Everything posted by fl4co

  1. Hello. I created an IKEv2 connection to a VPN service on my Keenetic router. I created a new connection policy and selected the VPN connection as the only connection for that policy. When I assign clients to the VPN policy, their IPv4 traffic is correctly routed via the VPN service. However, the IPv6 traffic keeps going through the main ISP, thus leaking my real IPv6 addresses. The only way to stop this is to disable IPv6 on every client when I assign them to the VPN policy, but this is annoying because I frequently move clients to and from the VPN policy. I guess maybe it's difficult to block the IPv6 traffic because SLAAC is stateless and the Keenetic router doesn't know which device has an IPv6, but maybe it's possible to track the MAC addresses?
  2. fl4co


    In their configuration page they just say this: IPoE IPv4/IPv6 protocol NAT: MAP-T Mapping of Address and Port, Translation mode (RFC7599). I will post more information when they make the switch or if they release new information.
  3. fl4co


    In my country, Italy, Sky (the satellite TV provider) became an ISP and started with a dual-stack network, but it's planning to switch to IPv6-only by the end of the year and you need a router supporting MAP-T to access their network. There is a fairly new law in Italy that allows a customer to use any router they want with their ISP, but as far as I know only the router provided by Sky, and OpenWrt, support MAP-T among consumer routers. It may be a good idea to support MAP-T since not many routers support it right now. Would Keenetic be interested in implementing MAP-T?
  4. Hello, I'd like to add new information regarding this issue. is a DNS server with EDNS Client Subnet. This feature might be the one causing problems. In fact, if I try a query with dig google.com +noedns I get a successful answer:

        ; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> google.com +noedns
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23119
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 1232
        ;; QUESTION SECTION:
        ;google.com. IN A

        ;; ANSWER SECTION:
        google.com. 211 IN A

        ;; Query time: 197 msec
        ;; SERVER:
        ;; WHEN: dom giu 06 11:34:05 CEST 2021
        ;; MSG SIZE rcvd: 55

     Maybe the DNS proxy has problems forwarding EDNS Client Subnet information?
  5. With Alpha 12 the new component is present on the Skipper.
  6. Italy. I think Skipper is the European name for the model KN-1910.
  7. Then I don't have it 🤷‍♀️
  8. I don't have it. Do I need to remove "traffic shaper" first?
  9. Hello, I'm in version 3.7 Alpha 11 but I can't find the component to install. I searched for "ntce" and "traffic analizer" but didn't find anything. What is the component called?
  10. Then it's not possible to have a DNS server in the LAN at the moment, when dual-stack is present 😞. As far as I know clients will prefer IPv6 and bypass the DNS server on the LAN. Should I open a thread in the feature request section?
  11. I use Pi-hole on my home network to block ads. All I had to do with IPv4 was set the DHCP server in my Keenetic device. I recently switched my ISP and they provide IPv6 connectivity. I managed to have IPv6 working, but now the router pushes via SLAAC its IPv6 address as DNS server to clients. So now my devices prefer IPv6 and reach to the router for DNS resolution, bypassing the Pi-hole on my home network. I tried to find an option to change the DNS server address pushed via SLAAC but couldn't find one. I saw that I can change SLAAC to DHCPv6 but I can't find where to set the options. Is it possible to change the DNS server pushed to IPv6 clients?
  12. I'm attaching the capture file. As you can see, the queries for google.com, facebook.com and twitter.com made with dig received REFUSED as a response. I have to point out that is the Keenetic's private IP address. capture-Bridge0-May 2 22-59-25.pcapng
  13. Hello, I have a problem with DNS over TLS that I can't debug. If I'm using server from Quad9, I receive this output from dig, on Mac and on Linux:

        └─$ dig cnn.com

        ; <<>> DiG 9.16.13-Debian <<>> cnn.com
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37374
        ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 4096
        ; COOKIE: 12882241105594ad (echoed)
        ;; QUESTION SECTION:
        ;cnn.com. IN A

        ;; Query time: 1040 msec
        ;; SERVER:
        ;; WHEN: gio apr 22 11:46:21 CEST 2021
        ;; MSG SIZE rcvd: 48

      host and nslookup work fine. Operating systems can resolve names (web browsers work), at least I tried a Mac and Linux with regular /etc/resolv.conf. However a Linux server with systemd-resolved can't resolve names when the upstream on the router is If I change to everything works fine. DoH works fine even for I tried a packet capture and it seems that queries don't go to the internet, it's the router that responds REFUSED to the local clients. Truncated output from "show dns-proxy":

        ...
        proxy-tls:
          server-tls:
            address:
            port:
            sni: dns11.quad9.net
            spki:
            interface:
          server-tls:
            address:
            port:
            sni: dns11.quad9.net
            spki:
            interface:
        ...

      Is this a bug? Why is it not working properly for just these two servers? I'd like to use these and not the regular Quad9 because they have EDNS Client Subnet.
  14. Hello, I'd like to request the following feature. When executing ip dhcp pool $POOL_NAME update-dns the Keenetic's DNS server will add a record for devices that are assigned an IP address via DHCP, so every device with a private IP in the LAN will have an A record with the hostname passed via DHCP. It would be great if the Keenetic could add a reverse DNS record, so that private IP addresses would be pointed to the DNS name. I'm asking this because I use Pi-Hole to block ads as my DNS server, but I'd like to keep using the Keenetic as a DHCP server. Doing this makes it impossible for Pi-Hole to display the clients' names. There is an option in Pi-Hole called "conditional forwarding" that solves this problem by making reverse DNS queries to the router in order to discover the clients' names, but as of now this doesn't work with the Keenetic because it does not respond to reverse DNS queries.
  15. Thank you for clearing this out. Now the wg interface doesn't do NAT anymore as I intended. What does doing no ip nat Home imply, anyway? If I create a L2TP VPN then I will have to manually add ip static Home <l2tp interface> to be able to access the Internet through the tunnel?
  16. Hello, I recently bought a Keenetic Skipper router and I’m very pleased with it. However, there is one problem I can’t seem to be able to fix: I set up a WireGuard connection but I can’t disable NAT translation on the interface. When I connect to a WireGuard peer from a device behind the Skipper, the peer always sees the connection originating from the Skipper’s WireGuard address and not from the actual device’s IP address. I tried entering the command “no ip nat Wireguard0” but it has no effect because I think that a NAT rule was not active on the interface to begin with. So how can I disable NAT on the WireGuard interface?