
There is no need to move your whole private network over to IPv6, although it might provide a good learning opportunity. You could start with enabling IPv6 for your nginx reverse proxy and make it listen on its IPv6 address. IPv6 has subnets too and firewalling is still possible, only NAT isn't needed anymore (which is good).

Edit: Reading your post again it sounds like you have a mental model of either IPv4 or IPv6, when in practice it is often mixed. Each client can have an IPv4 and IPv6 address - even multiple ones! When you enable IPv6 on your router it gets a subnet from your provider and announces the prefix on your network. The clients then generate their public IPv6 address based on this announcement. Note: Even though they now have a public IPv6 address, the router's firewall should block incoming connections to it by default. That's the case for my router, but to be sure you should check it yourself for yours.



Yes it confuses me very much. If I were to get an ipv4 and an ipv6 to the internet but my internal network stays ipv4, then the ipv6 networking would never get used anyway and I might as well disable it, correct?

Now if I also let internal devices get both a v4 and a v6, they essentially all become directly exposed to the internet through v6 don’t they? That’s the part that really confuses me. And if they aren’t publicly accessible from the internet then I’m back to v4 NAT where I was all along which kinda makes v6 pointless doesn’t it?


> If I were to get an ipv4 and an ipv6 to the internet but my internal network stays ipv4, then the ipv6 networking would never get used anyway and I might as well disable it, correct?

If you enable IPv6 on your router it will likely advertise an IPv6 prefix on your internal network, which in turn will lead to your clients getting IPv6 addresses - unless you disable IPv6 on their interfaces. Clients will then make use of IPv6 to connect to any service that has an IPv6 address, as they prioritize IPv6 higher than IPv4.

> Now if I also let internal devices get both a v4 and a v6, they essentially all become directly exposed to the internet through v6 don’t they? That’s the part that really confuses me.

They won't become directly exposed - the router's firewall should block incoming IPv6 traffic by default. This is the case for my router and should also be the case for others. To be 100% sure you could do a quick check and try to ping your device from the internet using its IPv6 address. You will likely see a message saying: "Destination unreachable: Administratively prohibited" or get a timeout.

> And if they aren’t publicly accessible from the internet then I’m back to v4 NAT where I was all along which kinda makes v6 pointless doesn’t it?

You can open ports in the router's firewall for IPv6 addresses. However, the main advantage for you would be that your clients can access public IPv6 addresses - which they currently can't. This might not be a big deal yet, but as IPv6 slowly gains some traction it will be noticeable in the future. Some hosters already charge extra for IPv4 addresses.


>they essentially all become directly exposed to the internet through v6 don’t they?

Most consumer routers have a stateful firewall [0] for IPv6 that basically behaves like NAT. But it's less of a problem than on IPv4 anyway. It's possible to scan the whole IPv4 Internet in less than 5 minutes. [1] And this is done constantly by many people. The IPv6 address space is way too big to do this and you have to harvest addresses. [2] It's always a good idea to have a firewall but unlike IPv4 you don't get port and vulnerability scans seconds after you expose a host to the internet.

>which kinda makes v6 pointless doesn’t it?

IPv6 is mostly useful for ISPs. There are just not enough IPv4 addresses for everyone.

[0] https://en.wikipedia.org/wiki/Stateful_firewall
[1] https://en.wikipedia.org/wiki/ZMap_(software)
[2] https://isc.sans.edu/diary/Targeted+IPv6+Scans+Using+pool.nt...
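As an added illustration (not from any commenter in this thread) of what the "stateful firewall that behaves like NAT" looks like in practice, here is a minimal nftables forward chain for a home router: LAN-initiated connections and their replies pass, ICMPv6 that IPv6 needs to function is kept, and a single inbound port to the reverse proxy is opened on purpose. The interface names, the nginx host's address (from the 2001:db8::/32 documentation prefix) and port 443 are assumptions.

```nftables
# Added example, not from the thread. Assumed names: wan0 (ISP side),
# lan0 (home network), 2001:db8::10 (the nginx reverse proxy host).
table ip6 home_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # The NAT-like part: only replies to connections the LAN opened come back in.
        ct state established,related accept
        ct state invalid drop

        # Anything a LAN client starts toward the Internet is allowed out.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 is not optional on IPv6: Path MTU discovery breaks without
        # packet-too-big, so pass the error types and rate-limit echo requests.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        icmpv6 type echo-request limit rate 10/second accept

        # The one deliberate hole, the IPv6 equivalent of a port forward:
        # new TCP connections from the WAN to 443 on the reverse proxy.
        iifname "wan0" ip6 daddr 2001:db8::10 tcp dport 443 ct state new accept

        # Everything else from the WAN is logged and dropped. A test from
        # outside then sees the timeout the thread mentions; using
        # "reject with icmpv6 type admin-prohibited" instead would produce
        # the "Administratively prohibited" message.
        iifname "wan0" log prefix "ip6-fw-drop " counter drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; the counter on the final rule shows how much unsolicited inbound IPv6 the router is actually discarding.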


>Even though they now have a public IPv6 address, the router's firewall should block incoming connections to it by default. That's the case for my router, but to be sure you should check it yourself for yours

This is why I won't enable IPv6 unless ISPs dramatically change how their hardware works. My ISP-issued modem+router doesn't even have a way to disable routing or automatic updates. I can test the firewall today, but what guarantee is there it'll just keep working?


The comment you're replying to is referring to Homeland. If all you have is an ISP-issued device, then you don't need to worry about it, just use the defaults.

Also, I doubt ISPs will ever change their home routers to default to IPv6 because of the complexity it'll add to customer support with no extra benefits.


Routers don't "default" to one protocol or the other. They do both v4 and v6, and end devices pick which to use for each connection.


It's not the router that decides which IP version to use but the operating system, and AFAIK all default to IPv6 if they have an address. And yes, many ISPs have activated IPv6 by default; that's the reason we see 80% IPv6 usage here. It's not because 80% of the users have actively activated it. Most of them have no idea what an IP even is.


What is Homeland? I explicitly disable IPv6 because I don't trust the firewall, especially on an auto-updating device.


Is there a specific reason you trust your router for IPv4 but not for IPv6 traffic? IPv6 privacy extensions should be enabled by default on most devices. So even in the unlikely case of a device being exposed, someone has to know the temporary IPv6 address and then try to access it while it is still in use. This device would also have to run a vulnerable service on some port that the attacker has to know. All in all, I think that this is a pretty unlikely scenario.


"Most devices", "should be", "unlikely case", "pretty unlikely". That's my impression too, and none of those are good enough. I have many internet connected devices (appliances) and really don't want to worry about someone remotely accessing them. Behind the NAT it just isn't possible.


> Behind the NAT it just isn't possible.

It could be with UPnP, which as a security conscious person you likely have disabled. Do you trust it to stay disabled, or trust that none of your many devices will try to use it to poke holes in the NAT?

Even if you have to use your ISP's modem/router device, it might have a bridge mode where it just becomes a modem, enabling you to use your own router. It might be worth checking this option if you didn't already.


It is possible -- NAT won't protect you from inbound connections. Even using RFC1918 addresses on your LAN won't protect you from all inbound connections. You need a firewall for that.

If you don't trust the ISP device to firewall, then you can't trust it even for v4. You need to run your own router.



