How to disable IPv6 entirely in 18.06.1 build for Ubiquiti Edgerouter-X (ER-X)


#1

Let me thank the entire OpenWrt community, including management, developers, support staff and of course forum members, for an outstanding job. Thank you for your hard work and dedication to making the network world a much safer place for everyone.

I am new to OpenWrt and still learning. My ISP doesn’t support IPv6 and I would like to disable IPv6 entirely in OpenWrt 18.06.1 (stable). BTW, the device is a Ubiquiti Edgerouter-X (ER-X) with OpenWrt 18.06.1 r7258-5eb055306f / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152). There are numerous forum posts suggesting different ways to disable/remove IPv6 entirely from the router. Unfortunately I am unable to disable IPv6 on the eth0 interface.

The following steps have already been implemented per old forum suggestions, with no success:
#On Luci Web UI –
Network> Interfaces> {lan}> Edit> DHCP Server> IPv6 Settings>Router Advertisement-Service: disabled
DHCPv6-Service: disabled
NDP-Proxy: disabled
#Deleted the WAN6 default interface -
Network> Interfaces> WAN6: Delete

#Via CLI ( SSH) -
vi /etc/sysctl.conf #The following two lines have been commented out and the remaining 7 interface lines were added per the router's actual interfaces, viewed using cat /etc/config/network
#net.ipv6.conf.default.forwarding=1
#net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
net.ipv6.conf.lan.disable_ipv6=1
net.ipv6.conf.lan_dev.disable_ipv6=1
net.ipv6.conf.wan.disable_ipv6=1
net.ipv6.conf.wan_dev.disable_ipv6=1
option ipv6 0 # added this option in the appropriate interface to disable IPv6

#Via uci –
uci delete dhcp.lan.ra
uci delete dhcp.lan.dhcpv6
uci set firewall.@defaults[0].disable_ipv6=1
sed -i '/net.ipv6.conf.all.forwarding=1/a net.ipv6.conf.all.disable_ipv6=1' /etc/sysctl.conf
uci commit dhcp
uci commit firewall

#IPv6 ULA-Prefix removed
Network> Interfaces> IPv6 ULA-Prefix: blank

#Remove the IPv6 address and prefix from all interfaces
Network> Interfaces> Interface Overview> {lan}> Edit> Common Configuration> General Setup> Request IPv6-address: disabled
IPv6 assignment length: blank
IPv6 assignment hint: blank
IPv6 suffix: blank
Advanced Settings> Use builtin IPv6-management: Unchecked

#Test performed:-
cat /proc/sys/net/ipv6/conf/all/forwarding # return 0 means IPv6 is disabled

cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ipv6 '0'
        option delegate '0'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option delegate '0'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

cat /etc/sysctl.conf

kernel.panic=3
kernel.core_pattern=/tmp/%e.%t.%p.%s.core

net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.igmp_max_memberships=100
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1

#net.ipv6.conf.default.forwarding=1
#net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
net.ipv6.conf.lan.disable_ipv6=1
net.ipv6.conf.lan_dev.disable_ipv6=1
net.ipv6.conf.wan.disable_ipv6=1
net.ipv6.conf.wan_dev.disable_ipv6=1
net.netfilter.nf_conntrack_acct=1
net.netfilter.nf_conntrack_checksum=0
net.netfilter.nf_conntrack_max=16384
net.netfilter.nf_conntrack_tcp_timeout_established=7440
net.netfilter.nf_conntrack_udp_timeout=60
net.netfilter.nf_conntrack_udp_timeout_stream=180

#disable bridge firewalling by default
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0

Finally:->
ifconfig -a

br-lan    Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11444 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11781 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1223750 (1.1 MiB)  TX bytes:1602206 (1.5 MiB)

eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet6 addr: fe80::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11444 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22699 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1429742 (1.3 MiB)  TX bytes:5511049 (5.2 MiB)
          Interrupt:10

eth0.1    Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11444 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11781 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1223750 (1.1 MiB)  TX bytes:1602206 (1.5 MiB)

eth0.2    Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10830 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:3703860 (3.5 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:26737 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26737 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:1745072 (1.6 MiB)  TX bytes:1745072 (1.6 MiB)

root@LEDE:~# sysctl -a | grep disable_ipv6
sysctl: error reading key 'net.ipv6.conf.all.stable_secret': I/O error
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.br-lan.disable_ipv6 = 1
sysctl: error reading key 'net.ipv6.conf.br-lan.stable_secret': I/O error
net.ipv6.conf.default.disable_ipv6 = 1
sysctl: error reading key 'net.ipv6.conf.default.stable_secret': I/O error
net.ipv6.conf.eth0.disable_ipv6 = 0
sysctl: error reading key 'net.ipv6.conf.eth0.stable_secret': I/O error
net.ipv6.conf.eth0.1.disable_ipv6 = 1
sysctl: error reading key 'net.ipv6.conf.eth0.1.stable_secret': I/O error
net.ipv6.conf.eth0.2.disable_ipv6 = 1
sysctl: error reading key 'net.ipv6.conf.eth0.2.stable_secret': I/O error
net.ipv6.conf.lo.disable_ipv6 = 0
sysctl: error reading key 'net.ipv6.conf.lo.stable_secret': I/O error

root@LEDE:~# sysctl -p
kernel.panic = 3
kernel.core_pattern = /tmp/%e.%t.%p.%s.core
net.ipv4.conf.default.arp_ignore = 1
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.ip_forward = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.igmp_max_memberships = 100
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_dsack = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.netfilter.nf_conntrack_acct = 1
net.netfilter.nf_conntrack_checksum = 0
net.netfilter.nf_conntrack_max = 16384
net.netfilter.nf_conntrack_tcp_timeout_established = 7440
net.netfilter.nf_conntrack_udp_timeout = 60
net.netfilter.nf_conntrack_udp_timeout_stream = 180
sysctl: error: 'net.bridge.bridge-nf-call-arptables' is an unknown key
sysctl: error: 'net.bridge.bridge-nf-call-ip6tables' is an unknown key
sysctl: error: 'net.bridge.bridge-nf-call-iptables' is an unknown key

However, ifconfig -a still returns an IPv6 address (masked) for the eth0 interface after performing all these steps and rebooting the router. As I understand it, OpenWrt 17.01.4 is built with IPv6 enabled by default, so it may not be easy to disable IPv6 entirely without compiling from source without the IPv6 library (which is a difficult task for a noob). Let’s hope some tech guru has an answer for this challenging issue.

Your technical help is greatly appreciated.

Disclaimer & rules for this post:
I am not comfortable yet compiling the code from source without an IPv6 library (still a noob and learning; maybe in the future, when I am comfortable with the source code compiler).
Please don’t waste our time discussing why to disable IPv6, what the benefits are, whether it’s the future, etc.
Please keep this a core technical discussion about accomplishing the goal, how to disable IPv6 entirely from the 17.01.4 build, and a really useful post for others looking for a solution.


#2

#3

mbo2o, thank you so much for the quick and detailed response. Much appreciated! Sorry, I forgot to mention that I have already removed the following (I updated my original post as well):

#Removed IPv6 ULA-Prefix
Network> Interfaces> IPv6 ULA-Prefix: blank

#Remove the IPv6 address and prefix from all interfaces
Network> Interfaces> Interface Overview> {lan}> Edit> Common Configuration> General Setup> Request IPv6-address: disabled
IPv6 assignment length: blank
IPv6 assignment hint: blank
IPv6 suffix: blank
Advanced Settings> Use builtin IPv6-management: Unchecked

I believe I have also done these three steps. However, I want to ensure that they have been done the correct way. Would you please provide CLI commands for all three steps you mentioned earlier?
#Remove the IPv6 address and prefix from all interfaces
#Disable RA/DHCPv6 on all Interfaces
#You can also disable IPv6 routing in sysctl.conf

Here is my configuration files output:->
cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ipv6 '0'
        option delegate '0'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '78:8a:20:0b:1c:b6'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option delegate '0'
        option macaddr '44:D9:E7:7A:7D:AF'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr '44:D9:E7:7A:7D:AF'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

cat /etc/sysctl.conf

kernel.panic=3
kernel.core_pattern=/tmp/%e.%t.%p.%s.core

net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.igmp_max_memberships=100
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1

#net.ipv6.conf.default.forwarding=1
#net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
net.ipv6.conf.lan.disable_ipv6=1
net.ipv6.conf.lan_dev.disable_ipv6=1
net.ipv6.conf.wan.disable_ipv6=1
net.ipv6.conf.wan_dev.disable_ipv6=1
net.netfilter.nf_conntrack_acct=1
net.netfilter.nf_conntrack_checksum=0
net.netfilter.nf_conntrack_max=16384
net.netfilter.nf_conntrack_tcp_timeout_established=7440
net.netfilter.nf_conntrack_udp_timeout=60
net.netfilter.nf_conntrack_udp_timeout_stream=180

#disable bridge firewalling by default
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0

Finally:->
ifconfig -a

br-lan    Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11444 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11781 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1223750 (1.1 MiB)  TX bytes:1602206 (1.5 MiB)

eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet6 addr: fe80::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11444 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22699 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1429742 (1.3 MiB)  TX bytes:5511049 (5.2 MiB)
          Interrupt:10

eth0.1    Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11444 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11781 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1223750 (1.1 MiB)  TX bytes:1602206 (1.5 MiB)

eth0.2    Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10830 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:3703860 (3.5 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:26737 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26737 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:1745072 (1.6 MiB)  TX bytes:1745072 (1.6 MiB)

As you can see, the eth0 interface still has an IPv6 address present (masked here). How should IPv6 on eth0 be disabled?


#4

I am hoping to hear from an expert, guru, OpenWrt architect, developer, maintainer or QA with a solution to disable IPv6 100% in OpenWrt firmware.
So far I have had no success; as you can see here, IPv6 is still present after following all the suggestions / recommendations.
Is it even possible to disable/remove IPv6 100% from OpenWrt?

As you can see here, IPv6 is still present:
#ifconfig -a
eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet6 addr: fe80::xxxx:xxxx:xxxx:xxxx/64 Scope:Link

Have a good day!


#5

I think those are the right sysctls to use. Have you actually seen that they are set in the kernel?

Try:

sysctl -a | grep disable_ipv6

If not, after putting them in /etc/sysctl.conf, reboot and see if they are applied?


#6

I'd say that this isn't considered to be a supported configuration anymore. You'll likely have the most success with building custom images and globally disabled IPv6 capability.


#7

Hello dlakelan,
Thank you for shedding some light of hope. Much appreciated!
After rebooting the router many times, the following are the results:

sysctl -a | grep disable_ipv6

sysctl: error reading key 'net.ipv6.conf.all.stable_secret': I/O error
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.br-lan.disable_ipv6 = 1
sysctl: error reading key 'net.ipv6.conf.br-lan.stable_secret': I/O error
net.ipv6.conf.default.disable_ipv6 = 1
sysctl: error reading key 'net.ipv6.conf.default.stable_secret': I/O error
net.ipv6.conf.eth0.disable_ipv6 = 0
sysctl: error reading key 'net.ipv6.conf.eth0.stable_secret': I/O error
net.ipv6.conf.eth0.1.disable_ipv6 = 1
sysctl: error reading key 'net.ipv6.conf.eth0.1.stable_secret': I/O error
net.ipv6.conf.eth0.2.disable_ipv6 = 1
sysctl: error reading key 'net.ipv6.conf.eth0.2.stable_secret': I/O error
net.ipv6.conf.lo.disable_ipv6 = 0
sysctl: error reading key 'net.ipv6.conf.lo.stable_secret': I/O error

Looks like disable_ipv6 has been set and persists in the sysctl file after reboot. But no luck either.
Anything else I should try?

eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet6 fe80::xxxx:xxxx:xxxx/64 scope link
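
The check suggested in post #5, applied to the outputs posted in this thread, as an added example that is not part of any forum post: it lists the interfaces the kernel still reports with disable_ipv6 other than 1, and flags sysctl.conf entries that have no matching kernel key or a different runtime value. The function names are illustrative, and the sample data is copied from the posts above.

```shell
# Added example: compare disable_ipv6 lines in sysctl.conf with the running kernel.
# Both samples are copied from the outputs posted in this thread.
RUNTIME="sysctl: error reading key 'net.ipv6.conf.all.stable_secret': I/O error
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.br-lan.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 0
net.ipv6.conf.eth0.1.disable_ipv6 = 1
net.ipv6.conf.eth0.2.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 0"
CONF='#net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
net.ipv6.conf.lan.disable_ipv6=1
net.ipv6.conf.lan_dev.disable_ipv6=1
net.ipv6.conf.wan.disable_ipv6=1
net.ipv6.conf.wan_dev.disable_ipv6=1'

# Print "<interface> <value>" for each disable_ipv6 key. Accepts "k=v" and
# "k = v", skips comments and sysctl error lines, keeps dotted names (eth0.1).
parse_disable_ipv6() {
    awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*net\.ipv6\.conf\..+\.disable_ipv6[ \t]*$/ {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            sub(/^net\.ipv6\.conf\./, "", k); sub(/\.disable_ipv6$/, "", k)
            print k, v
        }'
}

# Interfaces the kernel reports with disable_ipv6 other than 1 (reads stdin).
still_enabled() {
    parse_disable_ipv6 |
        awk '$2 != "1" { out = out (out ? " " : "") $1 } END { print out }'
}

# Besides all and default, the kernel exposes net.ipv6.conf.<device> only for
# existing network devices, so a conf entry under any other name matches
# nothing. $1 = conf text, $2 = runtime text.
conf_problems() {
    rt=$(printf '%s\n' "$2" | parse_disable_ipv6)
    printf '%s\n' "$1" | parse_disable_ipv6 | while read -r ifc want; do
        have=$(printf '%s\n' "$rt" | awk -v i="$ifc" '$1 == i { print $2 }')
        if [ -z "$have" ]; then
            echo "$ifc: no matching kernel key"
        elif [ "$have" != "$want" ]; then
            echo "$ifc: conf=$want kernel=$have"
        fi
    done
}

printf 'still enabled: %s\n' "$(printf '%s\n' "$RUNTIME" | still_enabled)"
conf_problems "$CONF" "$RUNTIME"
```

On the router itself, the output of `sysctl -a 2>/dev/null` and the contents of /etc/sysctl.conf can be passed to the same functions in place of the embedded samples.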

#8

Jow, thank you for answering my million $ question. That’s my end goal, to compile the code without IPv6 dependencies. I am taking baby steps to learn OpenWrt first; the next step is a build environment to compile the code, and ultimately to contribute and support the community as well. But right now I am looking for a solution to remove/disable IPv6 to start with.


#9

It’s been a while; just checking whether anyone has found a solution to disable IPv6 entirely in OpenWRT 18.06.1.


#11

There are settings when compiling your own firmware to disable IPv6 support. I think you may also have to edit the kernel configuration to disable any in kernel IPv6 support.

Please note, this still won't stop anyone from using, say, Teredo, or any other VPN from using IPv6 in your network. You'll also want to disable IPv6 on any hosts etc. if you are going this far. Still, it's going to be on your network somewhere. From my point of view as a person who does not have native IPv6 from my ISP as of yet, keep IPv6, and start using/learning it within your own network for now.


#12

IPv6 is currently broken on builds for the ER-X and other MT76 devices since mid 2018. Flash the latest 18.06.2 release and you'll achieve your goal of a build with disabled IPv6. https://bugs.openwrt.org/index.php?do=details&task_id=1763