en1gm4
Member Candidate
Topic Author
Posts: 121
Joined: Sun Oct 02, 2016 6:27 pm
Location: UK

correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation

Fri Dec 08, 2023 5:46 pm

Has anyone set up a /48 from hurricane electric (tunnelbroker) and delegated /64's to different interfaces/subnets/vlans?
Now that I have ipv6 /64 working on a vlan I realised that to separate my guest and iot I will need ipv6 subnets

I've been looking around and there seems to be a lot of varying advice mostly using DHCPv6 and dynamic prefixes from ISPs
In the case of HE the prefix is static and not DHCP .. and requires a sit tunnel set up that uses its own /64 for the tunnel endpoints (amazing - 1.8x10^19 addresses used for 2 ;) )

I'm hoping this is an easy setup and someone has experience to share. The HE site only shows how to set up a basic /64
Ideally I would like to choose my ipv6 subnet address ranges to match my v4 /vlan numbers if that is a possibility
thanks in advance
 
accarda
Member Candidate
Posts: 207
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation  [SOLVED]

Sat Dec 09, 2023 1:47 pm

I have set up the same at my end and it's nothing different than setting any other address allocation that you receive on that sit interface.
Once you have your setup ready based on the remote IP as provided by HE and you have set the default route via the HE remote end, then you just need to set up your addresses in your router to define your subnets as needed.
All those from the /48 are routed to your router directly by HE, so you can just set them up and use them.
Firewall and other things you can do as usual based on your needs.

So if you had 2001:470:xxxx::/48 then you can start defining your internal interfaces and assign to each of them the 2001:470:xxxx:yyyy::1/64 and so on for as many subnets as you want to set.
Just as an example, here is one of my VLAN interfaces:
/ipv6/address
add address=2001:470:xxxx:7::1 comment="VLAN7 subnet" interface=vlan-home

/ipv6/nd
add interface=vlan-home reachable-time=5m
 
tdw
Forum Guru
Posts: 1838
Joined: Sat May 05, 2018 11:55 am

Re: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation

Sat Dec 09, 2023 3:19 pm

And remember to add unreachable or blackhole routes to any routed subnets so packets to any unused portions don't bounce back and forth between you and HE until the TTL expires. From a previous setup before getting native IPv6:
/ipv6 route
add distance=1 dst-address=2000::/3 gateway=2001:470:xxxC:xxxx::1
# this is the original routed /64 which is no longer being used
add distance=1 dst-address=2001:470:xxxD:xxxx::/64 type=unreachable
# this is the additional routed /48
add distance=1 dst-address=2001:470:yyyy::/48 type=unreachable
 
en1gm4
Member Candidate
Topic Author
Posts: 121
Joined: Sun Oct 02, 2016 6:27 pm
Location: UK

Re: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation

Sun Dec 10, 2023 4:09 pm

many thanks @tdw
nice to see it is relatively straightforward. I'm looking forward to making the next ipv6 step (one day when my isp supports it I'll be ready ;) )

I've added the address to my interface but cannot add the type= argument on 7.12.1
it looks like blackhole is the only option now? viewtopic.php?t=182705
 
tdw
Forum Guru
Posts: 1838
Joined: Sat May 05, 2018 11:55 am

Re: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation

Sun Dec 10, 2023 5:01 pm

blackhole would be acceptable - any traffic to unallocated subnets would just be dropped. Otherwise adapting the IPv4 workaround as discussed in a related thread viewtopic.php?p=853939#p853939 would be needed to return unreachable.
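
Added example, not part of any post in this thread: a Python illustration of the numbering plan the topic author asks about (fourth hextet written like the decimal VLAN ID) combined with the covering /48 blackhole discussed above, showing by longest-prefix match which destinations stay on a connected /64 and which are dropped instead of bouncing back to HE. The 2001:db8:1234::/48 prefix, interface names and VLAN IDs are constructed, and the `blackhole` route flag is assumed RouterOS 7 syntax to check on your version.

```python
import ipaddress

def vlan_subnet(prefix48, vlan_id):
    """Return the /64 whose 4th hextet reads like the decimal VLAN ID."""
    net = ipaddress.IPv6Network(prefix48)
    if net.prefixlen != 48:
        raise ValueError("expected a /48")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    # Decimal digits are valid hex digits, so read the VLAN ID as hex:
    # VLAN 20 -> 0x0020. IDs up to 4094 still fit the 16-bit subnet field.
    subnet_id = int(str(vlan_id), 16)
    return ipaddress.IPv6Network((int(net.network_address) | (subnet_id << 64), 64))

def route_for(dst, connected, prefix48):
    """Longest-prefix match: connected /64s, then the /48 blackhole, then default."""
    addr = ipaddress.IPv6Address(dst)
    for name, net in connected.items():
        if addr in net:
            return "connected:" + name
    if addr in ipaddress.IPv6Network(prefix48):
        return "blackhole"  # unused part of the /48: dropped locally, no loop
    return "default via tunnel"

def routeros_commands(prefix48, vlans):
    """Address lines in the syntax used in the thread, plus the /48 blackhole."""
    lines = ["/ipv6 address"]
    for name, vid in vlans.items():
        sub = vlan_subnet(prefix48, vid)
        lines.append(f"add address={sub.network_address + 1}/64 interface={name}")
    # Assumed RouterOS 7 form of the blackhole route; verify on your version.
    lines += ["/ipv6 route", f"add dst-address={prefix48} blackhole"]
    return lines

# Constructed sample values: documentation prefix, made-up interface names.
PREFIX = "2001:db8:1234::/48"
VLANS = {"vlan-home": 7, "vlan-guest": 20, "vlan-iot": 30}

if __name__ == "__main__":
    print("\n".join(routeros_commands(PREFIX, VLANS)))
    connected = {n: vlan_subnet(PREFIX, v) for n, v in VLANS.items()}
    for dst in ("2001:db8:1234:20::abcd", "2001:db8:1234:99::1", "2001:db8:ffff::1"):
        print(dst, "->", route_for(dst, connected, PREFIX))
```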
 
en1gm4
Member Candidate
Topic Author
Posts: 121
Joined: Sun Oct 02, 2016 6:27 pm
Location: UK

Re: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation

Mon Dec 11, 2023 1:29 pm

@tdw did you happen to change your MTU? I have seen comments online about using 1280 and the tunnelbroker site says 1480
I have a routed fibre connection (without PPPoE) although who knows what goes on inside their network...
 
tdw
Forum Guru
Posts: 1838
Joined: Sat May 05, 2018 11:55 am

Re: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation

Mon Dec 11, 2023 4:48 pm

My WAN was PPPoE, but configured to use baby jumbo frames giving an MTU of 1500, so I used the defaults of mtu=auto and clamp-tcp-mss=yes on the 6to4 interface.

The minimum MTU for IPv6 is 1280, normally you should set your MTU correctly and let path MTU discovery do its thing. IPv6 fragmentation is different to IPv4 in that only the end points can fragment packets, intermediate devices cannot arbitrarily fragment packets where the MTU is too great for the next hop link, so PMTU discovery working correctly is important. There have been cases in the past where providers get it wrong, e.g. https://blog.cloudflare.com/increasing-ipv6-mtu/, but as IPv6 matures this should be much less likely.
 
en1gm4
Member Candidate
Topic Author
Posts: 121
Joined: Sun Oct 02, 2016 6:27 pm
Location: UK

Re: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation

Mon Dec 11, 2023 7:31 pm

Thanks again.
I'll start at 1480 on the tunnel and see how it goes.

I found a little online pmtu test (but can't find the link at the moment). It seemed satisfied that pmtu (ICMP?) messages were getting through properly.
.. slowly understanding that this ipv6 thing seems pretty sensible! 😜
 
en1gm4
Member Candidate
Topic Author
Posts: 121
Joined: Sun Oct 02, 2016 6:27 pm
Location: UK

Re: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation

Tue Dec 12, 2023 12:42 pm

just fyi. I found that having an ip address from my HE /64 prefix on the bridge would result in RA's sent even if the address was disabled. (I only disabled it while testing the /48 but as that is working I can remove the /64 now.) This resulted in /64 addresses on my home lan but no route out as far as I can tell.
I believe that this might be a bug but will have to look further. It would be helpful to know if others are seeing this behaviour

I moved the ND to only being on my guest vlan and it stopped the RA's which is helpful (sadly google nest devices still send RA's and cause all the other devices to create addresses in their ULA range)
I was looking to see if the 1480 MTU information in the RA was being propagated to the lan (it is, and ipv6 connectivity and speed tests seem better but still varying in speed far more than expected when direct speedtest via ookla on ipv4 is very stable.. maybe just HE peering and tunnel related)
