I have had a working IPv6 prefix from my ISP for ages and done absolutely nothing with it. Every device in the house was IPv4 only, NAT all the way down, the same arrangement I have had since forever. This weekend I finally wired the v6 side up properly, and it was both easier and more humbling than I expected.
The easy part was prefix delegation. The ISP hands me a /56, the router asks for it via DHCPv6-PD, and radvd advertises a /64 onto the LAN. Within a few seconds every machine had grabbed a global address via SLAAC, no DHCP server in sight, no NAT. After years of v4 plumbing that felt almost rude. Things just had addresses.
The humbling part was that IPv6 has no NAT to hide behind, so every one of those globally routable addresses is, by default, globally reachable. I knew this. I knew it the way you know the hob is hot. I still spent ten minutes confused about why a box was answering pings from the wider internet before the penny dropped: there is no implicit firewall here. The wall I relied on in v4 was an accident of NAT, not a security decision.
So the actual work was the firewall, not the addressing. A default-deny on inbound v6, with the v4 ruleset's intentions mirrored across, and suddenly the network felt like mine again. ping6 ipv6.google.com from a laptop, clean replies, and nothing answering from outside that should not.
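As an added example (not the ruleset from this post, which is not shown), here is one way to write that default-deny inbound policy for IPv6 on the router. It assumes the router runs nftables; the interface names wan0 and lan0 and the table name v6guard are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example. Assumptions: nftables on the router, WAN on wan0, LAN on lan0.
define WAN = "wan0"
define LAN = "lan0"

# Create-then-delete so the file reloads atomically whether or not the table exists.
table ip6 v6guard
delete table ip6 v6guard

table ip6 v6guard {
    # Traffic addressed to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept

        # Neighbour discovery and router advertisements. Without these IPv6
        # stops working on the link. Hop limit 255 proves the packet was not routed.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert } ip6 hoplimit 255 accept

        ct state established,related accept
        ct state invalid drop

        # ICMPv6 errors, including packet-too-big for path MTU discovery.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # DHCPv6-PD replies from the ISP. The request goes to a multicast
        # address, so conntrack does not match the reply as established.
        iifname $WAN ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept

        # LAN hosts may talk to the router.
        iifname $LAN accept
    }

    # Traffic routed between WAN and LAN. This is where NAT used to hide hosts.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to LAN-initiated flows, plus ICMPv6 errors related to them.
        ct state established,related accept
        ct state invalid drop

        # LAN may open connections outward.
        iifname $LAN oifname $WAN accept

        # Everything else from WAN, including echo-request to LAN hosts,
        # falls through to the drop policy.
    }
}
```

Load it with `nft -f` and confirm with `nft list table ip6 v6guard`, then repeat the outside-in ping test against a LAN host's global address to check that it no longer answers.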
Worth doing. Just do the firewall first, not, as I did, second.