Ramblings of an aging IT geek
networking

getting ipv6 into the house, the slow way

Bringing real IPv6 to the home network via a tunnel and prefix delegation, and the small disasters of DNS and firewalling that came with it.

Network cables and a patch panel

My ISP still doesn't do IPv6, which in late 2017 is its own quiet scandal, so getting v6 into the house meant a tunnel. I've put this off for years on the grounds that nothing I run actually needs it. That's still true. I did it anyway, because "I should understand this properly before I have to debug it in anger" is a better reason than it sounds, and because the v4 internet is visibly running out of room.

The short version: a Hurricane Electric tunnel terminates on my router, I get a routed /48, and the LAN now has globally routable addresses. The long version is a sequence of small humbling moments, which is the part worth writing down.

the tunnel itself

The tunnel is the easy bit, genuinely. HE gives you a server endpoint, you give them your v4 address, and you bring up a sit interface. On the router it's roughly this:

# 6in4: IPv6 carried inside IPv4 protocol 41, from our public v4 address to HE's tunnel server
ip tunnel add he-ipv6 mode sit remote 216.66.x.x local 81.x.x.x ttl 255
ip link set he-ipv6 up
# our end of the tunnel's point-to-point /64 (HE's server end is ::1, ours is ::2)
ip addr add 2001:470:xx:xx::2/64 dev he-ipv6
# send all v6 traffic down the tunnel
ip route add ::/0 dev he-ipv6

Ping ipv6.google.com from the router and it works first time, which is dangerously encouraging. The router has v6. The LAN does not. Bridging that gap is where the afternoon went.

A datacentre row with cabling

radvd, and the death of DHCP habits

On v4 I hand out addresses with DHCP and think no more about it. On v6 the clients mostly want to autoconfigure from a router advertisement, so the job is to run radvd and announce a /64 carved out of the routed /48, then get out of the way. That part worked. What threw me is that suddenly every device had several v6 addresses: a stable one (derived from the interface, either EUI-64 or the RFC 7217 stable-privacy form on newer stacks), a temporary privacy one that rotates (the old ones linger as deprecated until their lifetime runs out, so a host often shows more than one of these), and a link-local. Coming from one-device-one-address on v4, watching a laptop carry four global addresses at once is a small mental adjustment. Privacy extensions are doing exactly what they should, but it means "which address is this host" stops having a single tidy answer, and any firewall rule keyed on a specific host address is now a bad idea unless that address is one you configured by hand on a host with temporary addresses switched off. For everything else, match on the /64 or the interface, not on an address that will rotate out from under the rule.
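As an added example (not the post's own config), here is a minimal radvd.conf that announces one /64 from a routed /48 on the LAN side and pushes a resolver address in the RA so clients get v6 DNS without DHCPv6. The prefix 2001:db8:1::/48, the LAN interface eth0 and the router address 2001:db8:1:1::1 are assumptions; 2001:db8::/32 is the documentation range, so substitute the real routed /48.

```conf
# /etc/radvd.conf  (added example; 2001:db8:1::/48 stands in for the routed /48)
interface eth0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 30;
    MaxRtrAdvInterval 100;
    # M=0: no DHCPv6 for addresses, clients SLAAC from the prefix below.
    AdvManagedFlag off;
    # O=0: no DHCPv6 for "other" config either; DNS comes via RDNSS instead.
    AdvOtherConfigFlag off;
    prefix 2001:db8:1:1::/64
    {
        AdvOnLink on;       # hosts in this /64 talk to each other directly
        AdvAutonomous on;   # hosts may form their own addresses from it (SLAAC)
        AdvRouterAddr off;
    };
    # Recursive DNS server option (RFC 8106). Assumed: the router runs the resolver.
    RDNSS 2001:db8:1:1::1
    {
        AdvRDNSSLifetime 300;
    };
};
```

Two things radvd does not do for you: the router must be allowed to forward (`sysctl -w net.ipv6.conf.all.forwarding=1`) and must own an address in the announced /64 on the LAN side (`ip -6 addr add 2001:db8:1:1::1/64 dev eth0`). The /48 is routed by HE to the tunnel's ::2 endpoint, so no extra routes are needed beyond the default through the tunnel. On a box you need to find again, set `net.ipv6.conf.eth0.use_tempaddr=0` and give it a fixed address; laptops are better left at `use_tempaddr=2`, which prefers the rotating temporary address for outgoing connections.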

the firewall is the actual point

Here's the thing nobody mentions when they tell you to "just turn on IPv6": your devices now have public addresses with no NAT in front of them. On v4, NAT behaved like an accidental firewall: everything inside was unreachable by default because it had no routable address, and the state table behind the NAT only let replies back in. Turn on v6 and that accident evaporates. Every machine in the house is, by default, directly addressable from the entire internet.

So before the prefix went anywhere near the LAN, the v6 firewall got the same default-deny-inbound posture the v4 one has: established and related allowed back in, and nothing else inbound unless I say so. Two v6-specific details matter here. The rules that protect the LAN live in the FORWARD chain, not INPUT, because the router is routing the /48 rather than translating it. And ICMPv6 cannot be blanket-dropped the way people habitually drop v4 ICMP: neighbour discovery, router advertisements and path MTU discovery all ride on it (RFC 4890 lists which types to let through), and dropping packet-too-big in particular makes large transfers across the tunnel silently stall. I tested it from the tunnel's far side before trusting it. This is the single most important step and it's the one a "five minute IPv6 setup" guide will skip. NAT was never security, but it was hiding a lot of hosts that were never hardened on the assumption they'd be reachable.
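The posture described above as an ip6tables-restore ruleset, added here as an example rather than taken from the post. It assumes eth0 is the LAN, he-ipv6 is the tunnel from the earlier section, the LAN /64 is 2001:db8:1:1::/64 (documentation prefix, substitute your own), and that SSH to the router is wanted from the LAN only; the commented-out port-forward is a hypothetical host, not a rule from the post.

```conf
# /etc/ip6tables.rules  (added example; load with: ip6tables-restore < /etc/ip6tables.rules)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# --- traffic to the router itself ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMPv6 error/control messages the router must see (RFC 4890 section 4.3.1).
-A INPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 10/s -j ACCEPT
# Neighbour discovery only from the LAN side, and only with hop limit 255,
# which NDP mandates and which no packet that crossed a router can still have.
-A INPUT -i eth0 -p ipv6-icmp --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i eth0 -p ipv6-icmp --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i eth0 -p ipv6-icmp --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
# Admin from the LAN only (assumption: sshd on the router).
-A INPUT -i eth0 -s 2001:db8:1:1::/64 -p tcp --dport 22 -j ACCEPT

# --- traffic through the router: this is what protects the LAN ---
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# The LAN may initiate anything towards the tunnel.
-A FORWARD -i eth0 -o he-ipv6 -j ACCEPT
# Inbound ICMPv6 that LAN hosts need; without packet-too-big, PMTUD fails and
# TCP through a tunnel with an MTU below 1500 stalls on large transfers.
-A FORWARD -i he-ipv6 -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A FORWARD -i he-ipv6 -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A FORWARD -i he-ipv6 -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A FORWARD -i he-ipv6 -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A FORWARD -i he-ipv6 -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 10/s -j ACCEPT
# Deliberate inbound exceptions go here, keyed on a hand-configured stable address,
# never on a SLAAC privacy address. Hypothetical host, not from the post:
#-A FORWARD -i he-ipv6 -d 2001:db8:1:1::22 -p tcp --dport 22 -j ACCEPT
# Sample what gets dropped so "nothing broke" is backed by a log, not a feeling.
-A FORWARD -i he-ipv6 -m limit --limit 5/min -j LOG --log-prefix "ip6-fwd-drop: "
COMMIT
```

One rule that is easy to forget lives on the v4 side, not here: the tunnel arrives as IP protocol 41 on the public v4 interface, so the v4 firewall needs an `iptables -A INPUT -p 41 -s 216.66.x.x -j ACCEPT` for HE's server address or the sit interface never sees a packet. Checking the result from outside means probing one of the LAN's global addresses from a host beyond the tunnel; a clean result is a closed or filtered scan, while an ICMPv6 echo still answering is expected because this ruleset allows it deliberately.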

was it worth it

For day-to-day use? I notice nothing, which is the correct outcome. The web is dual-stack, things prefer v6 silently, nothing broke. The honest payoff is understanding. I now know how RAs and prefix delegation and the v6 firewall actually behave on my own kit, in a calm afternoon, rather than discovering it during an outage when the ISP finally enables it and something starts answering on an address I didn't know it had. That, and I can finally stop feeling like a fraud every time the subject comes up.