Can I Block Specific Devices from getting IPv6 Address?

Discussion in 'Asuswrt-Merlin' started by Stephen Harrington, Jul 11, 2019.

  1. Stephen Harrington

    Stephen Harrington Regular Contributor

    Joined:
    May 24, 2017
    Messages:
    157
    Location:
    Sydney, Australia
    Running latest Asuswrt-Merlin 384.12 on an RT-AC86U.

    My ISP has enabled experimental IPv6 support on their infrastructure and I'd like to have a play with it on my network, mostly as a learning exercise at this point. I got it working fine using "Native" mode and with DHCP-PD "Enabled".

    Is there any way through creating/editing Custom Configs or otherwise to block a couple of specific devices from getting an IPv6 address, but still keep getting their (static) IPv4 address "as usual"?

    For example, my main media player is an Apple TV 4K. I use DNS Filter feature to give it an alternate DNS address to get around geo-blocking for some streaming services. If I enable IPv6 on the network though, the Apple TV grabs an IPv6 address, and this appears to take precedence over IPv4 and thus the "alternate" IPv4 DNS no longer works to "aid" my streaming services. There seems to be no way to turn off IPv6 on the Apple TV itself.

    Thanks in advance, any suggestions or discussion gratefully received.
     
  2. Poul Bak

    Poul Bak Occasional Visitor

    Joined:
    Dec 2, 2017
    Messages:
    10
    How about turning OFF router announcement?
    Then it won't get a prefix from the router.
     
  3. Stephen Harrington

    Stephen Harrington Regular Contributor

    Joined:
    May 24, 2017
    Messages:
    157
    Location:
    Sydney, Australia
    @Poul Bak I assume you are talking about disabling “Enable Router Advertisement” under IPv6 menu?

    Won’t that affect ALL devices, not just the single device I wish to exclude from IPv6 (Apple TV)?
     
  4. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    222
    I don't think you can block an address from being assigned, but you may be able to block the flow of IPv6 traffic involving the client's MAC address using iptables rules. I do not know of a rule, but it is a place to start. This might have a negative impact on your device's connection though.
     
  5. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    222
    It may help to understand your specific purpose. Are you using a VPN for that specific device and don't want any IPv6 leaking through?
     
  6. Stephen Harrington

    Stephen Harrington Regular Contributor

    Joined:
    May 24, 2017
    Messages:
    157
    Location:
    Sydney, Australia
    @SomeWhereOverTheRainBow thanks for your input.

    As per my OP I’m using the DNS Filter feature of Merlin firmware to give my Apple TV an “alternate” DNS (dns4me, paid service) so that I can stream US Netflix etc here in Australia. DNS4Me is an IPv4 only service. This all works fine, but if I enable IPv6 on my network, the Apple TV naturally grabs an IPv6 address and then ignores the IPv4 DNS and uses IPv6, thus I lose my overseas streaming. There is no way to turn IPv6 Off within the Apple TV interface.

    Ideally I’d like some way of just blocking IPv6 on the Apple TV so that it never gets an IPv6 address and keeps behaving as though it is IPv4 only, whilst having full IPv6 on the rest of my network so I can play and learn.
     
  7. Adamm

    Adamm Part of the Furniture

    Joined:
    Mar 26, 2013
    Messages:
    2,238
    If it's just Netflix you want to prevent resolving an IPv6 address, add the following line to /jffs/configs/dnsmasq.conf.add

    Code:
    address=/netflix.com/::
    I use this method for similar reasons with selective routing and it works perfectly.
     
  8. Stephen Harrington

    Stephen Harrington Regular Contributor

    Joined:
    May 24, 2017
    Messages:
    157
    Location:
    Sydney, Australia
    @Adamm, thanks that's useful info, but my setup is a bit more complex than that.
    I have multiple geo-blocked streaming providers in the USA and UK.
    Is there something I could put in /jffs/configs/dnsmasq.conf.add to stop a single device, identified by either mac address or IP, from getting an IPv6 address at all, or at least behaving like it can't?
     
  9. Jack Yaz

    Jack Yaz Part of the Furniture

    Joined:
    Apr 20, 2017
    Messages:
    2,449
    I don't know if this will work, but can you not use ip6tables to drop all packets from the device? I don't know whether the device will keep trying ipv6 or stick to ipv4 only though.
     
  10. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    222
    This method will work; you can also use
    Code:
    ip -6 route add blackhole 2620:108:700f::/48
    ip -6 route add blackhole 2a01:578:3::/48
    For Netflix specifically; this doesn't cover any Amazon AWS affiliation though.
     
  11. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    222
    Is there a way to specify this as a DHCP option to only be used for one device and not universally?
     
  12. Poul Bak

    Poul Bak Occasional Visitor

    Joined:
    Dec 2, 2017
    Messages:
    10
    Yes, that will affect all devices. You can MANUALLY give the other devices an ipv6 address, then all should work.
     
  13. Stephen Harrington

    Stephen Harrington Regular Contributor

    Joined:
    May 24, 2017
    Messages:
    157
    Location:
    Sydney, Australia
    Only one way to find out I guess, but I have never played with ip6tables (on Merlin or elsewhere). Can you suggest what I would need to put in which file?
    Presumably it might be ip6tables commands in /jffs/scripts/nat-start or /jffs/scripts/firewall-start or the like?
     
    Last edited: Jul 18, 2019
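
The per-device ip6tables approach suggested above, as an added example that is not from any poster in this thread: it matches the device by MAC, rejects its routed IPv6 traffic, and rejects its IPv6 DNS queries to the router. The device still gets an IPv6 address but should behave as IPv4-only. Assumptions: the firmware's ip6tables supports the `mac` match, `REJECT` and `-C`; the MAC is a constructed placeholder; `block-v6.sh` is a hypothetical file name called from /jffs/scripts/firewall-start.

```shell
#!/bin/sh
# Added example (not from the thread): per-device IPv6 block for Asuswrt-Merlin.
# Assumes ip6tables has the "mac" match, the REJECT target and -C support.

BLOCK_MAC="AA:BB:CC:DD:EE:FF"   # constructed placeholder: use the device's MAC

# Succeeds only for six colon-separated hex octets, so a typo is caught
# before any rule is inserted.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print one "CHAIN rule-spec" line per rule for the given MAC.
# FORWARD: routed IPv6 from the device is rejected with an ICMPv6 error,
#          so the client fails fast and falls back to IPv4.
# INPUT:   IPv6 DNS queries to the router itself are rejected, leaving the
#          IPv4 resolver as the only one that answers this device.
ipv6_block_rules() {
    valid_mac "$1" || return 1
    m="-m mac --mac-source $1"
    echo "FORWARD $m -j REJECT --reject-with icmp6-adm-prohibited"
    echo "INPUT $m -p udp --dport 53 -j REJECT --reject-with icmp6-adm-prohibited"
    echo "INPUT $m -p tcp --dport 53 -j REJECT --reject-with icmp6-adm-prohibited"
}

# Insert each rule once: -C checks for an existing copy so a repeated run
# does not stack duplicates.
apply_ipv6_block() {
    rules=$(ipv6_block_rules "$1") || { echo "bad MAC: $1" >&2; return 1; }
    echo "$rules" | while read -r chain spec; do
        # Word splitting of $spec is intentional here.
        ip6tables -C "$chain" $spec 2>/dev/null || ip6tables -I "$chain" $spec
    done
}

# Only touch the firewall when asked to, e.g. from firewall-start:
#   sh /jffs/scripts/block-v6.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_ipv6_block "$BLOCK_MAC"
fi
```

Run without `--apply`, the script changes nothing; calling `ipv6_block_rules` with a MAC prints the rules for review before they are installed.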
  14. Stephen Harrington

    Stephen Harrington Regular Contributor

    Joined:
    May 24, 2017
    Messages:
    157
    Location:
    Sydney, Australia
    Thanks, but that seems counter-productive to me as a long-term solution, as I have around 40 "other" devices, want something much more elegant. :)
     
  15. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    222
    Try dnsmasq.postconf; that would probably be best, as the IPv6 routed addresses may be purged if dnsmasq gets restarted, I believe.
     
  16. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    222
    Also, you can check out this site for other Netflix workarounds that go even deeper:
    https://gist.github.com/jamesmacwhite/6a642cb6bad00c5cefa91ec3d742e2a6

    I don't know the depths of Merlin's iptables support with IPv6, but here are some IPv6 table rules that can be added to /jffs/scripts/firewall-start
    Code:
    ip6tables -I OUTPUT -d 2620:108:700f::/48 -j REJECT
    ip6tables -I FORWARD -d 2620:108:700f::/48 -j REJECT
    ip6tables -I OUTPUT -d 2a01:578:3::/64 -j REJECT
    ip6tables -I FORWARD -d 2a01:578:3::/64 -j REJECT
    You may have to experiment with additional ranges in order to stop Netflix using IPv6 for your geolocation.

    UPDATED to add a couple more addresses.
     
    Last edited: Jul 18, 2019
  17. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    222
    Key Netflix domains to block IPv6 to Netflix
    Code:
    netflix.com
    netflix.net
    nflxvideo.net
    nflximg.net
    nflxext.com
    nflxso.net
    dnsmasq.conf.add entries to block IPv6 appropriately
    Code:
    server=/netflix.com/#
    address=/netflix.com/::
    server=/netflix.net/#
    address=/netflix.net/::
    server=/nflxext.com/#
    address=/nflxext.com/::
    server=/nflximg.net/#
    address=/nflximg.net/::
    server=/nflxvideo.net/#
    address=/nflxvideo.net/::
    server=/nflxso.net/#
    address=/nflxso.net/::
    Then assign your own lookup address.
    Code:
    server=/netflix.com/127.0.0.1
    server=/netflix.net/127.0.0.1
    server=/nflxext.com/127.0.0.1
    server=/nflximg.net/127.0.0.1
    server=/nflxvideo.net/127.0.0.1
    server=/nflxso.net/127.0.0.1
    The 127.0.0.1 would be the DNS address of the DNS service you use that provides your geolocated support, so replace it with whatever address that may be.
     
  18. Adamm

    Adamm Part of the Furniture

    Joined:
    Mar 26, 2013
    Messages:
    2,238
    I feel your pain as I also live in Australia, the same method applies to other streaming services, just need to find the right domains with a quick google search.



    From first hand experience I can assure you this only needs to be done for the main netflix.com domain as I posted above, the other domains are unnecessary.
     
  19. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    222
    I just recommended it to completely strip all IPV6 from netflix and fall back to IPV4.
     
  20. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    222
    If none of these work, you can also try
    Code:
    dhcp-mac=set:red,MACADDRESSOFDEVICE
    dhcp-option-force=tag:red,option6:dns-server,::
    This would null out IPv6 DNS for a specific MAC address, but it would only be offered as a suggestion; the device may still overrule it.