Can I Block Specific Devices from getting IPv6 Address?

Stephen Harrington

Very Senior Member
Running latest Asuswrt-Merlin 384.12 on an RT-AC86U.

My ISP has enabled experimental IPv6 support on their infrastructure and I'd like to have a play with it on my network, mostly as a learning exercise at this point. I got it working fine using "Native" mode and with DHCP-PD "Enabled".

Is there any way through creating/editing Custom Configs or otherwise to block a couple of specific devices from getting an IPv6 address, but still keep getting their (static) IPv4 address "as usual"?

For example, my main media player is an Apple TV 4K. I use DNS Filter feature to give it an alternate DNS address to get around geo-blocking for some streaming services. If I enable IPv6 on the network though, the Apple TV grabs an IPv6 address, and this appears to take precedence over IPv4 and thus the "alternate" IPv4 DNS no longer works to "aid" my streaming services. There seems to be no way to turn off IPv6 on the Apple TV itself.

Thanks in advance, any suggestions or discussion gratefully received.
 
@Poul Bak I assume you are talking about disabling “Enable Router Advertisement” under IPv6 menu?

Won’t that affect ALL devices, not just the single device I wish to exclude from IPv6 (Apple TV)?
 
I don't think you can block an address from being assigned, but you may be able to block the flow of IPv6 traffic involving the client's MAC address using iptables rules. I do not know of a rule, but it is a place to start. This might have a negative impact on your device's connection though.
 
@SomeWhereOverTheRainBow thanks for your input.

As per my OP I’m using the DNS Filter feature of Merlin firmware to give my Apple TV an “alternate” DNS (dns4me, paid service) so that I can stream US Netflix etc here in Australia. DNS4Me is an IPv4 only service. This all works fine, but if I enable IPv6 on my network, the Apple TV naturally grabs an IPv6 address and then ignores the IPv4 DNS and uses IPv6, thus I lose my overseas streaming. There is no way to turn IPv6 Off within the Apple TV interface.

Ideally I’d like some way of just blocking IPv6 on the Apple TV so that it never gets an IPv6 address and keeps behaving as though it is IPv4 only, whilst having full IPv6 on the rest of my network so I can play and learn.
 
As per my OP I’m using the DNS Filter feature of Merlin firmware to give my Apple TV an “alternate” DNS (dns4me, paid service) so that I can stream US Netflix etc here in Australia.

If it's just Netflix you want to prevent resolving an IPv6 address, add the following line to /jffs/configs/dnsmasq.conf.add

Code:
address=/netflix.com/::

I use this method for similar reasons with selective routing and it works perfectly.
 
I use this method for similar reasons with selective routing and it works perfectly.
@Adamm, thanks that's useful info, but my setup is a bit more complex than that.
I have multiple geo-blocked streaming providers in the USA and UK.
Is there something I could put in /jffs/configs/dnsmasq.conf.add to stop a single device, identified by either mac address or IP, from getting an IPv6 address at all, or at least behaving like it can't?
 
I don't know if this will work, but can you not use ip6tables to drop all packets from the device? I don't know whether the device will keep trying ipv6 or stick to ipv4 only though.
 
If it's just Netflix you want to prevent resolving an IPv6 address, add the following line to /jffs/configs/dnsmasq.conf.add

Code:
address=/netflix.com/::

I use this method for similar reasons with selective routing and it works perfectly.
this method will work, you can also use
Code:
ip -6 route add blackhole 2620:108:700f::/48
ip -6 route add blackhole 2a01:578:3::/48
for netflix specifically, this doesn't cover any amazon AWS affiliation though.
 
@Poul Bak I assume you are talking about disabling “Enable Router Advertisement” under IPv6 menu?

Won’t that affect ALL devices, not just the single device I wish to exclude from IPv6 (Apple TV)?

Yes, that will affect all devices. You can MANUALLY give the other devices an ipv6 address, then all should work.
 
I don't know if this will work, but can you not use ip6tables to drop all packets from the device? I don't know whether the device will keep trying ipv6 or stick to ipv4 only though.

Only one way to find out I guess, but have never played with ip6tables (on Merlin or elsewhere) can you suggest what I would need to put in which file?
Presumably it might be ip6tables commands in /jffs/scripts/nat-start or /jffs/scripts/firewall-start or the like ?
 
Yes, that will affect all devices. You can MANUALLY give the other devices an ipv6 address, then all should work.

Thanks, but that seems counter-productive to me as a long-term solution, as I have around 40 "other" devices, want something much more elegant. :)
 
Only one way to find out I guess, but have never played with ip6tables (on Merlin or elsewhere) can you suggest what I would need to put in which file?
Presumably it might be ip6tables commands in /jffs/scripts/nat-start or /jffs/scripts/firewall-start or the like ?
Try dnsmasq.postconf; that would probably be best, as the IPv6 routed addresses may be purged if dnsmasq gets restarted, I believe.
 
also you can check out this site for other Netflix workarounds that go even deeper
https://gist.github.com/jamesmacwhite/6a642cb6bad00c5cefa91ec3d742e2a6

I don't know the depths of Merlin's iptables support with IPv6, but here are some ip6tables rules that can be added to /jffs/scripts/firewall-start
Code:
ip6tables -I OUTPUT -d 2620:108:700f::/48 -j REJECT
ip6tables -I FORWARD -d 2620:108:700f::/48 -j REJECT
ip6tables -I OUTPUT -d 2a01:578:3::/64 -j REJECT
ip6tables -I FORWARD -d 2a01:578:3::/64 -j REJECT

You may have to experiment with additional ranges in order to stop Netflix using IPv6 for your geolocation

UPDATED to add a couple more address.
 
key netflix domains to block IPV6 to netflix
Code:
netflix.com
netflix.net
nflxvideo.net
nflximg.net
nflxext.com
nflxso.net

dnsmasq.conf.add to block IPv6 appropriately
Code:
server=/netflix.com/#
address=/netflix.com/::
server=/netflix.net/#
address=/netflix.net/::
server=/nflxext.com/#
address=/nflxext.com/::
server=/nflximg.net/#
address=/nflximg.net/::
server=/nflxvideo.net/#
address=/nflxvideo.net/::
server=/nflxso.net/#
address=/nflxso.net/::

then assign your own look up address.
Code:
server=/netflix.com/127.0.0.1
server=/netflix.net/127.0.0.1
server=/nflxext.com/127.0.0.1
server=/nflximg.net/127.0.0.1
server=/nflxvideo.net/127.0.0.1
server=/nflxso.net/127.0.0.1

The 127.0.0.1 would be the address of the DNS service that provides your geolocated support, so replace it with whatever address that may be.
 
@Adamm, thanks that's useful info, but my setup is a bit more complex than that.
I have multiple geo-blocked streaming providers in the USA and UK.

I feel your pain as I also live in Australia, the same method applies to other streaming services, just need to find the right domains with a quick google search.


key netflix domains to block IPV6 to netflix
Code:
netflix.com
netflix.net
nflxvideo.net
nflximg.net
nflxext.com
nflxso.net

dnsmasq.conf.add to block IPv6 appropriately
Code:
server=/netflix.com/#
address=/netflix.com/::
server=/netflix.net/#
address=/netflix.net/::
server=/nflxext.com/#
address=/nflxext.com/::
server=/nflximg.net/#
address=/nflximg.net/::
server=/nflxvideo.net/#
address=/nflxvideo.net/::
server=/nflxso.net/#
address=/nflxso.net/::

then assign your own look up address.
Code:
server=/netflix.com/127.0.0.1
server=/netflix.net/127.0.0.1
server=/nflxext.com/127.0.0.1
server=/nflximg.net/127.0.0.1
server=/nflxvideo.net/127.0.0.1
server=/nflxso.net/127.0.0.1

The 127.0.0.1 would be the address of the DNS service that provides your geolocated support, so replace it with whatever address that may be.


From first hand experience I can assure you this only needs to be done for the main netflix.com domain as I posted above, the other domains are unnecessary.
 
I feel your pain as I also live in Australia, the same method applies to other streaming services, just need to find the right domains with a quick google search.





From first hand experience I can assure you this only needs to be done for the main netflix.com domain as I posted above, the other domains are unnecessary.
I just recommended it to completely strip all IPV6 from netflix and fall back to IPV4.
 
If none of these work, you can also try
Code:
dhcp-mac=set:red,MACADDRESSOFDEVICE
dhcp-option-force=tag:red,option6:dns-server,::
This would null out IPv6 DNS for a specific MAC address, but it would only be offered as a suggestion; the device may still overrule it.
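
The per-device ip6tables idea raised earlier in the thread, written out as an added example (not code from any poster or from Asuswrt-Merlin), intended to be called from /jffs/scripts/firewall-start. The function names, the DRY_RUN switch and the sample MAC are hypothetical, and it assumes the router's ip6tables build includes the `mac` match and the REJECT target.

```shell
#!/bin/sh
# Added example: keep one LAN client off IPv6 by matching its source MAC.
# DRY_RUN=1 (default) only prints the commands; set DRY_RUN=0 on the router.
DRY_RUN="${DRY_RUN:-1}"

# Accept only a well-formed MAC address and print it upper-cased.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    printf '%s\n' "$mac" | grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$' || return 1
    printf '%s\n' "$mac"
}

# Emit one rule spec per line (chain, match, target).
# REJECT is used rather than DROP so the client gets an immediate ICMPv6
# error instead of waiting for a timeout before retrying over IPv4.
v6_block_rules() {
    mac=$(normalize_mac "$1") || { echo "bad MAC: $1" >&2; return 1; }
    rej="-j REJECT --reject-with icmp6-adm-prohibited"
    # IPv6 traffic routed through the router towards the internet.
    echo "FORWARD -m mac --mac-source $mac $rej"
    # DNS queries sent to the router's own IPv6 address.
    echo "INPUT -m mac --mac-source $mac -p udp --dport 53 $rej"
    echo "INPUT -m mac --mac-source $mac -p tcp --dport 53 $rej"
}

# Insert the rules; delete any earlier copy first, because firewall-start
# is re-run whenever the firewall is rebuilt.
apply_v6_block() {
    rules=$(v6_block_rules "$1") || return 1
    printf '%s\n' "$rules" | while IFS= read -r spec; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "ip6tables -I $spec"
        else
            # $spec is left unquoted on purpose so it splits into arguments.
            ip6tables -D $spec 2>/dev/null
            ip6tables -I $spec
        fi
    done
}

# Usage: DRY_RUN=0 sh this-script AA:BB:CC:00:11:22   (constructed sample MAC)
if [ -n "${1:-}" ]; then
    apply_v6_block "$1"
fi
```

The client still receives router advertisements and will configure an IPv6 address; the rules only make that address unusable, so whether the device then falls back to IPv4 cleanly has to be tested on the device itself.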
 