I've recently upgraded to FTTP and as part of the deal I got a new router. That allowed me to rearrange my network which was great but now it appears that the router isn't all that it's cracked up to be. It's a TP-Link VX230V and the problem is that the IPv6 Firewall appears to have a bug that means you can't allow incoming connections through to services.
So I'm considering shelling out on a new router but as usual it's difficult to find the kind of reviews that I want because I have technical requirements. The TP-Link has shown that you can't go by reading manuals because the manual gives incorrect information about the firewall. Without a review of this feature there'd be no way to know it was flawed.
So what I need from a router:
- 2.4 & 5GHz Wifi.
- Dual-stack IPv4/6.
- The ability to allow incoming connections on IPv6.
- Three LAN ports, one WAN port. None of them have to be gigabit.
I also don't want to spend a huge amount. I don't need performance I just want a router that supports IPv4 and IPv6 properly - surely that isn't too much to expect?
---
Andrue Cope
Brackley, UK
Edited by Andrue (Thu 10-Jul-25 08:10:49)
|
|
|
I thought dual stacking was something done by the ISP, not the router.
Does your ISP support IPv6? Not all of them do.
Not sure what services you want to use with IPv6, I am not really up to date with IPv6 as such.
I have a TP-Link Archer AX53, works with IPv6 fine, not sure about the firewall and incoming connections as I have not really touched that.
Adrian
Desktop machines Mac mini pro with macOS Sequoia, also pc Ryzen powered with windows something or other.
Zooming with Zzoomm FTTP,
|
|
|
I thought dual stacking was something done by the ISP, not the router.
Yes but the router has to support it. The router has to know to ask for IPv6 information during login as well as asking for IPv4.
Does your ISP support IPv6? Not all of them do.
I wouldn't be asking about router IPv6 features if it didn't.
Not sure what services you want to use with IPv6, I am not really up to date with IPv6 as such.
I have a TP-Link Archer AX53, works with IPv6 fine, not sure about the firewall and incoming connections as I have not really touched that.
Based on my experience with this VX230V I don't think I'd touch another TP-Link with a bargepole. Releasing a router with such an egregious bug does not inspire confidence.
---
Andrue Cope
Brackley, UK
Edited by Andrue (Thu 10-Jul-25 09:03:40)
|
|
|
Does your ISP support IPv6? Not all of them do.
OP is with IDNet and from his previous thread, it appears that he has got IPv6 working apart from this issue.
|
|
|
It's a TP-Link VX230V and the problem is that the IPv6 Firewall appears to have a bug that means you can't allow incoming connections through to services.
Have you tried enabling the required service in the IPv6 firewall settings? i.e. are we looking at a problem of you not having found the setting or of the setting not working?
|
|
|
It's a TP-Link VX230V and the problem is that the IPv6 Firewall appears to have a bug that means you can't allow incoming connections through to services.
Have you tried enabling the required service in the IPv6 firewall settings? i.e. are we looking at a problem of you not having found the setting or of the setting not working?
Good question. It could just be that the instructions are wrong and I haven't yet worked out what I'm supposed to be entering. What I've found is the settings page for the IPv6 firewall. The help for that page states:
IPv6 Firewall protects your IPv6 network by preventing access from the internet. However, when you are hosting a service, such as a file sharing server in your local network, you can choose to allow access to the server from the internet by adding entries on this page. This feature is available only when you've set up an IPv6 connection.
To add an entry
1. Click Add.
2. Select an interface name from the drop-down list. Interface names are names of the internet connections you have set up.
3. Click View Existing Applications to select a service from the list to automatically populate the Port field with an appropriate port number. It is recommended to keep the default Port if you are unsure about which one to use. If the service is not listed, manually enter the Service Type and the Port number (e.g., 21 or 21-25).
4. Select the local host device running the service. Enter its global IPv6 address in the Global IPv6 Address field.
5. Select a protocol for the service from the drop-down list.
6. Select Enable This Entry.
7. Click OK.
Note
1. If you want to disable this entry, click the Bulb icon.
2. If the local host device hosts more than one type of available service, you need to create a rule for each service. Please note that ports should NOT be used by multiple services.
Which is all well and good except that there is no way to select a host device and the only IP address input field is labelled 'Internal IP:' I initially assumed this was a typo so I put in the global IP address as the help suggests but that didn't work. I've also tried putting in the link-local address of the server with no expectation of it working and of course it didn't. I've also tried putting in the IP address without the prefix '::201:c0ff:fe11:f814' but that doesn't work either.
Editing an entry on the settings page
---
Andrue Cope
Brackley, UK
|
|
|
Editing an entry on the settings page
It is http on port 80. https is on 443
|
|
|
Editing an entry on the settings page
It is http on port 80. https is on 443
Good catch but that's just a text description as far as I can tell. I've corrected it and the ports remain blocked on IPv6.
Edit: This isn't just for a web server. It's actually for my mail server so I need SMTP, IMAP and HTTP/S. It's working for IPv4 with port forwarding but as I have IPv6 access I'd also like my mail server to be visible that way. There are some email servers using it, e.g. GMail.
---
Andrue Cope
Brackley, UK
Edited by Andrue (Thu 10-Jul-25 11:37:27)
|
|
|
|
Chances are this is a configuration issue.
Are inbound packets arriving at the target server? Check with tcpdump (Linux) or Wireshark (Windows). If they are, then possibly the server itself isn't accepting incoming connections from public IPv6 addresses - which could be due to a software firewall on the server itself. Possibly the service is bound to IPv4 only, although I expect you've already tested IPv6 connectivity locally across the LAN.
If packets aren't arriving, then you focus on the router firewall configuration. It's not *impossible* that it's totally broken, but if it is, it's unlikely you're the first person to come across the problem.
If in the end you still want a new router, then my recommendation is Mikrotik - it does everything I could possibly want. Note that I'm a bit of a router geek and I configure it via the CLI, but there are other ways.
I note you said you wanted integrated wifi. I'd recommend against that - buy one or more Unifi U7 Lite APs for the wifi. Mikrotik do have a couple of routers with integrated wifi but they're very old standards (Wifi 5, from memory)
|
|
|
Chances are this is a configuration issue.
Are inbound packets arriving at the target server? Check with tcpdump (Linux) or Wireshark (Windows). If they are, then possibly the server itself isn't accepting incoming connections from public IPv6 addresses - which could be due to a software firewall on the server itself. Possibly the service is bound to IPv4 only, although I expect you've already tested IPv6 connectivity locally across the LAN.
The server configuration has been unchanged for several years. All that's happened is that I've switched from FTTC to FTTP. It's the same ISP and the same static addresses. I did briefly have an issue because a Windows update coincidentally reset the server's network profile to Public but that blocked all access to the mail server and has been changed back and all is fine again from the LAN. Most devices on the LAN are connecting via the public IPv6 address although I think my phone connects over IPv4.
If packets aren't arriving, then you focus on the router firewall configuration. It's not *impossible* that it's totally broken, but if it is, it's unlikely you're the first person to come across the problem.
I can believe I'm the first to encounter this since it's basically a home router and I doubt many home users want to expose public services let alone on IPv6. From spending time on their forums it's clear that almost no-one uses this model of router and several other models have issues with the firewall. Although I do at least have the UI option to disable the firewall it doesn't seem to have any effect. The Windows firewall logs only show IPv6 packets from the LAN regardless.
If in the end you still want a new router, then my recommendation is Mikrotik - it does everything I could possibly want. Note that I'm a bit of a router geek and I configure it via the CLI, but there are other ways.
I note you said you wanted integrated wifi. I'd recommend against that - buy one or more Unifi U7 Lite APs for the wifi. Mikrotik do have a couple of routers with integrated wifi but they're very old standards (Wifi 5, from memory)
Thanks for the recommendation. I had been using a WAP and I could reinstate that but I like the fact that having it all in one box has allowed me to unplug several pieces of kit.
---
Andrue Cope
Brackley, UK
|
|
|
Chances are this is a configuration issue.
Are inbound packets arriving at the target server? Check with tcpdump (Linux) or Wireshark (Windows). If they are, then possibly the server itself isn't accepting incoming connections from public IPv6 addresses - which could be due to a software firewall on the server itself. Possibly the service is bound to IPv4 only, although I expect you've already tested IPv6 connectivity locally across the LAN.
If packets aren't arriving, then you focus on the router firewall configuration. It's not *impossible* that it's totally broken, but if it is, it's unlikely you're the first person to come across the problem.
Good points, I agree.
If in the end you still want a new router, then my recommendation is Mikrotik - it does everything I could possibly want. Note that I'm a bit of a router geek and I configure it via the CLI, but there are other ways.
I note you said you wanted integrated wifi. I'd recommend against that - buy one or more Unifi U7 Lite APs for the wifi. Mikrotik do have a couple of routers with integrated wifi but they're very old standards (Wifi 5, from memory)
Yes. Routers with integrated wifi are exclusively consumer oriented and the settings are accordingly dumbed down. What you want to do, OP, with your own servers on IPv6 is very much an edge case for consumer routers, so if you can't make it work on the TP link, better to go with separate kit for the router and the wifi.
With the Mikrotik routers, there is a web interface, but this is not dumbed down. I am very happy with mine, but they are not for everyone. But then, if you are going to have your own IPv6 servers, you may well need to face up to a little complexity.
|
|
|
Edit: This isn't just for a web server. It's actually for my mail server so I need SMTP, IMAP and HTTP/S. It's working for IPv4 with port forwarding but as I have IPv6 access I'd also like my mail server to be visible that way. There are some email servers using it, e.g. GMail.
Is it possible the relevant ports are blocked at the ISP?
The IPv6 ones.
|
|
|
Edit: This isn't just for a web server. It's actually for my mail server so I need SMTP, IMAP and HTTP/S. It's working for IPv4 with port forwarding but as I have IPv6 access I'd also like my mail server to be visible that way. There are some email servers using it, e.g. GMail.
Is it possible the relevant ports are blocked at the ISP?
The IPv6 ones.
There is that too. Probably OP needs to start a process of rodding through:
- Can the server ping the IPv6 loopback address?
- Can the server see its own services on the IPv6 loopback address?
- Can the server ping its own Global IPv6 address?
- Can the server see its own services on its own Global IPv6 address?
- Can other machines on the LAN ping the server link local IPv6 address?
- Can other machines on the LAN see the services on the server link local IPv6 address?
- Can other machines on the LAN ping server Global IPv6 address?
- Can other machines on the LAN see the services on the server Global IPv6 address?
Once that stage has been reached, OP needs to refer to tech support for the router and to ensure that the ISP is permitting the services if it still isn't working.
|
|
|
Although I do at least have the UI option to disable the firewall it doesn't seem to have any effect. The Windows firewall logs only show IPv6 packets from the LAN regardless.
Are you saying that the servers can make outbound connections to global IPv6 addresses (e.g. ping 2001:4860:4860::8888) but not receive inbound?
I would have expected that disabling the firewall would have allowed everything in and out.
One thing to check: make a web connection to ip6.me, either from a web browser or
curl ip6.me/api/
Does the IPv6 address you see, match the interface IPv6 address? (ipconfig /all) I'm just wondering if the router is doing IPv6 NAT - it's unusual, but it does exist.
(Note: there's a bug in ip6.me where it truncates the address by one character, if there are no leading zeros in any of the 16-bit words. So don't worry if you see that).
|
|
|
Although I do at least have the UI option to disable the firewall it doesn't seem to have any effect. The Windows firewall logs only show IPv6 packets from the LAN regardless.
Are you saying that the servers can make outbound connections to global IPv6 addresses (e.g. ping 2001:4860:4860::8888) but not receive inbound?
Correct.
I would have expected that disabling the firewall would have allowed everything in and out.
So would I.
One thing to check: make a web connection to ip6.me, either from a web browser or
curl ip6.me/api/
Does the IPv6 address you see, match the interface IPv6 address? (ipconfig /all) I'm just wondering if the router is doing IPv6 NAT - it's unusual, but it does exist.
(Note: there's a bug in ip6.me where it truncates the address by one character, if there are no leading zeros in any of the 16-bit words. So don't worry if you see that).
Now that is weird... and interesting. My laptop works fine with IP6.me but although my server has a global IPv6 address that website reports that it doesn't. In addition I note that my dynamically assigned devices have an IPv6 address starting 2a02:xxxx:xxxx:1::4362 whereas the server has two IPv6 addresses - one that is similar and the static address of 2a02:xxxx:xxxx:1:201:c0ff:fe11:f814. Doesn't that mean it's on a different subnet? It doesn't seem to be an issue on the LAN but I wonder if that's breaking IPv6 connectivity?
I think I've seen Windows do this before so I'll try and delete that spurious address.
---
Andrue Cope
Brackley, UK
|
|
|
Edit: This isn't just for a web server. It's actually for my mail server so I need SMTP, IMAP and HTTP/S. It's working for IPv4 with port forwarding but as I have IPv6 access I'd also like my mail server to be visible that way. There are some email servers using it, e.g. GMail.
Is it possible the relevant ports are blocked at the ISP?
The IPv6 ones.
No. IDNet have never blocked any ports and the IPv4 side is working correctly. I really don't think it can be anything to do with my ISP. All they've done is moved me over to FTTP. However as noted in another reply there is something odd with my server's IPv6 handling.
---
Andrue Cope
Brackley, UK
|
|
|
As has been said, maybe your problem is user error, I don't know, I have not really gone into that sort of thing. My router works, it does what I need. Just because you have a problem with one item from a company, don't mean others are like it.
I hope you get it sorted, but as you posted, very few people on here will do what you do, most of us will just plug the thing in, change a few settings and that is it.
Adrian
Desktop machines Mac mini pro with macOS Sequoia, also pc Ryzen powered with windows something or other.
Zooming with Zzoomm FTTP,
|
|
|
It's sorted! Something (I'm glaring at that bloody Windows update) had set the default IPv6 gateway to ::. I've set it back to what it should be with the new router and everything is fine.
Good grief.
To be honest I've had gateway issues before with Windows. It'd be nice if there was some mechanism where it could get that automatically despite having a static IPv6 address but I suppose given how IPv6 works that's not going to be possible.
Thank you all for your help - you nudged me in the right direction when I realised that the server only had local IPv6 functionality. And I owe TP-Link an apology.
---
Andrue Cope
Brackley, UK
|
|
|
Edit: I see I was late with this and it is all sorted, great news, but I'll leave this here:
Does the IPv6 address you see, match the interface IPv6 address? (ipconfig /all) I'm just wondering if the router is doing IPv6 NAT - it's unusual, but it does exist.
(Note: there's a bug in ip6.me where it truncates the address by one character, if there are no leading zeros in any of the 16-bit words. So don't worry if you see that).
Now that is weird... and interesting. My laptop works fine with IP6.me but although my server has a global IPv6 address that website reports that it doesn't. In addition I note that my dynamically assigned devices have an IPv6 address starting 2a02:xxxx:xxxx:1::4362 whereas the server has two IPv6 addresses - one that is similar and the static address of 2a02:xxxx:xxxx:1:201:c0ff:fe11:f814. Doesn't that mean it's on a different subnet? It doesn't seem to be an issue on the LAN but I wonder if that's breaking IPv6 connectivity?
I think I've seen Windows do this before so I'll try and delete that spurious address.
2 facts about IPv6
[1] What is net and subnet is sorted out in the highest 64 bits. Every subnet has a full 64 bits of addressing. So what you are seeing is not a different subnet.
[2] Interfaces usually have multiple IP addresses. Besides the link-local address, you will typically find 2 Global addresses and 2 unique local addresses. 1 of each is static and the other changes each session. You need the static addresses for servers
Edited by DFScale (Fri 11-Jul-25 21:21:04)
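An added example, not part of any post in the thread: it checks the point above that both of the server's global addresses sit in one /64, and flags the `::` default gateway that turned out to be the fault. The 2001:db8:0:1 prefix and the link-local address are constructed stand-ins for values the thread masks or does not give, and the function names are this example's own.

```python
import ipaddress

# Constructed sample data. The thread masks the real prefix as 2a02:xxxx:xxxx:1,
# so the documentation prefix 2001:db8:0:1 stands in for it. The interface
# identifiers ::4362 and 201:c0ff:fe11:f814 are the ones quoted in the thread;
# the link-local address is an assumption built from the same identifier.
DYNAMIC = "2001:db8:0:1::4362"
STATIC = "2001:db8:0:1:201:c0ff:fe11:f814"
LINK_LOCAL = "fe80::201:c0ff:fe11:f814%12"
ULA = ipaddress.IPv6Network("fc00::/7")


def _ip(text):
    """Parse an address, dropping any %zone suffix such as fe80::1%12."""
    return ipaddress.IPv6Address(text.split("%")[0])


def scope(addr):
    """Name the kind of IPv6 address: where it is valid and routable."""
    ip = _ip(addr)
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip in ULA:
        return "unique-local"
    if ip.is_multicast:
        return "multicast"
    return "global"


def same_subnet(a, b, prefixlen=64):
    """True if b falls inside the /prefixlen network that contains a."""
    net = ipaddress.IPv6Network(f"{_ip(a)}/{prefixlen}", strict=False)
    return _ip(b) in net


def eui64_mac(addr):
    """Recover the MAC from an EUI-64 interface identifier, else None."""
    iid = _ip(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":          # EUI-64 inserts ff:fe mid-MAC
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]   # undo the U/L bit flip
    return ":".join(f"{octet:02x}" for octet in mac)


def gateway_problem(next_hop):
    """Describe why a default-route next hop cannot work, or return None."""
    kind = scope(next_hop)
    if kind == "unspecified":
        return "default gateway is :: so there is no router for off-link traffic"
    if kind in ("loopback", "multicast"):
        return f"default gateway is a {kind} address, not a router"
    return None


def summarise(addresses, gateway):
    """Combine the checks for one host's address list and default gateway."""
    routable = [a for a in addresses if scope(a) == "global"]
    return {
        "scopes": {a: scope(a) for a in addresses},
        "one_subnet": all(same_subnet(routable[0], a) for a in routable),
        "gateway_problem": gateway_problem(gateway),
    }


if __name__ == "__main__":
    print(summarise([LINK_LOCAL, DYNAMIC, STATIC], "::"))
```
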
|
|
|
Glad you got it sorted. I know what it is like when something is not working, and you can't figure out why.
You got a server, then?
I have a NAS, but it don't do IPv6, I suppose there is no need to.
Adrian
Desktop machines Mac mini pro with macOS Sequoia, also pc Ryzen powered with windows something or other.
Zooming with Zzoomm FTTP,
|
|
|
Glad you got it sorted. I know what it is like when something is not working, and you can't figure out why.
You got a server, then?
I have a NAS, but it don't do IPv6, I suppose there is no need to.
Yeah, all working. I've run a mail server for many years now. It allows me to operate an effective Disposable Email Address system to avoid spam. There's no real need to have it visible on IPv6. I just feel that since I chose my ISP many years ago because they offered it I should fully utilise it.
I think what tripped me up this time was Windows Update pratting about. Resetting the network profile to Public is a known issue (and it happened under previous Windows as well - my server is running on Win10) but I don't think I've ever known it clear out the default gateway. It's possible though that the update occurred while I was transferring over to the new router so perhaps it was the result of the new gateway not being contactable during the update?
---
Andrue Cope
Brackley, UK
|
|
|
Ah, I see, I used to muck around with things like that years ago, but now just like the simple life, of plug and pray, I mean play
I was thinking of setting up another NAS, using a mini computer, but not sure if it is really worth it.
Adrian
Desktop machines Mac mini pro with macOS Sequoia, also pc Ryzen powered with windows something or other.
Zooming with Zzoomm FTTP,
|
|
|
Ah, I see, I used to muck around with things like that years ago, but now just like the simple life, of plug and pray, I mean play 
I was thinking of setting up another NAS, using a mini computer, but not sure if it is really worth it.
Well worth looking at a mini PC/NAS. I was given a bunch of Lenovo M93p Mini machines (and laptops I fettle and give away) and my 17 year old grandson nabbed one and put together a modest NAS to take with him when he leaves the nest for university; works very well.
Robert
South Wales UK
Talk Talk Future Fibre 900
Surface Laptop Studio 2
i9 main PC,
Surface Pro 9 i7