docs(network): document ipv6 and fake-ip behavior

Author: JadenJSJ

README.md

@@ -260,6 +260,12 @@ On tags (`v*`):
     - `mode = "tun"` and `ipv6 = true`: IPv6 is proxied by the core TUN stack
     - `mode != "tun"` and `ipv6 = true`: IPv6 stays direct outside the Linux firewall graph
     - `ipv6 = false`: runtime disables IPv6 in the core/DNS path so clients prefer IPv4
+  - practical selection matrix:
+    - `mixed + ipv6=true + fake-ip`: current default, IPv4 proxied and IPv6 direct
+    - `mixed + ipv6=false + fake-ip`: prefer IPv4 while keeping transparent IPv4 proxying
+    - `tun + ipv6=true + fake-ip`: closest to phone-style full-device behavior, including proxied IPv6
+    - `mixed + redir-host`: real-address DNS answers instead of fake-IP
+  - browser/devtools may still show the real upstream server address even when local DNS is `fake-ip`; the fake-IP is only the local interception hop
 - Route convergence: renew/reapply prunes stale BOX fwmark rules and enforces one current `route_pref` rule
 - Idempotent + lock-protected: `enable|renew|disable`
 - `BOX_TRACE_COMMANDS=1` logs external command executions with component/action context
@@ -275,6 +281,16 @@ On tags (`v*`):
   - `cap_ipv4=true`
   - `cap_ipv6=false` (full IPv6 interception/hijack graph pending)
 
+## Live Behavior Notes
+
+- `boxctl service status --json` reports:
+  - `dns_enhanced_mode`
+  - `ipv6_enabled`
+  - `ipv6_effective_mode`
+- `boxctl firewall status --json` reports the same IPv6/DNS fields plus backend capability flags.
+- If `dns_enhanced_mode = "fake-ip"`, local name resolution can return fake-IP ranges such as `198.18.0.0/16` while browser/devtools still show the real remote server address used by Mihomo's outbound connection.
+- There is no reference-backed `prefer_ipv4|prefer_ipv6|default` selector. The supported family control is `network.ipv6 = true|false`.
+
 ## Rollback/Uninstall
 
 Safe uninstall (keeps config backups/data unless manually removed):

docs/linux-port/01-component-config-runtime-model.md

@@ -141,3 +141,8 @@ This snapshot is used by:
   - `mode!=tun` + `ipv6=true`: IPv6 remains direct because the firewall graph is still IPv4-only.
   - `ipv6=false`: runtime disables IPv6 in the core/DNS layer so clients fall back to IPv4.
 - `network.dns_enhanced_mode = "fake-ip" | "redir-host"` is exposed explicitly for Mihomo overlay rendering.
+- Operational presets:
+  - `mixed + ipv6=true + fake-ip`: default desktop compromise, IPv4 proxied and IPv6 direct
+  - `mixed + ipv6=false + fake-ip`: force IPv4 preference without changing firewall mode
+  - `tun + ipv6=true + fake-ip`: closest to phone-style full-device behavior
+  - `mixed + redir-host`: avoid fake-IP answers and keep real-address DNS responses

docs/linux-port/04-component-firewall-routing.md

@@ -80,6 +80,10 @@ If unsupported, apply controlled downgrade with explicit logs.
   - non-`tun` modes + `network.ipv6=true`: IPv6 remains direct outside the firewall graph.
   - `network.ipv6=false`: runtime disables IPv6 in the core/DNS path to prefer IPv4.
 - `network.dns_enhanced_mode` controls Mihomo DNS `fake-ip` vs `redir-host` independently from firewall mode.
+- This means `mixed` mode on current Linux-native backends is effectively:
+  - IPv4: transparent redirect/mark path through Box/Mihomo
+  - IPv6: direct host path unless `mode=tun`
+- When `dns_enhanced_mode = "fake-ip"`, applications may resolve fake IPv4/IPv6 placeholders locally while observability tools still show the real remote upstream address chosen by Mihomo.
 
 ## Tailscale Coexistence Requirements
 For hosts that run Tailscale alongside Box, firewall apply/cleanup must preserve Tailscale routing and DNS behavior.