Let me thank the entire OpenWrt community, including the management, developers, support staff and of course the forum members, for an outstanding job. Thank you for your hard work and dedication in making the networked world a much safer place for everyone.
I am new to OpenWrt and still learning. My ISP doesn’t support IPv6 and I would like to disable IPv6 entirely in OpenWrt 18.06.1 (stable). BTW, the device is a Ubiquiti Edgerouter-X (ER-X) with OpenWrt 18.06.1 r7258-5eb055306f / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152). There are numerous forum posts suggesting different ways to disable/remove IPv6 entirely from the router. Unfortunately, I am unable to disable IPv6 on the eth0 interface.
The following steps have already been implemented per older forum suggestions, with no success:->
#On Luci Web UI –
Network> Interfaces> {lan}> Edit> DHCP Server> IPv6 Settings>Router Advertisement-Service: disabled
DHCPv6-Service: disabled
NDP-Proxy: disabled
#Deleted the WAN6 default interface -
Network> Interfaces> WAN6: Delete
#Via CLI ( SSH) -
vi /etc/sysctl.conf #The following two lines have been commented out, and the 7 disable_ipv6 lines after them were added using the interface names seen in cat /etc/config/network
#net.ipv6.conf.default.forwarding=1
#net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
net.ipv6.conf.lan.disable_ipv6=1
net.ipv6.conf.lan_dev.disable_ipv6=1
net.ipv6.conf.wan.disable_ipv6=1
net.ipv6.conf.wan_dev.disable_ipv6=1
option ipv6 0 # added this option to the appropriate interface section in /etc/config/network to disable IPv6
#Via uci –
uci delete dhcp.lan.ra
uci delete dhcp.lan.dhcpv6
uci set firewall.@defaults[0].disable_ipv6=1
sed -i '/net.ipv6.conf.all.forwarding=1/a net.ipv6.conf.all.disable_ipv6=1' /etc/sysctl.conf
uci commit dhcp
uci commit firewall
#IPv6 ULA-Prefix removed
Network> Interfaces> IPv6 ULA-Prefix: blank
#Remove the IPv6 address and prefix from all interfaces
Network> Interfaces> Interface Overview> {lan}> Edit> Common Configuration> General Setup> Request IPv6-address: disabled
IPv6 assignment length: blank
IPv6 assignment hint: blank
IPv6 suffix: blank
Advanced Settings> Use builtin IPv6-management: Unchecked
#Test performed:-
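cat /proc/sys/net/ipv6/conf/all/forwarding # returns 0, which means IPv6 forwarding is off; whether IPv6 itself is disabled is reported by the disable_ipv6 keys (see the sysctl -a output below)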
cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ipv6 '0'
option delegate '0'
config device 'lan_dev'
option name 'eth0.1'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option delegate '0'
option macaddr 'xx:xx:xx:xx:xx:xx'
config device 'wan_dev'
option name 'eth0.2'
option macaddr 'xx:xx:xx:xx:xx:xx'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0 6t'
cat /etc/sysctl.conf
kernel.panic=3
kernel.core_pattern=/tmp/%e.%t.%p.%s.core
net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.igmp_max_memberships=100
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1
#net.ipv6.conf.default.forwarding=1
#net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
net.ipv6.conf.lan.disable_ipv6=1
net.ipv6.conf.lan_dev.disable_ipv6=1
net.ipv6.conf.wan.disable_ipv6=1
net.ipv6.conf.wan_dev.disable_ipv6=1
net.netfilter.nf_conntrack_acct=1
net.netfilter.nf_conntrack_checksum=0
net.netfilter.nf_conntrack_max=16384
net.netfilter.nf_conntrack_tcp_timeout_established=7440
net.netfilter.nf_conntrack_udp_timeout=60
net.netfilter.nf_conntrack_udp_timeout_stream=180
#disable bridge firewalling by default
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0
Finally:->
ifconfig -a
br-lan Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11444 errors:0 dropped:0 overruns:0 frame:0
TX packets:11781 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1223750 (1.1 MiB) TX bytes:1602206 (1.5 MiB)
eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet6 addr: fe80::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11444 errors:0 dropped:0 overruns:0 frame:0
TX packets:22699 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1429742 (1.3 MiB) TX bytes:5511049 (5.2 MiB)
Interrupt:10
eth0.1 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11444 errors:0 dropped:0 overruns:0 frame:0
TX packets:11781 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1223750 (1.1 MiB) TX bytes:1602206 (1.5 MiB)
eth0.2 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:10830 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:3703860 (3.5 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:26737 errors:0 dropped:0 overruns:0 frame:0
TX packets:26737 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:1745072 (1.6 MiB) TX bytes:1745072 (1.6 MiB)
root@LEDE:~# sysctl -a | grep disable_ipv6
sysctl: error reading key 'net.ipv6.conf.all.stable_secret': I/O error
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.br-lan.disable_ipv6 = 1
sysctl: error reading key 'net.ipv6.conf.br-lan.stable_secret': I/O error
net.ipv6.conf.default.disable_ipv6 = 1
sysctl: error reading key 'net.ipv6.conf.default.stable_secret': I/O error
net.ipv6.conf.eth0.disable_ipv6 = 0
sysctl: error reading key 'net.ipv6.conf.eth0.stable_secret': I/O error
net.ipv6.conf.eth0.1.disable_ipv6 = 1
sysctl: error reading key 'net.ipv6.conf.eth0.1.stable_secret': I/O error
net.ipv6.conf.eth0.2.disable_ipv6 = 1
sysctl: error reading key 'net.ipv6.conf.eth0.2.stable_secret': I/O error
net.ipv6.conf.lo.disable_ipv6 = 0
sysctl: error reading key 'net.ipv6.conf.lo.stable_secret': I/O error
root@LEDE:~# sysctl -p
kernel.panic = 3
kernel.core_pattern = /tmp/%e.%t.%p.%s.core
net.ipv4.conf.default.arp_ignore = 1
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.ip_forward = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.igmp_max_memberships = 100
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_dsack = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.netfilter.nf_conntrack_acct = 1
net.netfilter.nf_conntrack_checksum = 0
net.netfilter.nf_conntrack_max = 16384
net.netfilter.nf_conntrack_tcp_timeout_established = 7440
net.netfilter.nf_conntrack_udp_timeout = 60
net.netfilter.nf_conntrack_udp_timeout_stream = 180
sysctl: error: 'net.bridge.bridge-nf-call-arptables' is an unknown key
sysctl: error: 'net.bridge.bridge-nf-call-ip6tables' is an unknown key
sysctl: error: 'net.bridge.bridge-nf-call-iptables' is an unknown key
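However, ifconfig -a still returns an IPv6 address (masked) for the eth0 interface after performing all these steps and rebooting the router. In the sysctl -a output above, eth0 and lo still report disable_ipv6 = 0, and the sysctl -p output lists none of the disable_ipv6 lines; the entries added to /etc/sysctl.conf use the names lan, lan_dev, wan and wan_dev, whereas the keys reported by sysctl -a use the device names br-lan, eth0, eth0.1 and eth0.2. As I understand it, OpenWrt 17.01.4 is built with IPv6 enabled by default, so it may not be easy to disable IPv6 entirely without compiling from source without the IPv6 library (which is a difficult task for a noob). Let’s hope some tech guru has an answer for this challenging issue.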
Your technical help is greatly appreciated.
Disclaimer & rules for this post:
I am not yet comfortable compiling the code from source without the IPv6 library (I am still a noob and learning; maybe in the future, when I am comfortable with the source code compiler).
Please don’t waste our time discussing why to disable IPv6, what the benefits are, its future, etc.
Please keep this a core technical discussion about accomplishing the goal, how to disable IPv6 entirely in the 17.01.4 build, so that it is a really useful post for others looking for a solution.
How to disable IPv6 entirely in 17.01.4 build for Ubiquiti Edgerouter-X (ER-X)