Firewall rules alone are not a great choice for protecting unsecured internal devices like printers. While they will drastically reduce the scope of people that can access them, firewall rules are not authenticated or private. A VPN is much better.
I beg to differ. Firewall rules are excellent. Lack of routing (which VPN basically amounts to) is useful too, but not as convenient. Also, with universally routable addresses like v6 ones (yeah, I know about local scope) one needs firewall rules TOO.
No, a VPN is not about "lack of routing". While VPNs work at the network layer and therefore involve routing, they are about authentication, data integrity, and privacy, not "lack of routing".
IP addresses are not secure. If you allow access from a remote site by IP block, you are open to anyone who can spoof that address, which is a lot of people. With a VPN connecting the remote networks you can actually authenticate the connection, protect the integrity of the data in transit, and prevent snooping.
Yes, a firewall rule will drastically reduce the number of people who can easily gain unauthorized access to your network, but far less than a VPN would, as that would require them to take direct control of the endpoint.
Firewalls are necessary of course, but mostly only in that they let you treat data on physically different networks differently: "inside" vs. "outside" vs. "DMZ". Filtering traffic based on which physical network connection it originates on is secure and can't be spoofed without physical access or compromising a device on the private network, and the firewall helps to prevent that. A VPN gives you a "virtual private network" -- that is, a connection that physically comes in on your connection to the public internet but which you can treat as an internal device. A firewall granting access to private resources for connections coming from the public internet based on insecure data like the IP address is not a good use of firewalls.
VPNs like the ones advertised by youtubers are basically useless except for watching Netflix from another country. Secure or safe they are not.
Sure, I never suggested using one. Those systems are not VPNs in any real sense of the word. They are encrypted proxies. While they use VPN technology internally, a VPN is a network connection between two trusted devices/networks that takes place over an untrusted intermediate network. Unless your desire is to communicate in a trusted fashion with NordVPN, it doesn't really qualify as a VPN.
What I am saying you should do is run WireGuard or OpenVPN or other similar technology between your home network and your colo hosts if you want to use unsecured services like printing. Relying on firewalls for that is better than nothing but is not real security. It's not actually much better than simply using IPv6 and an open network, since IPv6 is almost impossible to brute force scan due to the address space. If you don't publish your printer's IPv6 address, only people who have the capability to sniff your network traffic will be able to find it, and those are mostly the people who could also mount a spoofing attack. Of course in this model once your printer's IP address becomes public all bets are off and anyone in the world can print random stuff, so I'm not seriously recommending it.
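As an added illustration of the setup the comment above describes (this is example code, not something any poster in the thread supplied): a small POSIX shell script that writes the two halves of a WireGuard site-to-site tunnel between a home router and a colo host, plus an nftables rule set for the home router that lets the printer's ports in only from the LAN and the tunnel interface, so a packet arriving on the WAN side with a spoofed colo source address is dropped regardless of its IP. Every key, address, hostname and interface name (`wan0`, `lan0`, `wg0`, `10.99.0.0/24`, `192.168.10.0/24`, `colo.example.net`) is a constructed placeholder; real deployments generate keys with `wg genkey` / `wg pubkey`.

```shell
#!/bin/sh
# Example (not from the thread): emit WireGuard configs for a home<->colo tunnel
# and an nftables guard for the printer. All values below are placeholders.
set -eu

# Constructed placeholders; replace with output of `wg genkey` / `wg pubkey`.
HOME_PRIV='<home-private-key>'
HOME_PUB='<home-public-key>'
COLO_PRIV='<colo-private-key>'
COLO_PUB='<colo-public-key>'
COLO_ENDPOINT='colo.example.net:51820'   # assumed public hostname:port of the colo host
HOME_LAN='192.168.10.0/24'               # constructed home LAN holding the printer
PRINTER='192.168.10.50'                  # constructed printer address

# gen_configs DIR: write wg0-home.conf, wg0-colo.conf and printer.nft into DIR.
gen_configs() {
  outdir=$1
  mkdir -p "$outdir"

  # Home router: only tunnel traffic for the colo peer itself; keepalive so the
  # tunnel stays up behind a NAT/stateful upstream.
  cat > "$outdir/wg0-home.conf" <<EOF
[Interface]
PrivateKey = $HOME_PRIV
Address = 10.99.0.1/24
ListenPort = 51820

[Peer]
PublicKey = $COLO_PUB
Endpoint = $COLO_ENDPOINT
AllowedIPs = 10.99.0.2/32
PersistentKeepalive = 25
EOF

  # Colo host: the home LAN is in AllowedIPs, so wg-quick routes packets for the
  # printer into the tunnel and WireGuard only accepts them from the home key.
  cat > "$outdir/wg0-colo.conf" <<EOF
[Interface]
PrivateKey = $COLO_PRIV
Address = 10.99.0.2/24
ListenPort = 51820

[Peer]
PublicKey = $HOME_PUB
AllowedIPs = 10.99.0.1/32, $HOME_LAN
EOF

  # Home router nftables: printer ports (IPP 631, raw JetDirect 9100) are
  # reachable from the LAN and from wg0 only. Anything else, including a packet
  # on wan0 whose source IP is spoofed to look like the colo host, is dropped.
  cat > "$outdir/printer.nft" <<EOF
table inet printer_guard {
  chain forward {
    type filter hook forward priority 0; policy accept;
    ip daddr $PRINTER tcp dport { 631, 9100 } iifname { "lan0", "wg0" } accept
    ip daddr $PRINTER tcp dport { 631, 9100 } drop
  }
}
EOF
}

# Usage: sh wg-printer-example.sh ./out   (then `wg-quick up` / `nft -f` on each box)
if [ -n "${1:-}" ]; then
  gen_configs "$1"
fi
```

The point of the rule set is the one made in the thread: the firewall no longer decides by source address at all. The only way to reach the printer from the colo side is to present a packet that WireGuard has already authenticated under the colo host's key, which is what makes it appear on `wg0` in the first place.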
Exactly. This is how IP is supposed to work. We have, by thinking "NAT is good enough", conditioned at least 25 years of networking users and administrators into not expecting and requiring the end-to-end model that is arguably the most fundamental component in IP networking.
I think you misunderstand. End-to-end connectivity is great, but the goal is to treat the connectivity layer as a neutral infrastructure. Assigning identity to certain IP addresses/ranges is a fundamentally bad idea. Part of the goal of IPv6 that goes beyond even the pre-NAT intent of IPv4 is to make addresses less meaningful -- they are tools for routing, and they are supposed to support renumbering easily when needed. If you want identity, use a service built on top of IP, not the low level identifiers.