Ramblings of an aging IT geek

ipv6 at home, after years of meaning to

Finally enabling IPv6 across the home network, what actually broke, and why the firewall mindset is the part that needs unlearning.

[Image: Network cables plugged into a switch]

I've been meaning to turn on IPv6 at home for, conservatively, a decade. This week I finally did it, mostly because my ISP quietly started handing out a proper prefix and I ran out of excuses. The headline: it was less dramatic than I feared and broke in exactly one way I should have predicted.

The enabling part was almost anticlimactic. The router picked up a delegated prefix, handed addresses out to everything on the LAN, and within a few minutes most devices had a global v6 address alongside their old v4 one. ping6 -c1 google.com came back. The dual-stack world just worked, which after years of imagining a painful migration felt almost suspicious.

[Image: Rows of equipment in a small datacentre]

Then the firewall. This is the part that needs unlearning, and it's the part that bit me. With IPv4 and NAT, every device on my network is hidden behind a single address by accident of the architecture. Nothing reaches in unless I forward a port. With IPv6, every device has a globally routable address. There is no NAT hiding anything. The router's firewall is now the only thing standing between the open internet and the printer, the NAS, and that one IoT gadget I don't fully trust.

So I went and checked, properly, that the default v6 firewall policy was deny-inbound. It was, but I'd have felt foolish assuming it. The mental model has to shift from "NAT protects me by default" to "the firewall protects me, and I'd better know its rules". Those are not the same comfort.
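What "deny-inbound by default, and know the rules" looks like in practice, as an added example rather than the author's own router config: a minimal nftables IPv6 ruleset with both the input and forward chains defaulting to drop, plus a small check that parses a ruleset listing for exactly that property. It assumes a Linux router running nftables with the upstream interface named "wan" and the LAN side named "lan"; rename those to match the hardware. The ICMPv6 allowances are the non-obvious part: neighbour discovery, router advertisements and packet-too-big have to get through or v6 does not work at all, which is one of the ways a v6 path ends up "quietly broken".

```bash
#!/usr/bin/env bash
# Added example, not the author's router configuration. Assumes a Linux
# router with nftables, WAN interface "wan" and LAN interface "lan".
# Apply as root: ./v6fw.sh apply   Check only: ./v6fw.sh check
set -eu

# Emit the ruleset. Both chains that matter default to drop.
v6_ruleset() {
cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Without these v6 does not function: neighbour discovery, router
        # advertisements from the ISP, and path-MTU / error signalling.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      packet-too-big, destination-unreachable,
                      time-exceeded, parameter-problem, echo-request } accept
        # DHCPv6 replies (prefix delegation) arrive on the WAN side only.
        iifname "wan" udp dport 546 accept
        # Only needed if this router also serves DHCPv6 to the LAN.
        iifname "lan" udp dport 547 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN hosts may initiate anything outbound.
        iifname "lan" oifname "wan" accept
        # Unsolicited inbound to LAN hosts: only the ICMPv6 that path-MTU
        # discovery needs. Nothing else reaches the printer, NAS or gadget.
        iifname "wan" oifname "lan" icmpv6 type { packet-too-big,
            destination-unreachable, time-exceeded, parameter-problem } accept
    }
}
EOF
}

# Read a ruleset listing on stdin (from `nft list ruleset` or v6_ruleset)
# and confirm the inet input and forward chains both default to drop.
# Exit 0 if so, 1 otherwise. This is the "check it properly" step.
verify_default_deny() {
    listing=$(cat)
    for chain in input forward; do
        if ! printf '%s\n' "$listing" | grep -Eq "hook ${chain} priority [^;]+; policy drop;"; then
            echo "chain ${chain}: default policy is NOT drop" >&2
            return 1
        fi
    done
    echo "input and forward chains default to drop"
}

case "${1:-}" in
    check)  v6_ruleset | nft -c -f - && echo "ruleset parses" ;;  # syntax check only
    apply)  v6_ruleset | nft -f - ;;
    verify) nft list ruleset | verify_default_deny ;;            # check the live policy
    *)      v6_ruleset ;;                                        # print the ruleset
esac
```

Running `verify` against the live ruleset is the habit worth keeping: a firmware update or a well-meaning GUI toggle can flip a chain back to `policy accept`, and with no NAT in the way nothing else will tell you.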

A couple of other small things surfaced. One older device refused to do v6 sensibly and sat there with only a link-local address, sulking; I left it on v4 and moved on. And I learned to stop trusting "it works" until I'd tested from outside the network, because dual-stack hides a lot. A service can answer fine over v4 whilst its v6 path is quietly broken, and you won't notice until something prefers v6 and falls over.
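The "test from outside, one family at a time" idea as an added example, not something from the post: a small script that pins each probe to IPv4 or IPv6 explicitly, so a healthy v4 path cannot mask a broken v6 one the way a normal browser's fallback does. It assumes bash (for `/dev/tcp`), curl and coreutils `timeout` are installed on the machine you probe from, which should sit outside the LAN (a phone on mobile data or a cheap VPS) for the result to mean anything.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Usage: ./dualstack.sh https://host/
# For non-HTTP services, call tcp_probe with a literal v4 or v6 address.
set -u

# Raw TCP handshake to one literal address. No name resolution happens,
# so the address family is exactly the family of the literal. Exit 0 on
# connect; bash is spawned explicitly because /dev/tcp is a bash feature.
tcp_probe() {  # tcp_probe ADDRESS PORT
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# HTTP-level check pinned to one family with curl's -4 / -6 flags, which
# switch off the fallback that makes dual-stack breakage invisible.
# Prints the HTTP status code, or "fail" if no connection was made.
http_probe() {  # http_probe 4|6 URL
    code=$(curl "-$1" --connect-timeout 5 -s -o /dev/null -w '%{http_code}' "$2") \
        && echo "$code" || echo fail
}

# Turn two per-family results (0 = reachable, 1 = not) into a verdict.
verdict() {  # verdict V4_STATUS V6_STATUS
    case "$1$2" in
        00) echo ok ;;
        01) echo v6-broken ;;
        10) echo v4-broken ;;
        *)  echo both-down ;;
    esac
}

if [ $# -eq 1 ]; then
    url=$1
    r4=$(http_probe 4 "$url")
    r6=$(http_probe 6 "$url")
    s4=0; [ "$r4" = fail ] && s4=1
    s6=0; [ "$r6" = fail ] && s6=1
    echo "v4: $r4  v6: $r6  verdict: $(verdict "$s4" "$s6")"
fi
```

A `v6-broken` verdict is the case the post describes: the service answers over v4, the AAAA record exists, and anything that prefers v6 will hang or fall over. The usual culprits are a firewall rule that does not cover the forward chain, a missing route for the delegated prefix, or a host that only bound its listener to the v4 address.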

Worth doing? Yes, finally. Not because anything at home needs it today, but because the future keeps arriving and I'd rather meet it having already learned where the sharp edges are. The sharp edge, it turns out, was never the addressing. It was remembering that NAT was doing security work I'd never asked it to.