RT-AX86U, turning on firewall breaks IPv6

[Trippie123]

Hey,
The fix for this is probably simple but I can't figure it out. I've hooked up the Asus router to my ISP modem with DMZ enabled towards the router.
When I turn off the IPv6 firewall in the Asus settings, IPv6 works fine. When it's turned on it stops working. I tried opening port 546 UDP which doesn't really help.
Anyone knows the solution? Do I even need the Asus firewall or does the modem have one anyway? If so, can I test it. If I understand DMZ correctly it would bypass the firewall right?

Thanks in advance.

Edit: I just figured out that I can disable the DMZ IPv6 on the modem so then I can also disable the firewall on the router. It would be nice though if anyone knows a way to let the Asus router handle the firewall?

 

[Tech9]

Your IPv6 configuration on the Asus router in double NAT has to be Passthrough.

 

[Trippie123]

Your IPv6 configuration on the Asus router in double NAT has to be Passthrough.

Alright, I didn't know that but when I put it in Passthrough IPv6 stops working entirely.

Edit: I think passthrough started working after turning IPv6 off and on and rebooting the modem. Idk, I was just trying some random things and noticed IPv6 clients were connected. So I checked my settings and it was still configured as passthrough. Hopefully it stays working. Thanks for the help

 

[Trippie123]

Your IPv6 configuration on the Asus router in double NAT has to be Passthrough.

Oh one more question: Do I need to enable DMZ or firewall with passthrough?

 

[Tech9]

Oh one more question: Do I need to enable DMZ or firewall with passthrough?

Honestly, based on questions you ask better leave IPv6 at default Disabled and don't play with options you don't need or understand how they work. Not trying to be rude. Trying to protect you. You're opening one more door to your network without clear idea how to keep it secured. You're not ready yet. Not sure why you're doing it, but if you have public IPv4 available the Internet experience benefits from IPv6 for you will be zero.

 

[Trippie123]

Honestly, based on questions you ask better leave IPv6 at default Disabled and don't play with options you don't need or understand how they work. Not trying to be rude. Trying to protect you. You're opening one more door to your network without clear idea how to keep it secured. You're not ready yet. Not sure why you're doing it, but if you have public IPv4 available the Internet experience benefits from IPv6 for you will be zero.

I'm just trying to have full functionality and now I have the time to figure these things out. My PC has it's own firewall too. Anyway, I enabled IPv6 DMZ towards the router and turned the Asus firewall on. I think it should be good now.

 

[Tech9]

There is not NAT with IPv6, but you still need port forwarding for your IPv4 services open to Internet. DMZ saves you some work on the ISP modem/router. With dual stack you have 2x in/out ways and you have to make sure you secure both. Asuswrt is not free of bugs. Some QoS options are broken with IPv6 enabled and DDNS with IPv6 enabled is still unreliable. You have to trust your IoT devices with direct access to Internet now. You have to watch for common IPv6 leaks when using VPN. Your ISP receives traffic from multiple devices now and some may be identifiable. Behind NAT they used to see your router only as single device. If you use DNS filtering service with custom categories like OpenDNS - it doesn't work anymore with IPv6. If you use ad-blockers you have to re-configure them. This full functionality is not just flipping a switch. You had full functionality before turning IPv6 on as well.

 

[Netbill]

Trippie123 - I know your thread has some age but wanted to share a fix, I searched it out as I was having the same issue on a new RT_AX86U PRO (this replaced my RT-AC68U). It was driving me nuts, I did a factory re-set and installed the latest Merlin software. I then manually set up the router and IPv6 works just as it should (IPv6 firewall on-no special rules). If you have not ran Merlin before its very similar and they concentrate on "fixing" instead of different.

Edit: I should have noted my ISP is Xfinity using a Netgear CM1200 cable modem

Hope this helps - Bill

 

[Tech9]

wanted to share a fix

This thread is >1 year old, RT-AX86U had 2 firmware updates since then, your RT-AX86U Pro is a different model router running different firmware.

 

[Netbill]

This thread is >1 year old, RT-AX86U had 2 firmware updates since then, your RT-AX86U Pro is a different model router running different firmware.

I did see the age of the thread (Thank you) it seemed relevant to post as it was an issue with the latest Asus firmware yesterday. The differences in firmware are also noted, seeing IPv6 issues on the board, Asus "may" have some bugs in certain configurations.

I was hoping to maximize for people searching, in hind sight I maybe should have started a new thread -- Bill

 

[Tech9]

Asus "may" have some bugs in certain configurations

They did in the past and perhaps still do looking at latest RT-AX86U Pro (like yours) Asuswrt firmware (3.0.0.6, Asuswrt 5.0) feedback. If the router is behind NAT though the IPv6 configuration option is still Passthrough instead of Native. Replacing the firmware with 3rd party option (still 3.0.0.4, Asuswrt 4.0 based) won't change this.

I also believe @Trippie123 figured it out already since the user was last seen on SNB Forums on Apr 21, 2023.

Starting a new thread with your original issue description and potential fix is a better idea indeed.