Menu
What's new
By:
Filters Better Search

IPv6 Network Services Filter

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

After playing a bit with the system now I noticed the following issues:

- VPN server only listens on IPv4
- Local vpn server address pool is IPv4 only
- Connected vpn clients using IPv4 only - thats good, no bypass of IPv6 traffic by the browser
- Router itself is only via IPv4 accessable (web + ssh)
 
IPv6 firewalls on the ASUSWRT with dynamic DHCPv6-PD subnets has never been workable for me. So I just use a cheapo EdgerouterX as my main router, and use all the Asus routers as APs/Mesh units, which is a shame.......

EdgeOS has shown that implementing this is definitely possible.........
 
dave14305 said:
I’ve enabled IPv6 on Merlin and I see now that the GUI fields won’t accept IPv6 addresses. And further looking at the code, it’s not writing IPv6 rules like I thought since I don’t understand bitwise operations in C.

So maybe you can develop an IPv6 rule for ip6tables based on source MAC address and destination port, if you choose to run Merlin firmware.

Example to block one device from going to port 443/tcp:
Code: 
ip6tables -I FORWARD -m mac --mac-source D0:D2:B0:AD:6D:1A -p tcp -m tcp --dport 443 -j logdrop
You would add that to the end of /jffs/scripts/firewall-start on Merlin.
Click to expand...
Hi, I have found this thread appears relevant to me. DNSFilter ON with Global Filter Mode=Router appears to be working only for IPv4 DNS.

For example on Windows client the second line will stop working when filter on.
Code: 
nslookup google.com 8.8.8.8
nslookup google.com 2001:4860:4860::8888
This indicates that filter is on indeed, but does not direct DNS call over IPv6 to router.
I have tried this with unbound and without, clearly some ip6table setting is required, please help...
 
Slawek P said:
Hi, I have found this thread appears relevant to me. DNSFilter ON with Global Filter Mode=Router appears to be working only for IPv4 DNS.

For example on Windows client the second line will stop working when filter on.
Code: 
nslookup google.com 8.8.8.8
nslookup google.com 2001:4860:4860::8888
This indicates that filter is on indeed, but does not direct DNS call over IPv6 to router.
I have tried this with unbound and without, clearly some ip6table setting is required, please help...
Click to expand...
DNSFilter for IPv6 works by pushing the chosen DNS to the IPv6 clients over DHCP and using firewall rules to drop IPv6 traffic toward any other DNS IPv6 address. It doesn’t redirect DNS traffic like IPv4 can because there is no nat table for ip6tables.

So in your two nslookup examples, the first one will be silently redirected to the router, but the second one will be dropped by the firewall and fail.
 
dave14305 said:
DNSFilter for IPv6 works by pushing the chosen DNS to the IPv6 clients over DHCP and using firewall rules to drop IPv6 traffic toward any other DNS IPv6 address. It doesn’t redirect DNS traffic like IPv4 can because there is no nat table for ip6tables.

So in your two nslookup examples, the first one will be silently redirected to the router, but the second one will be dropped by the firewall and fail.
Click to expand...
Yes indeed. With a timeout of 2s. Which matters for some apps that are strongly insisting on DHCPv6 they have hard wired.
Would there be a way to define nat able for ipv6 in Asuswrt 386 version perhaps or Merlin?
 
Slawek P said:
Yes indeed. With a timeout of 2s. Which matters for some apps that are strongly insisting on DHCPv6 they have hard wired.
Would there be a way to define nat able for ipv6 in Asuswrt 386 version perhaps or Merlin?
Click to expand...
This is just a wild guess because my router doesn't have the necessary modules included. Your router may have them though.

As an experiment can you confirm that the following doesn't work?
Code: 
ip6tables -t nat -I PREROUTING -p udp --dport 53 -j DNAT --to-destination 2620:fe::fe
Assuming it fails try this and then repeat the previous command:
Code: 
insmod ip6table_nat
 
ColinTaylor said:
This is just a wild guess because my router doesn't have the necessary modules included. Your router may have them though.

As an experiment can you confirm that the following doesn't work?
Code: 
ip6tables -t nat -I PREROUTING -p udp --dport 53 -j DNAT --to-destination 2620:fe::fe
Assuming it fails try this and then repeat the previous command:
Code: 
insmod ip6table_nat
Click to expand...
Curse our ancient 2.6.26 kernels! :mad:
 
You must log in or register to reply here.

Similar threads

A
Which DDNS services support ipv6 address updates?
Replies
13
Views
991
sfx2000
sfx2000
I
Router have connectivity but client doesn't
Replies
1
Views
286
iTheMask
I
R
Guest network MAC address white listing limit
Replies
5
Views
257
Ryo
R
B
ASUS LAN subnet filtering/isolation
Replies
9
Views
452
BubbleOBill
B
B
How to setup IPV6 static route for Docker IPVLAN
Replies
0
Views
372
BigScream
B
Similar threads
Thread starter Title Forum Replies Date
K Ipv6 connection ASUS Wireless 1
C Issues with IPv6 IPTunnel on Asus (blocked connection) ASUS Wireless 0
A Which DDNS services support ipv6 address updates? ASUS Wireless 13
netmik3 How do I ping ipv6? ASUS Wireless 1
M ASUS XT8 not getting IPv6 from WAN (using 5G modem) ASUS Wireless 1
C Asus IPv6 Tunnel 6to4 question ASUS Wireless 21
L Possible to have one drive formatted as two partitions, mounting as two network drives (for backups)? ASUS Wireless 6
H Asus Network design ASUS Wireless 13
R Correct setup of network devices ASUS Wireless 12
S PCVR Asus XT8 AiMesh local network traffic path ASUS Wireless 5

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 929 (members: 23, guests: 906)
Top