Mike,
Here’s what you need to do:
- Get a public GUA IPV6 /48 block from Hurricane electric. If you sign up for a free account they will give you a /48. Don’t use the tunnel though as you won’t be able to build a tunnel. T-Mobile’s CGNAT will block it. You are signing up just to get a /48 GUA. Don’t waste your time trying to get IPV6 to work with ULAs. Your computers will prefer IPV4 over ULA IPV6 and your browsers will keep picking IPV4 over IPV6 ULA. Many people say this works, but I could never get my browsers to pick the IPV6 ULA. There is a hack that you have to apply to every single computer to do it. I don’t know that it will work on a mobile device though when you use ULAs.
- Create a private pool on your RB5009 using the /48 GUA that you received from HE
- Assign a /64 to each of your VLANs. You say you don’t use VLANs so just assign a /64 to your bridge.
- Go to IPV6/Firewall/nat and build a rule where the source address is the block that you got from HE and out interface list = WAN.
I’ve had T-Mobile internet for 2+ years. It’s in a dual WAN config with Spectrum. It took me a while to get this to work.
Yes I’m using IPV6 NAT – and in general everybody recommends that you don’t do that. However when you only get a /64 you don’t have any good options. On my RB5009 ether1 goes to Spectrum and ether2 to the T-Mobile 5G router. T-Mobile’s 5G router only gets a /64 from T-Mobile. It doesn’t have any ability to do prefix delegation even if you do manage to get someone at T-Mobile who even understands what you are asking for when you ask for a /48 or /56. I have over 500 business internet lines with them and I still can’t get anyone on the wireless side to comprehend why I want a /48 or /56 at each site. Their entire network is designed to support a phone and any device connected to it. Their internet service behaves in the same way.
/ipv6 pool
add name=HE-Private-Pool prefix=<HE GUA prefix obtained in step 1>::/48 prefix-length=64
/ipv6 address
add disabled=no eui-64=no from-pool=Hurricane-Private-Pool interface=VLAN_110
do this for each VLAN. If you don’t use VLANS then assign it to your bridge.
/ipv6 dhcp-client
this statement gets you an IPV6 address on your uplink to T-Mobile’s 5G router.
add comment=“WAN2 connected to T-Mobile router” disabled=no interface=ether2-WAN2
pool-name=T-Mobile request=address
/ipv6 firewall nat
add action=masquerade chain=srcnat comment=
“IPV6 NAT when ether2 is connected directly to T-Mobile Router” out-interface-list=WAN
src-address=::/48
Good luck! Hopefully I’ve pointed you in the right direction. If you only have T-Mobile as your ISP and you only use ether1 as your WAN port then replace ether2 in the steps above with ether1.