This will be an IPv6 question, oh yes it will … But …
Okay first, the setup. I have 2 dedicated IPs (IPv4) from my ISP. In order to utilize them both and separate one for remote login, outgoing only, I have the internet connection hitting a small switch first. The switch feeds into two routers, a Tenda AC900 with LAN side IP 192.168.3.1, and a Linksys WRT-160N with a LAN side IP 192.168.2.1. Each of these has a WAN side IP set to one of the dedicated IPs from my ISP.
Now the Tenda is a no-frills little router. It has all the basic features of a home (gaming and surfing) router, including their version of channelizing etc. It is used for PS4, Xbox 360, a gaming system and the 3 smart TVs that do Netflix etc. The gaming system runs Windows 10 Pro, but that is really unimportant. The internal IPs for everything are manually configured in the different devices and the DHCP server on the Tenda is disabled.
The Linksys is a custom-flashed DD-WRT firmware with a router-side VPN (I configured the OpenVPN client to work with my VPN service). It is set to use a custom, non-ISP DNS, with WebRTC & DNS leak protection and an OpenVPN kill switch built using iptables. I further customized the iptables rules to allow a single system on the LAN to bypass the OpenVPN configuration as a DMZ and use the dedicated IP. This system is an Ubuntu Server 16.04 command-line-only box that lets me SSH into a number of systems that require the dedicated IP as part of their validations. The Linksys routes WiFi for 2 phones, 2 tablets, 2 Windows desktops, a Windows/Kali Linux dual-boot system, 2 laptops and a Fitbit, and any phones etc. friends or family connect with when they visit.
Because I DD-WRT flashed the Linksys and added OpenVPN, my systems do not need a TAP driver for VPN in Windows, and do not have the “Public Network” issues associated with it. All permanently connected systems have assigned IPs in their OSes, and the router assigns reconnecting devices like my brother’s phone from a reserved list that matches MAC addresses to IPs. I have to add to this list every time a new device shows up. No random device can receive an IP from the router. Overkill? Maybe.
At the core of all this is a universal block of all IPv6 protocols, from the OS level to protocols attached to interfaces, etc. Neither router has PNP enabled, nor do the various Windows machines, having disabled it in their respective registries. Firewall, router, network and tunnels for NFS and SMB are manually configured and maintained. As you can guess, all this comes with a crap-ton of little special configurations, tweaks, and outright “well, this works”.
Both the routers are IPv6 ready, and my ISP does offer IPv6 over IPv4. Which is good, because I now need to have an IPv6 connection to two different company VPNs if I want to avoid having to actually be at the office (GASP). But where do I start changing this setup to one compatible with IPv6? What is a good resource for firewall and security migration, or is migration even a possibility? If I have to start from scratch, where should I look for the education needed?
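As an added example (not part of the original post, and not a DD-WRT or OpenVPN project script), here is what the IPv6 counterpart of the posture described above looks like on a DD-WRT router. The two points it illustrates are the ones that usually bite on migration: in IPv4, NAT quietly prevented unsolicited inbound connections to LAN hosts, but in IPv6 every LAN host is globally reachable, so the router's `FORWARD` chain has to provide that deny explicitly; and ICMPv6 cannot be blocked wholesale the way the old "universal block" did, because neighbour discovery, router advertisements and path-MTU discovery all run over it. It also rebuilds the iptables kill switch in ip6tables, since IPv6 traffic is otherwise not covered by the IPv4 rules and bypasses the tunnel. The interface names (`br0`, `vlan2`, `tun0`), the `2001:db8:1::/64` documentation prefix and the DMZ host address are assumptions; substitute your own. The script prints a ruleset in `ip6tables-restore` format rather than calling `ip6tables` directly, so it can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example: generate an ip6tables ruleset mirroring the IPv4 setup
# from the post (default deny inbound, VPN kill switch, one host bypassing
# the VPN to the raw WAN). All interface names and addresses below are
# assumptions/constructed values, not taken from the original post.

LAN_IF="${LAN_IF:-br0}"                      # DD-WRT LAN bridge (assumed)
WAN_IF="${WAN_IF:-vlan2}"                    # raw ISP-facing interface (assumed)
VPN_IF="${VPN_IF:-tun0}"                     # OpenVPN client tunnel (assumed)
LAN_PREFIX="${LAN_PREFIX:-2001:db8:1::/64}"  # documentation prefix, constructed
DMZ_HOST="${DMZ_HOST:-2001:db8:1::10}"       # the SSH jump box that bypasses the VPN, constructed

# ip6_ruleset: print a complete ruleset suitable for `ip6tables-restore`.
# Apply with:  sh this_script.sh | ip6tables-restore
ip6_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# --- router itself: loopback and reply traffic only ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# --- ICMPv6 that IPv6 cannot function without (RFC 4890 style) ---
-A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type router-solicitation -i ${LAN_IF} -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -i ${WAN_IF} -j ACCEPT
# --- router management from the LAN only ---
-A INPUT -i ${LAN_IF} -s ${LAN_PREFIX} -p tcp --dport 22 -j ACCEPT
-A INPUT -i ${LAN_IF} -s ${LAN_PREFIX} -p tcp --dport 443 -j ACCEPT
# --- forwarded traffic: what NAT used to do implicitly ---
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
# DMZ host is the only one allowed straight out the raw WAN interface
-A FORWARD -i ${LAN_IF} -s ${DMZ_HOST} -o ${WAN_IF} -j ACCEPT
# everyone else may only leave through the VPN tunnel (kill switch):
# if tun0 is down or carries no IPv6, their traffic is dropped, not leaked
-A FORWARD -i ${LAN_IF} -s ${LAN_PREFIX} -o ${VPN_IF} -j ACCEPT
# anything else (unsolicited inbound, LAN bypassing the tunnel) hits the
# chain policy DROP; log a sample so misconfigurations are visible
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "ip6-fwd-drop: "
COMMIT
EOF
}

ip6_ruleset
```

Two caveats a practitioner would want: the `tun0` rule only helps if the VPN provider actually carries IPv6 over the tunnel; if it does not, LAN hosts get no IPv6 connectivity at all with this ruleset, which is the safe failure mode (no leak) but may need hosts to be told to prefer IPv4. And choosing which host uses which WAN address is a routing decision rather than a firewall one in IPv6, since there is no NAT to rewrite source addresses; the rule for the DMZ host above only permits that path, it does not steer traffic onto it.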