Dual Stack home network pros and cons

For me, with native IPv6 I don't have a DNS leak on a running VPN client,
and with IPv6 passthrough (full IPv6 enabled) you have a DNS leak.

Don't know what this issue causes; with just a native IPv6 connection to my VPN provider, my IPv6 from the VPN provider shows up,
but not my real IPv6 like the DNS leak.
 
I imagine if you are running a VPN client on either Asuswrt-Merlin or Asuswrt, then you would want IPv6 turned off to prevent the potential for leaks outside the tunnel, because neither firmware supports routing IPv6 internet through the tunnel. Even if your DNS is not leaking, there may be potential that your IPv6 address is leaking to your internet traffic. Basically, sites you visit will see the IPv4 address of your VPN server while still being able to see your WAN IPv6 address from your ISP.
 
I imagine so. The matter at hand is about Dual Stack home network pros and cons. I am not sure if anyone has presented any pros yet.
To me, it's not a matter of pro or con. If you are in a situation where you need IPv6 and you also need to access local devices that only support IPv4, then dual stack is your answer. You will still need IPv4 connectivity to the internet unless you use other technologies such as DNS64/NAT64. Without that, dual stack is your answer.

My problem with the discussion has been with statements that are made saying there is no reason for anyone to enable IPv6, so don't do it. Or statements that say, if you enable IPv6 you are at risk. Neither of these is true. With that said, I agree 100% that if you have no reason to enable IPv6 you probably should not enable it. That's why I didn't have it enabled until recently. Anything extra running on your router is just another entry point for an intruder. So, of course you shouldn't enable anything on your router that you do not need.

Finally, after I enabled IPv6 earlier this year, I was surprised how much of my traffic is IPv6. In fact, most of it is.
 
Or statements that say, if you enable IPv6 you are at risk.

This is something we don’t know yet, on Asuswrt in particular. What we know so far is it eliminates some extra security features and adds another attack surface.
 
Yes. Like anything else you enable on your router. It's just another attack vector. However, if you need IPv6, there is no reason to scare people into not using it unless you know of a weakness in ASUS routers specifically. If there is a weakness in ASUS routers specifically, then the answer is to select another vendor.
 
I imagine if you are running a VPN client on either Asuswrt-Merlin or Asuswrt, then you would want IPv6 turned off to prevent the potential for leaks outside the tunnel, because neither firmware supports routing IPv6 internet through the tunnel. Even if your DNS is not leaking, there may be potential that your IPv6 address is leaking to your internet traffic. Basically, sites you visit will see the IPv4 address of your VPN server while still being able to see your WAN IPv6 address from your ISP.
I don't use VPN on my router. It's VPN on each device (separately) as and when it's necessary. Why? Much less setup & maintenance work to do on the router itself is the plus, but the VPN subscription fee is the minus. Using Ethernet / 5G WiFi, via my router, the device's VPN connection(s) are all sent through the VPN provider's firewall; they are all 100% hardcore anti-tracker enabled & DNS leak checked (my own setup choice is to exclusively use the VPN provider's DNS). You can use Multi-Hop OpenVPN or Multi-Hop WireGuard (which is what I use). You can also have IPv4 VPN only or IPv4 AND IPv6 VPN, as you see fit and/or feel technically comfortable with (I always use the IPv4 AND IPv6 VPN option and I always use IPv4 AND IPv6 on my router too, FWIW). I've always triple checked everything, i.e. https://ipleak.net / https://www.perfect-privacy.com/en/tests (I don't use Windows so the MS Leak test is N/A) / https://www.dnsleaktest.com / https://browserleaks.com/webrtc etc. There are many detailed online tests available, as you'll probably know better than me, but the WebRTC Leak Test is perhaps the one many people forget about when verifying their VPN for leaks.

There's never a perfect answer / perfect solution @SomeWhereOverTheRainBow & lots of people will stick with the router config option, but it does remove any of those ^ IPv6 'backdoor leak' issues.
 
However, if you need IPv6, there is no reason to scare people into not using it unless you know of a weakness in ASUS routers specifically.

Well, looks like many people don’t know what’s going on in Asuswrt. Do you know? Answer the questions in post #12, please.
 
One site only can generate quite a bit of IPv6 traffic - YouTube. It works perfectly on IPv4, by the way.
Understood. Most of the traffic from my house is TV streaming, YouTube, Gmail, DNS. All of that is IPv6. But that's not the point. The point is, I have a reason to have IPv6 enabled. Once I enabled it, most of my traffic is IPv6. Statements were made earlier that most of your traffic will not be IPv6, which, in my case, is not true.
 
Well, looks like many people don’t know what’s going on in Asuswrt. Do you know? Answer the questions in post #12, please.
I don't use every feature in Merlin. But let me answer what I do use:

-Parental Controls: This works with IPv6. I wouldn't expect it to break since ASUS uses MAC address for enforcement and not IP
-Adaptive QOS: works as normal
-DNS Filter: Works as normal except the DNS server to use must be IPv4.
-VPN server/client: Work as normal. However, I am only using IPv4 clients.
-Guest Network: Works as normal.
-NAT acceleration: Works as normal. But, I wouldn't expect this to break away since one of the points of IPv6 is to remove NAT. IPv6 does not use NAT.
 
-DNS Filter: Works as normal except the DNS server to use must be IPv4.
Only the Custom servers must be IPv4. Predefined options that support IPv6 are provided via DHCPv6 to the clients (e.g. Yandex, Quad9, CleanBrowsing). Any DNS requests that do not match the chosen IPv6 DNS address are dropped by the firewall since a NAT redirect is not possible. Not quite the same experience as IPv4.

I may be naïve but I believe I leave less of an internet trail when my devices browse the web using their temporary IPv6 SLAAC addresses instead of always using my relatively stable public IPv4 address from my ISP.
 
I don't use VPN on my router. It's VPN on each device (separately) as and when it's necessary. Why? Much less setup & maintenance work to do on the router itself is the plus, but the VPN subscription fee is the minus. Using Ethernet / 5G WiFi, via my router, the device's VPN connection(s) are all sent through the VPN provider's firewall; they are all 100% hardcore anti-tracker enabled & DNS leak checked (my own setup choice is to exclusively use the VPN provider's DNS). You can use Multi-Hop OpenVPN or Multi-Hop WireGuard (which is what I use). You can also have IPv4 VPN only or IPv4 AND IPv6 VPN, as you see fit and/or feel technically comfortable with (I always use the IPv4 AND IPv6 VPN option and I always use IPv4 AND IPv6 on my router too, FWIW). I've always triple checked everything, i.e. https://ipleak.net / https://www.perfect-privacy.com/en/tests (I don't use Windows so the MS Leak test is N/A) / https://www.dnsleaktest.com / https://browserleaks.com/webrtc etc. There are many detailed online tests available, as you'll probably know better than me, but the WebRTC Leak Test is perhaps the one many people forget about when verifying their VPN for leaks.

There's never a perfect answer / perfect solution @SomeWhereOverTheRainBow & lots of people will stick with the router config option, but it does remove any of those ^ IPv6 'backdoor leak' issues.
Yep, this was geared for someone using IPv6 and VPN locally on the router. Running it from clients individually on the device should be fine provided the VPN provider supports IPv6.
 
Only the Custom servers must be IPv4. Predefined options that support IPv6 are provided via DHCPv6 to the clients (e.g. Yandex, Quad9, CleanBrowsing). Any DNS requests that do not match the chosen IPv6 DNS address are dropped by the firewall since a NAT redirect is not possible. Not quite the same experience as IPv4.

I may be naïve but I believe I leave less of an internet trail when my devices browse the web using their temporary IPv6 SLAAC addresses instead of always using my relatively stable public IPv4 address from my ISP.
SLAAC addressing still has a part of the device identifier generated per device and part of the ISP identifier in the address. Not that you are wrong though.
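The split described in the reply above, as an added example that is not part of the original thread: it separates a SLAAC address into the ISP-delegated /64 prefix and the 64-bit interface identifier, and reports whether the identifier is a MAC-derived (modified EUI-64) one or an opaque one such as a temporary privacy address. The sample addresses use the 2001:db8::/32 documentation prefix and are constructed; the function names are hypothetical.

```python
import ipaddress

# Constructed samples on the same (documentation-range) LAN prefix.
EUI64_ADDR = "2001:db8:1234:5678:211:22ff:fe33:4455"      # built from MAC 00:11:22:33:44:55
TEMPORARY_ADDR = "2001:db8:1234:5678:9c4e:71a2:3b0d:e5f1"  # random-looking identifier


def split_address(addr, prefix_len=64):
    """Return (network prefix, interface identifier as int) for an IPv6 address."""
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << (128 - prefix_len)) - 1)
    return net, iid


def eui64_mac(iid):
    """Return the embedded MAC if the identifier is modified EUI-64, else None.

    Modified EUI-64 inserts ff:fe in the middle of the MAC and flips the
    universal/local bit (0x02) of the first octet. An opaque identifier can
    contain ff:fe by chance, so a match is a strong hint, not proof.
    """
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{octet:02x}" for octet in mac)


def describe(addr):
    """Summarise what an observer of this address can learn from it."""
    net, iid = split_address(addr)
    mac = eui64_mac(iid)
    return {
        "prefix": str(net),          # identifies the ISP delegation / household
        "iid": f"{iid:016x}",        # identifies the device within that prefix
        "mac": mac,
        "kind": "eui-64 (stable, MAC-derived)" if mac else "opaque (temporary or stable-random)",
    }


def same_prefix(a, b):
    """True when two addresses share the /64, i.e. the same ISP-assigned part."""
    return split_address(a)[0] == split_address(b)[0]


if __name__ == "__main__":
    for sample in (EUI64_ADDR, TEMPORARY_ADDR):
        print(sample, describe(sample))
    print("same /64:", same_prefix(EUI64_ADDR, TEMPORARY_ADDR))
```

Rotating the interface identifier changes only the lower 64 bits; the prefix stays the same for as long as the ISP delegation does.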
 
What are Diversion, Skynet and AiProtection doing with IPv6 enabled? I don’t know. Do you know?
Diversion automatically enables or disables IPv6 support when the router settings change, there is no user action required within Diversion when that happens.

Diversion is only tested with a dual stack IPv4/6 combination. I have no idea what happens if only IPv6 is enabled. I'm not even sure that's possible on our routers.
My current ISP supplied cable modem only supports IPv4, I can only do limited testing for Diversion. Though I could get the newer modem that supports IPv6, I see no need to do that as I have no use of that functionality at the moment.

Skynet does not support IPv6.
 
I may be naïve but I believe I leave less of an internet trail when my devices browse the web using their temporary IPv6 SLAAC addresses instead of always using my relatively stable public IPv4 address from my ISP.
This has been my understanding as well. Unfortunately, this also makes it more difficult to construct firewall rules using the web GUI.
 
I'm going to play devil's advocate with this thread's premise for a moment...

The problem with the blanket argument of "I don't know everything about how my Asus router handles IPv6; therefore it must be a security risk" (and the probable reason why some people in this thread have referred to this topic as FUD) is that it's remarkably similar to the argumentative technique used by anti-vaxxers on sites such as reddit.

Observe:

1. I don't know everything about all the ingredients in the Pfizer COVID-19 vaccine; therefore I won't take it, since it'll probably harm me and cause infertility or something.

2. I don't understand what all these ingredients are in the Moderna vaccine; maybe Joe Rogan is right, and nanotech microchips are in it. Better be safe by not taking it!


This is (probably) why various SNB developers and regulars have asked for IPv6 vulnerabilities to be posted, rather than FUD-like statements to be made. Unless you see nothing wrong with the two anti-vaxxer statements above, in which case you probably have bigger problems than which network layer communications protocol your home network's wireless router uses by default. :)
 
