Blocking IPv6 clients to stop VPN circumvention

[Mando]

For quite some time IPv6 in Passthrough mode was reported as IPv6 Disabled in Asuswrt, System Log. This is what a user can eventually see in WebUI. What else is broken - no one knows. On every new firmware release there is something fixed and something broken. Folks actually using the routers for Internet access can't really test much without disrupting the home network. With today's work/learn-from-home thing - even less chances.

I'm currently running (maybe call it testing now) IPv6 in Native mode. Are there any known issues with that mode?

 

[drinkingbird]

You have to be Native then. Or Naked... not sure. Test and report.

Yeah in my case it would be native, and when I flipped it on a couple months ago it worked as expected. However I'll stick with the more secure "disabled".

 

[drinkingbird]

I'm currently running (maybe call it testing now) IPv6 in Native mode. Are there any known issues with that mode?

Native is preferred over passthrough, but yes, there are many known issues (and unknown ones) with IPv6 on the vast majority of home routers, including Asus. The challenge here is Asus lets you tinker with a lot more settings than other brands, potentially exposing more exploitable issues.

 

[Tech9]

Are there any known issues with that mode?

As I said I found QoS not working properly with IPv6 enabled in latest Asuswrt 388_22068 for RT-AX86U. What else is broken - I don't know.

 

[drinkingbird]

I'm currently running (maybe call it testing now) IPv6 in Native mode. Are there any known issues with that mode?

Put it this way - IPv4 on home routers has been developed and refined since late 90's.

IPv6, dunno, maybe roughly 5 ish years now?

So basically IPv6 is at around 2002 in terms of progress. The internet was a far different place in 2002. Not that there were no bad things out there, but nothing like today.

 

[Viktor Jaep]

Hi Viktor, thanks for this. Can it also work the other way around?

In my case I only want to kill IPv6 traffic for a single device (the Apple TV) when the VPN tunnel is up (so it doesn't leak) & allow IPv6 traffic again when the tunnel is down. I switch between tunneled & non-tunneled traffic often so I can sometimes access local content on my Apple TV.

Yep, you can specify a specific IP4/6 IP... However, when the tunnel goes down, that's when the killswitch would prevent that device from getting out over the WAN. So you'd need to disable the killswitch in that situation.

 

[jimbobub]

Openwrt has vlan capability and one can enable and disable ipv6 on each one.