I use openWrt on a router, in a straightforward router mode (behind ISP’s modem in bridge mode).
It seems that by default openWrt enables IPv4 and IPv6 for both WAN and LAN. I know very little on the subject, so I wanted to run a few questions by you guys before I do something stupid with my config.
I feel IPv6 on LAN complicates the configuration, and I see very little benefit to it. I was thinking of disabling it to simplify, and was trying to think through what advantage I would give up in doing so.
On the LAN, I will clearly never reach the limit on IPv4 addresses, so I do not see much benefit in enabling IPv6 on the LAN. The only things I can think of, is:
if I wanted to have an internal device to display its IPv6 address publicly. But port forwarding should do the trick with an internal IPv4 address. And this is not my use case anyway.
if someone was keen on getting rid of NAT. But I don’t think this does it, since LAN seems to be configured for both IPv4 and IPv6.
So I see very little benefits in enabling IPv6 on LAN, and non-trivial complexity increase because of it.
Given my lack of experience, I assume there are good reasons that I am missing on why the openWrt community decided to make it the default. Can anyone let me know:
what is the rational for enabling IPv6 on LAN?
is it reasonable in my case to disable IPv6 on LAN?
what is the correct way to disable IPv6 on LAN?
For the WAN, i have the exact same questions:
4) what is the rational for enabling IPv6 on WAN?
5) is it reasonable in my case to disable IPv6 on WAN?
6) what is the correct way to disable IPv6 on WAN?
Well, the IPv6 net consistently performs better for me, most likely since there are a whole lot less people using it. It's also a bit better on privacy as your clients (Windows in particular) will use different addresses and so it makes tracking you harder
But it's also not complex. Don't let the complicated looking addresses fool you. Everything autoconfigures itself with no real effort required on your part.
Windows 10 and Linux distros ship out the box with ipv6 enabled. It should just work with no effort on your part.
Wow. I've just unchecked "Use builtin IPv6-management" on all interfaces, thinking that would disable IPv6. Turns out some of my devices have been on IPv6 for years, that's reassuring...
Were you happy with the answers because we saw no response? The short story is, there is no reason not to use IPv6. If you face any issue, we love to help! Furthermore, the defaults in OpenWrt should do the trick automatically. If not, again, we love to hear!
So I have disabled IPv6 in the end. While I appreciate the advice was generally to enable it, I just found it easier to deal only with IPv4. In terms of setting firewall, IP, etc it was just easier to deal only with one protocol.
As already mentioned on the Forum there is a more elegant way to block IPv6 without disabling it at a system level (via sysctl) or by recompiling your image from source.
This is not a universal solution, of course, but in most cases this method eliminates the need to completely disable IPv6.
Just add the following traffic rules to the /etc/config/firewall:
Note: These rules should be added prior to any other traffic rules!
config rule
option name '[IPv6] [ANY] to [DEVICE] - ALL - DROP'
option family 'ipv6'
option src '*'
list proto 'all'
option target 'DROP'
option enabled '1'
config rule
option name '[IPv6] [ANY] to [ANY] - ALL - DROP'
option family 'ipv6'
option src '*'
option dest '*'
list proto 'all'
option target 'DROP'
option enabled '1'
Next apply new configuration by reloading firewall:
/etc/init.d/firewall reload
Verify results to ensure the created rules are prepending all other FW3-autogenerated chains (zone_xxx_input, zone_xxx_forward etc.):