abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm

Tunnel 6to4 IPv6 from CHR on Remote routerboard

Tue Jan 11, 2022 11:34 pm

Hello everyone ... I have set up a 6to4 tunnel from a CHR to a remote RB ... the tunnel is registered ... I have assigned two IPs of a ULA subnet to the sides of the tunnel and the two IPs ping each other ... on the CHR I have 10 IPv6 single public IPs assigned ... one I have attested to the CHR and by inserting the default route it works ... the other 9 I would like to take them up to the RB passing through the tunnel ... I have done various tests but I cannot navigate the RB in IPv6 ... how should this be done?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Tue Jan 11, 2022 11:51 pm

Have you got 10 /64 subnets or seriously 10 /128 individual addresses? In either case, same question as in the IPv4 case - how does the neighbor (the router in the datacenter) know that traffic for these 10 addresses or subnets should be sent to the CHR, does it have routes for them via the CHR's link-local address on ether1? Or, maybe an easier way to learn that - if you sniff for one of the addresses that is not assigned to the CHR itself and ping it from outside, can you see the ping requests coming to the CHR?

/tool sniffer quick ipv6-address=2xxx::xxxx
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Wed Jan 12, 2022 12:28 am

I don't have 10 subnets, but 10 single IPs ... I have attested a single one in /64 to the CHR and so it navigates in IPv6 ... in theory the CHR ISP announces the IPv6 on the ether port of the CHR ... if I try the IP manually on the CHR it seems to work ... if you run the sniffer command I don't get any results
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Wed Jan 12, 2022 12:29 am

you say you see the sniffer command while at the same time a ping is performed from the outside to the same ip?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Wed Jan 12, 2022 12:33 am

> you say you see the sniffer command while at the same time a ping is performed from the outside to the same ip?
Yes, exactly.
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Wed Jan 12, 2022 12:53 am

from the sniffer I would tell you that the IP from ether1 arrives at the CHR and it is even encapsulated in the tunnel ... but in the RB if I sniff I don't see anything
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Wed Jan 12, 2022 1:00 am

That sounds weird to me. So you can see the ping request at two interfaces, coming in via ether1 and leaving via the 6to4 one, at CHR1, but you cannot see it at the RB at all?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Wed Jan 12, 2022 1:16 am

If I understand it correctly that the addresses are not routed, but they simply belong to one common /64, which is shared by CHR and ISP's router, you'll have a problem routing them further. If it was IPv4, you'd use proxy ARP. But I don't think RouterOS has anything like that for IPv6.
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Wed Jan 12, 2022 8:11 am

yes, but looking carefully at the photo, I do not understand if then from the tunnel it succeeds towards ether1 .. I imagine that being bidirectional is normal ..
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Wed Jan 12, 2022 8:18 am

Photos
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Wed Jan 12, 2022 9:31 am

The sniffer output shows that the remote RB even responds to the ping - the arrows show the request came in via ether1, got forwarded out from 6to4-tunnel1, then 44 ms later the response came in via 6to4-tunnel1, and got sent out from ether1.

Did the responses reach the machine from which you were pinging?

Is the actual issue that you can ping the address at the RB but cannot log in to the RB using that address?
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Wed Jan 12, 2022 9:53 am

the problem is that from the remote RB I don't ping the banal IPv6 2600:: and I don't even ping other IPv6 addresses, I haven't tried to access
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Wed Jan 12, 2022 10:17 am

So you can ping the RB from outside and from the CHR, but you cannot ping anything on a global address from the RB?
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Thu Jan 13, 2022 11:28 pm

I did some tests ... so if I certify the public ip not working on the CHR, it is working ... if after having made it surf the internet I re-link it to the remote rb ... magic, it surfs ... too bad it lasts little ... maybe 15 minutes and then it times out ... there seems to be something on the machine that announces the ip, which recognizes the mac of the chr ... I don't understand how to solve
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Fri Jan 14, 2022 12:15 am

Do you mean that you assign the address to CHR for a while, use it to access internet, then you remove it, and after that you can use this address from other device over tunnel? If so, it would suggest that you need NDP proxy, which RouterOS currently doesn't have.
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Fri Jan 14, 2022 12:24 am

that's right, you have grasped the concept
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Fri Jan 14, 2022 12:30 am

since there is no NDP proxy available on RouterOS, if I tunnel EoIP v6 and encapsulate it in tunnel 6to4, could I carry IP with tunnel layer2?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Fri Jan 14, 2022 12:44 am

Yes. But you can also use EoIPv4 instead (single tunnel).
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Fri Jan 14, 2022 12:50 am

I'll try tomorrow ...
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Fri Jan 14, 2022 12:59 am

If you have v7, something could be done using netmap or undocumented dnpt/snpt, but... yikes. Not really something you want to use.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Fri Jan 14, 2022 1:14 am

With the EoIP, bear in mind that at the CHR, ether1 and eoip1 will be bridged together, but the transport packets of the EoIP tunnel will pass through that bridge on IPv4. So you must set the mtu of eoip1 manually (rather than keeping it at the default auto) as the MTU of the bridge automatically adjusts to the smallest MTU of all the member ports, and the MTU of the EoIP tunnel adjusts to the MTU of the interface through which the transport packets are sent if left at auto, so you would end up with MTU of 150 or so (it doesn't get all the way to 0).

