VPN from Dual-Stack Lite client

Hello,

I have a MikroTik with a public IPv4 address, and a few people who can make a VPN connection to it.
Now some of them got a new modem from the ISP with Dual-Stack Lite. Since then, VPN isn't working any more for them.

Is there anything I can do to make VPN possible for these Dual-Stack Lite clients? (A specific VPN protocol / getting an IPv6 address for my MT / something else.)

I think the road warrior VPN types for Mikrotik don’t support IPv6 yet (at least the dial-out options don’t allow you to specify an IPv6 remote host).

In any case, the client should still be using IPv4 to connect with you because your server’s address is IPv4, and the presence of IPv6 shouldn’t affect that.
More than likely, the new modem has some setting in the IPv4 side of it that’s interfering with your client’s connection attempts.

> I think the road warrior VPN types for Mikrotik don’t support IPv6 yet (at least the dial-out options don’t allow you to specify an IPv6 remote host).

That's good to know.

> In any case, the client should still be using IPv4 to connect with you because your server’s address is IPv4, and the presence of IPv6 shouldn’t affect that.
> More than likely, the new modem has some setting in the IPv4 side of it that’s interfering with your client’s connection attempts.

The clients (Windows) get a public IPv6 address from the new modem. Might this be the problem?

Not really. If you speak two languages, does that interfere with your ability to speak in either of them?

A dual-stack client could only be confused if it is attempting to connect to a remote host by name, and the name contains both IPv4 and IPv6 address information in DNS.
In this case, the client can choose whether it wants to use IPv4 or IPv6 to make the connection.
(The RFC known as “Happy Eyeballs” states that such clients should actually attempt both at the same time and then use whichever one answers faster)

Anyway, if your user’s VPN connection specifies an IPv4 address literal (not a hostname) then the client has no choice but to use IPv4 to make the connection, so IPv6 is irrelevant at this point.

So unless your clients are configured to connect to “myvpn.example.com” and this name has an AAAA record in DNS, I don’t think the existence of IPv6 is the actual root cause.
You can verify this by having the user go into their network profile and disabling IPv6 on their connection (un-check the protocol) and testing again. Almost certainly this will not fix the problem.
(If it does, then I can say that I’m stumped)

More likely is that this is a new router, and its IPv4 capabilities / settings may be configured differently in a way that actually causes the VPN connection to fail.
(NAT type, state tracking, etc. - I even found that older Adtran routers simply refuse to forward protocol 47 - GRE - whenever their firewall was enabled. You couldn’t even explicitly allow protocol 47. It would just fail)

> Not really. If you speak two languages, does that interfere with your ability to speak in either of them?

Yeah, that's why I assumed it should work. But it doesn't.

> A dual-stack client could only be confused if it is attempting to connect to a remote host by name, and the name contains both IPv4 and IPv6 address information in DNS.

DNS is used, but it only has A records, so it can't resolve to an IPv6 address.
It would be real black magic if the IP somehow got converted to IPv6 on the way.

> More likely is that this is a new router, and its IPv4 capabilities / settings may be configured differently in a way that actually causes the VPN connection to fail.
> (NAT type, state tracking, etc. - I even found that older Adtran routers simply refuse to forward protocol 47 - GRE - whenever their firewall was enabled. You couldn’t even explicitly allow protocol 47. It would just fail)

The ISP does offer to change the user back to IPv4 (I don't know for how long this will still be possible), and I can confirm that this works. The modem is still the same. So unless the change also affects certain firewall rules in the modem (that would be strange), I don't think that this is the problem.

There is actually a black-magic voodoo DNS thing called DNS64 where, if the client requests an AAAA record for a host that does not have one, the server will reply with a specially-crafted IPv6 address which routes to a box that will translate IPv6 to IPv4 via NAT. You should try getting that user to do this:

On a command prompt:
nslookup [enter]
set type=aaaa [enter]
your.vpn.hostname [enter]
exit

If it returns Address:IPv6-address, then their site offers DNS64+NAT64 service. In theory, this should work anyway, but it’s possible that might be behind the issue.
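The script below is an added example (editor's code, not from either poster) that automates the nslookup check above and the earlier point about a dual-stack client choosing between A and AAAA answers. It decides offline, from constructed DNS answers, whether an AAAA record is native or DNS64-synthesised: per RFC 6052 a /96 NAT64 prefix carries the original IPv4 address in its last 32 bits, and per RFC 7050 an AAAA answer for ipv4only.arpa (which only has the A records 192.0.0.170 and 192.0.0.171) reveals the resolver's NAT64 prefix. The hostname vpn.example.net and all addresses are assumptions for the demo; only the well-known prefix 64:ff9b::/96 and /96-style network-specific prefixes are handled. One caveat worth knowing if the check comes back positive: stateful NAT64 (RFC 6146) translates TCP, UDP and ICMP only, so a client that picks the synthesised AAAA would lose anything carried over a raw IP protocol such as GRE or ESP.

```python
import ipaddress
import socket

# RFC 6052 well-known NAT64/DNS64 prefix. ISPs may use a network-specific
# prefix instead, which discover_nat64_prefix() below can recover.
WELL_KNOWN_NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# RFC 7050: ipv4only.arpa has exactly these two A records and no AAAA, so any
# AAAA answer for it must have been synthesised by a DNS64 resolver.
IPV4ONLY_ARPA = (ipaddress.IPv4Address("192.0.0.170"),
                 ipaddress.IPv4Address("192.0.0.171"))


def embedded_ipv4(aaaa, prefix=WELL_KNOWN_NAT64_PREFIX):
    """Return the IPv4 address embedded in a /96 NAT64 address, else None."""
    addr = ipaddress.IPv6Address(aaaa)
    if addr not in prefix:
        return None
    # With a /96 prefix the IPv4 address is the low 32 bits (RFC 6052 s.2.2).
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def discover_nat64_prefix(ipv4only_arpa_aaaa):
    """RFC 7050: derive the resolver's /96 NAT64 prefix from a synthesised
    AAAA answer for ipv4only.arpa. Returns None for the other RFC 6052
    layouts (/32 .. /64), which this example does not handle."""
    packed = ipaddress.IPv6Address(ipv4only_arpa_aaaa).packed
    for wka in IPV4ONLY_ARPA:
        if packed.find(wka.packed) == 12:
            prefix_int = int.from_bytes(packed[:12] + b"\x00" * 4, "big")
            return ipaddress.IPv6Network((prefix_int, 96))
    return None


def classify_vpn_host(a_records, aaaa_records, prefix=WELL_KNOWN_NAT64_PREFIX):
    """Classify what a dual-stack client sees for the VPN hostname:
    'ipv4-only'         -> no AAAA, the client must use IPv4
    'dns64-synthesised' -> an AAAA that just embeds one of the A records
    'native-ipv6'       -> a genuine AAAA record"""
    a_set = {ipaddress.IPv4Address(a) for a in a_records}
    if not aaaa_records:
        return "ipv4-only"
    for aaaa in aaaa_records:
        v4 = embedded_ipv4(aaaa, prefix)
        if v4 is not None and v4 in a_set:
            return "dns64-synthesised"
    return "native-ipv6"


def lookup(hostname):
    """Live equivalent of the nslookup steps in the post (needs network and
    the client's own resolver, since that is where DNS64 would happen)."""
    a = sorted({r[4][0] for r in socket.getaddrinfo(hostname, None, socket.AF_INET)})
    try:
        aaaa = sorted({r[4][0] for r in socket.getaddrinfo(hostname, None, socket.AF_INET6)})
    except socket.gaierror:
        aaaa = []
    return a, aaaa


if __name__ == "__main__":
    # Constructed answers (documentation addresses, not real records).
    a_recs = ["203.0.113.10"]
    print(classify_vpn_host(a_recs, []))                      # ipv4-only
    print(classify_vpn_host(a_recs, ["64:ff9b::cb00:710a"]))  # dns64-synthesised
    # A network-specific prefix, learnt from ipv4only.arpa first:
    pfx = discover_nat64_prefix("2001:db8:64::c000:aa")
    print(pfx)                                                # 2001:db8:64::/96
    print(classify_vpn_host(a_recs, ["2001:db8:64::cb00:710a"], pfx))
    # Uncomment on a client behind the new modem to run the real check:
    # print(lookup("vpn.example.net"))
```

To run the real check from a client behind the new modem, call `lookup()` with the VPN hostname and feed the two lists into `classify_vpn_host()`; if `discover_nat64_prefix(lookup("ipv4only.arpa")[1][0])` returns a prefix, pass that prefix as the third argument as well, because an ISP's DNS64 need not use the well-known one.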

Thanks! I will try that.