Any reasons not to disable IPv6 for home setup?
-
I'm considering blocking all IPv6 traffic (un-checking the box, preferring IPv4, etc.) on my network so I only have to deal with IPv4 rules and other configurations. This is a simple home network; it is all IPv4.
Are there any strong reasons these days not to do this? Meaning, any sites that are IPv6 only or significantly slower over IPv4?
My WAN IP is v4 and IPv6 tests reveal my ISP isn't doing me any IPv6 favors anyways, so thinking I'll just lower the potential complexity (for now at least).
-
Well, other than the fact that the world is moving to IPv6 and you'll be cutting yourself off from the future? Configuring for IPv6 is not harder than IPv4.
-
Lots of reasons not to, in addition to what JkNott said. If you have any Windows clients on your network, Windows has been supporting and using IPv6 since Windows 7. IPv6 is used heavily by many Windows services. AFAIK, it's no different for Apple.
I've had IPv6 enabled on my network since long before "World IPv6 Day". Initially, I used a tunnel from HE and when my ISP started supporting it (and when pfSense supported the way my ISP implemented it), I switched over to native IPv6.
Really the question you should be asking is are there any reasons to block IPv6, and the answer is no. If you enable IPv6, depending on what sites you visit, you could find that much of your traffic is IPv6.
-
Lots of reasons not to, in addition to what JkNott said. If you have any Windows clients on your network, Windows has been supporting and using IPv6 since Windows 7. IPv6 is used heavily by many Windows services. AFAIK, it's no different for Apple.
Actually, it's been in Windows since XP SP3. Apple is also very strong on moving to IPv6.
I've been using IPv6 on my home network for over 7 years, via 6in4 tunnel, and almost 1.5 years native from my ISP. Also, Windows HomeGroup networks require IPv6. It won't work over IPv4.
Even my cell phone is IPv6 only. It has to use 464XLAT for IPv4 only apps & sites.
-
IPv6 is already disabled on a default install of pfSense to a point where nothing IPv6 related will work and is completely blocked unless you explicitly enable IPv6 in the interface setups. Further tinkering to disable and block it will accomplish absolutely nothing.
-
Here is my 2 cents on the matter. Until you're ready to complete the setup and validate you understand how it works, I would suggest you keep it disabled on pfSense. If you're ready to take the plunge – which yes, IPv6 is the future.. So this is a great idea!!
If you're not ready I would suggest you take the extra step of disabling it correctly on your clients - because if you're not going to actually use it, it's just going to be a bunch of noise on your network.. Windows is terrible with the noise; yes, it has IPv6 support going back for quite some time. But starting with 7 they put in the freaking kitchen sink to try and get it an IPv6, tunneled through your IPv4 etc..
Teredo, ISATAP, 6to4 all enabled on Windows - this is just bs if you ask me. So if you're ready, take the time to correctly configure it.. You sure as the F do not need Teredo, ISATAP and 6to4 running if you're going to properly set up dual stack, etc.
Do an ipconfig /all on a Windows machine out of the box... It's 4 freaking pages long giving zero info if you're not using these tunnel interfaces.. A simple reg entry can remove all of that nonsense if you're not going to actually configure IPv6 correctly for your use.
Linux is way less noisy when it comes to IPv6 if you don't have it actually set up.. And it doesn't try and tunnel IPv6 out your IPv4 connection without even asking you, that is for damn sure..
So either set it up, or disable it would be my suggestion.. Don't just leave it out of the box on Windows since it's just a mess like that.. I run a /48 from HE. And some of my segments have IPv6 and some do not.. As anything that happens on your network - you are the one that should be in control.. So one way or the other you should take that control.. Leaving protocols running on your network that you are not actively using and have put the proper controls in place is BAD Security plain and simple.. Letting your devices spew noise onto your network that serves no purpose is bad management.
-
I disabled IPv6 on my router because my VPN provider doesn't support it. By disabling it entirely, I avoid a potential leak.
However, one downside to disabling IPv6 on pfSense is that your firewall log can get flooded with IPv6 packets (such as ICMP packets coming from your ISP). To avoid that, you can turn off logging for all default rules, but that also throws out IPv4 logging.
-
I do the following on all Windows hosts on my network:
netsh interface ipv6 isatap set state disabled
netsh interface ipv6 6to4 set state disabled
netsh interface teredo set state disabled
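
A way to confirm on each host that the three tunnel technologies named in this thread are actually off after running those commands, as an added example that is not part of the original post. It assumes Windows 8 / Server 2012 or later, where the NetworkTransition cmdlets exist; the function name `Get-TunnelAudit` is made up for this example.

```powershell
# Added example: audit Teredo, ISATAP and 6to4 after disabling them with netsh.
# Assumes the NetworkTransition and NetAdapter modules (Windows 8 / Server 2012+).

function Get-TunnelAudit {
    # Teredo exposes its mode as 'Type'; ISATAP and 6to4 expose 'State'.
    $settings = [ordered]@{
        'Teredo' = [string](Get-NetTeredoConfiguration).Type
        'ISATAP' = [string](Get-NetIsatapConfiguration).State
        '6to4'   = [string](Get-Net6to4Configuration).State
    }

    # Hidden pseudo-adapters left behind by the transition technologies.
    $adapters = Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceDescription -match 'Teredo|ISATAP|6to4' }

    foreach ($name in $settings.Keys) {
        $value = $settings[$name]
        [pscustomobject]@{
            Technology = $name
            Setting    = $value
            # 'Default' defers to the OS version's built-in behaviour, so only an
            # explicit 'Disabled' is treated as confirmed off.
            Disabled   = ($value -eq 'Disabled')
            # Names of any matching tunnel adapters that still report status 'Up'.
            AdaptersUp = @($adapters |
                Where-Object { $_.InterfaceDescription -match $name -and $_.Status -eq 'Up' } |
                Select-Object -ExpandProperty Name) -join ', '
        }
    }
}

$audit = Get-TunnelAudit
$audit | Format-Table -AutoSize

# Non-zero exit code so the check can run from a login script or scheduled task.
$notOff = @($audit | Where-Object { -not $_.Disabled -or $_.AdaptersUp })
if ($notOff.Count -gt 0) {
    Write-Warning ("Still not disabled: " + ($notOff.Technology -join ', '))
    exit 1
}
```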