Asus XT8 IPv6 bypasses pihole

elias4444

Occasional Visitor
FYI, every time I search for a solution to this, it keeps taking me to the Merlin forum (which isn't available for Asus mesh routers). I'm running on an Asus XT8, which is not supported by Merlin. Stock firmware solutions only please.

If I turn off IPv6, and run DHCP on my Raspberry Pi, everything works as intended. However, as soon as I turn on IPv6 on the router, my PiHole is bypassed by all IPv6 capable clients on my network. It appears that when clients auto-configure IPv6 (SLAAC), the Asus router tells them to use the router's address for DNS lookups. I've told the router to use the PiHole (under IPv6 DNS settings).

Problem ONE is, even if that worked, all DNS requests on the PiHole will be logged as coming from the router. Basically making my log files near useless.
Problem TWO is, it doesn't work. Just like with IPv4 (when the Asus router is running a DHCP server), it still uses the WAN assigned DNS as a backup, bypassing any blocking the PiHole is trying to do.

As some recommend, I've tried setting the WAN DNS to the local PiHole, but that causes the router to not be able to connect to the internet (chicken and egg problem with the PiHole being on the local network under the router).

I know with IPv4, I can hard-code the dhcp_dns2_x nvram variable to solve the problem, but I can't find anything similar for IPv6.

Has anyone found a solution for this?
 
I use pi-hole on my n66u. I think there was something mentioned about "do not insert a dns in x box as you can't delete it afterward" thing. Meaning if you've filled that box in. Only way is to wipe and start again. Unless that nvram command does the same thing?

My WAN DNS goes to my pi-hole. Second box blank.
Works fine.
My Asus is the DHCP server.

I currently have a new pair of XT8s set up but my ISP doesn't do IPv6 so can't help with that unfortunately.
 
I've got it somehow working on my end, still not perfect, but.

  • on the Asus side of things:
    • IPv6 is in Native mode (since my ISP router is in Bridge mode)
    • IPv6 Auto DNS is disabled (Set Connect to DNS Server automatically to Disabled)
    • On IPv6 1st DNS (IPv6 DNS Server 1) entry I've inserted the local Rpi (pi.hole) IPv6 address fe80:: (...) (scope link if you do ip addr show on the Rpi)
      • The command ip addr show | grep -E 'inet6.*scope.link' should give you what you need
    • "DHCP-PD" is enabled as well as "Enable Router Advertisement"
    • "Auto Configuration Setting" was kept on Stateless
  • On the Pi.Hole side of things:
    • Enabled the option "Enable IPv6 support (SLAAC + RA)"

My Pi.Hole is also the DHCPv4 server.

Don't forget to reboot the router afterwards, I've had better success that way after setting this configuration.

Not being able to use the local IP addresses of the Pi.Hole on the WAN DNS entries was broken a few firmware upgrades ago, but I've seen newer changelogs, for other routers, that have fixed this, so possibly when a new FW version comes out it should be possible to use the Pi.Hole local LAN IPs on the WAN DNS addresses.
 

Attachment: 1632330098100.png
Thank you for your replies. I’ve tried the solutions you mentioned. Unfortunately though, the router continues to use the WAN DNS servers as its primary source, causing my network to still load plenty of ads.

When I put my local DNS into the WAN field(s), the router is no longer able to perform its own lookups internally (via SSH to the router, and using nslookup for instance). The router then believes it’s no longer connected to the internet. (I also tried the Network Monitoring settings to alleviate that, without success.)
 
You are putting WAN DNS as pihole IP then on the pihole putting an external DNS right?
 
These are my settings if it helps.
 

Attachments: Screenshot_20210925-154825_Firefox.jpg, Screenshot_20210925-155147_Firefox.jpg
Sorry that other image looks a bit poor so here it is zoomed in.
 

Attachment: Screenshot_20210925-155147_Firefox.jpg
Thank you for that. I’m guessing there’s a difference between our device’s firmwares. The XT8 firmware has been notoriously buggy until just recently, which was not the case with my older/non-mesh Asus router. Everything I’ve tried so far is pointing to a design flaw (feature?) with the current firmware. I was hoping there was a stray setting buried somewhere I could try, but it’s not looking likely. Which is really unfortunate, seeing as the hardware itself had been great.

For those looking for only an adblocking solution with the XT8 with IPv6 enabled, I recommend setting your WAN DNS to the Adguard servers. You can still specify your own DNS in the IPv6 and DHCPv4 settings, just know that it will only be used as a secondary or tertiary lookup (which can be verified by looking at the router’s resolv.conf file). At this time, the XT8 will always push itself as A DNS proxy to all IPv6 clients (as well as IPv4 unless you turn off DHCP and run your own).

Hopefully Asus will change their minds and fix this in the stock firmware someday. Or maybe, dream of dreams, Merlin will start supporting Asus mesh kits (XT8 and the new ET8). Aside from that, I’m probably going to have to buy a more configurable router to put in front of my expensive Asus mesh router.
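
Added example, not part of any post in this thread: a shell check for the resolv.conf verification mentioned above, which lists every nameserver entry that is not the Pi-hole and shows which entry is tried first. The function names, the `br0` zone and all addresses (documentation ranges plus a made-up link-local address) are constructed for illustration; run it against a copy of the resolv.conf you want to audit.

```shell
#!/usr/bin/env bash
# Added example: list resolvers in a resolv.conf that are not the Pi-hole.
# All addresses are constructed samples (documentation ranges and a made-up link-local).

# Lower-case an address and drop any %zone suffix (fe80::1%br0 -> fe80::1).
norm_addr() { printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/%.*$//'; }

# list_nameservers FILE: normalised nameserver entries, in file order.
# Comment lines (# or ;) never have "nameserver" as their first field.
list_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1" |
    while IFS= read -r addr; do norm_addr "$addr"; done
}

# first_resolver FILE: the entry the resolver tries first.
first_resolver() { list_nameservers "$1" | head -n 1; }

# bypass_resolvers FILE PIHOLE_ADDR...: entries that are not a Pi-hole address.
# Comparison is textual, so write IPv6 addresses in the same compressed form.
bypass_resolvers() {
    rc_file=$1; shift
    allowed=""
    for a in "$@"; do allowed="$allowed $(norm_addr "$a")"; done
    list_nameservers "$rc_file" | while IFS= read -r ns; do
        case " $allowed " in
            *" $ns "*) ;;                    # Pi-hole, fine
            *) printf '%s\n' "$ns" ;;        # answers without Pi-hole filtering
        esac
    done
}

# audit_resolv FILE PIHOLE_ADDR...: exit status 0 only if nothing bypasses.
audit_resolv() {
    extra=$(bypass_resolvers "$@")
    if [ -z "$extra" ]; then echo "OK: only Pi-hole resolvers listed"; return 0; fi
    echo "BYPASS: first resolver is $(first_resolver "$1"); not Pi-hole:"
    printf '%s\n' "$extra" | sed 's/^/  /'
    return 1
}

# make_sample FILE: write constructed resolv.conf contents for the demo.
make_sample() {
    printf '%s\n' '# constructed sample' 'nameserver 203.0.113.53' \
        'nameserver 2001:DB8::53' 'nameserver FE80::AAAA:BBFF:FECC:DD01%br0' \
        'nameserver 192.168.50.2' > "$1"
}

demo=$(mktemp) && make_sample "$demo"
audit_resolv "$demo" 192.168.50.2 fe80::aaaa:bbff:fecc:dd01 || true
rm -f "$demo"
```

A non-zero exit status from `audit_resolv` means at least one listed resolver can answer queries without passing through the Pi-hole's blocklists.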
 
Those settings were from my RT-N66U running very old Merlin firmware. I haven't tried it on my XT8 yet and I don't have IPv6.

Was just showing what works for me.
 
