Extending IPv6 to IPv4 branch offices

I have 3 locations, all running MikroTik routers. All 3 locations are connected via VPN, and the internal IPv4 (10.0.0.0/24, 10.0.1.0/24 and 10.0.2.0/24 respectively) routing is configured so everything in all 3 offices is accessible from the others.

We now have native IPv6 connectivity as well as IPv4 on our main location’s internet connection (and have a /48 of space allocated). The two branch locations, however, still only have IPv4 available from their providers. I have looked at just getting a tunnelbroker account from Hurricane Electric or someone for these two sites… but since I have the address space available I would like to instead try to do it internally and pass a /64 of the IPv6 space to each of the two branches.

With that said, I’m no MikroTik expert. I can get through a basic configuration and tack on a few bells and whistles, but I’m going to need some hints on a task like this… but hopefully increase my MikroTik knowledge in the process, so all in all not a bad deal.

Can anyone give me a few hints on the best way to set this up… and where to start? :)
Cheers,
Mike

It’s basically the same as with IPv4, you just route some subnets to other locations. What kind of VPN do you have?

The VPNs between the sites are L2TP/IPsec.

So you’re saying I would just route the IPv6 subnet to the IPv4 IP on the remote routers… LAN or WAN-side IP?

Would I not have to create a 6to4 tunnel or something first between the routers to carry the IPv6 over the IPv4 internet connections?

Cheers,
Mike

The MikroTik PPP implementation supports IPv6. It doesn’t assign a global unicast address to the L2TP interfaces. This makes it unusable for a road warrior capable IPv6 VPN but it can be used for your purposes I think.

So you can just enable use-ipv6 in the underlying PPP profile and you’ll be good to go. You can then statically assign a /64 to each location and add routes pointing to the appropriate interface or link local IPv6 address. Alternatively, you can delegate a /64 by creating a pool and assigning that as the remote prefix pool in the PPP profile. Might be able to do this under the PPP secret as well. I’m posting from my phone so I can’t verify that.

When you give your remote hosts IPv6, they’ll start to connect to IPv6-enabled websites, and that traffic will be tunneled to your home office. This may be detrimental if the current setup in IPv4 tunnels only office traffic home and dumps Internet out.

I never tried IPv6 with L2TP, but I did a (very) quick test and it seems to work fine.

If you have different client accounts for each branch, you can add a remote prefix like this:

/ppp secret
add <other params> remote-ipv6-prefix=2001:db8:1234:b1::/64

And that’s all you need to do on the server. When the user connects, the route will be added automatically.

On the client, assign the selected prefix to the LAN. I don’t know if there’s a way to do it dynamically, but static assignment should be ok for you. Then there’s the thing with the default gateway, already touched on by idlemind. The client’s option to add a default route is common for both IPv4 and IPv6. If you tunnel all IPv4 through the main office, then just keep it checked and that’s it. If not, i.e. you want different settings for IPv4 and IPv6 (you don’t really have a choice with IPv6, if you’re building a tunnel broker for yourself), then keep it unchecked and add the default route manually:

/ipv6 route
add gateway=<l2tp client interface>
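
The steps from the replies above, gathered into one RouterOS configuration. This is an added example, not part of any post in the thread: the profile, secret and interface names are assumptions, the prefixes are documentation addresses, and the forward-chain filter at the end goes beyond what the thread covers, assuming unsolicited connections arriving over the tunnel to branch hosts are not wanted.

```routeros
# Added example, not from the thread. Hypothetical names: PPP profile
# "branch-l2tp", secrets "branch1"/"branch2", client interface "l2tp-out1",
# LAN interface "bridge". Prefixes come from documentation space (2001:db8::/32).

# --- Main office (L2TP server) ---
/ppp profile
set [find name=branch-l2tp] use-ipv6=yes
/ppp secret
set [find name=branch1] remote-ipv6-prefix=2001:db8:1234:b1::/64
set [find name=branch2] remote-ipv6-prefix=2001:db8:1234:b2::/64
# When a branch connects, the server installs the route to its /64 by itself.

# --- Branch 1 (L2TP client) ---
/ppp profile
set [find name=branch-l2tp] use-ipv6=yes
# Static assignment of the branch /64 to the LAN, advertised to hosts via RA.
/ipv6 address
add address=2001:db8:1234:b1::1/64 interface=bridge advertise=yes
# Manual IPv6 default route through the tunnel ("add default route" unchecked).
/ipv6 route
add dst-address=::/0 gateway=l2tp-out1

# Branch hosts now hold globally routable addresses with no NAT in front of
# them, so filter what may be forwarded from the tunnel to the LAN.
# Assumption: only replies and ICMPv6 should reach LAN hosts over the tunnel.
/ipv6 firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward protocol=icmpv6 action=accept
add chain=forward in-interface=l2tp-out1 action=drop
```

The last drop rule also blocks IPv6 connections initiated from the main office towards branch hosts; add an accept rule for the main-office prefix above it if that access is needed.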

Thanks SOB & Idlemind, I’ll give that a try. Sounds simple enough that not even I should be able to screw it up :)