
The lack of NAT has no bearing on security, despite an old mistaken belief.


Defence in depth is a valid security approach, and NAT provides another layer of defence in depth.

If you have a vulnerable IPv4 machine on 192.168.0.24 port 2345 which is hidden behind a public IP of 1.2.3.4, and you set your firewall rule to allow any inbound traffic with no NAT rules, then it will be exceedingly difficult for a remote attacker to reach that vulnerable port (they have to trick your router's connection table into routing it).

If the same machine is on 2100:1234:5678:a::24, then that port is exposed.

Now sure, your firewall could block the traffic, and that's great. But having multiple layers of active configuration to allow the traffic through is more secure than having a single layer, as it means you need to screw up twice.

Worse than that, with dual stack you may think you have set your firewall to block non-established connections at the IPv4 stage, but your device is sat there on an open IPv6 address you didn't even consider. Dual stack is certainly less secure than single stack, as there are two opportunities to screw up.
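The dual-stack mistake described in the comment above, written out as an added nftables example (not posted by any commenter): the first ruleset filters forwarded traffic only for the `ip` family, so IPv6 forwarding has no filter hook at all and a LAN host's global v6 address is reachable from the WAN, while the second uses a single `inet` table so one stateful rule covers both families. Interface names (`lan0`, `wan0`) and addresses are assumed for illustration.

```nftables
# Weak: forward filtering is defined for IPv4 only. No "ip6" or "inet"
# forward chain exists, so the kernel forwards IPv6 traffic unfiltered.
table ip filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "lan0" accept
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}

# Corrected: one "inet" table, so the same drop-by-default forward policy
# applies to IPv4 and IPv6. The "ip nat" table above is still needed for
# IPv4 masquerading; IPv6 hosts are routed directly, so filtering is the
# only thing standing between them and the WAN.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname "lan0" oifname "wan0" accept
        # Any exposure must be explicit and per family (assumed addresses):
        # iifname "wan0" ip daddr 192.168.0.2 tcp dport 80 accept         # post-DNAT
        # iifname "wan0" ip6 daddr 2100:1234:5678:a::2 tcp dport 80 accept
    }
}
```

Loading the first ruleset and listing it with `nft list ruleset` makes the gap visible: there is simply no chain attached to the forward hook for IPv6.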


It’s the same layer. On router admin panels it’s literally the same UI for firewall rules and NAT port forwarding. If you went into your router admin and allowed all ports on v4, it would be exactly the same as allowing all on v6. The router will happily forward all connections to v4 devices the same.


> If you went into your router admin and allowed all ports on v4, it would be exactly the same as allowing all on v6. The router will happily forward all connections to v4 devices the same.

Forward to where?

You have to actively say "forward port 80 to 192.168.0.2". Port 80 can't be forwarded to 192.168.0.2 and 192.168.0.3.

Whereas allowing all traffic means you can talk to 2100:xxx::192.168.0.2 and 2100:xxx::192.168.0.3.


Yes, you can't expose multiple computers at the same time on v4, but you certainly can expose one, in exactly the same UI in which you exposed v6. And then that one you exposed has full access to the local network beyond the firewall to expose the rest.

The argument seems silly, almost like "I deliberately shot myself in the foot, but with v4 I could only shoot one foot at a time, while v6 lets me shoot both". The answer is to just not shoot yourself in the foot; since you have to make a deliberate effort to do this in the first place, just not doing that is the answer.



