Hello!
I have an RB4011 and am trying to set it up to use 2 IPv6 interfaces, where each one can be used as a default gateway.
- I have a single IPv6 address on my ether1 (2a00:xxxx::61) from my ISP
- I have a /64 on the 6to4 interface from Hurricane Electric (2001:470:xxxx::2/64). I also have a /48 from HE.
- Mobile clients that have only IPv4 connectivity at their origin (IPv4 and statically assigned IPv6 from the fd2a:93ec:7070::/64 pool on the wireguard interface) use the RB4011 as a VPN server to access IPv4 and IPv6 resources via NAT (yes, I know it's a shit to use NAT for IPv6).
I want the RB4011 to be accessible from both the ether1 and 6to4 interface addresses; the default gw for the RB4011 itself should be via ether1, but all IPv6 traffic from Wireguard clients should go via the 6to4 interface from HE. I don't know if it is possible to redistribute IPv6 addresses from the HE /48 to Wireguard clients; if it is possible, it would be much better.
After setting up addresses, routes and wireguard I'm getting a situation where only one gw is working.
IPv6 address config:
[admin@MikroTik] > ipv6 address print
Flags: I - INVALID, D - DYNAMIC; G - GLOBAL, L - LINK-LOCAL
Columns: ADDRESS, FROM-POOL, INTERFACE, ADVERTISE
# ADDRESS FROM-POOL INTERFACE ADVERTISE
0 G 2a00:xxxx::61/64 ether1 no
1 DL fe80::6d5a:e59c:d0e5:2f0b/64 wireguard1_srv no
2 DL fe80::2ec8:xxxx:xxxx:5331/64 bridge no
3 DL fe80::2ec8:xxxx:xxxx:5330/64 ether1 no
4 G fd2a:93ec:7070::1/64 pool1_ula wireguard1_srv no
5 G 2001:470:xxxx::2/64 6to4-tunnel1 no
6 DL fe80::3:25e4:58ed/64 6to4-tunnel1 no
Static routes:
[admin@MikroTik] > ipv6 route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
0 As+ 2000::/3 2001:470:xxxx::1 1
1 As+ 2000::/3 2a00:xxxx::1 1
DAc 2001:470:xxxx::/64 6to4-tunnel1 0
DAc 2a00:xxxx::/64 ether1 0
DAc fd2a:93ec:7070::/64 wireguard1_srv 0
DAc fe80::%ether1/64 ether1 0
DAc fe80::%bridge/64 bridge 0
DAc fe80::%6to4-tunnel1/64 6to4-tunnel1 0
IPv6 rule in NAT table to pass Wireguard clients via HE:
[admin@MikroTik] /ipv6/firewall/nat> print
Flags: X - disabled, I - invalid; D - dynamic
0 chain=srcnat action=src-nat to-address=2001:470:xxxx::2/128 out-interface=6to4-tunnel1 log=no log-prefix=""
Ping using a source address seems to be ok, as the target is much closer to 2a00.
[admin@MikroTik] > ping 2a02:xxxx:0ff src-address=2a00:xxxx::61
SEQ HOST SIZE TTL TIME STATUS
0 2a02:xxxx:0ff 56 59 4ms783us echo reply
1 2a02:xxxx:0ff 56 59 4ms691us echo reply
2 2a02:xxxx:0ff 56 59 4ms763us echo reply
3 2a02:xxxx:0ff 56 59 4ms705us echo reply
4 2a02:xxxx:0ff 56 59 4ms556us echo reply
sent=5 received=5 packet-loss=0% min-rtt=4ms556us avg-rtt=4ms699us max-rtt=4ms783us
[admin@MikroTik] > ping 2a02:xxxx:0ff src-address=2001:470:xxxx::2
SEQ HOST SIZE TTL TIME STATUS
0 2a02:xxxx:0ff 56 56 29ms550us echo reply
1 2a02:xxxx:0ff 56 56 29ms705us echo reply
2 2a02:xxxx:0ff 56 56 29ms808us echo reply
3 2a02:xxxx:0ff 56 56 29ms651us echo reply
4 2a02:xxxx:0ff 56 56 29ms760us echo reply
sent=5 received=5 packet-loss=0% min-rtt=29ms550us avg-rtt=29ms694us max-rtt=29ms808us
But when I try to use the interface as source with the same target, something goes wrong: 47ms in both variants.
[admin@MikroTik] > ping 2a02:xxxx:0ff interface ether1
SEQ HOST SIZE TTL TIME STATUS
0 2a02:xxxx:0ff timeout
1 2a02:xxxx:0ff 56 57 47ms200us echo reply
2 2a02:xxxx:0ff 56 57 47ms272us echo reply
3 2a02:xxxx:0ff 56 57 47ms246us echo reply
4 2a02:xxxx:0ff 56 57 47ms343us echo reply
sent=5 received=4 packet-loss=20% min-rtt=47ms200us avg-rtt=47ms265us max-rtt=47ms343us
[admin@MikroTik] > ping 2a02:xxxx:0ff interface 6to4-tunnel1
SEQ HOST SIZE TTL TIME STATUS
0 2a02:xxxx:0ff 56 57 47ms386us echo reply
1 2a02:xxxx:0ff 56 57 47ms348us echo reply
2 2a02:xxxx:0ff 56 57 47ms309us echo reply
3 2a02:xxxx:0ff 56 57 47ms293us echo reply
4 2a02:xxxx:0ff 56 57 47ms334us echo reply
sent=5 received=5 packet-loss=0% min-rtt=47ms293us avg-rtt=47ms334us max-rtt=47ms386us
The second problem is that the default route from the 4011 also uses HE:
[admin@MikroTik] > ping 2a02:xxxx:0ff
SEQ HOST SIZE TTL TIME STATUS
0 2a02:xxxx:0ff 56 57 47ms362us echo reply
1 2a02:xxxx:0ff 56 57 47ms386us echo reply
2 2a02:xxxx:0ff 56 57 47ms223us echo reply
3 2a02:xxxx:0ff 56 57 47ms369us echo reply
4 2a02:xxxx:0ff 56 57 131ms248us echo reply
sent=5 received=5 packet-loss=0% min-rtt=47ms223us avg-rtt=64ms117us max-rtt=131ms248us
[admin@MikroTik] > tool traceroute 2a02:xxxx:0ff
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV
1 2001:470:xxxx::1 0% 3 24.7ms 24.8 24.7 25 0.1
...
8 2a02:xxxx:ff 0% 2 47.4ms 47.3 47.2 47.4 0.1
And the third problem is that the RB4011 is not accessible via 2a00:xxxx::61 on ether1. But it is accessible from HE via 2001:470:xxxx::2.
pts@MacBook-Air-pts ~ % ping6 2a00:xxxx::61
PING6(56=40+8+8 bytes) 2a03:xxxx:aec4 --> 2a00:xxxx::61
^C
--- 2a00:xxxx::61 ping6 statistics ---
17 packets transmitted, 0 packets received, 100.0% packet loss
But Wireguard clients use IPv6 from HE, as they should.
Next, I tried to change the Distance in the IPv6 routes, setting it this way:
[admin@MikroTik] > ipv6 route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
0 s 2000::/3 2001:470:xxxx::1 2
1 As 2000::/3 2a00:xxxx::1 1
Now my 4011 is accessible via 2a00:xxxx::61 on ether1, and the default route also uses ether1 and the directly connected IPv6 from the ISP.
pts@MacBook-Air-pts ~ % ping6 2a00:xxxx::61
PING6(56=40+8+8 bytes) 2a03:xxxx:aec4 --> 2a00:xxxx::61
16 bytes from 2a00:xxxx::61, icmp_seq=0 hlim=57 time=72.093 ms
16 bytes from 2a00:xxxx::61, icmp_seq=1 hlim=57 time=13.964 ms
16 bytes from 2a00:xxxx::61, icmp_seq=2 hlim=57 time=25.752 ms
16 bytes from 2a00:xxxx::61, icmp_seq=3 hlim=57 time=32.601 ms
16 bytes from 2a00:xxxx::61, icmp_seq=4 hlim=57 time=29.309 ms
^C
--- 2a00:xxxx::61 ping6 statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 13.964/34.744/72.093/19.707 ms
[admin@MikroTik] > ping 2a02:xxxx:ff
SEQ HOST SIZE TTL TIME STATUS
0 2a02:xxxx:ff 56 59 4ms759us echo reply
1 2a02:xxxx:ff 56 59 4ms743us echo reply
2 2a02:xxxx:ff 56 59 4ms741us echo reply
3 2a02:xxxx:ff 56 59 4ms685us echo reply
sent=4 received=4 packet-loss=0% min-rtt=4ms685us avg-rtt=4ms732us max-rtt=4ms759us
[admin@MikroTik] > tool traceroute 2a02:xxxx:0ff
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV
1 2a00:xxxx::1 0% 3 0.6ms 0.6 0.5 0.6 0
....
5 2a02:xxxx:ff 0% 2 4.7ms 4.7 4.7 4.7 0
But…
[admin@MikroTik] > ping 2a02:xxxx:0ff interface ether1
SEQ HOST SIZE TTL TIME STATUS
0 2a02:xxxx:ff 56 59 4ms819us echo reply
1 2a02:xxxx:ff 56 59 4ms723us echo reply
2 2a02:xxxx:ff 56 59 4ms666us echo reply
3 2a02:xxxx:ff 56 59 4ms831us echo reply
sent=4 received=4 packet-loss=0% min-rtt=4ms666us avg-rtt=4ms759us max-rtt=4ms831us
[admin@MikroTik] > ping 2a02:xxxx:0ff interface 6to4-tunnel1
SEQ HOST SIZE TTL TIME STATUS
0 no route to host
1 no route to host
2 no route to host
3 no route to host
4 no route to host
sent=5 received=0 packet-loss=100%
[admin@MikroTik] > ping 2a02:xxxx:0ff src-address=2a00:xxxx::61
SEQ HOST SIZE TTL TIME STATUS
0 2a02:xxxx:ff 56 59 4ms784us echo reply
1 2a02:xxxx:ff 56 59 4ms679us echo reply
2 2a02:xxxx:ff 56 59 4ms766us echo reply
3 2a02:xxxx:ff 56 59 4ms707us echo reply
sent=4 received=4 packet-loss=0% min-rtt=4ms679us avg-rtt=4ms734us max-rtt=4ms784us
[admin@MikroTik] > ping 2a02:xxxx:0ff src-address=2001:470:xxxx::2
SEQ HOST SIZE TTL TIME STATUS
0 2a02:xxxx:ff 56 56 29ms768us echo reply
1 2a02:xxxx:ff 56 56 29ms737us echo reply
2 2a02:xxxx:ff 56 56 29ms607us echo reply
3 2a02:xxxx:ff 56 56 29ms709us echo reply
sent=4 received=4 packet-loss=0% min-rtt=29ms607us avg-rtt=29ms705us max-rtt=29ms768us
It seems quite strange that I'm getting no route to host, as the route persists in the route table. Wireguard clients also lose their IPv6 connectivity from HE. And the 4011 also becomes unavailable via HE 2001:470:xxxx::2.
Are there any v6 experts who can help me with this issue?
How do I make the 4011 accessible from both ISP and HE addresses, use the ISP as default for outgoing IPv6 connections, and force Wireguard clients to use HE only for outgoing/incoming connections?
Is it possible to use a /64 from the HE /48 to give real IPv6 addresses to Wireguard clients?
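The layout below is an added example, not configuration from the post or from MikroTik, showing one way to get the behaviour the post asks for: the router itself defaults via the ISP on ether1, WireGuard clients default via the HE tunnel, and the choice is made by source (interface or address) instead of by ECMP or route distance. It assumes RouterOS v7 command syntax (the `Columns:` output style in the post is v7), the routing table name `via_he` is chosen here, `<peer-public-key>` is a placeholder, and `2001:470:yyyy:1::/64` is a placeholder for one /64 out of the routed HE /48; all other interface names and addresses are the ones from the post.

```routeros
# Added example (not from the post). Assumes RouterOS v7 syntax; "via_he" is a
# table name chosen here; 2001:470:yyyy:1::/64 stands for one /64 out of the
# routed HE /48 and <peer-public-key> is a placeholder.

# 1. Main table: keep only the ISP default (the 2a00:xxxx::1 route from the
#    post). Take the HE default out of the main table entirely, so there is
#    no ECMP and no second-distance fallback deciding where traffic goes.
/ipv6/route
remove [find dst-address=2000::/3 gateway=2001:470:xxxx::1]

# 2. A separate routing table whose only default route is the HE tunnel.
/routing/table
add name=via_he fib
/ipv6/route
add dst-address=2000::/3 gateway=2001:470:xxxx::1 routing-table=via_he

# 3. Steer traffic into via_he by source:
#    - forwarded packets arriving from WireGuard clients
#    - the router's own packets sourced from the HE address (this also covers
#      replies to management sessions that came in over the tunnel, so the
#      router stays reachable on 2001:470:xxxx::2 while its default is ether1)
/ipv6/firewall/mangle
add chain=prerouting in-interface=wireguard1_srv action=mark-routing \
    new-routing-mark=via_he passthrough=no comment="WG clients -> HE"
add chain=output src-address=2001:470:xxxx::2/128 action=mark-routing \
    new-routing-mark=via_he passthrough=no comment="router traffic from HE addr -> HE"

# 4. Real addresses for WireGuard clients from the routed /48 instead of NAT66.
#    HE routes the /48 to the tunnel endpoint, so packets from this /64 need
#    no src-nat; the client configures the same /128 on its side.
/ipv6/address
add address=2001:470:yyyy:1::1/64 interface=wireguard1_srv advertise=no
/interface/wireguard/peers
add interface=wireguard1_srv public-key="<peer-public-key>" \
    allowed-address=fd2a:93ec:7070::10/128,2001:470:yyyy:1::10/128
# Disable the existing src-nat rule once every peer has an address from the /64
# (peers still on the fd2a ULA pool would need it).
/ipv6/firewall/nat
disable [find out-interface=6to4-tunnel1 action=src-nat]

# 5. Clients with global addresses are reachable from the Internet through the
#    tunnel, so admit only return traffic to them unless a service is intended.
/ipv6/firewall/filter
add chain=forward in-interface=6to4-tunnel1 dst-address=2001:470:yyyy:1::/64 \
    connection-state=established,related action=accept
add chain=forward in-interface=6to4-tunnel1 dst-address=2001:470:yyyy:1::/64 \
    action=drop
```

With this split, `ping 2a02:xxxx:0ff` from the router follows the main table via ether1, `ping 2a02:xxxx:0ff src-address=2001:470:xxxx::2` is marked in the output chain and follows via_he, and WireGuard client traffic is marked in prerouting and leaves through the tunnel regardless of which address the client uses. Step 5 is the part worth not skipping: the moment clients carry addresses from the /48, the NAT rule no longer hides them, and the forward chain is what decides whether they can be reached from outside.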