nostromog
Member Candidate
Topic Author
Posts: 226
Joined: Wed Jul 18, 2018 3:39 pm

IPv6 routing with several interfaces

Thu Dec 13, 2018 1:03 am

I have a router in one provider who didn't read RFC 6177 and thus assigns my MikroTik router 1 (YES, I said ONE) IPv6 in ether1, using DHCPv6. It also tells me gently to set up a default router to this interface. They also block protocol 41, because they don't want my life to be too easy.

To be able to deploy some IPv6 there I set up a 6to4 tunnel with IPsec to another of our offices (fortunately they don't block IPsec). I called it sit1 and set up the proper routes so that a /52 of one of my /48 from HE is assigned there.

Now, the problem is: Everything works well if I don't accept their "native" IPv6 default route. All the traffic goes through sit1, using the address I set up in bridge.

Now, if I add their native default IPv6 route, as the distance is smaller than to the tunnel, all traffic flows through ether1 where it is dumped into the bit bucket.

This is a general problem in the face of dual IPv6 providers... how is the problem of forwarding packets with src AAAA:AAAA::/N through an interface that routes only BBBB:BBBB/M typically approached in RouterOS?


Regards
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: IPv6 routing with several interfaces

Thu Dec 13, 2018 2:24 pm

Short answer: not.

Policy based routing is not implemented yet for IPv6. A todo...

Fix: don't accept default route from current provider....
 
nostromog
Member Candidate
Topic Author
Posts: 226
Joined: Wed Jul 18, 2018 3:39 pm

Re: IPv6 routing with several interfaces  [SOLVED]

Tue Feb 26, 2019 1:24 am

To solve (sort of) my own question, in case anyone finds it useful:

I revisited the issue in a more realistic case where I got two different /64 addresses in office routers:

* a nnaa:ttii:vvee:main::/64 comes from the native pool, and I use it as
/ipv6 address add address=::1 from-pool=wlan interface=bridge
It gets a dynamic default route, distance configured as 2.
* a pprr:eeff:iixx:vpn0::/64 is coming from a L2TP/IPsec VPN. I set up a /64 per user manually in the server through
/ppp secret remote-ipv6-prefix
I also add routes:
/ipv6 route
  add distance=3 gateway=myVPN
  add distance=2 dst-address=pprr:eeff:iixx::/48 gateway=myVPN
I have to do it this way; I'm not sure if there is a way to make a MikroTik client accept IPv6 from PPP, but I have not found it...

I was adding the address as:
/ipv6 address
  add address=pprr:eeff:iixx:vpn0::1/64 comment="VPN IPv6 address" interface=myVPN
WRONG! The stations doing autoconfiguration from the router were configuring addresses from the native prefix and there was a bad interaction when the stations tried to send something to the VPN network: the traffic was sent through the VPN with the native source addresses, which are not routable back and thus dropped at the other side.

Solution: don't assign the VPN address to the VPN interface, but to the LAN one:
/ipv6 address
  add address=pprr:eeff:iixx:vpn0::1/64 comment="VPN IPv6 address" interface=bridge
Doing it this way the stations will get IPv6 addresses with both prefixes, and all routing will magically work...

It is tricky to change my mindset from the IPv4 world to the IPv6 world, a lot of things are different.
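
Why the fix in the post above works, as an added example that is not part of the original post: a small Python model of the hosts' longest-matching-prefix source selection (RFC 6724 rule 8 only) against the router's destination-only route lookup. The 2001:db8 prefixes, the host addresses and the ROUTED_BACK table are constructed assumptions standing in for the thread's obfuscated values.

```python
import ipaddress

# Constructed documentation prefixes standing in for the thread's obfuscated ones.
NATIVE = ipaddress.ip_network("2001:db8:aaaa:1::/64")  # native pool /64 on bridge
VPN_48 = ipaddress.ip_network("2001:db8:bbbb::/48")    # /48 reachable through myVPN
# Router routes as in the post: (destination, gateway, distance).
ROUTES = [
    (ipaddress.ip_network("::/0"), "native", 2),
    (ipaddress.ip_network("::/0"), "myVPN", 3),
    (VPN_48, "myVPN", 2),
]
# Assumption: each upstream only routes replies back to its own prefix.
ROUTED_BACK = {"native": NATIVE, "myVPN": VPN_48}


def common_prefix_len(src, dst):
    """Leading bits shared by two addresses, capped at the /64 source prefix."""
    return min(128 - (int(src) ^ int(dst)).bit_length(), 64)


def pick_source(dst, candidates):
    """Host side, rule 8 only: candidate with the longest prefix match to dst."""
    dst = ipaddress.ip_address(dst)
    best = max(candidates,
               key=lambda s: common_prefix_len(ipaddress.ip_address(s), dst))
    return best


def pick_gateway(dst):
    """Router side: most specific destination match, then lowest distance."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in ROUTES if dst in r[0]]
    return min(hits, key=lambda r: (-r[0].prefixlen, r[2]))[1]


def survives(dst, candidates):
    """True if the upstream chosen by the router routes the chosen source back."""
    src = ipaddress.ip_address(pick_source(dst, candidates))
    return src in ROUTED_BACK[pick_gateway(dst)]


if __name__ == "__main__":
    both = ["2001:db8:aaaa:1::50", "2001:db8:bbbb:10::50"]  # constructed hosts
    for dst in ("2001:db8:bbbb:20::1", "2001:db8:a000::1", "2001:db8:b000::1"):
        print(dst, pick_source(dst, both), pick_gateway(dst), survives(dst, both))
```

The last destination is a case this model still drops: the host picks the VPN source for a destination that the router sends out the native default route.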
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: IPv6 routing with several interfaces

Tue Feb 26, 2019 3:57 am

Basically if you want to use IPv6 don't buy MikroTik. They've done little more than maintain their initial very basic set of features targeted mostly at service providers over the last several years. The comments from MikroTik seen on here make it seem that they think they can wait for an unannounced release of at least ROSv7 to even be capable of pinging an IPv6 hostname much less enabling services like VPN or functionality like policy based routing.

Rant satisfied.

If you are getting a default route from the provider and you want to accept it via DHCP you should be able to assign a custom administrative distance like you can do with IPv4. This would allow you to prefer the tunnel learned route. You will want a route to the tunnel endpoint to keep it up. I like GRE and it's capable of deploying v6 inside a v4 tunnel in addition to supporting multicast for routing protocols.
