Good; incentive to go learn something. Have a plan in place to deal with it though.

Firewall rules don’t replace parenting.

Just create a dhcp lease in unifi.

I used my work address. My work is small enough that it’ll filter to me eventually if they snail mail me.

I still haven’t figured out how to make a firewall rule with slaac on pfsense, with an ISP that hands out addresses at random. It’s my understanding’s slaac is the “right” way to do things, not dhcp and reservations.

Granted, it’s been a minute since I tried so I don’t remember the issues, but as I recall, when ipv6 prefix changes, device gets new IP (and it seems not just the prefix part. I can get the firewall to register IPs into DNS and use a dns based firewall rule, but unbound restarts and blows out its cache when a device joins the network. And there another part to it but it’s all gone fuzzy.

This depends entirely on what you want to run. A pihole needs vastly different resources than for example offering jellyfin to 20 simultaneous users. Both can be hosted at home.

Jellyfin has a pile of security issues regarding unauthenticated enumeration of the media that’s shared. That’s probably not awesome on the public internet. 

I’d suggest setting up Tailscale. https://github.com/jellyfin/jellyfin/issues/5415

Thanks for sharing; I was unaware. Just closed off that network hole.

To be pedantic, there is no 6e. Just 6A. I am looking at a spool labelled 6e as I type this, but that’s just a manufacturer thing, not an actual spec.

What sort of isp supplied residential equipment doesn’t block inbound connections? Pedantically, you’re correct.

You have a firewall. It’s in your router, and it is what makes it so that you have to VPN into the server. Otherwise the server would be accessible. NAT is, effectively, a firewall.

Should you add another layer, perhaps an IPS or deny-listing? Maybe it’s a good idea.