Le ecureuil

1 - непонятно, но выясним 2 - вообще никак не связано, я имел в виду только запись в логе. Насчет тормозов нужно отдельно в поддержке разбираться.

Это скорее просто запись в логе о том, что компонента нет. Приложение это понимает, но в логе уже написано.

Можете просто доустановить компонент "Шейпер" и все само починится.

Конкретно про эту ошибку запишем, но это связано с мобильным приложением скорее. На тему зависания луше в поддержку.

Думаю что не хуже ku_ra

Эти чипы с 2015 не выпускаются, найти их - дело сложное. Лучше сперва полный сброс попробуйте, если не поможет, то значит все.

С версией 3.6 лучше в поддержку.

>> Packets with those addresses are not forwarded by routers. (ц)

Согласно официальному roadmap обещают 2.6 alpha к "End of December 2021": https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn26 Ждем с нетерпением.

I see no objections to do that. Probably UDP/500 and UDP/4500 should be excluded from DMZ, but worth to try.

Надо пытать ростелеком на тему "что там за галка была раньше магическая".

Так все от клиента зависит. Сервер ему предлагает TS с 0.0.0.0/0, а дальше как захочет.

Вообще такое может быть, это особенность работы IPsec. Но сильно зависит от реализации на клиенте.

It has some drawbacks, of course, but in the world of dynamic and multiple addresses it's the easiest way for user to open port without messing with static ip.

1 и 2 на роутере устроены внутри абсолютно одинаково, разница только в способе согласования ключей. Потому разницу в работе нужно адресовать производителям телефона, если она вас беспокоит. По поводу wg - это реально непонятная история, скорее всего трафик идет "мимо".

It's possible and works as expected. You need two rules: one per device mac.

We will pin in to feature request.

Input interface is set here as incoming direction for applying rules, no address from this interface will be used. Suppose you have ISP with addr 2::100, ISP2 with addr 3::100 and host in LAN with addrs 2::1 and 3::2. so after cmd ipv6 static tcpudp ISP <mac> 80 you will be able to get access from the internet to [2::1]:80 when connection comes from ISP. When connection comes from ISP2 it will be rejected, the separate rule is needed to allow traffic from ISP2. Just notice, that ISP and it's address 2::100 is never used.

Думаю надо не сюда, а в поддержку писать.

Yes, you can. 'ipv6 stati'c doesn't perform any type of NAT/PAT, it is just about opening ports. So if your PC1 has addrs 2::1 and 3::1, and PC2 has addrs 2::2 and 3::2, you can host different services on PC1 on addresses 2::1 and 3::1, and access from Internet to [2::1]:80 an to [3::1]:80 will not be mixed, but delivered properly. Moreover, you can host another two services on PC2 on 2::2 and 3::2, and access to [2::2]:80 and [3::2]:80 will not be interleaved or confused with access to [2::1]:80 or [3::1]:80. All four {ip,port} combinations will be available from Internet directly without NAT or port forward.

Did you tried to connect to all IPv6 addresses on host from Internet? As far as I know port is forwarded for all addresses, so multiple connections are well supported.

We have plans for major update of NextDNS support in 3.8, so stay tuned and thanks for reports.

Right now IPv6 doesn't compatbile with policy routing. We know the issue and have plans to resolve it. You can vote for it by creation of ticket in official support.

Syslog sender in fw works on very low level and cannot resolve domain names when it starts (It's even connectionless, so UDP messages are being sent without knowlege of running interafces and availability of network addresses and connection). It is the known limitation, and we plan to resolve it in future. You can vote for it by creation of ticket in official support.

Any recognised IPv6 address on device will be forwarded, that's the reason to use MAC in command instead of explicit IPv6 address. By the way, IPv6 privacy extensions can be enabled on device, so effective IPv6 address will be changed every 3/6/12 hours by random. Router tracks current set of available IPv6 addresses for every host and update translation table automatically. Forward will be performed at L3, so there is no reason to worry about possible L2 leaks.