MikroTik Dual WAN Failover + IPv6 support only on wan1

Hello everyone.

I’m currently setting up my MikroTik with dual-WAN failover. It’s already working perfectly with IPv4, but there’s a problem with IPv6 support. WAN1 has both IPv4 and IPv6, while WAN2 only provides IPv4. Now I want the MikroTik to use both IPv4 and IPv6 when using WAN1, and only IPv4 when failing over to WAN2. Currently, I’m having the problem that WAN1’s IPv6 prefix is still being used, even on WAN2.

What script should I use to implement my plan? Any examples? I tried several, but none of them is working.

You can use routing rules for this: you define that when a source IP from your WAN1 prefix sends out data, it should be looked up in the routing table WAN1, so you prevent IPv6 from being sent out to WAN2.
But I'm asking myself how IPv6 can be used on a connection where only IPv4 is supported??
As there are no routes based on IPv6, how can WAN2 be used for IPv6?

Indeed. The question seems unclear. If WAN2 does not have Internet access via IPv6… It would be better to simply show your current configuration in a text file. So that at least something in your settings is more or less clear.

I’m going through a similar drama. My main link is via HFC and provides IPv4 and IPv6. When using HFC, the router expects the router will use a DHCP client. The DHCP client is assigned a /128 address and a /56 prefix delegation which is assigned to an address pool. The address pool is used to assign an address to the LAN interface.

The backup link is LTE. For IPv6, the LTE interface is assigned a /64 address. This address has to be accessible from the LAN. Running both modes on the router may be possible, but it’s going to get messy. My solution is to only have IPv6 via HFC and disable IPv6 on LTE.

When check-gateway detects failure of the primary IPv4 default route via HFC, the traffic will route via LTE. When this occurs, a script will disable the IPv6 address on the LAN interface. It’s crude but after 30 min or so all my devices recognise that there is no longer an IPv6 default route and revert to IPv4.

Anyway, that’s my theory. I’ve tested the various bits, it should work. What could go wrong :grinning_face:

Here are some of my IPv6 settings:

/ipv6/dhcp-client print detail
Flags: D - dynamic; X - disabled, I - invalid 
 0    interface=wan1 status=bound duid="0x00030001488f5ac99b68" dhcp-server-v6=fe80::3ea6:2fff:fea8:9a4 request=prefix 
      add-default-route=yes default-route-distance=1 default-route-tables=default check-gateway=ping use-peer-dns=yes 
      validate-server-duid=yes rapid-commit=no allow-reconfigure=no dhcp-options="" pool-name="MikroTik-DHCPv6-56" 
      pool-prefix-length=56 prefix-hint=::/0 prefix-address-lists="" dhcp-options="" prefix=2a02:8206:9014:eefc::/62, 1h49m25s
/ipv6/pool print detail
Flags: D - dynamic 
 0 D name="MikroTik-DHCPv6-56" prefix=2a02:8206:9014:eefc::/62 prefix-length=70 expires-after=1h44m16s
/ipv6/nd print detail
Flags: X - disabled, I - invalid; * - default 
 0 X* interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified 
      ra-lifetime=30m ra-preference=medium hop-limit=unspecified advertise-mac-address=yes advertise-dns=yes 
      managed-address-configuration=no other-configuration=no 

 1    interface=lan1-bridge ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified 
      retransmit-interval=unspecified ra-lifetime=30m ra-preference=medium hop-limit=unspecified advertise-mac-address=yes 
      advertise-dns=yes managed-address-configuration=no other-configuration=yes
/ipv6/address print detail
Flags: X - disabled, I - invalid; D - dynamic; G - global, L - link-local; S - slave; d - deprecated 
 0  D    address=::1/128 from-pool="" interface=lo actual-interface=lo eui-64=no advertise=no no-dad=no auto-link-local=yes 

 1  DL   address=fe80::4a8f:5aff:fec9:9b50/64 from-pool="" interface=lan1-bridge actual-interface=lan1-bridge eui-64=no advertise=no 
         no-dad=no auto-link-local=yes 

 2  DL   address=fe80::4a8f:5aff:fec9:9b68/64 from-pool="" interface=wan1 actual-interface=wan1 eui-64=no advertise=no no-dad=no 
         auto-link-local=yes 

 3  DL   address=fe80::4a8f:5aff:fec9:9b69/64 from-pool="" interface=wan2 actual-interface=wan2 eui-64=no advertise=no no-dad=no 
         auto-link-local=yes 

 4   G   address=2a02:8206:9014:eefc::/64 from-pool=MikroTik-DHCPv6-56 interface=lan1-bridge actual-interface=lan1-bridge eui-64=no 
         advertise=yes no-dad=no auto-link-local=yes
/ipv6/route print detail  
Flags: D - dynamic; X - disabled, I - inactive, A - active; 
c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, g - slaac, y - bgp-mpls-vpn; H - hw-offloaded; 
+ - ecmp 
   DAd   dst-address=::/0 routing-table=main gateway=fe80::3ea6:2fff:fea8:9a4%wan1 immediate-gw=fe80::3ea6:2fff:fea8:9a4%wan1 
         distance=1 scope=30 target-scope=10 vrf-interface=wan1 

   DAd   dst-address=2a02:8206:9014:eefc::/62 routing-table=main blackhole immediate-gw="" distance=1 scope=30 vrf-interface=wan1 

   DAc   dst-address=2a02:8206:9014:eefc::/64 routing-table=main gateway=lan1-bridge immediate-gw=lan1-bridge distance=0 scope=10 
         target-scope=5 

   DAc   dst-address=fe80::/64 routing-table=main gateway=lan1-bridge immediate-gw=lan1-bridge distance=0 scope=10 target-scope=5 

   DAc   dst-address=fe80::/64 routing-table=main gateway=wan1 immediate-gw=wan1 distance=0 scope=10 target-scope=5 

   DAc   dst-address=fe80::/64 routing-table=main gateway=wan2 immediate-gw=wan2 distance=0 scope=10 target-scope=5 

   DAc   dst-address=::1/128 routing-table=main gateway=lo immediate-gw=lo distance=0 scope=10 target-scope=5

To clarify: The ISP of wan1 provides an IPv4 and an IPv6 prefix. The ISP of wan2 (Vodafone LTE/5G) or the APN home.vodafone.de only supports IPv4 addresses. When wan1 (with a valid IPv6 prefix) fails over to wan2, this prefix continues to be used, and that’s the problem.

I will share the configuration here from time to time.

I've implemented this with a simple script in Netwatch, where “advertise=yes” on the corresponding device (e.g. bridge) is set to no when the link to ISP1 fails…
After a few seconds the prefix is invalid and will no longer be used.


@Ullinator Can you show me your Netwatch script? I’d like to test it out.

I’ll add some more details here. Here is my current IPv4 failover configuration:

/ip/route print detail
Flags: D - dynamic; X - disabled, I - inactive, A - active; 
c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - vpn, m - modem, y - bgp-mpls-vpn; H - hw-offloaded; 
+ - ecmp 
 0  As   ;;; wan2 (default-route + public DNS 1 check)
         dst-address=0.0.0.0/0 routing-table=main gateway=139.7.30.125 immediate-gw=192.168.188.1%wan2 check-gateway=ping distance=1 
         scope=30 target-scope=32 suppress-hw-offload=no 

 1   s   ;;; wan1 (default-route + local gateway check)
         dst-address=0.0.0.0/0 routing-table=main gateway=192.168.178.1 immediate-gw=192.168.178.1%wan1 check-gateway=ping 
         distance=3 scope=30 target-scope=10 suppress-hw-offload=no 

 2   s   ;;; wan2 (default-route + public DNS 2 check)
         dst-address=0.0.0.0/0 routing-table=main gateway=139.7.30.126 immediate-gw=192.168.188.1%wan2 check-gateway=ping distance=2 
         scope=30 target-scope=32 suppress-hw-offload=no 

   DAc   dst-address=192.168.0.0/24 routing-table=main gateway=lan1-bridge immediate-gw=lan1-bridge distance=0 scope=10 target-scope=>
         local-address=192.168.0.250%lan1-bridge 

   DAc   dst-address=192.168.178.0/24 routing-table=main gateway=wan1 immediate-gw=wan1 distance=0 scope=10 target-scope=5 
         local-address=192.168.178.250%wan1 

   DAc   dst-address=192.168.188.0/24 routing-table=main gateway=wan2 immediate-gw=wan2 distance=0 scope=10 target-scope=5 
         local-address=192.168.188.250%wan2 

 3  As   ;;; wan2 (static-route public DNS 1)
         dst-address=139.7.30.125/32 routing-table=main gateway=192.168.188.1 immediate-gw=192.168.188.1%wan2 distance=1 scope=30 
         target-scope=31 suppress-hw-offload=no 

 4  As   ;;; wan2 (static-route public DNS 2)
         dst-address=139.7.30.126/32 routing-table=main gateway=192.168.188.1 immediate-gw=192.168.188.1%wan2 distance=1 scope=30 
         target-scope=31 suppress-hw-offload=no

The wan1/wan2 links are active simultaneously; failover occurs either when the interfaces are physically offline or the configured DNS routes/servers (testing the internet connection) are unreachable. Therefore, I need a script that does the same with the IPv6 prefix. So, not just on a purely physical level, but also ensuring the accessibility of specific servers.

I hope you can understand roughly what I mean by that.

Here's my Netwatch job:

/tool netwatch
add comment=ISP1_check_IPv6 disabled=no down-script="ipv6 address set adve\
    rtise=no [ find where from-pool=\"Pool1-ISP1\" && interface=\"bridg\
    e\" ];\r\
    \nipv6 address set advertise=no [ find where from-pool=\"Pool1-ISP1\
    \" && interface=\"bridge-vlan99\" ]\r\
    \n" host=2001:4860:4860::8844 http-codes="" ignore-initial-down=yes \
    ignore-initial-up=yes interval=1m name=ISP1_check_ipv6 src-address=\
    <your-source-IPv6> start-delay=15s startup-delay=1m \
    test-script="" timeout=10s type=icmp up-script="ipv6 address set advertise\
    =yes [ find where from-pool=\"Pool1-ISP1\" && interface=\"bridge\" ]\r\
    \nipv6 address set advertise=yes [ find where from-pool=\"Pool1-ISP1\" && interface=\"bridge-vlan99\" ]\r\
    \n"

As I get dynamically changing prefixes from my ISPs, I have to adapt the source IP in the Netwatch tool after the prefix has changed. This is done with the following script, which is executed by the Scheduler:

/system script
add dont-require-permissions=yes name=Set-Netwatch-Source-IPv6-ISP1 owner=\
    admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    delay 2\r\
    \n# Set Netwatch source address\r\
    \n:global NWpool6 \"Pool1-ISP1\"\r\
    \n:global NWinterface6 \"bridge\"\r\
    \n:global NWip6\r\
    \n:global NWlastip6\r\
    \n:if ([ :typeof \$NWlastip6 ] = nil ) do={ :global NWip6 \"0\" }\r\
    \n:local int\r\
    \n    :foreach int in=[ /ipv6 address find interface=\$NWinterface6 glob\
    al ] do={\r\
    \n      :global testip [ /ipv6 address get \$int address ]\r\
    \n      :if (\$testip in \"fe80::/10\" || \$testip in \"fc00::/7\") do={\r\
    \n      } else={\r\
    \n        :global NWip6 \$testip\r\
    \n      }\r\
    \n  }\r\
    \n# Grab the current Global IP address on that interface from spec ip pool\
    .\r\
    \n:local NWip6 [ /ipv6 address get [ /ipv6 address find interface=\$NWinte\
    rface6 from-pool=\$NWpool6 ] address ]\r\
    \n:global NWprefix6 [ /ipv6/pool/used/get [ /ipv6/pool/used/find where p\
    ool=\$NWpool6 info=\$NWinterface6 ] prefix ]\r\
    \n:global NWip6 [ :pick \$NWip6 0 [ :find \$NWip6 \"/\" ] ];\r\
    \n:if ([ :typeof \$NWip6 ] = nil ) do={\r\
    \n   :log info (\"Netwatch Source IP6 : No ip address present on please \
    check.\")\r\
    \n} else={\r\
    \n  :log info (\"Netwatch Source IPv6:\" . \$NWip6)\r\
    \n  :if (\$NWip6 != \$NWlastip6) do={\r\
    \n     tool netwatch set src-address=\$NWip6 [find name=\"ISP1_check\
    _ipv6\"]\r\
    \n    :global NWlastip6 \$NWip6\r\
    \n    :log info \"Netwatch Source IPv6: UPDATE successfull!\"\r\
    \n    }\r\
    \n}\r\
    \n"

This script is called by the DHCPv6 client and, because the Netwatch task changes my interface prefix when enabling or disabling “advertise”, also via the Scheduler every 5 min:

/system scheduler
add interval=5m name=Set-Netwatch-Source-IPv6-ISP1 on-event=\
    Set-Netwatch-Source-IPv6-ISP1 policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup

That's all :slight_smile:


@Ullinator

Awesome, thanks a lot!
Since my MikroTik is also designed for an ISP1/ISP2 failover setup, I’m probably still thinking too much about how to reliably solve this.

I’m currently struggling with the conditions in Netwatch for when IPv6 should be enabled/disabled. My idea is to trigger the whole thing only via the default route of ISP1 (which currently also provides IPv6). So, for example, if the default route of ISP1 is active, IPv6 is also enabled, and vice versa. However, I haven’t found a way to implement this using a script yet.

Furthermore, there are two possible providers on WAN2/ISP2 that also support IPv6. This, in turn, wouldn’t be used with this setup – so, in general, I could set up WAN1/WAN2 with IPv6…?

Can anyone create another example configuration (for my case) or have a suggestion for how to implement this? I’m working with Mikrotik, but I’m still pretty new to this field…
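
Added example, not part of any post in this thread and not the posters' own code: one way to tie the IPv6 advertisement to the state of the wan1 IPv4 default route, as asked above. The interface name, pool name and route comment are taken from the output posted earlier and are assumptions about the target router; the log prefix ipv6-follow-wan1 is made up for this example.

```routeros
# Added example, not from the thread. The three names below are assumptions
# copied from the posted output; change them to match your router.
:local lanIf "lan1-bridge"
:local pool "MikroTik-DHCPv6-56"
:local wan1Comment "wan1 (default-route + local gateway check)"

# Find the wan1 IPv4 default route by its comment.
:local routeId [/ip route find where dst-address=0.0.0.0/0 comment=$wan1Comment]
:if ([:len $routeId] = 0) do={
    :log warning "ipv6-follow-wan1: wan1 default route not found, nothing changed"
    :error "wan1 default route not found"
}

# active is true only while this route is the one in use for 0.0.0.0/0,
# so this assumes wan1 is the preferred (lowest-distance) default route.
:local wan1Active [/ip route get ($routeId->0) active]

:if ($wan1Active) do={
    # wan1 carries the traffic: advertise the delegated prefix again.
    # Only addresses that are currently not advertised are touched.
    :foreach a in=[/ipv6 address find where interface=$lanIf from-pool=$pool advertise=no] do={
        /ipv6 address set $a advertise=yes
        :log info "ipv6-follow-wan1: wan1 active, advertising prefix on $lanIf"
    }
} else={
    # Failover to wan2 (IPv4 only): stop advertising the wan1 prefix.
    # Only addresses that are currently advertised are touched.
    :foreach a in=[/ipv6 address find where interface=$lanIf from-pool=$pool advertise=yes] do={
        /ipv6 address set $a advertise=no
        :log info "ipv6-follow-wan1: wan1 not active, prefix withdrawn on $lanIf"
    }
}
```

Saved under /system script and run from /system scheduler at a short interval, like the scheduler entry earlier in the thread, it changes the address only when the route state has actually flipped. In the route table posted above wan1 has distance=3 and the wan2 routes have distance=1 and 2, so wan1 would have to become the preferred route for its active flag to follow the link state.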