[Fork] Asuswrt-Merlin 374.43 LTS releases (V44EA)

luni

New Around Here
Hmmm....the last change to ipv6 was the radvd update back in April....and @dave14305 tested after that change. I wonder if Comcast changed something on their end recently? Cox ipv6 is still working fine for me.

One quick thing to try is to set the 'Prefix delegation requires address request' option to Yes (last option on the ipv6 page)
Tried all your ideas, came up empty. Thanks for the suggestions.

This might have some legs unless I've gotten myself way too far into the weeds...

First I stopped dhcp6c. Then I ran:
dhcp6c -c /etc/dhcp6c.conf -f -D -T LL eth0
...
Jul/16/2020 23:03:27: copyin_option: get DHCP option IA address, len 24
Jul/16/2020 23:03:27: copyin_option: IA_NA address: 2001:.......... pltime=251119 vltime=251119
Jul/16/2020 23:03:27: dhcp6_get_options: get DHCP option IA_PD, len 72
Jul/16/2020 23:03:27: IA_PD: ID=650136, T1=0, T2=0
Jul/16/2020 23:03:27: copyin_option: get DHCP option status code, len 56
Jul/16/2020 23:03:27: status code: no prefixes
Jul/16/2020 23:03:27: dhcp6_get_options: get DHCP option DNS, len 32

Does this mean Comcast just isn't giving me a prefix to begin with? That would explain why dhcp6c cannot pass the prefix to br0 and radvd cannot give my clients global ipv6 addresses (if this is even how it's supposed to work.....).


[edit] People online report that sometimes resetting the DUID helps (pfsense forums), can we just rm /var/dhcpc_duid and it gets regenerated? Or will it always be MAC address based... I guess I could factory reset my router and assign it a different mac address in the startup wizard?
 
Last edited:

john9527

Part of the Furniture
@luni - It's easy to get into the weeds with ipv6.....it gives me a headache.

Two other guesses....
Try a different prefix length....60 or 56

ssh to the router and enter
nvram set ipv6_isp_opt=4
nvram commit

then reboot....

There are some other 'ipv6_isp_opt' settings you could try....doc is in Merlin_Fork_Options.txt
That these options exist at all tells you how much of a mess ipv6 can be.....although things in general seem to have gotten better.
 
Last edited:

jrmwvu04

Very Senior Member
Hmmm....the last change to ipv6 was the radvd update back in April....and @dave14305 tested after that change. I wonder if Comcast changed something on their end recently? Cox ipv6 is still working fine for me.

One quick thing to try is to set the 'Prefix delegation requires address request' option to Yes (last option on the ipv6 page)
Well it has been quite a while since I last used it successfully, many many builds ago. I know it’s sorta crappy to say oh hey this doesn’t work and give no details, so sorry about that on my end. For what it’s worth Comcast’s implementation of ipv6 even when it worked was pretty wonky and is part of why I stopped using it. But I’ll try your recommendations over the weekend.
 

Raul_77

New Around Here
Hey Guys, anyone found a way to effectively forward DoH to another provider?
I have PiHole installed and to do some testing, I changed my PC DNS to be 9.9.9.9, then in my router (RT-N66U) changed the setting "Prevent Client auto DoH" to YES
Parental Control --> DNS Filtering, enabled it, and fwd all traffic to my PiHole

To test it, I blocked Instagram in Pihole, in PC command line, pinged insta, no result, disabled my Pihole, pinged again, got a result, so I know it's working. However, in Chrome, I can visit Instagram and all the ads show, which shows Chrome has found a way to bypass Pihole and is using PC DNS directly. Looks like Chrome is using DoH, is there any way I can fix this? I am trying to block ALL devices on my network to use Pihole.

Thanks,
 

dave14305

Part of the Furniture
Hey Guys, anyone found a way to effectively forward DoH to another provider?
I have PiHole installed and to do some testing, I changed my PC DNS to be 9.9.9.9, then in my router (RT-N66U) changed the setting "Prevent Client auto DoH" to YES
Parental Control --> DNS Filtering, enabled it, and fwd all traffic to my PiHole

To test it, I blocked Instagram in Pihole, in PC command line, pinged insta, no result, disabled my Pihole, pinged again, got a result, so I know it's working. However, in Chrome, I can visit Instagram and all the ads show, which shows Chrome has found a way to bypass Pihole and is using PC DNS directly. Looks like Chrome is using DoH, is there any way I can fix this? I am trying to block ALL devices on my network to use Pihole.

Thanks,
Prevent Client auto DoH was meant for Firefox browsers. Chrome takes a different approach of upgrading to DoH if it detects the OS DNS is using a DNS provider that also offers DoH. If you point the PC DNS to the router, does it still use DoH? I don’t use Chrome, so I can’t test this.
 

ColinTaylor

Part of the Furniture
Thanks, however I am looking to see if it is possible to do this at the router level as opposed to disabling it on Chrome. The main reason is, I am trying to prevent ANY device (some that I might not know) from using any DNS other than my PiHole.
That's not possible. The whole point of DoH is that it is indistinguishable from regular HTTPS traffic.
 

Raul_77

New Around Here
That's not possible. The whole point of DoH is that it is indistinguishable from regular HTTPS traffic.
Thanks, well that sucks lol ! I am just wondering if more and more apps/devices use what Chrome is doing, then I guess PiHole is going to be less relevant.
 

RMerlin

Asuswrt-Merlin dev
That's not possible. The whole point of DoH is that it is indistinguishable from regular HTTPS traffic.
Actually, it's possible. Block port 443 for any known DoH server. There is no website on 1.1.1.1 or 9.9.9.9, so no reason they need to be reachable over port 443.
 
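What the post above describes, as an added example that is not part of the thread or of the Asuswrt-Merlin firmware: a small POSIX shell function that emits iptables rules rejecting TCP/443 to a list of known DoH resolver addresses. The resolver list is constructed from the two addresses mentioned in the thread (1.1.1.1 and 9.9.9.9) and stands in for the fuller, regularly refreshed list a real deployment would maintain; the chain name DOH_BLOCK and the log prefix are assumptions. Only port 443 is matched, so plain DNS on port 53 to the same address is unaffected, and a LOG rule ahead of each REJECT records in syslog which LAN client attempted DoH, which is useful for spotting devices that do not fall back to regular DNS.

```shell
#!/bin/sh
# Added example (not firmware code): generate iptables rules that block DoH
# to a list of resolver IPs on TCP/443 only, logging each blocked attempt.

# Constructed list: the two resolvers named in the thread. A real list would
# be maintained and refreshed as resolvers are added or change address.
DOH_RESOLVERS="1.1.1.1 9.9.9.9"

# Print the rule set for the given space-separated IP list (defaults to
# DOH_RESOLVERS). Nothing is applied here; pipe the output to sh to apply.
doh_block_rules() {
    list="${1:-$DOH_RESOLVERS}"
    # A dedicated chain keeps the rules easy to flush and re-create (assumed name).
    printf 'iptables -N DOH_BLOCK\n'
    for ip in $list; do
        # LOG first so the attempt shows up in syslog with the client's source IP,
        # then REJECT with a TCP reset so the client fails fast instead of hanging.
        printf 'iptables -A DOH_BLOCK -p tcp -d %s --dport 443 -j LOG --log-prefix "doh-block: "\n' "$ip"
        printf 'iptables -A DOH_BLOCK -p tcp -d %s --dport 443 -j REJECT --reject-with tcp-reset\n' "$ip"
    done
    # Hook the chain into FORWARD so only traffic routed for LAN clients is affected;
    # the router's own DNS forwarding on port 53 is untouched.
    printf 'iptables -I FORWARD -j DOH_BLOCK\n'
}

# Usage on the router (review the output first): doh_block_rules | sh
```

Because the function only prints the commands, it can be run on a PC to inspect the rule set before applying it on the router; matching on address plus port is what avoids breaking a web site that happens to share an address with a resolver, which is the concern raised later in the thread.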

dave14305

Part of the Furniture
Actually, it's possible. Block port 443 for any known DoH server. There is no website on 1.1.1.1 or 9.9.9.9, so no reason they need to be reachable over port 443.
Perhaps a feature for the firmware as an enhanced "Prevent client DoH" (without the auto)?
 

ColinTaylor

Part of the Furniture
Actually, it's possible. Block port 443 for any known DoH server. There is no website on 1.1.1.1 or 9.9.9.9, so no reason they need to be reachable over port 443.
I did think about suggesting that but he did say he wanted to block all clients. In which case he'd have to block all possible DoH servers that may be used now and in the future - and hope that they don't share the same IP address as a web site they need to access.

EDIT: Actually, you are correct. If you were to block on IP address and port number (rather than just IP address) that could work. So "all" you need to do is create a block list of every DoH server in the world and keep it up to date. That sounds like a task more suited to Skynet.
 
Last edited:

john9527

Part of the Furniture
EDIT: Actually, you are correct. If you were to block on IP address and port number (rather than just IP address) that could work. So "all" you need to do is create a block list of every DoH server in the world and keep it up to date.
And hope the client will fall back to standard DNS on port 53 if DoH is unavailable.
 

ColinTaylor

Part of the Furniture
And hope the client will fall back to standard DNS on port 53 if DoH is unavailable.
If the endgame of the DoH evangelists is to replace DNS with DoH, how long I wonder before IoT devices from the likes of Android, Amazon, Roku, Samsung, LG, etc. come with DoH addresses hard-coded (like they do with 8.8.8.8 today) with no fallback. Meh, I'll probably be beyond caring by then.:rolleyes::D
 

jrmwvu04

Very Senior Member
@luni - It's easy to get into the weeds with ipv6.....it gives me a headache.
I cleared some cookies, uploaded settings, and restarted and it seems fine now. Something similar has happened before. My router may be a bit wonky. Sorry for the false alarm.
Well I didn’t do any of that, just retried enabling it since I saw your message and it’s working. Something must have been malfunctioning on Comcast’s end yesterday.
 

joe a

Regular Contributor
Well I didn’t do any of that, just retried enabling it since I saw your message and it’s working. Something must have been malfunctioning on Comcast’s end yesterday.
Sorry I responded to my post on different page. Sorry for the confusion.
 
Last edited:

john9527

Part of the Furniture
I cleared some cookies, uploaded settings, and restarted and it seems fine now. Something similar has happened before. My router may be a bit wonky. Sorry for the false alarm.
Thanks for taking the time to report back and happy it's resolved.
Now, just need to figure out what happened to Comcast IPv6 :confused:
 

john9527

Part of the Furniture
Well I didn’t do any of that, just retried enabling it since I saw your message and it’s working. Something must have been malfunctioning on Comcast’s end yesterday.
Now I'm confused (I'm beginning to think that's my normal state) :)
Just to double check.....Comcast IPv6 now working for you?
 
