fl4co

Forum Members
  • Posts: 19
  • Equipment: Keenetic Skipper

Community Answers

  1. Hello. I created an IKEv2 connection to a VPN service on my Keenetic router. I created a new connection policy and selected the VPN connection as the only connection for that policy. When I assign clients to the VPN policy, their IPv4 traffic is correctly routed via the VPN service. However, the IPv6 traffic keeps going through the main ISP, thus leaking my real IPv6 addresses. The only way to stop this is to disable IPv6 on every client when I assign them to the VPN policy, but this is annoying because I frequently move clients to and from the VPN policy. I guess maybe it's difficult to block the IPv6 traffic because SLAAC is stateless and the Keenetic router doesn't know which device has an IPv6, but maybe it's possible to track the MAC addresses?
  2. fl4co

    MAP-T

    In their configuration page they just say this:

        IPoE IPv4/IPv6 protocol NAT: MAP-T Mapping of Address and Port, Translation mode (RFC7599)

    I will post more information when they make the switch or if they release new information.
  3. fl4co

    MAP-T

    In my country, Italy, Sky (the satellite TV provider) became an ISP and started with a dual-stack network, but it's planning to switch to IPv6-only by the end of the year and you need a router supporting MAP-T to access their network. There is a fairly new law in Italy that allows a customer to use any router they want with their ISP, but as far as I know only the router provided by Sky, and OpenWrt, support MAP-T among consumer routers. It may be a good idea to support MAP-T since not many routers support it right now. Would Keenetic be interested in implementing MAP-T?
  4. Hello, I'd like to add new information regarding this issue. 9.9.9.11 is a DNS server with EDNS Client Subnet. This feature might be the one causing problems. In fact, if I try a query with dig google.com +noedns I get a successful answer:

        ; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> google.com +noedns
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23119
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 1232
        ;; QUESTION SECTION:
        ;google.com. IN A
        ;; ANSWER SECTION:
        google.com. 211 IN A 142.250.180.142
        ;; Query time: 197 msec
        ;; SERVER: 10.88.0.1#53(10.88.0.1)
        ;; WHEN: dom giu 06 11:34:05 CEST 2021
        ;; MSG SIZE rcvd: 55

    Maybe the DNS proxy has problems forwarding EDNS Client Subnet information?
  5. With Alpha 12 the new component is present on the Skipper.
  6. Italy. I think Skipper is the European name for the model KN-1910.
  7. Then I don't have it 🤷‍♀️
  8. I don't have it. Do I need to remove "traffic shaper" first?
  9. Hello, I'm in version 3.7 Alpha 11 but I can't find the component to install. I searched for "ntce" and "traffic analizer" but didn't find anything. What is the component called?
  10. Then it's not possible to have a DNS server in the LAN at the moment, when dual-stack is present 😞. As far as I know clients will prefer IPv6 and bypass the DNS server on the LAN. Should I open a thread in the feature request section?
  11. I use Pi-hole on my home network to block ads. All I had to do with IPv4 was set the DHCP server in my Keenetic device. I recently switched my ISP and they provide IPv6 connectivity. I managed to have IPv6 working, but now the router pushes via SLAAC its IPv6 address as DNS server to clients. So now my devices prefer IPv6 and reach to the router for DNS resolution, bypassing the Pi-hole on my home network. I tried to find an option to change the DNS server address pushed via SLAAC but couldn't find one. I saw that I can change SLAAC to DHCPv6 but I can't find where to set the options. Is it possible to change the DNS server pushed to IPv6 clients?
  12. I'm attaching the capture file, as you can see the queries for google.com, facebook.com and twitter.com made with dig received REFUSED as a response. I have to point out that 10.88.0.1 is the Keenetic's private IP address. capture-Bridge0-May 2 22-59-25.pcapng
  13. Hello, I have a problem with DNS over TLS that I can't debug. If I'm using 9.9.9.11 server from Quad9, I receive this output from dig, on Mac and on Linux:

        └─$ dig cnn.com
        ; <<>> DiG 9.16.13-Debian <<>> cnn.com
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37374
        ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 4096
        ; COOKIE: 12882241105594ad (echoed)
        ;; QUESTION SECTION:
        ;cnn.com. IN A
        ;; Query time: 1040 msec
        ;; SERVER: 10.88.0.2#53(10.88.0.2)
        ;; WHEN: gio apr 22 11:46:21 CEST 2021
        ;; MSG SIZE rcvd: 48

    host and nslookup work fine. Operating systems can resolve names (web browsers work), at least I tried a Mac and Linux with regular /etc/resolv.conf. However a Linux server with systemd-resolved can't resolve names when the upstream on the router is 9.9.9.11. If I change to 9.9.9.9 everything works fine. DoH works fine even for 9.9.9.11. I tried a packet capture and it seems that queries don't go to the internet, it's the router that responds REFUSED to the local clients. Truncated output from "show dns-proxy":

        ...
        proxy-tls:
            server-tls:
                address: 9.9.9.11
                port:
                sni: dns11.quad9.net
                spki:
                interface:
            server-tls:
                address: 149.112.112.11
                port:
                sni: dns11.quad9.net
                spki:
                interface:
        ...

    Is this a bug? Why is it not working properly for just these two servers? I'd like to use these and not the regular Quad9 because they have EDNS Client Subnet.