GL-MT2500A Brume2 IPv6 Leak - how to build a blackhole

Dear all,

My setup consists of a Fritz!Box, a GL-MT2500 configured as a drop-in client with dedicated clients, and a Mac client where I manually changed the gateway. Later, I want to set up the DHCP server and have all traffic routed through the GL-MT2500, as I use VyprVPN and successfully managed to create an OpenVPN connection. IPv4 traffic is routed correctly, whereas several test sites reported IPv6 leakage.

The reason for that is that my ISP implemented IPv6 and the Fritz!Box supports it. So my Mac has three IPv6 addresses, as one would expect: one temporary and one static, both with the 64-bit prefix provided by the ISP through the Fritz!Box, and one link-local address.

The Fritz!Box is configured as RA server and as DHCPv6 server that only provides DNS information as well. No IA_PD or IA_NA distribution. But what it does is, it also sets its link-local address as the IPv6 gateway (called "router" on the Mac). So the IPv4 gateway was manually set to the IPv4 address of the GL-MT2500, but the IPv6 gateway still points to the Fritz!Box.

This explains why IPv6 traffic is still routed outside the VPN tunnel. This is exactly the opposite of what the warning next to "switch IPv6 on" in the GL-MT2500 tells me. Unfortunately I cannot disable IPv6, because that is really the only thing the ISP has blocked in the GUI of the Fritz!Box.

So I guess in the end I have to make the GL-MT2500 IPv6-aware and set up a DHCPv6 server to provide the gateway information for the GL-MT2500 IPv6 interface. On the GL-MT2500 I would then create a blackhole to pipe all that traffic to /dev/null, which makes me look like a pure IPv4 computer, right?

Funny thing is that although IPv6 is switched off in the GL-MT2500, eth0 does have an IPv6 link-local address as well. When I use this IPv6 address to manually configure the Mac client, the network no longer works. I saw that there is then no longer any DNSv6 server available. It also seems that even when working with IPv4 servers, the Mac client always uses a DNSv6 server (provided by the Fritz!Box). But I am not able to set another one manually. So it seems necessary to set up something on my own, either RA with DNS only or stateless DHCPv6, whatever would set gateway and DNS.

So can I get some help on how to manage this?

And another question, where I think it is really like reading a crystal ball: if I switched my VPN provider VyprVPN to one supporting IPv6 and WireGuard, do you think it would work right out of the box, as my IPv6 traffic would then be tunneled from scratch, or is the drop-in gateway capable of setting this up for me?
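An added example of the blackhole the post asks about, not from the original post or from GL.iNet: an OpenWrt shell snippet for the GL-MT2500 that blackholes the IPv6 default route at runtime and persistently via UCI, plus a check over an `ip -6 route` dump that tells a blackholed default from a leaking one. Assumptions: iproute2 `ip` (ip-tiny/ip-full) is installed on the box, the UCI section name `v6blackhole` is my choice, and the route dumps below are constructed.

```shell
# Added example (not from the original post). Assumes the OpenWrt shell on the
# GL-MT2500, iproute2 `ip` (ip-tiny/ip-full) and a UCI section name of my choosing.

# Runtime only: swallow all IPv6 traffic that would otherwise use the default route.
# Clients must see the GL-MT2500 as their IPv6 router (RA) for this to matter.
apply_v6_blackhole_now() {
  ip -6 route replace blackhole default
}

# Persistent variant: a netifd route6 section in /etc/config/network.
# 'v6blackhole' is just the section name chosen here.
persist_v6_blackhole() {
  uci set network.v6blackhole='route6'
  uci set network.v6blackhole.interface='loopback'
  uci set network.v6blackhole.target='::/0'
  uci set network.v6blackhole.type='blackhole'
  uci commit network
  /etc/init.d/network reload
}

# Verification: classify an `ip -6 route show` dump (conservatively).
#   leaking    - a real default route exists ("default via <router>"), so IPv6
#                can leave outside the tunnel regardless of any blackhole entry
#   blackholed - the only default route is the blackhole
#   none       - no default route at all (IPv6 simply unreachable)
ipv6_default_state() {
  routes=$1
  if printf '%s\n' "$routes" | grep -Eq '^default via '; then
    echo leaking
  elif printf '%s\n' "$routes" | grep -Eq '^blackhole (default|::/0)'; then
    echo blackholed
  else
    echo none
  fi
}

# Constructed sample dumps (not captured from real hardware).
ROUTES_LEAKING='default via fe80::1 dev eth0 proto ra metric 1024 pref medium
2001:db8:1::/64 dev eth0 proto ra metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium'

ROUTES_BLACKHOLED='blackhole default dev lo metric 1024 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium'

# Live use on the router: ipv6_default_state "$(ip -6 route show)"
ipv6_default_state "$ROUTES_LEAKING"      # leaking
ipv6_default_state "$ROUTES_BLACKHOLED"   # blackholed
```

The blackhole only helps clients once they take the GL-MT2500, not the Fritz!Box, as their IPv6 router via RA; on the Mac, `netstat -rn -f inet6` shows which router the default route currently points at.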