Hi everyone,
I have OpenWRT on my router which creates several wifi subnetworks at home, for which I block unwanted connections via pi-hole.
Often, I see devices identified by an ipv6 address or PTR requests made by pi-hole that include ipv6 addresses.
Since this is just on a local network, I wonder whether I need ipv6 at all. I am not well versed in networking but I do not see a benefit to it and it seems like it just makes the pi-hole blocking a tad more complicated.
Would you recommend just disabling ipv6 on the local network entirely? And, if so, are there drawbacks? And, most importantly, how do I do this for the various wifi networks I have?
Thanks!
Then don't fiddle with it.
Thanks @_bernd, but that's not quite the type of guidance and advice I was looking for.
That is the pihole asking if its local IP has a name. (Local IPs start with fe80 or fd; read the reverse DNS name backwards.)
Your router can't stop the fe80 ones at all, since they are set internally by most OSes regardless of whether the network supports v6.
The fd ones (ULAs) were issued by your router and you can remove them by removing the ULA prefix or setting ip6assign to blank on lan.
It is also completely harmless to let it go as it is though.
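To see what those PTR queries actually refer to, here is an added example (not from this thread) that decodes `ip6.arpa` names back into addresses and sorts them into the fe80 / fd categories described above. The log lines are constructed to mimic Pi-hole's dnsmasq log format and are not real data.

```python
import ipaddress
import re

PTR_RE = re.compile(r"query\[PTR\] (\S+\.ip6\.arpa)")
ULA = ipaddress.IPv6Network("fc00::/7")   # fd00::/8 ULAs issued by the router live here

def ptr_to_ipv6(ptr_name):
    """Decode 'n.n....n.ip6.arpa' (32 nibbles, least significant first)."""
    labels = ptr_name.rstrip(".").lower().split(".")
    nibbles = labels[:-2]
    if labels[-2:] != ["ip6", "arpa"] or len(nibbles) != 32:
        raise ValueError(f"not a full ip6.arpa name: {ptr_name}")
    # "read backwards": reverse the nibbles and reassemble 128 bits
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))

def ipv6_to_ptr(addr):
    """Inverse of ptr_to_ipv6; used here only to build the constructed sample."""
    return ".".join(reversed(addr.exploded.replace(":", ""))) + ".ip6.arpa"

def classify(addr):
    """Categories from the post: fe80 = set by the OS itself, fd = router's ULA."""
    if addr.is_link_local:       # fe80::/10, the router cannot stop these
        return "link-local"
    if addr in ULA:              # fc00::/7, comes from the ULA prefix / ip6assign
        return "ULA"
    return "global"

def summarize(log_text):
    """[(address, category), ...] for every PTR query in a dnsmasq-style log."""
    out = []
    for line in log_text.splitlines():
        if m := PTR_RE.search(line):
            addr = ptr_to_ipv6(m.group(1))
            out.append((str(addr), classify(addr)))
    return out

# Constructed sample lines in the shape of Pi-hole's dnsmasq log (not real data).
SAMPLE_LOG = "\n".join(
    f"Jan 1 12:00:0{i} dnsmasq[1234]: query[PTR] "
    f"{ipv6_to_ptr(ipaddress.IPv6Address(a))} from 127.0.0.1"
    for i, a in enumerate(["fe80::1", "fd12:3456::1", "2001:db8::1"])
)

if __name__ == "__main__":
    for addr, kind in summarize(SAMPLE_LOG):
        print(f"{addr:20} {kind}")
```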
Ok. I will try and find a way to do that. Is that a per-wifi setting?
Can this be solved directly in pi-hole, then? By assigning a name to that address?
I don't need it and turn it off completely. It's as simple as editing /etc/config/network to add two lines about ipv6. Too bad not all interfaces take it:
config interface 'lan'
	option device 'eth0'
	option ipv6 '0'
config interface 'wan'
	option device 'eth1'
	option ipv6 '0'
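Since the same `option ipv6 '0'` does not cover every interface, and a ULA prefix or `ip6assign` keeps handing out fd addresses anyway, here is an added example (not from this thread or from OpenWrt) that parses a UCI-style /etc/config/network and reports, per interface, why IPv6 is still active. The sample config is constructed; the set of IPv6-only proto names is an assumption of this example.

```python
import re

SECTION_RE = re.compile(r"^\s*config\s+(\S+)(?:\s+'?([^'\s]+)'?)?\s*$")
OPTION_RE = re.compile(r"^\s*option\s+(\S+)\s+'?(.*?)'?\s*$")
IPV6_ONLY_PROTOS = {"dhcpv6", "6in4", "6to4", "6rd"}   # assumption: protos that only carry v6

def parse_uci(text):
    """Return [(section_type, section_name, {option: value}), ...] (lists ignored)."""
    sections = []
    for line in text.splitlines():
        if sec := SECTION_RE.match(line):
            sections.append((sec.group(1), sec.group(2), {}))
        elif (opt := OPTION_RE.match(line)) and sections:
            sections[-1][2][opt.group(1)] = opt.group(2)
    return sections

def audit_ipv6(text):
    """Per interface, list why IPv6 is still active; an empty list means it is off."""
    findings = {}
    for typ, name, opts in parse_uci(text):
        if typ == "globals" and opts.get("ula_prefix"):
            findings["globals"] = [f"ula_prefix={opts['ula_prefix']} still set"]
        if typ != "interface":
            continue
        reasons = []
        if opts.get("ipv6", "1") != "0":                 # option absent counts as enabled
            reasons.append("ipv6 not set to 0")
        if opts.get("ip6assign"):                         # delegates part of the ULA prefix
            reasons.append(f"ip6assign={opts['ip6assign']} delegates a ULA prefix")
        if opts.get("proto") in IPV6_ONLY_PROTOS:
            reasons.append(f"proto={opts['proto']} is an IPv6 protocol")
        findings[name] = reasons
    return findings

# Constructed sample in UCI syntax (not a real router's config).
SAMPLE_CONFIG = """\
config globals 'globals'
	option ula_prefix 'fd12:3456:789a::/48'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipv6 '0'
	option ip6assign '60'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
"""

if __name__ == "__main__":
    for iface, reasons in audit_ipv6(SAMPLE_CONFIG).items():
        print(iface, "->", "; ".join(reasons) or "IPv6 off")
```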
- Delete the IPv6 interface
- Disable everything related to IPv6 in the LAN and WAN network adapters
- Add to sysctl:
echo "net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.icmp.echo_ignore_all=1
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0" > /etc/sysctl.conf
- Reload the router
Thanks @ppmm. Does the same apply to all interfaces?
Then study ipv6 first and decide /later/. Ipv4 is an escaped lab rat and the Internet knew about the fuckup in the early 1990s. IPv6 is the successor of ipv4 for short or long. Yes you can keep the lights on in the legacy Internet but the Internet NG uses ipv6. You have to somehow deal with it anyway sooner or later.
Yes, it can be hidden from the dashboard. It will not stop the queries though.
Edit this file
sudo nano /etc/pihole/pihole-FTL.conf
And add this (you may have to reboot pihole):
ANALYZE_ONLY_A_AND_AAAA=true
Why did you ask here for a solution to pihole? I was tempted not to reply. Pihole is on version 6 now, so it may have changed; go to the pihole forums if it does not work.
EDIT:
Just checked, it has changed. Go to the pihole forums to figure it out.
That's all nice and well for the internet as a whole, but that doesn't really tell me why I need it for my local network. And, if I might say, by sticking to "don't change anything" and "go read about it", you're not making a very compelling case either.
Thanks @digital-living. The replies above seem to confirm that this can actually be disabled on the local network, and not just hidden from the pi-hole dashboard (which is why I write here and not on the pi-hole forum). I am just not seeing what benefit I have in handling ipv6 alongside ipv4 on the local network, and I am not reading arguments in favour of it, so indeed I am tempted to disable it. This is not to say it's not a good technology overall, but from the point of view of my network and ad blocking, it just seems to complicate things.
To make it even easier you can completely disable IPv4 too and get no complications.
IPv6 is more efficient and faster in networks and uses less CPU cycles and easy on routers.
Why am I often reminded in such discussions about the perceived lack of merits for IPv6 of the old days, when similar arguments were brought, only then IPv4 was the "too complicated novel contender"...
One IMHO definitive argument for IPv6 is that parts of the internet can only be reached via IPv6... and that part likely is getting bigger over time, that is however not the part we typically interact with most often so ATM this is not something that is obvious in daily use for most folks.
If you want to have access to the Internet NG and not only to the legacy Internet, for sure you need ipv6.
Come on boy. You've started. You said you have no clue but wanted to disable it right away. Yeah, good luck.
If your Internet provider does not provide the IPv6 protocol, then you don't need it.
Disabling IPv6 for security is a good undertaking.
When to turn off IPv6:
Problems with the network: it happens that devices or applications try to use IPv6, which is not available, because of which delays or errors may occur (for example, slow loading of pages).
Simplification of the configuration: if you know exactly that IPv6 is not needed now and in the future, the shutdown can simplify the settings of the router.
These are my thoughts, and they may not coincide with those of other participants.
In general, if performance and safety are more important for you, then of course it is better to turn off this vulnerable IPv6 protocol.
You can also add this to sysctl:
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.secure_redirects=0
There will be less flooding on the LAN.
Taking Windows 10 as an example:
it sends packets using the IGMP protocol to record all the MAC addresses and send them to its office.
Therefore, if you do not use the IGMP protocol, it is better not just to turn it off, but to block it.
The oldest and probably the most dangerous protocol is ICMP.
Consider disabling this protocol as well.
This is the most dangerous and vulnerable protocol.
Maybe, maybe not. Even if your ISP does not offer IPv6, that does not mean you can not use it:
https://tunnelbroker.net
That is arguable. Sure, any reduction in attack surface will reduce the risk, but the question is one of trade-offs, not of absolutes.
If you consider this a good trade-off, go for it, I am not sure however whether one should "market" disabling IPv6 generally as a worth-while step in increasing security.
This is actively dubious advice... ICMP is the control companion for IP and needed to signal some on path error conditions back to the sender.
Do you know why this is dubious advice for you?
Because you did not try to turn it off.
I blocked it at my place 15 years ago.
In all these years, the router has never frozen.
For example, you will run the cod2 server and then tell us how long you were able to hold out.
Yes, because ICMP is used for feedback about fragmentation (e.g. the need to fragment a packet with the do not fragment bit set, causes an error message telling the source about the issue) this is e.g. used for path MTU discovery. Also traceroute tends to use Time Exceeded (Zeitablauf) messages to locate the individual hops...
I do not need to, as I have a basic understanding where ICMP is needed, and what the consequences of disabling/dropping all icmp packets would be.
Which I do not doubt, but that is not the failure mode you would expect from disabling ICMP. But hey, your network, your rules, so if that works for you, by all means stick to it. For everyone else, maybe consider the consequences first (even if you follow @fkl7834456's lead, at least do it knowing what to expect).
I know how ICMP works and I know what it is capable of in practice.
Am I ready to sacrifice something for the sake of turning it off? Of course I am.
And did you think about the ICMP answer not coming, which will cause a large delay?
Or your phone will answer an undesirable IP address through ICMP, and what happens then?