IPv6 over L2TP IPSEC site-to-site not working

Hello all!

I have a problem with IPv6 over an L2TP/IPSEC tunnel between two HAP AC2 working on 6.47.4.

There are two sites: “home” and “dacha”. Both have public IPv4 and IPv6; at home it’s got from the ISP, at dacha it’s from HE via a 6to4 tunnel.

I’ve set up an L2TP/IPSEC tunnel between the sites; home works as the server and dacha is a client.
I’ve added IPv4 firewall and static routing rules to both sides and IPv4 works just fine.
Then I’ve decided to bypass IPv6 traffic via the L2TP/IPSEC tunnel, as ping and BW are much better through my tunnel than via the public internet, and here I’m stuck.
To allow IPv6 on the L2TP tunnel itself I’ve set “IPv6 = yes” in PPP profile on both sides. After that link-local addresses appeared on L2TP interfaces on both server and client, fe80::8/64 at home and fe80::d2/64 at dacha.
I’ve added rules to IPv6 firewall on both sides allowing both input and forward traffic coming from tunnel interface, also I’ve added rules to both input and forward to pass ICMPv6:
Home side:

/ipv6 firewall filter add action=accept chain=input limit=100,5:packet protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input in-interface=l2tp-dacha
/ipv6 firewall filter add action=accept chain=forward limit=100,5:packet protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward in-interface=l2tp-dacha
/ipv6 route add distance=1 dst-address=2001:470:xx:xx::/64 gateway=l2tp-dacha

Dacha side:

/ipv6 firewall filter add action=accept chain=input in-interface=l2tp-home
/ipv6 firewall filter add action=accept chain=input protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward out-interface=l2tp-home
/ipv6 route add distance=1 dst-address=2a02:2168:xx:xx::/56 gateway=l2tp-home

I’ve tried to ping far end of the tunnel using link-local address and it works fine:

[kostik@Hometik] > /ping fe80::d2 interface=l2tp-dacha
SEQ HOST SIZE TTL TIME STATUS
0 fe80::d2 56 64 4ms echo reply
1 fe80::d2 56 64 4ms echo reply
sent=2 received=2 packet-loss=0% min-rtt=4ms avg-rtt=4ms max-rtt=4ms

[kostik@Hometik] >

And then magic begins.
If I enable the route to the dacha IPv6 subnet via the L2TP tunnel, it doesn’t work. The packet sniffer on the home router shows that packets exit from home but they don’t appear at the other end.
But traffic from dacha passes the L2TP tunnel normally, so now I have to disable the route via the L2TP/IPSEC tunnel on the home side and enable such a route on the dacha side. Thus I have asymmetric routing: IPv6 traffic from home to dacha goes via the public internet and traffic from dacha to home goes through the L2TP/IPSEC tunnel.

What I’ve already tried:

  1. Disable all firewall rules on both sides
  2. Reduce MTU on L2TP interface from default to 1400
  3. Disable fast path in L2TP client interface
  4. Adding IPv6 remote prefix pool to PPP profile on server side
  5. Adding remote IPv6 prefix to PPP secret on server side

What am I missing?

Thank you!

Anyone?