IPv6 NAT T-Mobile Home Internet

I have T-Mobile Home Internet and one of their 5G gateways which I am trying to get working nicely with my RB4011, specifically with IPv6.

I am able to turn on the IPv6 DHCP client which pulls an address, and from there ping Google’s DNS, so there is connectivity.

T-Mobile Home Internet doesn’t support PD so I can’t pull a prefix from the DHCP client and use a pool internally.

What I have tried so far is setting up an internal IPv6 network, and then essentially NAT IPv6 traffic out, which I would expect behaves similarly to IPv4, sharing the same address.

However, although my devices get IPv6 IP addresses, IPv6 doesn’t work and is just dead.

I am wondering if anyone here has T-Mobile Home Internet and is using IPv6. Since T-Mobile Home Internet is really IPv6 based, it’s a necessity to maintain good performance.

With IPv6 latencies are anywhere from 17-22ms on average. Without it, latencies are more like 60-70ms on average, so quite a huge jump.

Would appreciate any help with this.

I upgraded to 7.1.3 today with hopes that I could get this working. I was on the most recent version of 6 earlier this morning but noticed there was no NAT available for IPv6.

Mobile/cellular carriers often only provide a single /64 and use the RFC7278 bodge. This is just about OK for a mobile with tethering, or a MiFi device with a single “LAN”, but useless if it is in (or connected to) a router which requires a /64 per interface. Support for prefix delegation was introduced into the 3GPP specifications, but it can take years for changes to be implemented by carriers.

The huge address space in IPv6 was supposed to do away with NAT, specifically the one-to-many network address and port translation (NAPT) which is ubiquitous in IPv4. There is a case for stateless one-to-one network prefix translation; I believe MikroTik added this in v7 but I can't find any documentation to see if it would be suitable.

I have the same setup and am running 7.2 of ROS. I haven’t found any way to do this without getting a PD from T-Mobile. I also have business accounts with them and they don’t provide PD for their business accounts either. :(

RouterOS now seems to support NAT “masquerade”, at least in the 7.3beta.
Maybe you can get it to work using that?

I have T-Mobile 5G Home Internet myself. The only way I’ve found so far is, as mentioned, to use fc00::/7 inside my network and set up NAT66 (/ipv6/firewall/nat).

My endpoints get a fc00::/64 address which NATs to the public IPv6 address (must configure DHCPv6 on the WAN interface connected to the T-Mobile router).

The only thing I’ve found so far is that fc00::/7 is treated as lower priority than IPv4 on Windows endpoints, so they will prefer IPv4 when it’s available. But ping -4 google.com and ping -6 google.com both work. Linux doesn’t seem to care and tries IPv6 first.

Can you expand on how you’ve set up the nat66 (/ipv6/firewall/nat) arrangement? I have the same situation – TMHI, their box grants an address (no PD); set up my own addressing – clients successfully get an IPV6 address, but without any internet access.

I tried setting up the IPV6 NAT rule similar to the ipv4 nat/masquerade settings, but wasn’t able to gain internet access over ipv6.

I have the same issue. I’ve set up an IPV6 DHCP server on ROS 7.2.3 with a pool = FD01::/56. I see all the devices getting an IPV6 address but they can’t get to the internet.

So now you all have to wait on each other and maybe one of you will experiment with the NAT features and post a working solution…

The IPV6 DHCP server doesn’t seem to do anything. I set up a private pool fc00::/56 and then assigned IP addresses to each VLAN. I also set up NAT rules similar to what we do on IPV4. I see the IPV6 routes created. I can ping the IPV6 gateway but that’s about where it all dies.

If I do prefix delegation from Spectrum I can get IPV6 to work. That’s probably because I’m getting publicly routable IP addresses from Spectrum.

aglabs: If you can post what you have working I can try some more experiments.

@nsaldanh You’ll want to use fd01::/64 with Advertise enabled as the address on the LAN side. Make sure your client devices get an address in fd01::/64 by SLAAC. Also make sure you get an IPv6 address on the WAN side and that the router is able to ping IPv6 addresses.

RB4011-IPV6.rsc (17.3 KB)
Here is my configuration. I tried using fd01::/64 for each of the VLANs. All PCs get an IPV6 address from the pool, but they can’t ping anything on the internet. I’d be very grateful for any help that someone much more knowledgeable about ROS 7 and IPV6 could provide.

Thanks!

I’d use managed-address-configuration=no and other-configuration=no for /ipv6 nd as you’re not running a DHCPv6 server. Not sure if that is sufficient to get things working, but I didn’t spot other errors.

Show us the IPv6 routing table (/ipv6 route print) on the router and on the PC (route print) while everything is active.

And don’t use all-zeros for the host part of the address, it is reserved. Use add address=::1/64 from-pool=private-pool interface=… or add eui-64=yes from-pool=private-pool interface=…

Thank you for all your suggestions. I am also running IPV4 in a dual wan configuration. ether1 goes to Spectrum and ether 2 goes to T-Mobile. Load balancing works under IPV4. I'm trying NAT to see if I can get dual wan loadbalancing to work under IPV6. I don't have the mangle rules for IPV6 as yet. I'll do that once I can actually connect to the internet using IPV6. If I just use prefix delegation from Spectrum, IPV6 will work as long as the Spectrum circuit is up and running.

I've changed what you suggested. Here is the output as requested:

[admin@MikroTik] > /ipv6 route print
Flags: D - DYNAMIC; I, A - ACTIVE; c, d, y - COPY; H - HW-OFFLOADED; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
      DST-ADDRESS               GATEWAY                               DISTANCE
DAd + ::/0                      fe80::26c:bcff:feb8:c819%ether1-WAN1  1
DAd + ::/0                      fe80::26c:bcff:feb8:c819%ether1-WAN1  1
DIdH  ::/0                      ::%ether2-WAN2                        1
DAd   2603:XXXX:XXXX:XXXX::/56                                        1
DAc   2603:XXXX:ff00:XX::/64    ether1-WAN1                           0
DAc   2607:XXXX:XX:d163::/64    ether2-WAN2                           0
DAc   fd01:0:0:4::/64           BR1                                   0
DAc   fd01:0:0:5::/64           MGMT_VLAN                             0
DAc   fd01:0:0:6::/64           VLAN_110                              0
DAc   fe80::%ether1-WAN1/64     ether1-WAN1                           0
DAc   fe80::%ether2-WAN2/64     ether2-WAN2                           0
DAc   fe80::%BR1/64             BR1                                   0
DAc   fe80::%VLAN_130/64        VLAN_130                              0
DAc   fe80::%MGMT_VLAN/64       MGMT_VLAN                             0
DAc   fe80::%VLAN_110/64        VLAN_110                              0
DAc   fe80::%VLAN_120/64        VLAN_120                              0
DAc   fe80::%cap8/64            cap8                                  0
DAc   fe80::%cap1/64            cap1                                  0
[admin@MikroTik] >


and on the Windows 11 PC:

IPv6 Route Table

Active Routes:
 If Metric Network Destination      Gateway
 20    291 ::/0                     fe80::764d:28ff:fed5:81bc
  1    331 ::1/128                  On-link
 20    291 fd01:0:0:1::/64          On-link
 20    291 fd01::1:5ca8:8b97:8561:380/128
                                    On-link
 20    291 fd01::1:708c:d761:e9bb:3b9f/128
                                    On-link
 20    291 fd01:0:0:5::/64          On-link
 20    291 fd01::5:5ca8:8b97:8561:380/128
                                    On-link
 20    291 fd01::5:708c:d761:e9bb:3b9f/128
                                    On-link
 20    291 fe80::/64                On-link
 20    291 fe80::708c:d761:e9bb:3b9f/128
                                    On-link
  1    331 ff00::/8                 On-link
 20    291 ff00::/8                 On-link

Persistent Routes:
  None

Update: I can now ping Google’s IPV6 address. I could not in the past. However, whatismyipaddress.com does not detect IPV6.

Also, test-ipv6.com gives me this message: Your browser has a real working IPV6 address but is avoiding using it.

It can be that this is due to earlier failures and it will try using it later (maybe after a restart).
The routing tables look OK. But as mentioned, it is better to put ::1 in the requested address fields (together with from pool).

If you are using Windows then IPv4 is favoured over IPv6 ULA:

C:\>netsh interface ipv6 show prefixpolicies
Querying active state...
Precedence  Label  Prefix
----------  -----  --------------------------------
        50      0  ::1/128        localhost
        40      1  ::/0           IPv6 (except for better matches)
        35      4  ::ffff:0:0/96  IPv4 mapped
        30      2  2002::/16      6to4 (deprecated)
         5      5  2001::/32      Teredo (deprecated)
         3     13  fc00::/7       ULA
         1     11  fec0::/10      site-local (deprecated)
         1     12  3ffe::/16      6bone (deprecated)
         1      3  ::/96          IPv4 compat

You can use netsh to temporarily or permanently change the precedence.
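
Why the Windows clients in this thread pick IPv4 while they only hold a ULA, shown as an added example that is not part of any post: it applies rules 5 and 6 of RFC 6724 destination address selection to the prefix policy table printed above. The destination and host addresses (2001:db8::/32, 192.0.2.1, 192.168.88.10, the ::10 hosts) are constructed samples, and the function names are hypothetical.

```python
import ipaddress

# Policy table copied from the netsh output above: (prefix, precedence, label).
POLICY = [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12), ("::/96", 1, 3),
]
TABLE = [(ipaddress.ip_network(p), prec, label) for p, prec, label in POLICY]


def as_v6(addr):
    """Parse an address; IPv4 is handled as IPv4-mapped IPv6, as RFC 6724 does."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address(f"::ffff:{ip}") if ip.version == 4 else ip


def policy(addr):
    """Longest-prefix match in the policy table, returns (precedence, label)."""
    ip = as_v6(addr)
    net, prec, label = max((r for r in TABLE if ip in r[0]),
                           key=lambda r: r[0].prefixlen)
    return prec, label


def prefer(candidates):
    """Sort (destination, source) pairs by rule 5 (source and destination
    labels match) and then rule 6 (higher destination precedence).
    The other RFC 6724 rules are not modelled here."""
    def key(pair):
        dst, src = pair
        d_prec, d_label = policy(dst)
        return (policy(src)[1] != d_label, -d_prec)
    return sorted(candidates, key=key)


# Constructed sample: a dual-stack site reached from a host with a ULA
# (fd01:0:0:5::/64 as in the thread) versus a host with a global address.
SITE_V6, SITE_V4, HOST_V4 = "2001:db8::1", "192.0.2.1", "192.168.88.10"
ULA_HOST = [(SITE_V6, "fd01:0:0:5::10"), (SITE_V4, HOST_V4)]
GUA_HOST = [(SITE_V6, "2001:db8:1::10"), (SITE_V4, HOST_V4)]

if __name__ == "__main__":
    print("ULA source    ->", prefer(ULA_HOST)[0][0])
    print("global source ->", prefer(GUA_HOST)[0][0])
```

NAT66 on the router does not change the outcome, because the host runs this selection against its own ULA source address before any translation happens.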