Dual Stack home network pros and cons

[sfx2000]

If something about IPv6 is broken in Asuswrt, they must know.

Don't assume that - I lead/manage a SW team - we work on things we know, not on unknowns...

If people don't test and report, the bugs won't be discovered or fixed...

And with recent experience on AsusWRT 386 on RT-AC68U, there is a lot of undiscovered country...

 

[Tech9]

If people don't test and report, the bugs won't be discovered or fixed.

Someone bumped this thread. I have to read it again and see what you have replied to.

 

[Kingp1n]

So how are things looking a year after this thread was created? Will the new firmware RC3 or whatever is called fixed previous IPV6 issues? @Tech9 Will you test IPV6 again with new fw?

 

[SomeWhereOverTheRainBow]

So how are things looking a year after this thread was created? Will the new firmware RC3 or whatever is called fixed previous IPV6 issues? @Tech9 Will you test IPV6 again with new fw?

The true irony is that for some one who doesn't turn on ipv6, @Tech9 is probably an expert at using it from all that testing.

 

[Kingp1n]

The true irony is that for some one who doesn't turn on ipv6, @Tech9 is probably an expert at using it from all that testing.

Speaking from my own trial/testing, I did have it enabled at one point to test it, but at the time I was also using a VPN service. In the end, I disabled it due to DNS leaks.

Another reason why it's disabled now is due to Skynet. Maybe in the future I'll try it again but I honestly haven't noticed any differences whether it's enabled or not except while/when using a VPN.

I can see for those who don't use a VPN/Skynet, and/or other scripts might have it enabled but for me personally, I haven't noticed any difference on or off (with those exceptions mentioned above)! Guess time will tell with a future update.

 

[Tech9]

@Tech9 Will you test IPV6 again with new fw?

Very little from what was discussed above is firmware related. Pros and cons are still the same even for non-Asus hardware. I still recommend keeping IPv6 at default Disabled, if not needed. It saves lots of potential trouble for folks with working IPv4, especially if VPN tunnels are in play. I won't be able to test anything in next 4 weeks. My test routers are some 6000km away from me.

I haven't noticed any difference on or off

You may notice some web browsing slow downs, if your browser is trying IPv6 first and failing back to IPv4. Other than that there is no user noticeable differences whatsoever. As @SomeWhereOverTheRainBow mentioned, it's hard to convince someone to use a new technology with no obvious benefits for the user. IPv6 is an option for folks in countries with not enough IPv4 addresses or behind NAT with no port forwarding.

 

[Tech9]

The true irony...

The true irony is you enable IPv6 on your router to see for yourself all the goodness some people talk about in public forums like our own SNB Forms and then popular commercial VPN services like ExpressVPN and NordVPN assure you their apps block efficiently IPv6 connections to protect you.

 

[SomeWhereOverTheRainBow]

The true irony is you enable IPv6 on your router to see for yourself all the goodness some people talk about in public forums like our own SNB Forms and then popular commercial VPN services like ExpressVPN and NordVPN assure you their apps block efficiently IPv6 connections to protect you.

Strange how that works, but also so true.

 

[Tech9]

The thing is, if I explain briefly to my wife what happens, she's going to ask me right away "Why did you enable this in first place?". She has no idea what IPv6 is. This is why I ask the same question often and very few people actually had valid reasons on this forum. I perfectly understand we are kind of privileged in the countries we live in. My position/advice would be totally wrong, if the forum was visited mostly by folks from countries with less than 10 IPv4 addresses available per 1000 residents. And there are a lot of countries with a lot of people living there. If someone is curious - more people than the population of entire Europe and North America combined.

 

[SomeWhereOverTheRainBow]

The thing is, if I explain briefly to my wife what happens, she's going to ask me right away "Why did you enable this in first place?". She has no idea what IPv6 is. This is why I ask the same question often and very few people actually had valid reasons on this forum. I perfectly understand we are kind of privileged in the countries we live in. My position/advice would be totally wrong, if the forum was visited mostly by folks from countries with less than 10 IPv4 addresses available per 1000 residents. And there are a lot of countries with a lot of people living there. If someone is curious - more people than the population of entire Europe and North America combined.

I have been kind of curious but haven't actually investigated about this question enough - does AI-Protect actually block malicious connections from ipv6 sources, or is it strictly ipv4 in design. I remember skynet is only ipv4, but I do not recall if the AI-protect was deemed only ipv4.

 

[Tech9]

AiProtection has a chance to react to known bad URL only. It doesn't see https encrypted traffic and it doesn't really do true packet inspection on http. To achieve acceptable speeds on this weak hardware it perhaps does beginning of the packet check only, if that. True packet inspection at Gigabit speed needs Suricata multi-core on Core i3 6th Gen 3.3GHz or faster. My firewall with 4x Deverton 2.2GHz cores can do about 800Mbps.

