6to4 Tunnel from ISP just won't work.

squarefanatic · July 17, 2015, 12:39am

I’ve posted this here in the beginner forums as what I’m doing here seems pretty basic but it just won’t work for me and I need some halp!

*Note: I’ve changed some of the numbers below to make them a little more anonymous, they all match perfectly in the config so where you see the same number it’s the same in the config with the right details.

My ISP has provisioned access to their 6to4 tunnel with the following details:

The IPv6 Tunnel Gateway is 2002:3A60:689::1
We have allocated your service IPv6 address : 2406:3400:000C:0123::/64
Your Tunnel IPv6 address : 2002:7346:4123::/128

My static IP with them is 115.70.75.123

I’ve configured my tik with the following:

/interface 6to4 add mtu=1280 name=6to4-tunnel local-address=115.70.75.123 disabled=no
/ipv6 address add address=2002:7346:4123::/128 interface=6to4-tunnel
/ipv6 route add dst-address=2002::/16 gateway=6to4-tunnel scope=10 target-scope=10
/ipv6 route add dst-address=::/0 gateway=2002:3A60:689::1 scope=30 target-scope=10
/ipv6 address add address=2406:3400:000C:0123::1/64 interface=bridge-lan advertise=yes disabled=no

With this configuration I can ping the Gateway (2002:3A60:689::1) from the tik and from the clients on bridge-lan who are all picking up their own IP in 2406:3400:000C:0123::/64 just fine. I cannot ping ipv6.google.com by IP from the tik, or from the clients.

I have firewall rules for input, output, and forward that simply accept all traffic while testing to eliminate that as a cause.

Here is a dump of the IPv6 route table:

 #      DST-ADDRESS              GATEWAY                  DISTANCE
 0   S  ::/0                     2002:3a60:689::1                1
 1 A S  2002::/16                6to4-tunnel                     1
 2 ADC  2002:7346:4b6f::/128     6to4-tunnel                     0
 3 ADC  2406:3400:c:12::/64      bridge-lan                      0

No matter what I do the default route is always marked unreachable.

I must be doing something wrong here, what is it?

squarefanatic · July 17, 2015, 6:36am

That route dump should read:

 #      DST-ADDRESS              GATEWAY                  DISTANCE
 0   S  ::/0                     2002:3a60:689::1                1
 1 A S  2002::/16                6to4-tunnel                     1
 2 ADC  2002:7346:4123::/128     6to4-tunnel                     0
 3 ADC  2406:3400:c:12::/64      bridge-lan                      0

I’ve changed a few numbers (the 123’s on the ends of address) for some privacy!

Sob · July 17, 2015, 2:40pm

First, I don’t think that RouterOS ever supported gateways in 2002:aabb:ccdd::1 format. They had to be entered using ::aa.bb.cc.dd%6to4interface format. But that’s now broken for almost a year (ok, up to 6.28 at least, I did not try newer ones yet, but I’m not an optimist).

The workaround for “pure 6to4” (everything using only 2002::/16) is to use two 6to4 interfaces, one for communication with other non-local 2002::/16 addresses and second for default gateway.

In your case, 2002::/16 is only for a link to ISP, so one tunnel is enough. Try this:

/interface 6to4 add mtu=1280 name=6to4-tunnel local-address=115.70.75.123 remote-address=58.96.6.137
/ipv6 route add dst-address=::/0 gateway=6to4-tunnel
/ipv6 address add address=2406:3400:000C:0123::1/64 interface=bridge-lan advertise=yes disabled=no

2002:3A60:689::1 => 3A60:689 => 3A 60 06 89 => 58.96.6.137 (hexadecimal to decimal)

squarefanatic · July 18, 2015, 12:28am

Sob:

First, I don’t think that RouterOS ever supported gateways in 2002:aabb:ccdd::1 format. They had to be entered using ::aa.bb.cc.dd%6to4interface format. But that’s now broken for almost a year (ok, up to 6.28 at least, I did not try newer ones yet, but I’m not an optimist).

The workaround for “pure 6to4” (everything using only 2002::/16) is to use two 6to4 interfaces, one for communication with other non-local 2002::/16 addresses and second for default gateway.

In your case, 2002::/16 is only for a link to ISP, so one tunnel is enough. Try this:
/interface 6to4 add mtu=1280 name=6to4-tunnel local-address=115.70.75.123 remote-address=58.96.6.137
/ipv6 route add dst-address=::/0 gateway=6to4-tunnel
/ipv6 address add address=2406:3400:000C:0123::1/64 interface=bridge-lan advertise=yes disabled=no
2002:3A60:689::1 => 3A60:689 => 3A 60 06 89 => 58.96.6.137 (hexadecimal to decimal)

Yep. This was exactly it. Once the remote address was set on the tunnel actually it all worked perfectly so your reply was spot on.

The only issue I have now is the 6to4 drops to inactive when it’s not been used for a while and the only way to get ipv6 working again is to disable and re-enable that tunnel. Any suggestions there? Do I need some kind of keep alive setup or something else? My configuration right now is exactly the three lines you have written.

Other than that all is working well.

Sob · July 18, 2015, 11:27am

I don’t have a good explanation for that, 6to4 is stateless, there is no established connection to break or time out.
Recent RouterOS versions do have keepalive option for 6to4 interfaces, but I’m not sure what exactly it does. It’s obviously meant to detect dead peer, but if it’s supposed to work with other RouterOS devices only or with anything, no idea. I think there was some problem with it in lower 6.2x versions and it was taking the tunnels down. So make sure you have something newer.