IPv6 Advice

troykelly · March 22, 2016, 6:37am

It would seem that Mikrotik is the wrong choice for IPv6 - but before replacing a whole bunch of routers - I thought I would check.

Is there a VPN client on RouterOS that support IPv6? From my own testing:

OpenVPN IP - No
OpenVPN Ethernet - No
SSTP - No
L2TP - No
L2TP/IPSec - No

We are moving parts of our network to v6 and need to route it within our network. I’ve wasted a little over a week trying to get it working with RouterOS - and it would seem that the Mikrotik contributors in this forum clearly don’t want to support IPv6.

If I’m wrong about the above - would love some pointers on getting it working, if I’m right - could somebody suggest alternate hardware that is similar to CCR’s that does support IPv6 ?

barkas · March 22, 2016, 6:58am

Most of those using bcp should be able to transport v6.

mrz · March 22, 2016, 8:18am

If you are talking about transporting ipv6 over the ipv4 tunnel then it is supported (except ovpn in IP mode).

pe1chl · March 22, 2016, 8:35am

You are talking about adding IPv6 to your network and having problems with routing, but you also refer to VPN.
Maybe you can explain a bit better what your requirements are.
I have no problem routing IPv6 on MikroTik, and of course some applications for a VPN do not really apply to
IPv6 so it needs a bit of clarification.

troykelly · March 22, 2016, 11:35pm

We have a VPN server - it was SoftEther, but RouterOS doesn’t support that - we we are trying pure OpenVPN, which it appears that RouterOS doesn’t support either (for ethernet bridging).

Remote sites use local connectivity - DSL, some fixed wireless, one fibre. Their traffic is all tunneled to a server and then to the Internet. Most of the sites are in Co-Working spaces who provide good Internet - but there are some double NAT issues at some sites and security concerns at others - and not a single one with IPv6.

I thought the solution was fairly simple, CCR at each site - VPN in to a local server (typically only 5 to 10ms away) and then out to the big bad Internet.

We need to tunnel IPv6 to the sites, so that we can ensure the platform works properly with IPv6 devices - but I can’t seem to see any support for IPv6 inside of tunnels on RouterOS. I’ve spent the last 12 or so hours trying to use an OpenVPN ethernet bridge - but it for some reason terminates straight away because it doesn’t get an IP assigned (watching tcpdump shows it’s not even asking for one - so of course it won’t get one).

I’d really love a suggestion for getting a working IPv6 and IPv4 network tunneled our to remote sites with RouterOS / Mikrotik hardware.

Sob · March 23, 2016, 2:39am

You may want to share your configs…

Because if I do this on server side (Debian):

local <server ip>
port 1194
proto tcp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
server-ipv6 2001:db8:1234::/64
keepalive 10 120
persist-key
persist-tun

And this on client side (CHR 6.35rc33):

/interface ovpn-client
add certificate=<client.crt> connect-to=<server ip> mode=ethernet name=ovpn-out1 user=test

This is what server says about it:

Wed Mar 23 03:24:03 2016 TCP connection established with [AF_INET]<client ip>:39857
Wed Mar 23 03:24:04 2016 <client ip>:39857 [Test-Client] Peer Connection Initiated with [AF_INET]<client ip>:39857
Wed Mar 23 03:24:04 2016 Test-Client/<client ip>:39857 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=2001:db8:1234::1000
Wed Mar 23 03:24:04 2016 Test-Client/<client ip>:39857 send_push_reply(): safe_cap=940

Test from server:

# ping -c 1 10.8.0.2
PING 10.8.0.2 (10.8.0.2) 56(84) bytes of data.
64 bytes from 10.8.0.2: icmp_seq=1 ttl=64 time=1.73 ms

--- 10.8.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.738/1.738/1.738/0.000 ms

Hooray, working OpenVPN in ethernet mode. With IPv6 there’s less joy, because RouterOS ignores IPv6 address provided by server-ipv6 option:

# ping6 -c 1 2001:db8:1234::1000
PING 2001:db8:1234::1000(2001:db8:1234::1000) 56 data bytes
From 2001:db8:1234::1 icmp_seq=1 Destination unreachable: Address unreachable

--- 2001:db8:1234::1000 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

But add it manually (or any other address from that subnet):

/ipv6 address add address=2001:db8:1234::1000 interface=ovpn-out1

And voila:

# ping6 -c 1 2001:db8:1234::1000
PING 2001:db8:1234::1000(2001:db8:1234::1000) 56 data bytes
64 bytes from 2001:db8:1234::1000: icmp_seq=1 ttl=64 time=5.45 ms

--- 2001:db8:1234::1000 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 5.457/5.457/5.457/0.000 ms

Take it as a quick demo showing that it’s not completely broken and can work.

pe1chl · March 23, 2016, 8:35am

I agree with that, it should work with OpenVPN in ethernet mode.
I referred to plain IPv6 routing, which works fine for me. I did not try an IPv6-over-IPv4 VPN that you seem to
require, but I would expect it to work in IPsec. Apparently is does not accept IPv6 policies, though.