To IPv6 or not? That's my question!

Discussion in 'Tomato Firmware' started by Nazgulled, Apr 10, 2019.

  1. Nazgulled

    Nazgulled Serious Server Member

    As you may have noticed, I've been posting a few questions about some problems I was having while setting up a custom DNS Server (using AdGuard Home for ads and trackers blocking), and now I've run into another problem related to IPv6.

    A bit of context of my whole setup for this:
    • I have a Synology NAS running Docker.
    • I have a Docker container running AdGuard Home (the DNS Server).
    • I have two subnets, one is the main network the other is the guest network.
    • The guest network cannot access any client on the main network with the exception of the DNS Server and even for that, only port 53 is allowed.
    • The Synology NAS has an IP address of 192.168.0.99 (main network).
    • The DNS Server running in a Docker container has an IP address of 192.168.0.253 (main network).
    • The DNS Server Docker container has its own IP using the Docker MACVLAN network driver.
    • With Docker MACVLAN networks, the host (Synology NAS) cannot access the containers (DNS Server) and to get that working I have a MACVLAN interface in the host itself (based on this guide).
    • In my Tomato router dnsmasq configuration, I push the 192.168.0.253 DNS Server to all clients in both the main and guest networks.
    • I also have IPv6 properly configured on my Tomato router and my main Windows machine.
    • On my main Windows machine, the network connection is both configured with IPv4 and IPv6, using the AdGuard Home DNS Server for IPv4 but using my ISP's DNS Servers for IPv6.
    Now, what's my problem? Windows will pick either the IPv4 or IPv6 DNS Server and if I'm not mistaken will give priority to the IPv6 one, only using the IPv4 one if needed. This is a problem because for this particular Windows machine, the AdGuard Home DNS Server won't be used that much.

    Which brought me to the question, should I even be using IPv6 on my Tomato router and my Windows machine? Should I just disable IPv6 on the router and forget about this? Or should I take the time to configure my AdGuard Home container, MACVLAN networks, firewall rules and all that to work with IPv6 too? Do I have anything to gain from using IPv6?
     
  2. snowman58

    snowman58 Network Newbie Member

    Since all IPv4 addresses have been allocated, everyone is slowly migrating to IPv6, which has plenty of addresses available and allows the internet to function the way it was originally intended (no NAT): every device has a public address. You will eventually have to set it up for IPv6 as more companies migrate to it and away from IPv4. Eventually IPv4 will disappear and be fully replaced by IPv6. This will take years, possibly decades. Setting it up now makes sure you are ready in case the site you need happens to be IPv6-only.
     
  3. Nazgulled

    Nazgulled Serious Server Member

    Yep, I clearly see your point. But as I've found out recently, it seems my Synology NAS has some issues with Docker and IPv6; it doesn't seem to work :/
     
  4. RogueScholar

    RogueScholar Serious Server Member

    Pardon the presumption if it was simply an oversight, but you seem to have quite clearly identified the cause of your issue within your synopsis, perhaps without even realizing it.

    You mention having configured dnsmasq to announce your AdGuard Docker instance IPv4 address to all connected clients, but fail to mention doing so for its IPv6 address in tandem. The two protocols operate wholly independent of one another (the former via DHCP and the latter usually through RA), so unless you announce both addresses during the configuration handshake it's quite natural that exactly what you describe would occur: the AdGuard server only being used for IPv4 queries and the upstream ISP server handling the rest.

    I'm sure the syntax of the extra configuration strings for your dnsmasq.conf will even seem quite familiar. (Shown here as I have them in my own home network)

    Code:
    enable-ra
    ra-param=br*,high,120,240
    dhcp-option=option6:dns-server,[fd00::]

    The final segment, [fd00::], tells dnsmasq to determine the subnet's current ULA (Unique Local Address) and announce it as the IPv6 DNS server to clients, whatever it may be. It won't work unless you first add a ULA to your device's interfaces, but you can use [::] instead to substitute the router's ISP-assigned global address, or even [fe80::] which uses the router's link-local address, though it sounds like you'll be placing the full static IPv6 address of your AdGuard Docker instance there, considering your stated objective.

    The ra-param line specifies the interfaces which will be informed of the added IPv6 configuration information (br* signifying all local bridged interfaces), the priority relative to other available protocols (i.e. IPv4), the interval in seconds between the router's announcements, and finally the lifetime in minutes that clients should consider the address valid. Finally you'll need to find all existing lines in your dnsmasq.conf file that begin with "dhcp-range" and make certain they include one or both of the directives "ra-names" or "ra-stateless" to make the above configuration strings relevant to those existing subnets. All of this, of course, is described in exquisite detail at Simon Kelley's glorious man page for dnsmasq.

    After saving the extra strings to your custom dnsmasq configuration in the GUI and restarting your connecting devices you should see all DNS traffic flowing through AdGuard.
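
Added example, not part of the thread and not RogueScholar's own tooling: a small Python audit that reads a dnsmasq configuration and reports when a filtering DNS server is pushed over IPv4 while the IPv6 side is left to bypass it. The two sample configurations are constructed, the finding names are hypothetical, and treating a dhcp-range whose first address contains a colon as an IPv6 range is an assumption of this sketch.

```python
# Constructed dnsmasq fragments for illustration (not from the thread).
V4_ONLY = """\
dhcp-range=tag:br0,192.168.0.2,192.168.0.51,255.255.255.0,1440m
dhcp-range=::,constructor:br0,64,12h
dhcp-option=tag:br0,6,192.168.0.253
"""
DUAL_STACK = """\
dhcp-range=tag:br0,192.168.0.2,192.168.0.51,255.255.255.0,1440m
dhcp-range=::,constructor:br0,ra-stateless,ra-names,64,12h
dhcp-option=tag:br0,6,192.168.0.253
enable-ra
ra-param=br*,high,120,240
dhcp-option=option6:dns-server,[fd00::]
"""

RA_MODES = {"ra-names", "ra-stateless"}

def directives(conf):
    """Yield (key, args) per directive, dropping comments and tag:/set: prefixes."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition("=")
        args = [a.strip() for a in val.split(",") if a.strip()]
        yield key.strip(), [a for a in args if not a.startswith(("tag:", "set:"))]

def audit(conf):
    """Return sorted finding codes for an IPv6 path that bypasses the pushed DNS server."""
    v4_dns = v6_dns = ra = v6_range = False
    findings = set()
    for key, args in directives(conf):
        if key == "enable-ra":
            ra = True
        elif key == "dhcp-option" and args:
            v4_dns |= args[0] in ("6", "option:dns-server")   # DHCPv4 option 6
            v6_dns |= args[0] == "option6:dns-server"         # DHCPv6 / RA DNS
        elif key == "dhcp-range" and args and ":" in args[0]:  # assumed IPv6 range
            v6_range = True
            if not RA_MODES & set(args):
                findings.add("v6-range-without-ra-mode")
    if v4_dns and not v6_dns:
        findings.add("dns-pushed-on-ipv4-only")
    if (v6_range or v6_dns) and not ra:
        findings.add("enable-ra-missing")
    return sorted(findings)

if __name__ == "__main__":
    for name, conf in (("V4_ONLY", V4_ONLY), ("DUAL_STACK", DUAL_STACK)):
        print(name, audit(conf))
```

An empty result only says the configuration announces a DNS server on both protocols; whether the announced IPv6 address is actually the AdGuard Home instance still has to be confirmed on a client.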
     