I have installed a MikroTik Chateau 5G (Model: D53G-5HacD2HnD) and it runs with a Deutsche Telekom SIM card (Germany). This Internet connection works mainly with IPv6, so I would like to configure my MikroTik in a way that provides IPv6 to the connected clients and lets them access the Internet via IPv6. Currently, with the default configuration, the MikroTik does not provide an Internet connection via IPv6.
Under IPv6 Addresses I have the following:
DG | 2a01:598:xxxx:xxxx:xxxx:xxxx:fe00:0/64 | Interface: WAN (lte1)
DL | fe80::50:xxxx:xxxx:0/64 | Interface: WAN (lte1)
DL | fe80::de2c:xxxx:xxxx:ccaf/64 | Interface: LAN-Bridge
I am hiding part of the IPs by replacing real hex numbers with “xxxx” for obvious reasons.
I have the feeling that something is not properly configured, but I am not sure what should be changed or how the configuration should look, in order to get IPs from the same subnet as the WAN (lte1).
You need a /64 subnet for the WAN and each LAN; mobile/cellular carriers often only provide a single /64 and use the RFC 7278 bodge. This is just about OK for a mobile with tethering, or a MiFi device with a single “LAN”, but useless if it is in (or connected to) a router which requires a /64 per interface.
Support for prefix delegation (the mechanism often used for specifying additional routed subnets) was introduced into the 3GPP specifications, but it can take years for changes to be implemented by carriers. You might be able to use passthrough to use the single /64 on your main LAN, but IPv6 would not be available on any additional (e.g. guest) LANs, and it would need some hackery to pass through only the IPv6 and not the IPv4.
Thanks a lot for your answer. I understand that it is very difficult to use the static IPv6. I am OK to use a dynamic IPv4, which it looks like I have from the provider. What happens now is that the NAT records seem not to be working at all. In addition, not even the firewall rules are working, because even if I allow pings on the router itself, it is not pingable from outside! I will be more specific…
I have enabled the “cloud” option in my MikroTik, which is actually a DynDNS. This service is providing me a hostname “xxxxxxx.sn.mynetname.net”. Then I have made a CNAME record within the DNS zone on one of my domains (hq.mydomain.com) which points to the above hostname. Pinging the hostname I created shows me the same IP I see under “IP” > “Cloud” (DDNS). Unfortunately ping is not answering (even if I allow that from within the firewall), but at least I can see the IP that is answering. It is now strange that I see another IP under “IP” > “Addresses” for the WAN (lte1)…! But if I am checking from a computer in my LAN under https://whatismyipaddress.com, I am getting the one that I see under DDNS, or the one that my DNS record “hq.mydomain.com” has.
So theoretically everything is properly configured. But I still cannot ping the router or reach a virtual machine in my LAN. None of the NAT rules except the masquerade seem to be working.
Would you be so kind as to provide me with some help with this issue, please?
Likely carrier-grade NAT (CGNAT) between the public IP address and the one assigned to your WAN connection. As with regular NAT, this allows the carrier to provide access to several clients sharing a single public IP address. Your local WAN address will likely be in the range 100.64.0.0-100.127.255.255 (or, less likely, 10.x.x.x, 172.16.0.0-172.31.255.255, or 192.168.x.x). If this is the case, inbound access is not possible.
Some carriers do have an APN providing a public IP address directly; this is becoming less common with the scarcity of IPv4 addresses.
You are absolutely right! I am getting a local IP and I am having a NATed connection. I can do things from here to the outside world, but nothing from outside to here…! I am trying to figure that out with my provider (Deutsche Telekom), but I have the feeling that it will be a dead-end. I don’t think that they will just offer another APN so easily.
Would you be so kind as to advise me how I could set up a VPN with the datacenters? IPsec is not working anymore. Is there another way to re-establish these connections with a site-to-site VPN? Could another protocol help me in this case? Maybe OpenVPN…?
WireGuard runs directly on RouterOS since ROS7.
No additional equipment needed.
You only need 1 endpoint with a normal IP (not CGNAT).
It can be dynamic, in which case you can use any dynamic name service like the one available on your device in IP/Cloud, or a fixed IP.
As said, I use it to connect my SXT in France to my home Hex in Belgium.
Nothing in between.
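An added RouterOS 7 example of that layout (not the poster's own configuration): site A has a normal, non-CGNAT address and only listens; the Chateau behind CGNAT (site B) is the only side with an endpoint configured, and its persistent-keepalive is what initiates the handshake and then keeps the carrier's NAT mapping open. The 10.255.255.1/10.255.255.2 pair are the tunnel's own addresses; the key strings, the hub address 203.0.113.10 and the LAN prefixes 192.168.88.0/24 and 192.168.10.0/24 are placeholders.

```routeros
# --- Site A: hub with a public, non-CGNAT address (203.0.113.10, placeholder) ---
# Omit private-key to let RouterOS generate one; read the matching public key
# from "/interface/wireguard print" and paste it into the other side's peer entry.
/interface/wireguard add name=wg0 listen-port=13231 private-key="<SITE_A_PRIVATE_KEY>"
/ip/address add address=10.255.255.1/30 interface=wg0
# Only the hub needs an inbound rule; restrict it to the single WireGuard UDP port.
/ip/firewall/filter add chain=input protocol=udp dst-port=13231 action=accept \
    comment="wg0 handshake" place-before=0
# No endpoint-address here: the CGNAT side calls us, so its address is learned from the handshake.
/interface/wireguard/peers add interface=wg0 public-key="<SITE_B_PUBLIC_KEY>" \
    allowed-address=10.255.255.2/32,192.168.10.0/24 comment="site B behind CGNAT"
/ip/route add dst-address=192.168.10.0/24 gateway=wg0

# --- Site B: the Chateau behind CGNAT ---
/interface/wireguard add name=wg0 listen-port=13231 private-key="<SITE_B_PRIVATE_KEY>"
/ip/address add address=10.255.255.2/30 interface=wg0
# endpoint-address may be the hub's fixed IP or its IP/Cloud DDNS name.
# persistent-keepalive is what "triggers" the tunnel and keeps the CGNAT mapping alive.
/interface/wireguard/peers add interface=wg0 public-key="<SITE_A_PUBLIC_KEY>" \
    endpoint-address=203.0.113.10 endpoint-port=13231 \
    allowed-address=10.255.255.1/32,192.168.88.0/24 persistent-keepalive=25s
/ip/route add dst-address=192.168.88.0/24 gateway=wg0

# Verify on either side: last-handshake should be recent and rx/tx counters should grow.
/interface/wireguard/peers print
/ping 10.255.255.1
```

If the handshake never completes, the usual culprits are a mismatched public key, the hub's input rule sitting below a drop rule, or the keepalive missing on the CGNAT side.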
I did the configuration according to the guide you provided, but unfortunately I don’t see any traffic or even a connection between the two routers. I am confused, because the configuration on both sides requires the public IP (or hostname) of the other, but as I said, one side is CGNAT. So even if I provide the hostname, there is no backwards communication, unless the connection is established.
In addition I am confused how and where the IPs 10.255.255.1 & 10.255.255.2 are used. I have followed the steps, but I see no connection here. What can trigger the connection?
Would you be so kind as to help me a little bit more with the configuration?
Apologies for late reply.
Can you provide an export of both devices: /export hide-sensitive file=anynameyouwish
Review contents of those files so no public info is contained, then post both separately between CODE quotes.
No worries at all. I managed to make it work. The only problem is when I am trying to make an IPsec tunnel from this 5G (without a static public IP) to another location which also has a dynamic IP. There I cannot make it work.
Finally I got my answer from the provider. They provided me APN settings which give me Internet access, not NATed. This helped a lot, as the port forwarding (NAT rules) worked like a charm, immediately after the configuration.
Here are the settings they provided:
APN: internet.t-d1.de
Username: telekom
Password: telekom
Authentication: PAP
PDP type: IPv4
@apitsos: Somehow your thread drifted from “how do I propagate the IPv6 prefix given by the ISP down to my LAN clients?” to “I am happy now with my public IPv4 address” …
Since I am still fiddling with the former issue, have you successfully implemented this meanwhile?
Annoyingly, all German mobile operators seem to block sessions initiated from outside on their IPv6 subnets. Given that Deutsche Telekom indeed provides unfirewalled access through their old APN via IPv4, it is especially stupid then to firewall the shit out of it when it comes to IPv6, effectively and reliably rendering it almost useless.