Dual Stack home network pros and cons

Anyone still running IPv6 on Asus, please refresh my memory if your LAN addresses show a lifetime other than forever. I seem to think there was not proper handling of the prefix delegation lifetimes, but I might be wrong.
Bash:
ip -6 addr show dev br0 scope global
Don’t post your real global address.
One more from OpenWRT....
4 vlans with channel bonding and IPv6 suffix

Code:
 -----------------------------------------------------
 OpenWrt orion-21.02, dev-21.364.58947-17bdf85
 -----------------------------------------------------
root@OpenWrt-851B:~# ip -6 addr show dev bond0.110 scope global
23: bond0.110@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet6 2600:xxxx:xxxx:xxx1:ae1f:6bff:feyy:yyyy/64 scope global dynamic noprefixroute 
       valid_lft 47003sec preferred_lft 47003sec
root@OpenWrt-851B:~# ip -6 addr show dev bond0.120 scope global
24: bond0.120@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet6 2600:xxxx:xxxx:xxx2:ae1f:6bff:feyy:yyyy/64 scope global dynamic noprefixroute 
       valid_lft 46996sec preferred_lft 46996sec
root@OpenWrt-851B:~# ip -6 addr show dev bond0.130 scope global
25: bond0.130@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet6 2600:xxxx:xxxx:xxx3:ae1f:6bff:feyy:yyyy/64 scope global dynamic noprefixroute 
       valid_lft 46992sec preferred_lft 46992sec
root@OpenWrt-851B:~# ip -6 addr show dev bond0.140 scope global
26: bond0.140@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet6 2600:xxxx:xxxx:xxx4:ae1f:6bff:feyy:yyyy/64 scope global dynamic noprefixroute 
       valid_lft 46987sec preferred_lft 46987sec
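
The lifetime check asked about at the top of the thread, as an added example (not code from any poster, Asuswrt or OpenWrt): a shell function that reads `ip -6 addr show ... scope global` output and flags addresses whose valid lifetime is `forever`. The function names are hypothetical and the sample addresses are constructed from the 2001:db8::/32 documentation prefix.

```shell
#!/bin/sh
# Added example: audit address lifetimes in `ip -6 addr show ... scope global` output.
# Reads ip(8) output on stdin and prints: iface address valid_lft preferred_lft verdict
#   OK          finite lifetimes, the address ages out if the prefix is withdrawn
#   FOREVER     no expiry; normal for a static address, worth a look on a delegated prefix
#   DEPRECATED  preferred lifetime is 0, the address is no longer used for new connections
check_lft() {
    awk '
    # Interface header, e.g. "23: bond0.110@bond0: <BROADCAST,...>"
    /^[0-9]+: / { iface = $2; sub(/:$/, "", iface); sub(/@.*/, "", iface); next }
    # Address line, e.g. "inet6 2001:db8:0:1::1/64 scope global dynamic"
    $1 == "inet6" { addr = $2; next }
    # Lifetime line, e.g. "valid_lft 47003sec preferred_lft 47003sec"
    $1 == "valid_lft" && addr != "" {
        valid = $2; pref = $4; verdict = "OK"
        if (valid == "forever") verdict = "FOREVER"
        else if (pref == "0sec") verdict = "DEPRECATED"
        printf "%s %s %s %s %s\n", iface, addr, valid, pref, verdict
        addr = ""
    }'
}

# Constructed sample input (documentation prefix, not real addresses).
sample_output() {
cat <<'EOF'
23: bond0.110@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet6 2001:db8:0:1::1/64 scope global dynamic noprefixroute
       valid_lft 47003sec preferred_lft 47003sec
8: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet6 2001:db8:0:2::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:0:3::1/64 scope global deprecated dynamic
       valid_lft 3600sec preferred_lft 0sec
EOF
}

# Run against the constructed sample. On a live router, pipe the real command instead:
#   ip -6 addr show dev br0 scope global | check_lft
sample_output | check_lft
```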
 
I mean, I see performance issues and strange behavior on day one after enabling IPv6. Asus router, IPv6 enabled, IPv6 score of 19/20. My question is if there is a way to improve this. I don't mind transparent IPv4 + IPv6, but the Internet experience has changed for the worse. OpenDNS sends me to correct local servers, but user categories are not supported with IPv6. NextDNS and Cleanbrowsing offer custom categories with IPv6, but with paid service.



The only enjoyment or to say better satisfaction so far is the IPv6 assessment score of 19/20. Testing with different DNS servers now to see if the experience improves. OpenDNS and Google DNS are all local - a good thing. Cleanbrowsing is 10000km away, Quad9 is 2000km away. Both have local servers in Toronto, but not used with IPv6 enabled for some unknown reason. Trying to figure out what's wrong and it takes time. Teksavvy on Rogers Cable.
Google and Cloudflare (Apple may as well...but something is tickling my brain that they're up in Markham/Richmond Hill...possibly at the old IBM campus on Steeles?) have their servers colocated where TSI does (on Front Street? Equinix or Torix, who have 3 locations) in Toronto, and Rogers may as well unless they've a datacenter of their own up at Bloor/Mt Pleasant.

Improved DNS - may I suggest your own? unbound is quite wonderful...and sovereign rather than relying on 3rd parties (other than the Auth servers those services reference...) you can blacklist anything you want with diversion too... I think @Martineau and @thelonelycoder have worked together to make their software extensively complementary.
(if you're exploring new paths in the forest....why not take the full plunge? lots of us are out here doing it happily and successfully for quite a while now...)
 
There’s too much FUD being spewed in this thread to take it seriously. If there are firewall deficiencies, point them out. The firewall allows inbound ICMPv6 for RFC reasons.

Adaptive QoS works fine with IPv6.

DNSFilter is less robust for IPv6 since IPv6 NAT is not included in the kernel.

Skynet is IPv4-only.
BTW, I wrote the original Asuswrt IPv6 firewall implementation. Before that there wasn't any, the whole LAN was left wide open.
 
It identifies the client, but does it identify the traffic?
bwdpi does support IPv6. You can see for yourself by enabling Adaptive QoS then going to the QOS Stats page (if running Asuswrt-Merlin). You can see classified IPv6 tracked connections.
 
How is the request interception done? @RMerlin
None at the moment for IPv6, it's only done at the dnsmasq level (I based that part on Asus' Yandex DNS implementation).

I might eventually look at implementing NAT6 to also intercept these, but that's a low priority at the moment due to the amount of work involved only in testing anything.
 
Improved DNS - may I suggest your own?

I'm going to test again when Asus officially releases what is now beta RC3 firmware. Expected improvements are more firmware functions with IPv6 support (Asus DDNS, more available perhaps), DNS intercept equivalent function (DNSFilter renamed for trademark issues, I guess), VPN client profiles to non-GT models and VPN server with IPv6 support, plus improved security across the board. I would like to see how easy it is for a regular user to switch from IPv4 only to dual stack IPv4+IPv6 using the tools provided by Asus and connecting to current ISPs with IPv6 support claims. I can do that on 3x different local ISPs. I will be using RT-AX88U model next time.

Unbound is the default DNS resolver in pfSense, @heysoundude. It runs on my firewall. Asuswrt-Merlin firmware is required on Asus routers. The latest stable Asuswrt-Merlin is from 06/2021 and based on even older Asuswrt. The latest Asuswrt is an official release, but what I see in RC3 beta thread isn't available yet. Everything new is basically beta testing at the moment. I realized my experiments were actually all on beta firmware. Asus released official Asuswrt because of security patches, not because RC3 is ready for prime-time.

bwdpi does support IPv6.

Adaptive QoS in current Asuswrt is perhaps broken, at least for AC86U/AC68U. When set to Manual Bandwidth I could still see full ISP speed up/down.
 
BTW, I wrote the original Asuswrt IPv6 firewall implementation. Before that there wasn't any, the whole LAN was left wide open.

What Asuswrt firmware was the first using your code, @RMerlin?
 
To me, it's not a matter of pro or con. If you are in a situation where you need IPv6 and you also need to access local devices that only support IPv4, then dual stack is your answer. You will still need IPv4 connectivity to the internet unless you use other technologies such as DNS64/NAT64. Without that, dual stack is your answer.

My problem with the discussion has been with statements that are made saying there is no reason for anyone to enable IPv6, so don't do it. Or statements that say, if you enable IPv6 you are at risk. Neither of these is true. With that said, I agree 100% if you have no reason to enable IPv6 you probably should not enable it. That's why I didn't have it enabled until recently. Anything extra running on your router is just another entry point for an intruder. So, of course you shouldn't enable anything on your router that you do not need.

Finally, after I enabled IPv6 earlier this year, I was surprised how much of my traffic is IPv6. In fact, most of it is.

Even a browser like Firefox can check your battery stats of your mainboard if not turned off to identify you with a VPN on like all that 2FA and CAPTCHA too, sad ^^
 
Adaptive QoS in current Asuswrt is perhaps broken, at least for AC86U/AC68U. When set to Manual Bandwidth I could still see full ISP speed up/down.
You need to test it with concurrent streams with competing priorities. That value isn't used as a bandwidth limiter, it's used to calculate allocation to each class. I suspect if there is no higher priority stream at the moment, then it will probably allocate unlimited bandwidth to the current ones.
 
None at the moment for IPv6, it's only done at the dnsmasq level (I based that part on Asus' Yandex DNS implementation).

I might eventually look at implementing NAT6 to also intercept these, but that's a low priority at the moment due to the amount of work involved only in testing anything.
To clarify, if a client has manually set the DNS server(s) on their device to only IPv6 address and DNS filtering is enabled for the client, the client doesn't get the filter and DNS on the client will not work at all. If the client has any IPv4 DNS servers defined, the filtering will work. Does this sound accurate? This has always been the behavior I have experienced.
 
You need to test it with concurrent streams with competing priorities. That value isn't used as a bandwidth limiter, it's used to calculate allocation to each class. I suspect if there is no higher priority stream at the moment, then it will probably allocate unlimited bandwidth to the current ones.

I actually run your beta 2 firmware and with Adaptive QoS enabled up/down speeds were as per manual settings. My test "network" is the same 2 clients - one wired and one wireless. Adaptive QoS in older Asuswrt versions also obeys manual settings, Asuswrt 44470 for AC86U for example. I'm not interested in QoS testing, but the change in behavior caught my attention.
 
By the way @RMerlin, I believe you also have TekSavvy ISP. I know in your area they perhaps use Videotron network. Does it make sense to test IPv6 capabilities with TekSavvy on Rogers Cable and Rogers Ignite separately as well as with TekSavvy DSL and Bell Fibe? I have access to all four flavors. The network paths are different, the infrastructure is shared. I believe TekSavvy is limited to what the infrastructure is capable of. Is this correct?
 
BTW, I wrote the original Asuswrt IPv6 firewall implementation. Before that there wasn't any, the whole LAN was left wide open.

No doubt this is why my machines are all passing this IPv6 Port Scanner with flying colors, even if the OS firewall is turned off!
 
By the way @RMerlin, I believe you also have TekSavvy ISP. I know in your area they perhaps use Videotron network. Does it make sense to test IPv6 capabilities with TekSavvy on Rogers Cable and Rogers Ignite separately as well as with TekSavvy DSL and Bell Fibe? I have access to all four flavors. The network paths are different, the infrastructure is shared. I believe TekSavvy is limited to what the infrastructure is capable of. Is this correct?

Rogers cable "direct" customers actually had IPv6 enabled before Teksavvy-on-Rogers customers did. So either TSI has independent control of IPv6 on their network, or (more likely) Rogers themselves chose when to grant IPv6 access to the TPIAs using their infrastructure.
 
Google and Cloudflare (Apple may as well...but something is tickling my brain that they're up in Markham/Richmond Hill...possibly at the old IBM campus on Steeles?) have their servers colocated where TSI does (on Front Street? Equinix or Torix, who have 3 locations) in Toronto, and Rogers may as well unless they've a datacenter of their own up at Bloor/Mt Pleasant.

You must be thinking of the legendary 151 Front Street West data center ("TOR1") in d/t Toronto.

It's a "carrier hotel" - pretty much every floor of that building has a different data center/colocation site for different corporation(s). Plus TORIX is located there too, on one of the floors.

All the companies you mentioned have a presence at TOR1 :)
 
For those who want to spend New Year's Eve testing their dual-stack network rather than drinking champagne, here's a global IPv6 ping tool if you want to ensure your PC is ICMPv6 pingable from anywhere in the world, lol.
 
To clarify, if a client has manually set the DNS server(s) on their device to only IPv6 address and DNS filtering is enabled for the client, the client doesn't get the filter and DNS on the client will not work at all. If the client has any IPv4 DNS servers defined, the filtering will work. Does this sound accurate? This has always been the behavior I have experienced.
That's correct. By dnsmasq level, I mean DHCP/RA. There's no active filtering done at the firewall level, unlike with IPv4, which DNATs DNS connections.

By the way @RMerlin, I believe you also have TekSavvy ISP. I know in your area they perhaps use Videotron network. Does it make sense to test IPv6 capabilities with TekSavvy on Rogers Cable and Rogers Ignite separately as well as with TekSavvy DSL and Bell Fibe? I have access to all four flavors. The network paths are different, the infrastructure is shared. I believe TekSavvy is limited to what the infrastructure is capable of. Is this correct?
I'm indeed with Vcable. Vidéotron started quietly adding native IPv6 support to some of their Helix customers as part of a test rollout. I'm not holding my breath to see them provide it to TPIAs anytime soon however.

IPv6 in general is something I don't really touch in the firmware since I'm largely flying blind, so I leave that to Asus themselves, unless something is really obvious. A few months ago I did set up a Linux VM that can take my Tunnelbroker /48, and delegate a /64 prefix out of it to any router plugged to a second interface, allowing me finally to simulate a typical Native PD ISP setup. Doing any test on that setup is always a lot of work as it requires powering on the VM host, the VM itself, plugging a router to the VM's "ISP side" interface, and a client to the router's LAN (which can't be my primary work machine that sits on my main LAN). I did it while working on the OpenVPN IPv6 support (as I wanted to have at least feature parity with Asus who had recently added it to their own OpenVPN code), but it's not something I can do in five minutes to quickly test/investigate any issues. My own knowledge of IPv6 is also limited, and the person who used to be my specialist for anything tied to IPv6 no longer has time to be actively involved due to a job change on his end.

And considering how complicated the whole WAN handling code in Asuswrt is (both for IPv4 and IPv6), and the number of different, sometimes custom or broken ISP implementations, it's not a workload I have any intention to take upon myself at this time.
 
The IPv6 firewall is in my LTS fork....so sometime before or at 374....
Asus didn't immediately integrate my code into their own codebase, so you might possibly have had it before them.
 