No idea what AiProtection does with NAT acceleration enabled. Perhaps nothing much. The packets are not actually processed by the CPU. I have a theory AiProtection serves a little different purpose on Asus routers. The crashing Data Collection Daemon, the Web History going through TrendMicro engine, the wide open User Agreement... I don't know. TrendMicro's way to improve the paid products, perhaps.

 

[SomeWhereOverTheRainBow]

AiProtection has a chance to react to known bad URL only. It doesn't see https encrypted traffic and it doesn't really do true packet inspection on http. To achieve acceptable speeds on this weak hardware it perhaps does beginning of the packet check only, if that. True packet inspection at Gigabit speed needs Suricata multi-core on Core i3 6th Gen 3.3GHz or faster. My firewall with 4x Deverton 2.2GHz cores can do about 800Mbps.

Now that is a solid answer. What router OS environment do you recommend for a truly superb setup? I have been playing with a few different ones. I have pretty new generation equipment shells I can build up at anytime, but I am still playing detective for determining what I like at my main setup.

 

[Tech9]

I recommend hardware/software according to the needs, budget and knowledge. For you - good platform to play with is perhaps OpenWRT on x86. It's actively developed, powerful and you have the knowledge and interest to learn more. I believe we've lost a developer to this already. For average home users the starting knowledge is a limitation - Asus routers are okay. Asuswrt-Merlin as added challenge.

I personally use pfSense because it has to be something standard. IPS/IDS is not very effective today and I don't want to run a proxy. Had some bad results experimenting with this idea. What I have is automatic IP ban, paid subscriptions for DNS/IP rules, Suricata on LAN for the obvious. Community rules are okay for home, but not for business. You can't fight your own war, basically. You have to rely on someone big who does this for a living. Even TrendMicro, they are good reputation company. AiProtection is good for home, if you agree to pay with your data. Don't forget the clients as well, perhaps the most important security part. Statistically >90% of the threats are initiated from inside the network. I use lots of Chromebooks for a reason. Desktops are identical configurations with restricted user accounts, no USB ports. Servers backup data locally and off-site. Not on a Cloud, to my own servers elsewhere. I also have my own VPN servers in 3 different countries.

Nothing IPv6 related, just some ideas. As "part of the furniture" I may get away with some off-topic.

 

[Kingp1n]

Man I love this site...so many well knowledge individuals sharing different ideas in a respectful way!!! Let's go!!!!

 

[Tech9]

Let's go!!!!

Let's go enable IPv6?

 

[Kingp1n]

Let's go enable IPv6?

I'll pass on that for now...haha ...I meant let's go IPV4!!!

 

[sfx2000]

Let's go enable IPv6?

I yes - enable it, and see what works...

report what doesn't...

There's no real downside for most vendors, and one reaps the benefit of better routing.

The AsusWRT community with their scripts might need some work, but if people run and test...

 

[sfx2000]

I personally use pfSense because it has to be something standard.

Not an attack - but you seem to use a lot of things, and... perhaps that is confusing the issue at hand.

 

[Tech9]

Not an attack - but you seem to use a lot of things, and... perhaps that is confusing the issue at hand.

This is correct. Flipping the on/off switch on a home router is easy, fast and low risk. If it works - good. If it doesn't - turn it off and try again later. I use tested working hardware/software on interconnected networks and there is "no touch" policy in place. I may know many things about my own equipment, but I also have service contracts. Flipping a switch somewhere may cost a lot of money. It's different indeed.

I used to deal with banks before. I'm sure you have your own experience with large businesses. They have upgrade cycles and everything is service contracts from big name providers. Any small change in hardware/software may need years long review and approval process and it may not happen even on next few upgrade cycles. This is one of the reasons there are still many ISPs with no IPv6 implementation - the business is running and generating income. There is no invest in new equipment, test and report option.

Attack? I know enough to see who's who on this forum. Respect. I know you're right. See post #249.

 

[Jeffrey Young]

Canada / Canadian ISPs aren't in any danger of running out of IPv4 addresses anytime soon, so don't expect us to try to become another Japan in terms of IPv6 adoption

If only that were true. I am stuck behind a CGNAT in Canada with no option of a public IP. If public IPs were plentiful, they would be offered freely and with low cost. The best my ISP can offer is to forward a couple of ports. Although solving my issue, using a web server on a non standard port still causes some browsers to have headaches. I wish I could get an ipv6.

Following along with this thread as I find it interesting.

Cheers all