Asus XT8 IPv6 bypasses pihole

[elias4444]

FYI, every time I search for a solution to this, it keeps taking me to the Merlin forum (which isn't available for Asus mesh routers). I'm running on an Asus XT8, which is not supported by Merlin. Stock firmware solutions only please.

If I turn off IPv6, and run DHCP on my Raspberry Pi, everything works as intended. However, as soon as I turn on IPv6 on the router, my PiHole is bypassed by all IPv6 capable clients on my network. It appears that when clients auto-configure IPv6 (SLAAC), the Asus router tells them to use the router's address for DNS lookups. I've told the router to use the PiHole (under IPv6 DNS settings).

Problem ONE is, even if that worked, all DNS requests on the PiHole will be logged as coming from the router. Basically making my log files near useless.
Problem TWO is, it doesn't work. Just like with IPv4 (when the Asus router is running a DHCP server), it still uses the WAN assigned DNS as a backup, bypassing any blocking the PiHole is trying to do.

As some recommend, I've tried setting the WAN DNS to the local PiHole, but that causes the router to not be able to connect to the internet (chicken and egg problem with the PiHole being on the local network under the router).

I know with IPv4, I can hard-code the dhcp_dns2_x nvram variable to solve the problem, but I can't find anything similar for IPv6.

Has anyone found a solution for this?

 

[JagoUK]

FYI, every time I search for a solution to this, it keeps taking me to the Merlin forum (which isn't available for Asus mesh routers). I'm running on an Asus XT8, which is not supported by Merlin. Stock firmware solutions only please.

If I turn off IPv6, and run DHCP on my Raspberry Pi, everything works as intended. However, as soon as I turn on IPv6 on the router, my PiHole is bypassed by all IPv6 capable clients on my network. It appears that when clients auto-configure IPv6 (SLAAC), the Asus router tells them to use the router's address for DNS lookups. I've told the router to use the PiHole (under IPv6 DNS settings).

Problem ONE is, even if that worked, all DNS requests on the PiHole will be logged as coming from the router. Basically making my log files near useless.
Problem TWO is, it doesn't work. Just like with IPv4 (when the Asus router is running a DHCP server), it still uses the WAN assigned DNS as a backup, bypassing any blocking the PiHole is trying to do.

As some recommend, I've tried setting the WAN DNS to the local PiHole, but that causes the router to not be able to connect to the internet (chicken and egg problem with the PiHole being on the local network under the router).

I know with IPv4, I can hard-code the dhcp_dns2_x nvram variable to solve the problem, but I can't find anything similar for IPv6.

Has anyone found a solution for this?

I use pi-hole on my n66u. I think there was something mentioned about "do not insert a dns in x box as you can't delete it afterward" thing. Meaning if you've filled that box in. Only way is to wipe and start again. Unless that nvram command does the same thing?

My WAN DNS goes to my pi-hole. Second box blank.
Works fine.
My Asus is the DHCP server.

I curently have a new pair of XT8s setup but my isp doesn't do ipv6 so can't help with that unfortunately.

 

[s0x]

I've got it somehow working on my end, still not perfect, but.

• on the Asus side of things:
  • IPv6 is in Native mode (since my ISP router is in Bridge mode)
  • IPv6 Auto DNS is disabled (Set Connect to DNS Server automatically to Disabled)
  • On IPv6 1st DNS (IPv6 DNS Server 1) entry I've inserted the local Rpi (pi.hole) IPv6 address fe80:: (...) (scope link if you do ip addr show on the Rpi)
    • The command ip addr show | grep -E 'inet6.*scope.link' should give you what you need
  • "DHCP-PD" is enabled as well as "Enable Router Advertisement"
  • "Auto Configuration Setting" was kept on Stateless
• On the Pi.Hole side of things:
  • Enabled the option "Enable IPv6 support (SLAAC + RA)"

My Pi.Hole is also the DHCPv4 server.

Don't forget to reboot the router afterwards, I've had better success that way after setting this configuration.

Not being able to use the local IP addresses of the Pi.Hole on the WAN DNS entries was broken a few firmware upgrades ago, but I've seen newer changelogs, for other routers, that have fixed this, so possibly when a new FW version comes out it should be possible to use the Pi.Hole local LAN IP's on the WAN DNS addresses.

 

[elias4444]

Thank you for your replies. I’ve tried the solutions you mentioned. Unfortunately though, the router continues to use the WAN DNS servers as its primary source. Causing my network to still load plenty of ads.

When I put my local DNS into the WAN field(s), the router is no longer able to perform its own lookups internally (via SSH to the router, and using nslookup for instance). The router then believes it’s no longer connected to the internet. I also tried the Network Monitoring settings to alleviate that, without success).

 

[JagoUK]

You are putting WAN DNS as pihole IP then on the pihole putting an external DNS right?

 

[elias4444]

You are putting WAN DNS as pihole IP then on the pihole putting an external DNS right?

Correct. At this point, I’ve also tried using an Adguard Home server as well. Issue persists.

 

[JagoUK]

These are my settings if it helps.

 

[JagoUK]

Sorry that other image looks a bit poor so here it is zoomed in.

 

[elias4444]

These are my settings if it helps.

Thank you for that. I’m guessing there’s a difference between our device’s firmwares. The XT8 firmware has been notoriously buggy until just recently, which was not the case with my older/non-mesh Asus router. Everything I’ve tried so far is pointing to a design flaw (feature?) with the current firmware. I was hoping there was a stray setting buried somewhere I could try, but it’s not looking likely. Which is really unfortunate, seeing as the hardware itself had been great.

For those looking for only an adblocking solution with the XT8 with IPv6 enabled, I recommend setting your WAN DNS to the Adguard servers. You can still specify your own DNS in the IPv6 and DHCPv4 settings, just know that it will only be used as a secondary or tertiary lookup (which can be verified by looking at the router’s resolv.conf file). At this time, the XT8 will always push itself as A DNS proxy to all IPv6 clients (as well as IPv4 unless you turn off DHCP and run your own).

Hopefully Asus will change their minds and fix this in the stock firmware someday. Or maybe, dream of dreams, Merlin will start supporting Asus mesh kits (XT8 and the new ET8). Aside from that, I’m probably going to have to buy a more configurable router to put in front of my expensive Asus mesh router.

 

[JagoUK]

Those setting were from my RT-N66U running very old Merlin firmware. I haven't tried in on my XT8 yet and I don't have IPv6.

Was just showing what works for me.