How to get IPv6 address over NAT friendly VPN?

RouterOS General
1

I’ve been using an L2TP client on my Mac to tunnel back home when I’m away from the house for some “road warrior” type of stuff, but it’s IPv4 only. How do I get an IPv6 address from the IPv6 prefix I’m allocated at home onto my remote Mac? I’m currently on an IPv4 only NAT at a hotel. This is how it’s set up:

/ppp profile
set *0 local-address=10.0.24.1 remote-address=vpn-pool
/interface l2tp-server server
set enabled=yes ipsec-secret=totallysecret use-ipsec=yes
/ip pool
add name=vpn-pool ranges=10.0.24.2-10.0.24.10

I noticed in the /ppp profile stuff there is an option called

use-ipv6=yes

and I don’t understand what it does.

It would be nice if I didn’t have to install something onto my Mac but I would if it is the right thing to do.

2

There are two even more interesting options in PPP profile:

  • dhcpv6-pd-pool - creates dynamic DHCPv6 PD server on client’s interface and assigns prefix from pool, if client asks for it
  • remote-ipv6-prefix-pool - takes prefix from pool and enables RA on client’s interface; client can get address using SLAAC

I did quick test with both and they work. But I have no idea what Mac supports (I used another RouterOS as client).

3

Thanks for the reply.

My question really is:

  1. How do I get an IPv6 address from my prefix delegation from home over a NAT friendly VPN without needing to do anything special on the Mac

or

  1. If I need to install something what is it? I’m guessing some OpenVPN client. This is a question to anyone.

You said:

“takes prefix from pool and enables RA on client’s interface; client can get address using SLAAC”

Is that RA on the client’s (really clent router’s) downstream interface then? I’m not doing anything like that with a laptop. If you’re thinking upstream interface maybe you mean neighbor discovery or router solicitation?

Anyway, doesn’t surprise me that MikroTik works with MikroTik, they have that pretty well figured out…

4

Ok with much messing around, I think I found something. Maybe. It pings stuff over IPv6. And then it stopped working after some time.

MikroTik router side:

/ipv6 address add interface=<l2tp-vpn> address=<ipv6 prefix>::1/64

Mac side:
sudo route add -inet6 default -interface ppp0
sudo ifconfig ppp0 inet6 ::2/64

Where is some available /64 I picked out of the /56 that my ISP gives me.

It seems like it’s not working right when it is working. There has to be a better way of doing this.

5

You mentioned L2TP, so I tested L2TP. On server (router), go in “/ppp profile” and focus on remote-ipv6-prefix-pool option. Give it a pool (possily set by DHCPv6 client on server, or static, depending on how you get it) with prefix-length set to 64 (default you’d use also for LAN). And when L2TP client connects, server will automatically start sending RAs on dynamic interface created for client. And it’s up to client (Mac) to accept it. I don’t have any Mac, so I can’t test this part, I just checked if server offers something.

6

Ok, thanks. That is getting somewhere but it doesn’t work.

The Mac never tries to autoconfig an address from the pool into the ppp0 interface. The configuration GUI does include the ability to configure IPv6 on the L2TP interface, and I have it set to “Automatic”. No attempts to get an address and I see no RA coming through in Wireshark. Also, if I choose “Manually” as the method to setup IPv6, it never applies a global address (that I’m getting from the prefix that is being set on the MikroTik) to the ppp0 interface.

Something is broken, probably on the Mac, and I’m kinda done trying to make it work. At least I know I can set it up manually (meaning CLI) and it somewhat works.

Suck.