Hello, I executed all the following commands on my router,
but my endpoint device, an Amazon Fire HD 10, is still somehow getting an IPv6 address... any idea why?
Thanks!
@lleachii What OpenWrt guide?
The problem is that I can't see where I can disable IPv6 on the Amazon Fire HD 10.
Let's see the text configs:
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/dhcp
@psherman Is there anything specific that I should look for in these files?
Thanks!
Well, in the DHCP file, we're looking to see if there are any IPv6-related entries for the lan server. In the network file, we want to see if there is a wan6 defined.
Post them and we can probably quickly identify anything in these files that would be related to your issue.
Every IPv6 compatible interface should assign itself a link-local IP (starts with fe80). That is done locally in the device. The question of how to prevent an Amazon Fire from doing that is outside the scope of this forum.
Hello,
root@OpenWrt-main-router:~# cat /etc/config/network | grep wan
	option name 'wan'
config interface 'wan'
	option device 'wan'
dhcp
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	option start '160'
	option limit '80'
	list ra_flags 'none'
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
@mk24
I can see an fe80:: address, and for DNS
fddc:...
The problem is that while there is an IPv6 address assigned to the device, I am not able to resolve my "hairpinning IPs", which I defined
inside /etc/dnsmasq.conf:
address=/xxxx.duckdns.org/10.0.1.104
In case IPv6 is disabled on the device interface, all works fine.
When the Fire looks up a name, it doesn't use your router's DNS server?
That is often by design in IoTs. They go to an external DNS that the manufacturer controls.
@mk24 It shows 3 DNS IPs:
an IPv6 address, my router IP, and 8.8.8.8.
No idea how/from where it gets the IPv6 address and 8.8.8.8.
But this is happening on the Fire HD 10 2019; on the same one but from 2017, where there is no IPv6 address, all works fine.
Well, it sounds crazy, i.e. I can't control DNS... ;-( So assuming there is no hack for that?
You can do more to disable IPv6 in OpenWrt, compared to what is written in the article from 3os.org you linked.
Impossible to build an image without IPv6.
Maybe it's really a DNS issue, as @mk24 said; the Fire from 2017 also has an IPv6 address assigned, I just can't see the DNS address... it's Android v5.
Maybe with the newer Android version they "messed up" DNS, so the question would be... how to force all devices to use my own local DNS server instead of the hardcoded DNSs from the device vendor.
@reinerotto I think I already tried that, as I had a similar issue with an Android phone... but it didn't work for me.
Strange. I do something very similar, but using "raw" iptables commands, and this works for Android, at least. "Raw" iptables cmds, because I never use the OpenWrt firewall, but simple iptables, which is much easier to maintain and very well documented. Only possible in self-compiled OpenWrt, though. The starting part is the REDIR of destination port 53 to your listening dnsmasq. Android often uses a fixed 8.8.8.8 for DNS, so this will be hijacked. Because of DoH and DoT this might not be enough, but you can test this by disabling it in your PC's browser. In the worst case, you need to block the IPs of all well-known DoH and DoT servers, to force the usage of simple DNS. This is also done in the article referenced, using ipset. Reading the article, I must agree that it should work, because I do the same, only with the native iptables firewall. The only method to circumvent it is a VPN, or usage of a DoH server not (yet) in the list.
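The port-53 redirect and DoT block described in that post, written as OpenWrt firewall config instead of raw iptables (an added example, not reinerotto's rules or the 3os.org article's; it assumes the router's LAN address is 10.0.1.1 and the default zone names lan/wan):

```uci
# Additions to /etc/config/firewall. Assumed: the router's LAN address is
# 10.0.1.1 and the zones carry the default names 'lan' and 'wan'.

# Rewrite every plain-DNS query leaving the LAN, whatever resolver the client
# has hardcoded (8.8.8.8 for example), so it lands on the router's dnsmasq
# and the address=/.../ entries in dnsmasq.conf answer as expected.
config redirect
	option name 'Force-local-DNS'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_ip '10.0.1.1'
	option dest_port '53'
	option target 'DNAT'

# Reject DNS over TLS (TCP 853) towards the internet on IPv4 and IPv6, so a
# client that tries DoT falls back to plain DNS and is caught by the redirect.
config rule
	option name 'Reject-DoT'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp'
	option dest_port '853'
	option family 'any'
	option target 'REJECT'

# DNS over HTTPS shares TCP 443 with ordinary web traffic and cannot be told
# apart by port; blocking it needs a maintained list of resolver addresses
# (the ipset approach mentioned in the thread). Apply with:
#   /etc/init.d/firewall restart
```

With the classic fw3 firewall, redirect sections only act on IPv4; a query the device sends to the router's own IPv6 address already reaches dnsmasq, so the redirect matters for the hardcoded IPv4 resolvers.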
Hello,
Maybe the article is out of date? As far as I can remember these DoH/DoT IPs are old (from when I was trying ipset).
Do you mind sharing your iptables rules?
Do you mean installing my own DoH server? Android/Amazon Fire will still try to find their own DoH server, I assume?
Could you elaborate on this > "Because of DoH and DoT this might be not enough, but you can test this by disabling in your PCs browser. "
No. Your router must only block the IP of the DoH server(s) the Android/Fire uses, which should force a fallback to simple DNS. In most Windows browsers, DoH/DoT is now enabled and used as default, but using config options you can disable it.
The real challenge here is the completeness of the list of DoH IPs. '1.1.1.1' for sure is not good enough. Also, IPv6 has to be taken into consideration; to be disabled, if not really required.
Show us the first 64 bits of the IPv6 address. If it's private, there's nothing you can do about it.