAN A) and 1 v4+v6 @300mbps (WAN B)
The problem that I face is that my load balancer , ends up preferring v6 on WAN B over WAN A most of the time
even though I would have preferred the higher weighted WAN A to be the highest priority

StygianClaw said:
For a home user, I don't see any reason to not use IPv6. Saying it's not secure is not accurate.

Yes and No
v6 is not inherently more insecure by any means
But many consumer routers are not firewalls (some may have but most i have seen don't)

on v4, you get automatic security because of the NAT layer despite the lack of a firewall
On v6, you don't

ishanjain28 · 2025-06-26T18:04:09+0530

These problems are either related to your bad configuration or poor careless design of the equipment you are using, can't really fault ipv6 for that.

@superczar weren't you using mikrotik? If yes, then there is likely a config issue in your setup. If you are using UI and seeing this, then I am not surprised.

StygianClaw · 2025-06-26T18:31:56+0530

superczar said:
But many consumer routers are not firewalls (some may have but most i have seen don't)

I'm not sure about this. Most consumer routers released in the last 5 years that I have seen or used personally have a standard firewall at least.

superczar said:
on v4, you get automatic security because of the NAT layer despite the lack of a firewall

If there is actually no firewall then the obfuscation of the internal network might help but at that point I would consider it insecure regardless.

superczar · 2025-06-26T20:00:08+0530

ishanjain28 said:
These problems are either related to your bad configuration or poor careless design of the equipment you are using, can't really fault ipv6 for that.

@superczar weren't you using mikrotik? If yes, then there is likely a config issue in your setup. If you are using UI and seeing this, then I am not surprised.

Its not a configuration issue per se, I am using opnsense..
While I can assign each gateway its own weight and priority, you can't have cross stack prioritisation

Had both ISPs been dual stack (or had they both been v4) , then it would have been fine..
Similarly if i force ipv4 prioritization over ipv6 (which is pointless), it will still be fine

But this unusual scenario where the lower weight ISP is the one with a dual stack , and the other isn't ends up causing this..
This will remain true regardless of whichever soft router distro I or anyone use

StygianClaw said:
If there is actually no firewall then the obfuscation of the internal network might help but at that point I would consider it insecure regardless.

No - thats just internet/reddit speak
NAT is not obfuscation.

Unless you explictly allow traffic from outside to come in on to a device on a NATed network, you cannot have an out to in breach .
Since v6 = no NAT, the side effect is you can certainly have an out to in breach

As for in to out breaches, thats a different story altogether.. but i dont think that is what is being discussed here

ishanjain28 · 2025-06-26T20:09:03+0530

superczar said:
This will remain true regardless of whichever soft router distro I or anyon

Interesting and thanks for explaining your setup. It is actually possible to fix this in a setup like yours with NPT(null routed prefix when primary wan is active and mapped to wan2 when wan2 is active) but probably not intuitive/straightforward to do this on a opnsense machine.

superczar · 2025-06-26T20:38:08+0530

ishanjain28 said:
Interesting and thanks for explaining your setup. It is actually possible to fix this in a setup like yours with NPT(null routed prefix when primary wan is active and mapped to wan2 when wan2 is active) but probably not intuitive/straightforward to do this on a opnsense machine.

How would that help though.
I have WAN1 and WAN2 in LB (and not failover)
Because of dual stack on only 1 WAN, i end up with 3 concurrently active gateways.. Lets say 1v4, 2v4 and 2v6

I would prefer the routing algo to Load balance between the 3 gateways with 1v4 getting priority over 2v6 over 2v4.
so that (e.g.) if i initiate a single thread download , the traffic gets routed via 1v4

however the first priority would go to 2v6 because majority of the end clients (i.e. pretty much any current OS) will always prefer sending requests on the v6 stack
Since the client request is a v6 request, any configuration magic on the router will be ineffective (short of disabling v6 altogether)

StygianClaw · 2025-06-26T20:50:20+0530

superczar said:
No - thats just internet/reddit speak
NAT is not obfuscation.

I'm aware of what NAT is. I referred to the internal IP addresses being hidden as obfuscation.

superczar said:
Unless you explictly allow traffic from outside to come in on to a device on a NATed network, you cannot have an out to in breach .
Since v6 = no NAT, the side effect is you can certainly have an out to in breach

As for in to out breaches, thats a different story altogether.. but i dont think that is what is being discussed here

I understand that you are saying IPv4 with NAT acts like a firewall for out to in and that is less secure when compared with IPv6 without firewall. Its assuming the NAT implementation blocks by default. I don't think that is guaranteed though?

Also, NAT66 technically exists so can we really this is an IPv4 vs IPv6 thing? It's just how it's commonly implemented and used so by that logic most recent routers block IPv6 incoming connections by default (through a firewall I guess). So it makes no difference to regular users.

Feel free to correct me because networking and security is something I'm actively learning at the moment and would love to have more insights.

Search

Search

To IPV6 or not to IPV6 , that is the question?

calssifed user

vivek.krishnan

BLR~ZRS-TX-1-MX

intruderfps

calssifed user

StygianClaw

calssifed user

StygianClaw

superczar

ishanjain28

StygianClaw

superczar

ishanjain28

superczar

StygianClaw