I’m the administrator of kbin.life, a general purpose/tech orientated kbin instance.
I believe the privacy concerns are made moot if all consumer level routers by default blocked incoming untracked connections and you need to poke holes in the firewall for the ports you need.
Having said that, even knowing the prefix it’s a huge address space to port scan through. So it’s pretty secure too with privacy extensions enabled.
But for sure the onus is on the router makers for now.
I used HE for ages until my isp gave native ipv6. I also used sixxs back then too. Both provided good connectivity for the few sites that were around using it at the time.
This is my biggest bugbear about a lot of UK isps. They are dynamically allocating ipv6 prefixes for absolutely no good reason.
I’ve only ever done ipv6 using Linux directly as a firewall or a mikrotik router. So cannot help with pfsense I’m afraid.
You start by adding ipv6 and serving both. One side needs to move first. Content providers or isps.
The big tech companies are using ipv6. In the UK the isps are mostly offering it too.
Host both and help us move towards dropping Ipv4 some day. It’s not going to happen in a day.
Whenever anyone asks if I use AI. My answer is that, so far it hasn’t ever delivered working code. However the majority of times I used it, the code it did provide sent me in the right direction.
So it’s not useless. And I know tools have gotten better. But when I see companies seriously talking “AI first” and wanting vibe coding to be a main development strategy. I do really worry.
But new IPv4 allocations have run out. I’ve seen ISPs that won the lottery in the 90s/2000s (when the various agencies controlling IP allocations just tossed them around like they were nothing) selling large blocks for big money.
Many ISPs offer only CGNAT, require signing up to the higher speed/more expensive packages to get a real IP, or charge extra on top of the standard package for one. I fully expect this trend to continue.
The non-move to IPv6 is laziness, incompetence, or the sheer fact they can monetize the finite resource of IPv4 addresses and pass the costs onto the consumer. I wonder which it is.
Actually how is your ISP giving out IPs to you? Mine uses IPv6 PD to give me a /48. And I then use SLAAC locally on the first /64 prefix on my LAN. Plus another /64 for VPN connections.
If you mean receiving RA/ND packets from your ISP (which are used to announce IPv6 prefixes) then you need to allow icmpv6 packets (if you don’t want to be able to be pinged, just block echo requests, ICMP in v4 and v6 carry important messages otherwise).
If your ISP uses DHCPv6 Prefix delegation you will need to allow packets to UDP port 546 and run a DHCPv6 client capable of handling PD messages.
If you have a fixed prefix, then you probably don’t need to use your ISPs SLAAC at all. You could just put your router on a fixed IP as <yourprefix>::1 and then have your router create RA/ND packets (radvd package in linux, not sure what it would be on pfsense) and assign IPs within your network that way.
If you have a dynamic prefix… It’s a problem I guess. But probably someone has done it and a google search will turn up how they handled it.
EDIT: Just clarified that the RA/ND packets advertise prefixes, not assign addresses.