IPv6 at Home: Why It Matters Now and How to Stop Ignoring It
The protocol you've been avoiding is already running on your network

Most of us have spent two decades treating IPv6 as someone else’s problem — a thing that exists, that we’ll get round to, that the internet seems to run fine without. Meanwhile it quietly crept onto your network anyway. Your phone is probably using it right now. A large slice of traffic to Google, Netflix and the big CDNs is already IPv6 over your home connection, and you never lifted a finger. The question stopped being “should I enable IPv6” some time ago. It’s now “should I keep pretending the IPv6 that’s already running is something I understand.”
You should stop pretending. Not because IPv4 is about to vanish — it isn’t — but because IPv6 is no longer the future, it’s the present, and ignoring it means running a network with a whole protocol you don’t monitor, don’t firewall properly, and can’t reason about when something breaks.
1 Why it actually matters now
Three things have changed. First, carrier-grade NAT. To cope with IPv4 exhaustion, many ISPs now hide hundreds of customers behind one public IPv4 address. That breaks inbound connections, ruins port-forwarding, and makes self-hosting miserable. IPv6 hands every device a real, globally routable address — no NAT, no sharing — so the thing you couldn’t expose over a CGNAT’d IPv4 link just works over IPv6.
Second, performance. Major content networks frequently serve IPv6 faster, with fewer NAT hops in the path. Eyeball networks prefer it via Happy Eyeballs, the algorithm that races both protocols and usually picks v6.
Third, security by omission. If IPv6 is running on your LAN — and it almost certainly is — but your firewall rules only cover IPv4, you may have devices reachable over v6 that you never intended to expose. An unfirewalled IPv6 stack is the kind of thing that bites quietly.
2 The mental model is different, embrace it
The single biggest unlearning: IPv6 has no NAT, and that’s good. Every device gets a globally unique address from a prefix your ISP delegates to you — typically a /56 or /64, which is an absurd number of addresses. Instead of one public IP and a NAT table, you get a routed prefix and a stateful firewall doing the gatekeeping.
That firewall now matters enormously, because there’s no NAT accidentally hiding things. Default-deny inbound is non-negotiable:

    # nftables: allow established/related, drop new inbound, permit ICMPv6
    table inet filter {
        chain input {
            type filter hook input priority 0; policy drop;
            ct state established,related accept
            iifname "lo" accept
            # don't break PMTUD/ND; unlike "ip6 nexthdr icmpv6", meta l4proto
            # still matches when extension headers precede the ICMPv6 header
            meta l4proto ipv6-icmp accept
            tcp dport 22 accept
        }
    }

Note the ICMPv6 line — IPv6 genuinely needs ICMP to function. Path MTU discovery and neighbour discovery ride on it, so the old IPv4 habit of blanket-dropping ICMP will leave you with a network that mysteriously half-works.
3 Getting your addresses in order
Run ip -6 addr on a Linux box and you’ll likely see several addresses on one interface: a link-local fe80:: one, a stable global address, and a temporary “privacy” address that rotates so you’re not trackable by a fixed identifier across the web.

    ip -6 addr show dev eth0
    # inet6 2a01:4b00:abcd:1::42/64 scope global          <- stable, use for servers
    # inet6 2a01:4b00:abcd:1:9c3f::8d2/64 temporary       <- rotates, for outbound
    # inet6 fe80::5054:ff:fe12:3456/64 scope link         <- link-local only

For a server you want a stable address, so set a static one or use DHCPv6 with a reservation. For self-hosting, you point an AAAA record at that global address and — firewall permitting — it’s reachable from the internet directly, no port-forward, no CGNAT misery. Just remember that “directly reachable” cuts both ways, which is why the firewall section came first.
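
To check the "security by omission" point against the addresses shown above, this added example (not part of the original article) classifies the addresses from `ip -6 addr` and lists listening sockets that are reachable on a globally routable address but are not in the firewall's allow-list. The `ip` and `ss` samples are constructed, and the function names and the allow-list of port 22 (mirroring the nftables rule earlier) are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show dev eth0` output (addresses as in the article).
IP_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:4b00:abcd:1:9c3f::8d2/64 scope global temporary dynamic
    inet6 2a01:4b00:abcd:1::42/64 scope global
    inet6 fe80::5054:ff:fe12:3456/64 scope link
"""
# Constructed sample of `ss -H -6 -tln` output (listening TCP sockets).
SS_OUTPUT = """\
LISTEN 0 128  [::]:22                     [::]:*
LISTEN 0 511  *:8080                      *:*
LISTEN 0 4096 [::1]:631                   [::]:*
LISTEN 0 64   [2a01:4b00:abcd:1::42]:5432 [::]:*
"""

def classify(ip_output):
    """Map each inet6 address to link-local, temporary, stable-global or other."""
    kinds = {}
    for addr, scope, flags in re.findall(r"inet6 ([0-9a-f:]+)/\d+ scope (\w+)(.*)", ip_output):
        ip = ipaddress.IPv6Address(addr)
        if ip.is_link_local:
            kind = "link-local"
        elif scope == "global" and ip.is_global:
            kind = "temporary" if "temporary" in flags else "stable-global"
        else:
            kind = "other"  # e.g. ULA (fc00::/7): never routed on the internet
        kinds[str(ip)] = kind
    return kinds

def exposed_listeners(ss_output, kinds, allowed_ports=frozenset({22})):
    """List (address, port) listeners reachable via a global address but not allow-listed."""
    routable = {a for a, k in kinds.items() if k in ("stable-global", "temporary")}
    findings = []
    for fields in map(str.split, ss_output.splitlines()):
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.split("%")[0].strip("[]")  # drop brackets and any %zone suffix
        wildcard = host in ("::", "*")         # bound to every address on the host
        if not wildcard and str(ipaddress.IPv6Address(host)) not in routable:
            continue                           # loopback or link-local only
        if int(port) not in allowed_ports:
            findings.append(("any" if wildcard else host, int(port)))
    return findings

if __name__ == "__main__":
    for host, port in exposed_listeners(SS_OUTPUT, classify(IP_OUTPUT)):
        print(f"tcp/{port} on {host}: reachable over global IPv6 unless the firewall drops it")
```

On a real host, replace the two samples with the output of `ip -6 addr show` and `ss -H -6 -tln`, and set `allowed_ports` to what your own ruleset accepts.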
4 The honest caveats
It’s not all clean. Your ISP-delegated prefix may change when your connection resets, which makes static AAAA records flaky unless you use dynamic DNS for v6 too. Some ISPs are still embarrassingly behind and hand you a single /64 or nothing at all. And dual-stack means twice the firewall surface and twice the things to debug when something’s slow — Happy Eyeballs can mask a broken v6 path by silently falling back to v4, so a half-working IPv6 setup hides itself.
5 The verdict
If you self-host, if you’re stuck behind CGNAT, or if you simply want to actually understand the network you run, it’s well past time to take IPv6 seriously — and in 2025 that’s most people reading this. You don’t need to rip out IPv4; dual-stack is the sane goal. But enable IPv6 deliberately, firewall it as carefully as you firewall v4, and learn to read the addresses on your own machines.
The protocol is already on your network whether you engage with it or not. The only choice you’re really making is whether you’re the one in control of it, or the one surprised by it.




