OK, no need to panic, the good news is that you've got a year or two to get comfortable with IPv6 and understand how it is different than IPv4 and how you can take advantage of it features.
First, as most of your questions seem to be around security, as mentioned, NAT is not a firewall. Many rely on it to provide restrictions on connectivity, but it is poor at truly controlling access. Everything that people "misguidedly trust" NAT to perform is better handled by firewall rules (and should, in my opinion, be, even with NAT present). Here's roughly what NAT does, as typically configured:
- Accept all packets coming in from the internal network, no matter the destination
- Forward all packets coming from the router or the internal network to any external destination
- Accept any packets from any external destination that seem related to a connection from the router or the internal network
- Accept any setup packets (TCP) and any UDP packets to destinations that have been preconfigured ("port forwarding")
(You don't really "open ports" to all addresses with IPv4 NAT, you open access to a mapping from one host:port to another host:port. With IPv6 you open the firewall to a specific host:port, so if anything, it is easier and more secure.)
Note that with NAT, by the time you reach the perimeter, you no longer know the source of outgoing packets, so you can't filter on that. All you know is some inside host is trying to connect to some outside host. There are also all kinds of techniques developed to "fool" NAT into opening ports that perhaps you don't want open (STUN, for example, and, hopefully you've already disabled UPnP).
All of this can, and probably should be managed with firewall rules. The differences between IPv4 and IPv6 are mainly that:
- You have to write the firewall rules explicitly, rather than blindly trusting that NAT works
- You can write those rules to be very fine-grained, including knowledge of the inside host
The hacks required to properly manage dynamic firewall rules for NAT-ed IPv4 drive people nuts. Even networking experts! IPv6 makes this process much easier, and much more robust.
Addressing is another "interesting" difference.
An IPv6 interface can have multiple addresses. The only one that is required is a link-local address. You don't have to do anything to get a link-local address in modern OSes, Linux, macOS, Windows, FreeBSD, Android, iOS, .... As crazy as it may sound, you can have the same link-local address on two or more interfaces on the same machine. Since the link-local address is only used on that link, it doesn't matter. You may well find that your router uses its link-local address (and that of the upstream router) for routing packets, not your IA_NA (ISP-assigned global address). Assuming that the services and firewalls on each of your devices permit it, you can use a link-local address for everything, as long as on that link. Printers, for example, can serve the entire subnet with just a link-local address.
The other address scopes that are generally interesting to SOHO users are ULAs and global addresses. Any interface can have zero, one, or more of these, from either scope. Most SOHO users don't use DHCPv6 as IPv6 is intended to allow reasonable self-configuration. A router advertises itself, perhaps some DNS servers, and what "pool" a host can pick from. The host picks from that, checks that nobody else is using it (unlikely in a SOHO network, with 18,446,744,073,709,551,616 addresses in a /64), then announces that it is "claiming" that address. As dlakelan points out, many OSes don't use a MAC-generated address and periodically rotate them.
"Topology hiding" came up over and over in the early days of IPv6 from NAT users, including enterprises. Virtually all of the arguments I have seen can be eliminated by appropriate use of addresses. The fact that you can't easily scan 18,446,744,073,709,551,616 addresses in a /64 as easily as you can the 254 in an IPv4 /24 alone should be comforting.
ULA addresses are ones that you randomly pick a prefix from the permitted space, then assign as you see fit. They can be valuable for connections within your own network, even across routers for the various topological subnets you may have. ULA address don't route over the "open Internet"; they are effectively private to your network.
How does a host pick which address and interface to use? It is not significantly different than IPv4; the routing table identifies if the destination is direct, or what the next hop is. The "additional" part is that a link-local address is generally used if the target is, well, link-local, a ULA typically used if the destination is in the same ULA address range, and a global address if the destination is a global address.
All in all, the fact that with properly deployed IPv6 you know the host and destination at all your control and routing point means that things get easier to robustly control. Yes, you have to control them, and NAT has been a crutch for many, SOHO or otherwise, in the past. Yes, pull the crutch and if you don't have a leg to stand on, you fall down. However, you've got plenty of time to strengthen that leg and begin to run with ease. The idea of learning more about IPv6 and getting into it a bit with a tunnel broker over the next year or so is a good one.