IPv6 passthrough disadvantages?

Matthew Patrick

Senior Member
Hey guys, so I'm currently using AC86U with the latest Merlin firmware. So I used to have an ISP which allows me to bridge the modem so that I can do PPPoE directly and do DHCP-PD for IPv6 native. Now, my new ISP doesn't allow bridging. So I'm stuck with a double NAT situation. Now IPv4 is fine like usual but with IPv6 I need to use passthrough mode. Now are there any disadvantages to using passthrough mode? I've searched for ages but it's inconclusive. Does it just disable NAT for IPv6 directly? Does it get processed by Merlin's IPv6 firewall, DoT, SkyNet, etc? Is it safe at all? Because the last thing I want is for me to just rely on the ONT's firewall etc for IPv6 and having the ISP be able to directly see requests coming out from each of my local devices instead of looking like it's coming out from just one device, which is my router.

Thank you :)
 

Frank Monroe

Regular Contributor
Unless your ISP is doing something weird there shouldn't be any NATing with IPv6. The whole point of IPv6 is to no longer require NATing. You may be double NATing with IPv4 but there shouldn't be any NATing with IPv6. Also, don't confuse NAT with a firewall. They are not the same. Unless you have turned off the IPv6 firewall, yes there is an IPv6 firewall even with connection type set to Passthrough. With IPv6, each of your devices will communicate through your router individually. They will not communicate as a single address. Again, that's the whole point of IPv6.
 

Matthew Patrick

Senior Member
Unless your ISP is doing something weird there shouldn't be any NATing with IPv6. The whole point of IPv6 is to no longer require NATing. You may be double NATing with IPv4 but there shouldn't be any NATing with IPv6. Also, don't confuse NAT with a firewall. They are not the same. Unless you have turned off the IPv6 firewall, yes there is an IPv6 firewall even with connection type set to Passthrough. With IPv6, each of your devices will communicate through your router individually. They will not communicate as a single address. Again, that's the whole point of IPv6.
Yes that's the thing. I've seen some say that Asus Passthrough mode just passes it through to the ONT or ISP-provided modem to handle. AKA it bypasses Asus' IPv6 firewall apparently. That's why I'm wondering if that's true and if it is or isn't. Does DoT, scripts etc still work on IPv6 or not? And the last question was: is it safe? Because I used to use native mode and everything was handled by the Asus. So every device gets an IPv6 address just fine and it's all processed by the Asus router first before going out.
 

Frank Monroe

Regular Contributor
Yes that's the thing. I've seen some say that Asus Passthrough mode just passes it through to the ONT or ISP-provided modem to handle. AKA it bypasses Asus' IPv6 firewall apparently. That's why I'm wondering if that's true and if it is or isn't. Does DoT, scripts etc still work on IPv6 or not? And the last question was: is it safe? Because I used to use native mode and everything was handled by the Asus. So every device gets an IPv6 address just fine and it's all processed by the Asus router first before going out.
It does not bypass the firewall. I am currently running in that configuration. Your scripts and DoT settings will still work. And yes, it's safe. BTW, even under your prior configuration under Native connection type, each device had a separate IPv6 address that passes through the firewall as separate addresses. Like I said, there isn't NATing with IPv6 regardless of the IPv6 connection type. The main difference between Passthrough and Native connection types is how your devices receive the IPv6 configuration. The difference isn't security or how the traffic is processed.
 

Matthew Patrick

Senior Member
It does not bypass the firewall. I am currently running in that configuration. Your scripts and DoT settings will still work. And yes, it's safe. BTW, even under your prior configuration under Native connection type, each device had a separate IPv6 address that passes through the firewall as separate addresses. Like I said, there isn't NATing with IPv6. The main difference between Passthrough and Native connection types is how your devices receive the IPv6 configuration. The difference isn't security or how the traffic is processed.
Yeah I know there isn't really a NAT on IPv6 since every device has a unique IPv6 address that changes over time.

Oh I see, so it does just pass through the IPv6 addresses from the ONT/ISP modem DHCP to our devices huh? Welp. As long as it doesn't bypass anything like Asus' IPv6 firewall and scripts etc. I'll enable it then. Thanks for the info! I appreciate it!!
 
Deleted member 22229

Guest
Passthrough is just that. There will be no firewall on the Asus router for IPv6; it's just letting it pass through. However, your ISP-provided router may do the firewalling for you and then send it along to the Asus router. Not 100% sure of this, but it's possible.
 

Treadler

Very Senior Member
Hey guys, so I'm currently using AC86U with the latest Merlin firmware. So I used to have an ISP which allows me to bridge the modem so that I can do PPPoE directly and do DHCP-PD for IPv6 native. Now, my new ISP doesn't allow bridging. So I'm stuck with a double NAT situation. Now IPv4 is fine like usual but with IPv6 I need to use passthrough mode. Now are there any disadvantages to using passthrough mode? I've searched for ages but it's inconclusive. Does it just disable NAT for IPv6 directly? Does it get processed by Merlin's IPv6 firewall, DoT, SkyNet, etc? Is it safe at all? Because the last thing I want is for me to just rely on the ONT's firewall etc for IPv6 and having the ISP be able to directly see requests coming out from each of my local devices instead of looking like it's coming out from just one device, which is my router.

Thank you :)
Skynet watches for IPv4 IPs only.
 

Frank Monroe

Regular Contributor
Passthrough is just that. There will be no firewall on the Asus router for IPv6; it's just letting it pass through. However, your ISP-provided router may do the firewalling for you and then send it along to the Asus router. Not 100% sure of this, but it's possible.
I'm sorry. Respectfully, that's not true. The IPv6 firewall is enabled whether you use passthrough or not. I can prove that with my own AC5300. I am running in passthrough mode, inbound IPv6 traffic is blocked (by default). Once I turn off the IPv6 firewall or allow exceptions through it, inbound traffic will flow. Really, the only difference I have seen between native and passthrough are the command line switches on 6relayd when it is launched, which is how IPv6 configuration information is passed between the outside network and the inside network. If the router behaved as you are saying, that wouldn't even need to run at all.
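
Added example, not part of any post in this thread and not Asuswrt-Merlin code: a coarse way to check the claim under dispute by reading the router's own IPv6 forwarding rules in `ip6tables -S` format. The two rule sets and the interface names `br0`/`eth0` are constructed for illustration, not dumped from a real router.

```shell
#!/bin/sh
# Classify the IPv6 FORWARD chain from `ip6tables -S` text on stdin.
# Prints one of:
#   stateful-deny  unsolicited traffic dropped, replies to LAN-initiated flows allowed
#   deny-all       dropped, but no RELATED,ESTABLISHED accept rule was found
#   open           forwarded traffic is accepted by default
# Only the chain policy and unconditional "-A FORWARD -j <target>" rules are
# examined; rules in vendor sub-chains are not followed.
forward_posture() {
    awk '
        # Chain policy line, e.g. "-P FORWARD DROP"
        $1 == "-P" && $2 == "FORWARD" { policy = $3 }
        # Return-traffic rule seen before any unconditional verdict
        $1 == "-A" && $2 == "FORWARD" && /ESTABLISHED/ && /-j ACCEPT/ && final == "" {
            stateful = 1
        }
        # First unconditional terminal rule wins, because rules match in order
        $1 == "-A" && $2 == "FORWARD" && NF == 4 && $3 == "-j" &&
            $4 ~ /^(DROP|REJECT|ACCEPT)$/ && final == "" { final = $4 }
        END {
            if (final == "") final = policy
            if (final != "DROP" && final != "REJECT") print "open"
            else if (stateful) print "stateful-deny"
            else print "deny-all"
        }'
}

# Constructed sample: IPv6 firewall enabled
SAMPLE_ON='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT'

# Constructed sample: IPv6 firewall disabled
SAMPLE_OFF='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

printf '%s\n' "$SAMPLE_ON"  | forward_posture
printf '%s\n' "$SAMPLE_OFF" | forward_posture
# On a router with shell access: ip6tables -S | forward_posture
```

A rule listing only shows what is configured; an inbound connection attempt from an outside IPv6 host to a LAN device, with the firewall on and then off, confirms the behaviour end to end.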
 

Crimliar

Senior Member
Passthrough is just that. There will be no firewall on the Asus router for IPv6; it's just letting it pass through. However, your ISP-provided router may do the firewalling for you and then send it along to the Asus router. Not 100% sure of this, but it's possible.
Not according to: https://www.asus.com/uk/support/FAQ/1013638/

That page suggests that unless you allow specific connections then there would be a basic firewall that filters non-originated connections!
 

Tech9

Part of the Furniture
So I'm stuck with a double NAT situation. Now IPv4 is fine like usual but with IPv6 I need to use passthrough mode

What IPv6 advantages you expect to get is the more important question. Read the thread below and decide what to do.

 
