My ISP has quietly supported IPv6 for a while, my router supports it, and every device in the house supports it. So naturally I had been running v4-only for years, because everything worked and "if it isn't broken" is a powerful sedative. This week I decided that was a bad excuse and turned it on properly. It took an evening, not the five minutes I had optimistically budgeted.
The first thing to understand is that home IPv6 is not "one address" the way a v4 setup is. The ISP hands you a delegated prefix via DHCPv6-PD, and your router carves subnets out of it for each internal network. My provider delegates a /56, which is gloriously roomy: 256 individual /64 subnets, each containing more addresses than the entire IPv4 internet. For a house, that is comically excessive, and it is wonderful.
The first surprise was that my prefix is not static. The ISP delegates it via the PD mechanism but does not guarantee stability, so it can change when the line renews or the modem reboots. With v4 and a single NAT address you barely notice a change; with v6 your entire internal addressing shifts underneath you, which matters the moment you want to reference a device by address or write a firewall rule. The pragmatic answer for internal stability is Unique Local Addresses, the fc00::/7 space, which is the v6 analogue of RFC 1918 private addressing. You run ULA alongside the global prefix so internal services have a stable address regardless of what the ISP does outside.
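The addressing plan from the last two paragraphs, as an added example that is not part of the original post: it carves /64s out of a delegated /56, pairs each with a /64 from a ULA /48 generated the RFC 4193 way, and lists which prefixes stop being valid after a renumber. It goes slightly beyond the text by including the RFC 4193 Global ID algorithm. The delegated prefixes (from the 2001:db8::/32 documentation range), the segment names, and the time and EUI-64 inputs are all constructed.

```python
import hashlib
import ipaddress

def ula_prefix(ntp_time: bytes, eui64: bytes) -> ipaddress.IPv6Network:
    """RFC 4193 sec. 3.2.2: Global ID = low 40 bits of SHA-1(time || EUI-64)."""
    if len(ntp_time) != 8 or len(eui64) != 8:
        raise ValueError("expected a 64-bit NTP time and a 64-bit EUI-64")
    global_id = hashlib.sha1(ntp_time + eui64).digest()[-5:]
    # 0xfd is fc00::/7 with the L bit set (locally assigned); pad to 128 bits.
    return ipaddress.IPv6Network((b"\xfd" + global_id + bytes(10), 48))

def subnet64(parent: ipaddress.IPv6Network, index: int) -> ipaddress.IPv6Network:
    """Return the index-th /64 inside parent (a /56 holds 256, a /48 holds 65536)."""
    if parent.prefixlen > 64:
        raise ValueError("parent prefix is longer than /64")
    if not 0 <= index < (1 << (64 - parent.prefixlen)):
        raise ValueError(f"subnet index {index} does not fit in {parent}")
    base = int(parent.network_address)
    return ipaddress.IPv6Network((base + (index << 64), 64))

def plan(delegated: str, ula: ipaddress.IPv6Network, segments: list) -> dict:
    """Map each segment to (global /64, ULA /64), sharing one subnet index."""
    gua = ipaddress.IPv6Network(delegated)
    return {name: (subnet64(gua, i), subnet64(ula, i))
            for i, name in enumerate(segments)}

def changed_on_renumber(old: dict, new: dict) -> list:
    """Old prefixes that firewall rules and DNS must stop referencing."""
    return sorted(str(a) for name in old
                  for a, b in zip(old[name], new[name]) if a != b)

if __name__ == "__main__":
    segments = ["lan", "iot", "guest"]  # hypothetical internal networks
    ula = ula_prefix(bytes.fromhex("e8a1b2c3d4e5f607"),   # constructed NTP time
                     bytes.fromhex("021122fffe334455"))   # constructed EUI-64
    before = plan("2001:db8:1200::/56", ula, segments)    # constructed delegation
    after = plan("2001:db8:ab00::/56", ula, segments)     # after the ISP renumbers
    for name in segments:
        print(f"{name:6} global {after[name][0]}  ula {after[name][1]}")
    print("stale after renumber:", changed_on_renumber(before, after))
```

Only the global /64s show up as stale; anything written against the ULA side survives the change of delegation.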
The second surprise, and the important one, is the firewall. With IPv4 and NAT, every device sits behind the translation layer and is unreachable from outside by default, almost by accident. NAT was never a firewall, but it behaved like one and we all leaned on that. IPv6 has no NAT. Every device gets a globally routable address. That is the point of v6, and it is genuinely better, but it means the safety-by-accident is gone. If your router's v6 firewall is not configured to deny inbound by default, you have just exposed every machine in your house directly to the internet.
So the actual checklist, once the prefix delegation was up, was: confirm the router requests a prefix and assigns a /64 to the LAN, enable SLAAC and a DHCPv6 server so clients get addresses, add ULA for internal stability, and then, before anything else, verify the inbound firewall default is deny. I tested that last point from outside the network rather than trusting the config, because the failure mode here is silent and unpleasant.
The reward for all this is that I now have genuine end-to-end addressing. No port forwarding, no NAT hairpinning, no clever tricks to reach a device from outside, just a firewall rule allowing the specific thing I want. Connecting to a machine at home by its actual address, with no translation in the path, feels like how the internet was supposed to work before we ran out of numbers. It was an evening well spent, even if "eventually" did a lot of work in that headline.