After performing more IPv6 testing with a Fritz!Box 6591 as provider router and a Peplink Balance One, I have understood, that enabling IPv6 on a Peplink Router will expose all my IPv6 clients from the “untagged LAN” behind it fully to the WAN. The Balance One just makes a pipe/bridge from WAN to LAN for IPV6 traffic, as it is working only in IPv6 passthrough mode. That means, all IPv6 traffic from WAN is passed to clients connected to “untagged LAN” only (not to clients in VLANs).
So all clients with IPV6 addresses will be exposed to the internet, if the provider’s router IPv6 firewall (Fritz!Box) is not enabled.
So I highly recommend to not enable IPv6 “exposed host” or “Open firewall for delegated IPv6 prefixes of this device” setting for security reasons on your provider’s router with the Balance One having enabled IPv6.
6 Likes