zummi

Could not access the local IPv6 network over Wireguard VPN IPv6 [but the Internet is routed successfully]

Mon Mar 11, 2024 4:26 pm

I have two independent Internet providers offering public static IPv4 addresses - ISP1 and ISP2.

ISP1 doesn’t support IPv6 natively.
ISP2 supports IPv6 with the following static parameters:

IP: 2A01:XXX:YYY::2
Gateway: 2A01:XXX:YYY::1
Network: 2A01:XXX:YYY:2::/64


I have a pair of RB5009 routers on ISP1 and ISP2 with their local networks:

LAN1 10.31.1.1/24
LAN2 10.31.2.1/24 and 2a01:XXX:YYY:2::/64


I would like to configure the Wireguard connection ISP1 -> ISP2 side to support IPv6 on the ISP1 side and access LAN1 -> LAN2 using the IPv6 protocol.
So I created two Wireguard interfaces (name - wireguard3) and Peers with Allowed addresses 0::/0 - on ISP1 and ISP2 side routers.
The following addresses are set for the interfaces:

Router ISP1:
/ipv6 address set *F address=2a01:XXX:YYY:1:2000:1::/67 advertise=no disabled=no eui-64=no from-pool="" interface=wireguard3 no-dad=no

Router ISP2:
/ipv6 address set *F address=2a01:XXX:YYY:2:2000:2::/67 advertise=no disabled=no eui-64=no from-pool="" interface=wireguard3 no-dad=no

(I'm not sure if I chose the correct subnets for the WireGuard interfaces; the /67 subnet selected is the only option that worked. The selection from the pool does not work.)

After these steps I got a working WireGuard IPv6 VPN and can ping Internet addresses from the ISP1-side network, e.g. Google:
[admin@ISP1] > ping 2001:4860:4860::8888              
  SEQ HOST                                     SIZE TTL TIME       STATUS        
    0 2001:4860:4860::8888                       56  60 26ms384us  echo reply    
    1 2001:4860:4860::8888                       56  60 25ms882us  echo reply 

The problem is that I can ping only Internet resources and cannot get access to the ISP2 local network from ISP1:
[admin@ISP1] > ping 2a01:XXX:YYY:2:208:9bff:feff:dba9
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                
    0 2a01:XXX:YYY:2:208:9bff:feff:dba9                           timeout                                                                               
    1 2a01:XXX:YYY:2:208:9bff:feff:dba9                           timeout                                                                               
    sent=2 received=0 packet-loss=100% 
[admin@ISP1] > tool/traceroute 2a01:XXX:YYY:2:208:9bff:feff:dba9
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
#  ADDRESS                   LOSS  SENT  LAST     AVG  BEST  WORST  STD-DEV
1  2a01:XXX:YYY:2:2000:2::  0%       2  8.4ms    8.3  8.2   8.4    0.1    
2                            100%     2  timeout                           
3                            100%     2  timeout                           
4                            100%     2  timeout                           
5                            100%     2  timeout                           
6                            100%     2  timeout   

Please note that the ping to the opposite gateway 2a01:XXX:YYY:2:2000:2:: is successful.

Routers ISP1 and ISP2 have default firewall settings, and the wireguard3 interfaces have been added to the LAN interface list. I also tried disabling the firewall on the two routers, but without success.

What could be the cause of the problem, why is the local network not accessible over Wireguard with IPv6?
