Blocking IPv6 clients to stop VPN circumvention

Mando

Occasional Visitor
Hi all,

I'm currently using an RT-AX86U on Merlin 386.7_2. I configured a VPN client using VPN Director to route my Apple TV traffic through that tunnel & that was working fine until my ISP enabled IPv6.

Right now I keep getting errors in my streaming apps on the Apple TV that I'm in the wrong region. So I added the following to ip6tables via firewall-start script:

Code:
# placed in /jffs/scripts/firewall-start: reject any forwarded IPv6 whose source MAC is the Apple TV
ip6tables -I FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j REJECT

This seemed to work at first but then it stops working again after restarting the app. I noticed the Apple TV requesting multiple IPv6 addresses (in the IPv6 tab under clients it had 3 addresses at some point) & for some reason the IPv6 traffic gets through to the WAN even though I have that rule in ip6tables.

Is there any way to prevent the router from replying to DHCPv6 requests from the Apple TV? I tried by adding this to ip6tables but no dice:

Code:
# DHCPv6 clients send from UDP 546 to the server's UDP 547; this matches the client side by source port
ip6tables -I INPUT -p udp -m udp --sport 546 -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP

I'm not looking to disable IPv6 altogether, just trying to find a way to block the Apple TV from using it to circumvent the VPN.

My other "workaround" is hooking up my 2nd RT-AX86U to my primary router & having that one dedicated to running the VPN 24/7 with IPv6 disabled.

Thanks in advance for the input.
 
Other things will work differently or may not work at all with IPv6 enabled. Check what scripts are compatible with IPv6 (if you use any) and how it changes the way they work. Asuswrt firmware components may not work as expected. I found Traditional QoS and Bandwidth Limiter broken with IPv6 enabled in Asuswrt 388_22068, for example. Check if Cake is working properly, if you use it. VPN IPv6 leaks are only part of the issues. You decide what to do and what benefits you have from IPv6.
 

Why don't you want to disable IPv6 altogether? Your ISP didn't support it before; now that they do, it has broken things. After several mom/friend/neighbor tech support calls after Comcast enabled IPv6 I now disable it in every router. No benefit (unless your ISP only has CGNAT for IPv4) and just unexplained issues and possible security holes. What wasn't working before they enabled IPv6 that now is?

Setting up a double NAT setup with daisy chained routers just to keep IPv6 enabled seems even more crazy if IPv6 isn't doing anything for you.
 

I should have cleared that up in my original post, but the reason I don't want to disable it is because I want to play around with IPv6 a bit. I don't know a whole bunch about networking & I'd like to learn more, so now that my ISP has finally enabled IPv6 I want to learn about its configuration and how it works. I'm limited in resources, so I don't have a whole lab setup at home & can just use my networking devices as I have them now, but I don't want that to stop me from learning...

But now that it's "breaking" my streaming box over VPN I'd like to find a way around that without hooking up my 2nd router as dedicated VPN router. So preferably I'd like to find a way to block the Apple TV from using IPv6 on my main router so I can keep playing around with IPv6 on my other devices.

Unfortunately the ip6tables rule mentioned in my opening post doesn't seem to work, as some streaming apps on my Apple TV throw a wrong region error with the VPN enabled, which doesn't happen at all if IPv6 is disabled & the VPN is connected. Which is why I suspect IPv6 is still leaking from the Apple TV to the WAN even with the ip6tables rule in place.
 

Does the Apple TV (I don't have one) allow you to manually configure anything related to network, maybe disable IPv6 on that? Or put it on a guest network and disable IPv6 on that network with a script.

It is known that Apple devices will request multiple IPv6 IPs.
 

Unfortunately Apple does not let you disable IPv6 on their devices (except on the MacBooks). It also has a wired connection to my router because of the better speed I get (I tested Wired & Wireless before & speeds were a lot better Wired).

I'll do some research to see if it can be disabled on a Guest Network with a script. This would be my less preferred scenario however because I'll sacrifice some speed switching back from Wired to Wireless. But thanks for the valuable tip.
 

It is possible to put a wired port into the guest networks (I have mine set up that way), but with your HND router it is a lot more complex to do.

Is the device using a randomized MAC on wired? If not you should be able to filter all IPv6 as long as you get all the MAC addresses it is using into the rules.

I think there are other threads on here about IPv6 leaks when using VPN, there may already be a fix in one of them.
 
No benefit (unless your ISP only has CGNAT for IPv4) and just unexplained issues and possible security holes. What wasn't working before they enabled IPv6 that now is?

Indeed. Especially on a home router with perpetual beta stage firmware with multiple advertised, but non-working features.

I don't want to disable it is because I want to play around with IPv6 a bit

Someone may play around with you in the process. Like this issue found recently exposing your entire network on the Internet:

 
I don't know a whole bunch about networking
I don't want that to stop me from learning...

Then you're the perfect target, because there is not much you can learn going in blind and you can't even detect issues. The issue mentioned above was suspected 30+ pages into the beta testing thread. With basic knowledge you may be exposed to the Internet for weeks without even noticing it.
 

Thanks for that information. I read that thread & that exposure seems to be on 388.1 with "Enable IPv4 inbound firewall rules" enabled. I'm still on 386.7_2. I tested on those IPv6 test websites while enabled & besides ICMPv6 nothing else was reachable from the internet.

Maybe I'll just set up my second router as my plaything & mess around there to see if I can work around my issue. I have a second Apple TV I can hook up to test so I can keep this separate from my primary network.
 
Your choice. You have enabled something you don't need and now solving the problem it creates.
 

If you want to play around with it but maintain some security, maybe use your second router daisy chained as IPv4 only, and connect to the first router only devices where a breach wouldn't result in financial or identity losses?

When I was toying with IPv6 to learn about it I had a Cisco router running firewall and IPS software and a Juniper enterprise firewall which had been certified for IPv6 in corporate environments. Effectively 3 layers of protection (access lists on the router, firewall and IPS rules on the router, firewall and IPS on the firewall).

Not sure if any of the asus models support 6 to 4 NAT but that is potentially another way to learn it, have IPv6 on your LAN but v4 on the WAN. Mine shows a "Tunnel 6 to 4" option but I'm assuming you need a tunnel or VPN provider on the other end for that.

In reality IPv6 was rushed into these home routers just to show they supported it and weren't lagging behind, but it is far from polished. There is much more to it than just different/more IPs; it is a fundamental change in how many parts of networking work.
 
For quite some time IPv6 in Passthrough mode was reported as IPv6 Disabled in Asuswrt, System Log. This is what a user can eventually see in WebUI. What else is broken - no one knows. On every new firmware release there is something fixed and something broken. Folks actually using the routers for Internet access can't really test much without disrupting the home network. With today's work/learn-from-home thing - even less chances.
 

Not sure if this will help, @Mando, but KILLMON (killswitch configurator & monitor) will help keep IPv6 traffic in its place. It's designed to only route IP4/6 traffic over an established VPN connection, and nothing else. If that VPN goes down, traffic is not allowed to go out over the WAN. Give it a shot, and let me know if this helps with your mission?
 

Have we even seen a definitive answer on whether IPv6 passthrough mode bypasses the firewall? Some say yes, some say no. That in and of itself makes me the most nervous about IPv6 on the Asus, the lack of clear answers on how it does/doesn't work.
 
Don't worry about it. You have a firewall on the ISP router. Does it work properly - I don't know. :D
 

Heh I connect directly to a Fiber ONT.

I enabled v6 in the Asus a couple months ago just to see if my ISP had finally enabled it. They had. Curiosity satisfied, I quickly disabled it again. :D
 
Not sure if this will help, @Mando, but KILLMON (killswitch configurator & monitor) will help keep IPv6 traffic in its place. It's designed to only route IP4/6 traffic over an established VPN connection, and nothing else. If that VPN goes down, traffic is not allowed to go out over the WAN. Give it a shot, and let me know if this helps with your mission?

Hi Viktor, thanks for this. Can it also work the other way around?

In my case I only want to kill IPv6 traffic for a single device (the Apple TV) when the VPN tunnel is up (so it doesn't leak) & allow IPv6 traffic again when the tunnel is down. I switch between tunneled & non-tunneled traffic often so I can sometimes access local content on my Apple TV.
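The firewall-start approach from the opening post and the "only while the tunnel is up" variant asked about just above, as one added example that is not code from this thread, from KILLMON or from Asuswrt-Merlin. It assumes a constructed placeholder MAC (aa:bb:cc:dd:ee:ff) and that the VPN client's tunnel device is tun11 (Merlin's first OpenVPN client; adjust VPN_DEV for another client). It goes beyond the posted rules in two ways: it also refuses the device's DHCPv6 requests and Router Solicitations, and every rule can be checked, added and removed idempotently, so the same file can be called with `sync` from /jffs/scripts/firewall-start and from the openvpn-event user script.

```shell
#!/bin/sh
# Added example for this thread (not code posted in it and not from Merlin/KILLMON).
# Per-device IPv6 block for a VPN-routed LAN client on Asuswrt-Merlin.
# Assumptions: BLOCKED_MAC is a constructed placeholder; VPN_DEV is the client
# tunnel to key on (Merlin numbers OpenVPN client tunnels tun11..tun15).

BLOCKED_MAC="${BLOCKED_MAC:-aa:bb:cc:dd:ee:ff}"   # constructed placeholder MAC
VPN_DEV="${VPN_DEV:-tun11}"

# Return 0 if $1 is a MAC in aa:bb:cc:dd:ee:ff form (rejects the xx:xx.. placeholder).
valid_mac() {
    printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print one rule spec per line (chain + match + target, without -I/-C/-D), so the
# same text serves to insert, check and delete a rule.
ipv6_block_specs() {
    mac="$1"
    # 1. Nothing from this MAC is forwarded anywhere (WAN or tunnel). This is the
    #    rule that stops a leak; SLAAC addresses will still show up on the client
    #    because Router Advertisements are multicast and cannot be withheld per device.
    echo "FORWARD -m mac --mac-source $mac -j REJECT"
    # 2. Do not answer its DHCPv6 (clients send to the server's UDP port 547).
    echo "INPUT -p udp --dport 547 -m mac --mac-source $mac -j DROP"
    # 3. Ignore its Router Solicitations (ICMPv6 type 133) so it cannot trigger an RA.
    echo "INPUT -p icmpv6 --icmpv6-type 133 -m mac --mac-source $mac -j DROP"
}

# Insert each rule at the top of its chain unless it is already present.
apply_ipv6_block() {
    ipv6_block_specs "$1" | while IFS= read -r spec; do
        # word splitting of $spec into ip6tables arguments is intended
        ip6tables -C $spec 2>/dev/null || ip6tables -I $spec
    done
}

# Remove every copy of each rule (-D deletes one match per call, hence the loop).
remove_ipv6_block() {
    ipv6_block_specs "$1" | while IFS= read -r spec; do
        while ip6tables -C $spec 2>/dev/null; do ip6tables -D $spec; done
    done
}

# Return 0 if the tunnel device exists. tun devices report "state UNKNOWN" in
# `ip link`, so test for existence rather than for "state UP".
vpn_tunnel_up() {
    ip link show dev "$1" >/dev/null 2>&1 || [ -d "/sys/class/net/$1" ]
}

# Block IPv6 for the device only while the tunnel exists; restore it otherwise.
sync_ipv6_block() {
    if vpn_tunnel_up "$2"; then apply_ipv6_block "$1"; else remove_ipv6_block "$1"; fi
}

# Show the rules with packet counters. If the FORWARD counter stays at 0 while the
# app is streaming, the device's traffic is not traversing FORWARD at all, and the
# problem is not rule ordering.
show_ipv6_block() {
    ip6tables -L FORWARD -v -n --line-numbers | grep -i -- "$1"
    ip6tables -L INPUT -v -n --line-numbers | grep -i -- "$1"
}

case "${1:-}" in
    apply)  valid_mac "$BLOCKED_MAC" || exit 2; apply_ipv6_block  "$BLOCKED_MAC" ;;
    remove) valid_mac "$BLOCKED_MAC" || exit 2; remove_ipv6_block "$BLOCKED_MAC" ;;
    sync)   valid_mac "$BLOCKED_MAC" || exit 2; sync_ipv6_block   "$BLOCKED_MAC" "$VPN_DEV" ;;
    show)   show_ipv6_block "$BLOCKED_MAC" ;;
esac
```

Save it as, for example, /jffs/scripts/ipv6-block.sh, set BLOCKED_MAC to the real wired MAC, and call `sh /jffs/scripts/ipv6-block.sh sync` from firewall-start (rules are flushed on every firewall restart) and from the openvpn-event hook so the block follows the tunnel state. `--mac-source` only matches on ingress from the LAN bridge, which is exactly where the Apple TV's frames arrive, and REJECT rather than DROP lets the client fall back to IPv4 immediately instead of waiting on timeouts.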
 
Asuswrt's IPv6 functionality is still far from usable, and the IPv6 firewall functionality isn't even in stock firmware; it was added by RMerlin.

Since IPv6 and IPv4 are equally important, especially in terms of security configuration, all the effort you put into IPv4 must be redone for IPv6, but given how many configuration options are missing, I do not recommend enabling IPv6 on Asuswrt.
 
