Disabling IPv6 on OpenWrt

I use OpenWrt on a router, in a straightforward router mode (behind the ISP’s modem in bridge mode).
It seems that by default OpenWrt enables IPv4 and IPv6 for both WAN and LAN. I know very little on the subject, so I wanted to run a few questions by you guys before I do something stupid with my config.

I feel IPv6 on LAN complicates the configuration, and I see very little benefit to it. I was thinking of disabling it to simplify, and was trying to think through what advantage I would give up in doing so.

On the LAN, I will clearly never reach the limit on IPv4 addresses, so I do not see much benefit in enabling IPv6 on the LAN. The only things I can think of are:

  1. if I wanted to have an internal device to display its IPv6 address publicly. But port forwarding should do the trick with an internal IPv4 address. And this is not my use case anyway.
  2. if someone was keen on getting rid of NAT. But I don’t think this does it, since LAN seems to be configured for both IPv4 and IPv6.

So I see very little benefit in enabling IPv6 on LAN, and a non-trivial complexity increase because of it.

Given my lack of experience, I assume there are good reasons that I am missing on why the OpenWrt community decided to make it the default. Can anyone let me know:

  1. what is the rationale for enabling IPv6 on LAN?
  2. is it reasonable in my case to disable IPv6 on LAN?
  3. what is the correct way to disable IPv6 on LAN?

For the WAN, I have the exact same questions:

  4. what is the rationale for enabling IPv6 on WAN?
  5. is it reasonable in my case to disable IPv6 on WAN?
  6. what is the correct way to disable IPv6 on WAN?

Thanks!

1 Like
5 Likes

Well, the IPv6 net consistently performs better for me, most likely since there are a whole lot fewer people using it. It's also a bit better on privacy as your clients (Windows in particular) will use different addresses and so it makes tracking you harder.

But it's also not complex. Don't let the complicated looking addresses fool you. Everything autoconfigures itself with no real effort required on your part.

Windows 10 and Linux distros ship out of the box with IPv6 enabled. It should just work with no effort on your part.

4 Likes

To disable IPv6 completely, in my opinion the only option is to compile from source and roll your own image. I wish this kind of build were available.

Disabling v6 is safe and will not break any application generally speaking.

Wow. I've just unchecked "Use builtin IPv6-management" on all interfaces, thinking that would disable IPv6. Turns out some of my devices have been on IPv6 for years, that's reassuring...

Were you happy with the answers? We saw no response. The short story is, there is no reason not to use IPv6. If you face any issue, we would love to help! Furthermore, the defaults in OpenWrt should do the trick automatically. If not, again, we would love to hear!

1 Like

So I have disabled IPv6 in the end. While I appreciate the advice was generally to enable it, I just found it easier to deal only with IPv4. In terms of setting up the firewall, IP, etc., it was just easier to deal only with one protocol.

It all worked fine. Thanks for all the help!

1 Like

How do you accomplish this?

1 Like

I removed the wan6 zone from the firewall configuration. Basically, I am not forwarding IPv6 packets in the network.

As already mentioned on the forum, there is a more elegant way to block IPv6 without disabling it at a system level (via sysctl) or by recompiling your image from source.

This is not a universal solution, of course, but in most cases this method eliminates the need to completely disable IPv6.

Just add the following traffic rules to /etc/config/firewall:
Note: These rules should be added prior to any other traffic rules!

config rule
	option	name		'[IPv6] [ANY] to [DEVICE] - ALL - DROP'
	option	family		'ipv6'
	option	src			'*'
	list	proto		'all'
	option	target		'DROP'
	option	enabled		'1'

config rule
	option	name		'[IPv6] [ANY] to [ANY] - ALL - DROP'
	option	family		'ipv6'
	option	src			'*'
	option	dest		'*'
	list	proto		'all'
	option	target		'DROP'
	option	enabled		'1'

Next, apply the new configuration by reloading the firewall:

/etc/init.d/firewall reload

Verify the results to ensure the created rules precede all other FW3-autogenerated chains (zone_xxx_input, zone_xxx_forward etc.):

ip6tables -nvL INPUT && ip6tables -vS INPUT
ip6tables -nvL FORWARD && ip6tables -vS FORWARD
2 Likes
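
The ordering requirement in the post above ("prior to any other traffic rules") can be checked in the config file itself before reloading. This is an added example, not part of the original thread: the helper name `ipv6_drop_first` and the sample configs are constructed for illustration, and it assumes the two rules are written with the same option values as in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Reads a firewall config in UCI syntax
# on stdin and returns 0 only if the first two "config rule" sections are the
# enabled IPv6 DROP rules from the post (one input rule without dest, one
# forward rule with dest '*'). ipv6_drop_first is a hypothetical helper name.
ipv6_drop_first() {
    awk -v q="'" '
    function endrule(  ok) {          # close the rule section being parsed
        if (!inrule) return
        inrule = 0; n++
        if (n > 2) return             # only the first two rules matter here
        ok = (fam == "ipv6" && tgt == "DROP" && src == "*" && proto == "all" && en != "0")
        if (!ok) bad = 1
        else if (dst == "") input = 1
        else if (dst == "*") forward = 1
    }
    $1 == "config" {
        endrule()
        if ($2 == "rule") { inrule = 1; fam = tgt = src = dst = proto = en = "" }
        next
    }
    inrule && ($1 == "option" || $1 == "list") {
        v = $3; gsub(q, "", v); gsub(/"/, "", v)   # strip UCI quoting
        if ($2 == "family") fam = v
        else if ($2 == "target") tgt = v
        else if ($2 == "src") src = v
        else if ($2 == "dest") dst = v
        else if ($2 == "proto") proto = v
        else if ($2 == "enabled") en = v
    }
    END { endrule(); exit !(n >= 2 && !bad && input && forward) }
    '
}

# Constructed sample data: drop_rules mirrors the post, other_rule is a stand-in.
drop_rule() {   # $1 = optional extra option line (printf escapes allowed)
    printf "config rule\n\toption family 'ipv6'\n\toption src '*'\n%b\tlist proto 'all'\n\toption target 'DROP'\n\toption enabled '1'\n\n" "$1"
}
drop_rules() { drop_rule ""; drop_rule "\toption dest '*'\n"; }
other_rule() { printf "config rule\n\toption src 'wan'\n\toption family 'ipv6'\n\tlist proto 'icmp'\n\toption target 'ACCEPT'\n\n"; }

{ drop_rules; other_rule; } | ipv6_drop_first && echo "IPv6 DROP rules come first"
{ other_rule; drop_rules; } | ipv6_drop_first || echo "IPv6 DROP rules are NOT first"
```

On a router it would be run as `ipv6_drop_first < /etc/config/firewall`. It only checks file order, so the `ip6tables` commands from the post are still what confirm the loaded ruleset.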

Another way is to make sure there's no IPv6 address anywhere:

root@WNDR4300-2:~# ip add | grep t6
root@WNDR4300-2:~#
1 Like

Ah thanks for that. I will revisit this when I have more time.
