Flint 2 (GL-MT6000) VPN Policy Base on the Client Device - IPv4 vs. IPv6

Hello people,

I received my Flint 2 (GL-MT6000) last week and I finally found the time to set it up.

No issues there. Adguard Home working as intended.

Now I tried to configure the VPN Client (Mullvad) on the router, which seemed pretty straightforward as it is already preset in the router. The VPN works and all traffic is routed through Mullvad (WireGuard). Both IPv4 and IPv6 are routed with no leaks and thus working perfectly.


Afterwards I wanted to keep my Apple TV device excluded from the VPN tunnel, since it causes too much hassle with the streaming apps on it. When setting up the VPN Policy Base on the Client Device and excluding the Apple TV device from the VPN, I notice that only IPv4 is excluded and not IPv6.


The IPv4 address is showing my ISP address. The IPv6 is showing the VPN-routed address, causing issues since some of the apps are detecting the VPN and blocking access.

Am I doing something wrong here or is this a bug?

Sidenote: I have to keep IPv6 enabled, since my incoming ISP signal is always terminated (and trying to reconnect) on their side if only IPv4 is enabled resulting in a continuous loop connecting-TerminationRequest-fail-connecting-TermReq-fail-… on the Flint 2.

You can turn off IPv6 for individual LAN-side ports while leaving IPv6 up on the sole port the ISP should directly connect (WAN, eth0).

LuCI → Network → Interfaces → Devices → < eth {1–4} > → General device options → Enable IPv6 → < uncheck, save > → Save, Save & Apply

LuCI is accessible via GL GUI → System → Advance Settings. Same pwd as GL GUI; username root.

Thanks for the reply. I tried this and it indeed solves the issue that the Apple TV device is making use of the VPN-routed IPv6 connection instead of the excluded IPv4 while being in the ‘exclusion’ list. Problem is that this specific LAN-port is connected to a switch, which results in all the devices on this switch losing the IPv6 connection.

But even then, I’m still wondering why the VPN Policy is only excluding IPv4 and not IPv6. I was hoping to be able to leave IPv4 and IPv6 enabled and just exclude (both IPv4 and IPv6) one device from the VPN-tunnel.

Well, I can’t be much help here re: the switch aspect as I just have IPv6 turned off at the WAN port.

I’ll bet a shiny US half dollar (I’m not in the USA or have such currency) it’s just an oversight by GL. @hansome, do you have any iptables magic for us to solve this?

The IPv6 part of the VPN policy is not implemented yet.
But I’ll find a quick way for your scenario ASAP. @HairyKameltoe


I had indeed read the notification. I was however surprised to see that the VPN itself worked perfectly on the router (and still works without any hiccups) regardless of this notification.

Both IPv4 and IPv6 are routed correctly without any leakage.

Since that seems to be the hardest part to integrate, I found it strange that the VPN Policy wasn’t working correctly and was thinking it was maybe something I overlooked.

Anyway, thank you for checking it out!

Hello. I can’t seem to find VPN policy on my Flint 2 to manually select devices that I want to use the VPN. I’m new to GL inet so I’ll be grateful for any info about it. Thanks!

VPN > VPN Dashboard and then see my images

From factory it says ‘Global Proxy’. Click it and select what you need (Client based or IP/Domain based)

You push on the blue highlight and you get the next screen. You select if you want VPN as default and exclude devices, or the other way around and include certain devices. In my example here I use the client-based policy and I can choose in the picklist which devices (based on their MAC) I want to exclude from the VPN tunnel. Push the + once selected. It appears in the list right beneath it, then click apply.

I see, that’s why I can’t seem to find it. Thank you so much!

Run these commands to mark the IPv6 traffic for clients to bypass VPN.

ip6tables -t mangle -A PREROUTING -i br-+ -m set --match-set bypass_vpn_mac src -j MARK --set-xmark 0x8000/0xc000
ip6tables -t mangle -A PREROUTING -i br-+ -j CONNMARK --save-mark --nfmask 0xc000 --ctmask 0xc000

We’ll merge the changes into a future release.

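An added example, not part of the thread and not GL.iNet's code: a small shell model of what the two posted rules do to the packet mark and the connection mark, plus a wrapper that appends them only when `ip6tables -C` reports them missing, so re-running it does not stack duplicate rules. The `IP6T` override and all function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): model of the two mangle rules, plus an
# idempotent installer. IP6T is a hypothetical override so the logic can be
# exercised without touching a live firewall.
IP6T=${IP6T:-ip6tables}
BYPASS=0x8000   # value from the posted rule
MASK=0xc000     # mask from the posted rule (bits 14-15)

# MARK --set-xmark value/mask: zero the mask bits, then XOR the value in.
# args: current_mark value mask
set_xmark() { printf '0x%x\n' $(( ($1 & ~$3) ^ $2 )); }

# CONNMARK --save-mark: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)
# args: ctmark nfmark nfmask ctmask
connmark_save() { printf '0x%x\n' $(( ($1 & ~$4) ^ ($2 & $3) )); }

# True when a mark carries the bypass value inside the masked bits.
is_bypass() { [ $(( $1 & $MASK )) -eq $(( $BYPASS )) ]; }

# Append a mangle/PREROUTING rule only if -C (check) reports it missing.
ensure_rule() {
    "$IP6T" -t mangle -C PREROUTING "$@" 2>/dev/null ||
        "$IP6T" -t mangle -A PREROUTING "$@"
}

ensure_bypass_rules() {
    ensure_rule -i br-+ -m set --match-set bypass_vpn_mac src \
        -j MARK --set-xmark "$BYPASS/$MASK"
    ensure_rule -i br-+ -j CONNMARK --save-mark --nfmask "$MASK" --ctmask "$MASK"
}

# Run as "script apply" on the router; with no argument nothing is changed.
if [ "${1:-}" = "apply" ]; then
    ensure_bypass_rules
fi
```

Because both rules use the mask 0xc000, any mark bits outside bits 14-15 that other rules have set on the packet or the connection are left untouched.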

Btw, what’s the APP with green and red UI, I’d like to test again with that APP or site maybe.

It’s Mullvad’s own website. At the top they offer a tool “check for leaks”.
