Dual Stack home network pros and cons

[heysoundude]

@heysoundude, with IPv6 disabled you can do exactly the same thing without I think and I hope part. If you have one of those Rogers modem/routers in bridge mode, LAN ports 3/4 provide IPv6 address only. Plug in your router there and see how much your network depends on IPv4. In Canada, you have opened just another path in/out of your network with own issues you have to deal with. There is no speed benefits, just the opposite - your DNS queries may be delayed as a result. What Diversion, Skynet and AiProtection are doing with IPv6 enabled? I don’t know. Do you know?

I don't, but nothing is "broken" as best I can tell.
TSI DSL here...native v6. bridged their modem/router and rely on Merlin/asus and scripts - the people who build these are much smarter than I'll ever be

Canada / Canadian ISPs aren't in any danger of running out of IPv4 addresses anytime soon, so don't expect us to try to become another Japan in terms of IPv6 adoption

My signature is out of date; currently I have dual-stack enabled on my Teksavvy/RCable connection - but that's more for "fun" and to "play with" rather than actually use.
In other words, I have IPv6 disabled on my mother's router.

see my "we have the technology..." quote. Having is one thing, using it is quite another. Frankly, we should be using it else we're in danger of appearing to be luddites - hewers of wood and drawers of water; we're better than that. let's stop being boring here. let's get on the train, or ahead of the curve.

 

[Tech9]

let's stop being boring here.

@heysoundude, you run DNS/IP-blocking scripts not really necessary for average user security and in the same time you have opened another access to your network without knowing if your IPv4 level of security applies to IPv6. There are smarter people out there indeed. Someone may come see you uninvited. Is your Internet experience any different with IPv6 enabled?

 

[Christos]

Off topic: If your internet connection is behind CG-NAT and you still need to access your computers behind it, you can use a solution like Tailscale or Zerotier

 

[Jaime Alvarez]

@heysoundude, you run DNS/IP-blocking scripts not really necessary for average user security and in the same time you have opened another access to your network without knowing if your IPv4 level of security applies to IPv6. There are smarter people out there indeed. Someone may come see you uninvited. Is your Internet experience any different with IPv6 enabled?

Thank you for bringing this up. I was naively playing around having IPv6 enabled without thinking much about it. IPv4 works pretty well for me, so now that I'm aware of security and privacy concerns of IPv6, I've disabled it.

 

[SomeWhereOverTheRainBow]

This is the major concern - we don't know what's broken. I did enable IPv6 on AC86U router yesterday to test, stock Asuswrt firmware. The router is in double NAT behind my ISP router, so IPv6 Passthrough configuration. OpenDNS IPv4 servers, OpenDNS IPv6 servers. The syslog was filled immediately with "kernel protocol 0800 is buggy", non-stop. I had to Google to find how to stop it. Turns out NAT acceleration is the issue. With NAT acceleration disabled the syslog is quiet. I don't know what exactly is buggy. Now I have a Gigabit router limited to 300Mbps WAN-LAN with IPv6.

There is a lack of kernel support in regards to nat and ipv6 with many of these older kernel setups. Any newer routers that have the newer kernels that support the extra ipv6 support do not have the options enabled and lack the internal integration as well.

 

[Tech9]

Is this the case with newer HND platform routers with 4.1.x kernel, @SomeWhereOverTheRainBow?

 

[SomeWhereOverTheRainBow]

Is this the case with newer HND platform routers with 4.1.x kernel, @SomeWhereOverTheRainBow?

Correct. The options can be enabled and the correct iptables versions can be used. All of it would require testing. The problem, and the hesitancy of asus would be the need to over-hall alot of the internals. I can see why this has yet to happen. Codebase consistency with older kernels. Why change something that may bring more security concerns.

 

[Tech9]

I was naively playing around having IPv6 enabled without thinking much about it.

I'm not saying the security is not working. I'm saying I don't know if it's working. Questions in post #12 not answered yet.

Correct. The options can be enabled and the correct iptables versions can be used.

Okay, and what enabling IPv6 means in current Asuswrt firmware? Sounds like basic compatibility and hope for the best to me.

 

[SomeWhereOverTheRainBow]

I'm not saying the security is not working. I'm saying I don't know if it's working. Questions in post #12 not answered yet.



Okay, and what enabling IPv6 means in current Asuswrt firmware? Sounds like basic compatibility and hope for the best to me.

Yep, not all kernel options are used for ipv6. It is implemented in the way the original thinkers of ipv6 would have done it. Turn it on and forget it.

 

[Wisiwyg]

This thread is why I've disabled IPv6 since day 1.

 

[SomeWhereOverTheRainBow]

This thread is why I've disabled IPv6 since day 1.

It is good you are one of the fortunate ones that can get by with it turned off. The reason why I use the word fortunate is because some people may not have such a choice. Most people should have such a choice though.

 

[Tech9]

Turn it on and forget it.

I don't know what's enabled on FreeBSD 12.2, the pfSense base. IPv6 is an entire chapter in Netgate Docs with Warnings, Notes and See Also. There is no turn on and forget about it. There is only turn off and forget about it. This is what I'm using currently.

 

[Jaime Alvarez]

I'm not saying the security is not working. I'm saying I don't know if it's working. Questions in post #12 not answered yet.

Yes, that's what I understood from post #12. Not knowing if it is working qualifies as concerning for me.

 

[SomeWhereOverTheRainBow]

I don't know what's enabled on FreeBSD 12.2, the pfSense base. IPv6 is an entire chapter in Netgate Docs with Warnings, Notes and See Also. There is no turn on and forget about it. There is only turn off and forget about it. This is what I'm using currently.

I have had fun playing around with it on openwrt. I just prefer not to have to redo my entire setup every time there is a firmware upgrade.

 

[Crimliar]

I'm kinda surprised no one referenced https://www.asus.com/uk/support/FAQ/1013638 on setting up the IPv6 firewall.

 

[SomeWhereOverTheRainBow]

I'm kinda surprised no one referenced https://www.asus.com/uk/support/FAQ/1013638 on setting up the IPv6 firewall.

That is basically the case the ipv6 firewall is only good at filtering inbound outbound traffic. Nothing is truly blocked unless the user specifies directly everything else is subject to a light drop policy. This form of ipv6 management is stateless firewalling as apposed to stateful firewalling.

 

[Frank Monroe]

That is basically the case the ipv6 firewall is only good at filtering inbound outbound traffic. Nothing is truly blocked unless the user specifies directly everything else is subject to a light drop policy. This form of ipv6 management is stateless firewalling as apposed to stateful firewalling.

This of course doesn't mean that unsolicited inbound traffic isn't being blocked by default.

 

[SomeWhereOverTheRainBow]

This of course doesn't mean that unsolicited inbound traffic isn't being blocked by default.

it is very light in this regards.

 

[Frank Monroe]

it is very light in this regards.

I guess the point I am trying to make is, even though the IPv6 firewall may be "very light," your internal devices are not accessible from the outside with IPv6 enabled.

 

[sfx2000]

will be good for everyone enabling IPv6 on Asus routers to know what happens with:

I would think at a minimum that the Broadcom SDK for HND should be ok with IPv6 - it would be more the verticals (AIProtect, OpenVPN, AI Cloud, Adaptive QOS, Samba, etc..) that might be more of a challenge, and also perhaps the Script contributions...

With the HND platform, Asus is not the only player using it, there are others, and not a lot of chatter either for or against dual-stacking so far - if there were a significant issue, the regulars here would know of it.

If AsusWRT is solid enough, there still is the need for more testing on the scripting contribs so that folks can gain confidence in the IPv6 space.