
[For PowerUsers] IPv6 via non-Google router as a way to "bypass" Google Wifi DHCP

jmsgomes
Community Member

Disclaimer: This is not intended for casual users, but could potentially be helpful for power users seeking to (semi-)bypass Google Wifi's DHCP service (since it cannot be disabled).

Hi! I've recently been able to "bypass" Google Wifi DHCP in an unorthodox way and was wondering if others have tried or what others might think of this.

An essential premise is that devices will prefer IPv6 connections over IPv4 - this seems to be true for the devices I have on my network (or, at least, for the ones where I care), but RFC 3484 doesn't exactly promise that...

In broad strokes, the setup is:

  • I have a Ubiquiti EdgeRouter (ER) connected to the internet (modem). The Google Wifi's WAN interface is connected to the ER so Google Wifi can get to the Internet (yes, this is technically double-NAT'd, so do your homework before trying this yourself).
  • In the Google Home app, the Google Wifi's IPv6 setting is disabled.
  • Instead, for IPv6 services, the LAN subnet of the Google Wifi devices is also connected to the ER on a different L2 network than the WAN interface of the Google Wifi. VLANs are handy here.
  • IPv6 has been enabled on the ER, with all the proper IPv6 firewall rules in place. IMPORTANT: Without proper firewall rules, enabling IPv6 will likely expose your devices to the internet!
  • The ER is connected to the modem and configured to get an IPv6 address (autoconf) and a non-/64 IPv6 subnet from my ISP and, in turn, via pd (prefix delegation), offers IPv6 /64 SLAAC on the LAN interface.
  • dnsmasq is configured as a forwarding server with IPv6 addresses for public DNS servers (such as Cloudflare or Google DNS) and advertises itself using dhcp-option=option6:dns-server,[::] and dhcp-range=::,constructor:<your_lan_interface>,ra-stateless,ra-names
  • Optional "Privacy Theatre": On the ER's WAN interface, I disabled my ISP's DNS servers from being advertised by setting no-dns in pd and setting dhcp-option name-server no-update. I suppose that, for even more privacy, one ought to use DNS-over-TLS et al, VPNs, etc.

(If not enough of this makes sense to you, I also knew little about IPv6 but I learned a lot from blogs and forum posts like this one.)

My current end result: Devices on the Google Wifi LAN use the routing/DNS/etc. advertised via IPv6 from my EdgeRouter instead of the routing/DNS/etc. advertised via IPv4 from my Google Wifi.

WIN?

What I haven't tried and should probably try at some point: 1) **bleep** open a hole in the firewall rules to one or more devices that I'd like to expose to the internet and try connecting to them from an external network... 2) Try to "break stuff" and see what happens, especially in terms of security

I hope this is helpful to others and/or leads to a helpful discussion 🙂
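
Added example (not part of the original post, and not Ubiquiti tooling): a Python check for the firewall warning in the post above. It reads text in the style of EdgeOS `show configuration commands` and reports whether the WAN interface has IPv6 rulesets attached in both the `in` and `local` directions, each with an explicit `default-action drop` and no match-free accept rule. The WAN interface name `eth0`, the ruleset names and both sample configurations are constructed assumptions; a WAN on PPPoE or a VLAN sub-interface would need a different interface pattern.

```python
import re

# Constructed samples in the style of EdgeOS `show configuration commands`.
# WAN on eth0 and the ruleset names are assumptions made for this example.
GOOD = """\
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
"""
BAD = """\
set firewall ipv6-name WANv6_LOCAL default-action accept
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
"""

def audit_wan_ipv6(config, wan):
    """Return findings for the WAN interface; an empty list means no finding."""
    default = dict(re.findall(
        r"^set firewall ipv6-name (\S+) default-action (\S+)$", config, re.M))
    bound = dict(re.findall(
        rf"^set interfaces ethernet {re.escape(wan)} firewall (in|local) "
        r"ipv6-name (\S+)$", config, re.M))
    # Map (ruleset, rule number) -> configured keys such as action/state.
    rules = {}
    for rs, num, key, rest in re.findall(
            r"^set firewall ipv6-name (\S+) rule (\d+) (\S+) ?(.*)$", config, re.M):
        rules.setdefault((rs, num), {})[key] = rest
    findings = []
    for direction in ("in", "local"):
        name = bound.get(direction)
        if name is None:
            findings.append(f"{wan} {direction}: no ipv6-name ruleset attached")
            continue
        if default.get(name) != "drop":
            findings.append(f"{name}: default-action is not explicitly 'drop'")
        for (rs, num), keys in sorted(rules.items()):
            # Only `action accept`, with no state/protocol/address match,
            # admits every packet that reaches the rule.
            bare = not set(keys) - {"action", "description", "log"}
            if rs == name and keys.get("action") == "accept" and bare:
                findings.append(f"{name} rule {num}: accepts all traffic")
    return findings

if __name__ == "__main__":
    print(audit_wan_ipv6(GOOD, "eth0"), audit_wan_ipv6(BAD, "eth0"))
```

The `in` direction covers traffic forwarded to LAN devices holding global IPv6 addresses, and `local` covers traffic addressed to the router itself, so a missing ruleset in either direction is reported separately.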

3 REPLIES

MichaelP
Diamond Product Expert

Hello @jmsgomes 

This is really interesting. I think the key to making this work is to make sure that other network is only providing IPv6 connectivity and not IPv4. Otherwise you'd be bridging your internal and external IPv4 networks across a NAT, which would cause some really unpleasant behavior. But, I can see what you've done, and while I definitely wouldn't recommend it to anyone who doesn't fully grok what's going on here, I commend you for your determination. I'm just using Google WiFi with IPv6 directly connected to my cable modem, and while it wasn't entirely smooth sailing to start with, it's been quite reliable for a long time now.

I wonder if it would be possible to configure your ER to delegate a longer IPv6 prefix to Google WiFi instead of this, but I would hate to see you tear all this down just to try something like that.

The only "clever" thing I've done is run a couple instances of cloudflared on two separate Raspberry Pi units to do all of my DNS resolution via DNS-over-HTTPS. I just configured my Google WiFi to use their IP addresses (v4 and v6) as the custom DNS server addresses.

Jeff
Community Specialist

Hey, szhu25.

Thanks for coming back and letting us know what worked for you! That's always going to be a big help for others who are dealing with the same issue and searching online for an answer. The process is quite technical, so this is great to have archived here on the forums.

As we have this one resolved, I'm going to go ahead and close the thread. If you need anything else going forward, please feel free to open a new discussion.

Thanks.

szhu25
Community Member

I just tried this and it works! (I'm using UDM-Pro + Google Wifi 2 pack mesh)

Thank you so much for writing this up.

Breakdown of this:
1. Connect your Google Wifi's WAN to a Ubiquiti product. Make sure they have an internet connection.
2. Disable Google Wifi's IPv6 (toggle off in the Google Home app)
3. Create a new VLAN on UniFi Network. Set the VLAN to not advertise DHCP for IPv4 (DHCP Mode to none) and IPv6 Interface Type to Prefix Delegation. Enable all sorts of things on IPv6 in the VLAN settings.
4. Find an empty port on the Ubiquiti switch and change the port VLAN in the app to make sure it only uses the VLAN you just created.
5. Connect Google Wifi's LAN port to the Ubiquiti port (the one you modified in step 4)
6. Restart Google Wifi network

P.S. After this, IPv6 works and now I need to find a way to also redirect IPv6 DNS traffic to my local DNS servers.