What am I doing wrong?
I got an IPv6 subnet from my ISP (/56) and cut it to /64 for the local net (bridge interface).
Also I have a /64 subnet from HE.net.
What I want to do:
push all IPv6 traffic to Russian subnets over the ISP network.
Unless you have provider-independent address space and an agreement with your provider that allows you to use it, you usually can’t send from IP addresses that aren’t assigned to you by your provider. The router needs to pick the route based on the source IP address chosen by the device. It can’t just pick a route based on the destination address. With IPv4, you would use NAT to emit the traffic with the IP address given to you by the ISP to which you’re sending the traffic. There’s no NAT with IPv6.
Hmmm, I mean that I have 2 subnets, from my provider (/56 routed network) and from the tunnel broker (he.net). Both work fine with devices under the MikroTik's bridge, but not at the same time (only one of them).
I'm planning to use both subnets together to manage traffic by country: the provider's subnet with its routing only for Russian IPv6 hosts, and everything else via the tunnel broker.
But there's one problem: I got a dynamic v6 pool from my provider and cannot use the IP pool as source.
If a host uses a source IPv6 address from the HE prefix, then your router must send that traffic through the HE tunnel, regardless of the destination address, because your ISP will almost certainly drop these packets.
If the host uses a source IPv6 address from the provider prefix, then your router must send these packets through the provider directly, also regardless of the destination address, because HE will drop this traffic.
The destination IPv6 address (geolocated in Russia or whatever) simply does not play into the routing decision, because neither the ISP nor HE will normally carry traffic that was sent from an IPv6 address assigned by the other. This is called ingress filtering and it’s used to prevent address spoofing.
What you’re doing is called multihoming with PA address space, in case you want to look up more information.
As I wrote before, with IPv4 you can do this because NAT changes the source address to the address which is assigned to the interface through which the packets are sent out. It doesn’t work with IPv6 because there is no NAT. The packets are sent out exactly how they arrive from the device, so the device’s choice of source IPv6 address for the connection determines the route the packets have to take. The router can’t choose the route independently of the source address.
Also, this is not a v7 Beta issue. It would not work with any other version or any other router. What you’re seeing is expected behaviour.
On 6.49beta54 I can make routing rules by destination address, but it only works if devices under the bridge get one of the IPv6 subnets (if only the broker's subnet is advertised).
tracert to google:
Трассировка маршрута к google.com [2a00:1450:4010:c1e::71]
с максимальным числом прыжков 30:
1 <1 мс <1 мс <1 мс 2001:***:***:224::1
2 * * * Превышен интервал ожидания для запроса.
3 58 ms 57 ms 98 ms e0-15.core2.ber1.he.net [2001:470:0:220::1]
4 79 ms 107 ms 62 ms e0-35.core2.ham1.he.net [2001:470:0:134::2]
5 63 ms 62 ms 61 ms ipv6.de-cix.ham.de.as15169.google.com [2001:7f8:3d::3b41:0:1]
6 62 ms 62 ms 62 ms 2001:4860:0:12e5::4
7 88 ms 88 ms 88 ms 2001:4860::c:4001:ebe
^C
Трассировка маршрута к mail.ru [2a00:1148:db00:0:b0b0::1]
с максимальным числом прыжков 30:
1 <1 мс <1 мс <1 мс 2001:***:***:224::1
2 * * * Превышен интервал ожидания для запроса.
3 59 ms 59 ms 59 ms 2a02:2168:0:1034::1
4 63 ms 63 ms 63 ms 2a02:2168:0:1023::111
5 52 ms 50 ms 50 ms mailru-2-bgw-1.msk.ip6.ncnet.ru [2a02:2168:0:1007::2]
6 ^C
As we can see, both traces have a different third hop. But LAN devices have only one subnet.
But the same configuration drops all IPv6 traceroute on the v7 beta.
In that case your ISP may not be doing ingress filtering. That is bad. (HE certainly filters.) You can send packets with alien source addresses through your ISP, but the return traffic to these addresses will still arrive through the HE tunnel, so you’ve created asymmetric routing. If the router does reverse path filtering, these packets could get caught in that. RP-filtering is an option in the IPv4 settings. There is no configurable option for IPv6. Put a logging rule matching ICMP packets in the IPv6 firewall prerouting chain of the raw table and see if any packets from the traceroute make it to the router. You could also try looking at the egress traffic with the packet sniffer and see if the router actually sends the packets.
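The source-based policy described in the reply above (traffic sourced from the HE prefix leaves via the tunnel, everything else via the provider's own default route) and the ICMPv6 logging check suggested here, written out as an added RouterOS v7 example that is not from the thread. Assumed names: `sit1` is the HE 6in4 tunnel, the provider's default route already sits in the `main` table (learned via DHCPv6-PD/RA, so the dynamic provider prefix never has to be matched), and `2001:db8:1:1::/64` stands in for the HE-assigned LAN /64 (placeholder, use your own).

```routeros
# Second routing table with its own FIB for traffic that must exit via HE.
/routing table add name=via-he fib

# Default route used only by that table: everything sourced from the HE
# prefix goes into the tunnel, regardless of destination.
/ipv6 route add dst-address=::/0 gateway=sit1 routing-table=via-he comment="HE default"

# Policy rule: match on SOURCE address only. Packets sourced from the HE
# /64 are looked up exclusively in via-he so they can never fall back to
# the ISP, which would drop them under ingress (BCP38) filtering.
# Provider-sourced packets match no rule and use main, i.e. the ISP.
/routing rule add src-address=2001:db8:1:1::/64 action=lookup-only-in-table table=via-he comment="HE-sourced -> tunnel"

# Diagnostic from the reply: log ICMPv6 in raw/prerouting to confirm the
# traceroute probes actually reach the router, then read /log print.
/ipv6 firewall raw add chain=prerouting protocol=icmpv6 action=log log-prefix="v6-icmp"
```

Note that destination-based (country) steering is deliberately absent: with PA space the host's choice of source address already fixes the uplink, so the only thing the router can still control is which prefix it advertises on the bridge.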