I don't think using EoIPv6 and transporting it via 6to4 would change anything about this infinite loop of MTU adjustment.

Also, you may want to use a bridge filter to allow only mac-protocol=ipv6 to be sent via eoip1, to keep the ARP and IPv4 broadcast traffic of the datacenter away from the tunnel.
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Fri Jan 14, 2022 8:16 am

I knew that EoIP suffered from MTU problems ... but I did not think a really noticeable lowering of MTU up to 150 was needed ... this afternoon I will do some tests ...

another doubt would be if I use EoIP v4, IPv6 IPs are also transported ...?

I do not know the filters on the bridge if not rules at the Firewall level ... then maybe see to understand how they are configured
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Fri Jan 14, 2022 9:25 am

> but i did not think a really noticeable lowering of mtu up to 150 was needed ...
It is not needed - it will happen if you don't disable the auto-adjusting mechanisms, which otherwise change it down to 150 due to the positive feedback (or self-locking if you prefer that name) loop. I've tried to explain the mechanism how it happens in more detail in my previous post. If you want to avoid problems with MTU, you have to use L2TP with BCP and MLPPP - large frames carrying IPv6 packets will be split at PPP level.

> another doubt would be if i use eoip v4, ipv6 ip are also transported ...?
The difference between EoIP(v4) and EoIPv6 is in the transport protocol, not in the payload protocol. EoIP/EoIPv6 transports payload L2 frames no matter what protocol they carry, so it can be even PPPoE, PPPoE-discovery, 802.2 (STP, LLDP, ...), MPLS... And so does BCP.

> I do not know the filters on the bridge if not rules at the Firewall level ... then maybe see to understand how they are configured
The /interface bridge filter works similarly to /ip firewall filter:
/interface bridge filter
add chain=forward in-interface=ether1 out-interface=eoip1 mac-protocol=ipv6 action=accept
add chain=forward in-interface=ether1 out-interface=eoip1 action=drop


But there's another problem that may prevent it from working - most virtualisation platforms do not allow MAC address "spoofing", i.e. they drop packets coming from a virtual machine if their source MAC address differs from the one of the interface of that machine. So you may have to use also /interface bridge nat rules to hide the bridging from the virtualisation platform:
/interface bridge nat
add chain=srcnat out-interface=ether1 mac-protocol=ipv6 src-address6=2000::9 action=src-nat to-src-mac-address=mac:addr:of:ether:1:of:chr
add chain=dstnat in-interface=ether1 mac-protocol=ipv6 dst-address6=2000::9 action=dst-nat to-dst-mac-address=mac:addr:of:bridge:of:rb
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Fri Jan 14, 2022 9:34 am

now much clearer ... I was thinking, can't I DHCP single public IPv6s that I have assigned? because they are announced to me in static form ...
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Fri Jan 14, 2022 9:45 am

> can't I DHCP single public IPv6s that I have assigned? because they are announced to me in static form ...
I don't get what you mean.

By "announced to me" you are saying that the datacenter admins have informed you what addresses you can use (person to person announcement) or that the addresses are coming to the CHR by means of some protocol (machine to machine announcement)?

In any case, DHCPv6 can maybe delegate individual IP addresses, but at least in ROS6 Mikrotik's DHCPv6 client can only request subnets (prefixes), not individual /128 addresses. And it would still be the same issue - if the DHCPv6 client would be running at the RB, the DHCPv6 requests would arrive to the DC with the source MAC address of the bridge at the RB.

Dynamic routing protocols (like OSPF or BGP) also usually work with subnets, so I doubt you could make your CHR advertise those ten /128 addresses to the datacenter's routers, especially if they come from the same /64 subnet like the CHR's own IPv6 address.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Fri Jan 14, 2022 2:51 pm

> ..., but at least in ROS6 Mikrotik's DHCPv6 client can only request subnets (prefixes), not individual /128 addresses.
I don't know when exactly it was added, but even v6 can do it for some time already. Only server doesn't support giving out addresses in any ROS version.

As for the problem, is there any chance you could ask ISP to route some subnet to you? Because current way is simply wrong, it's not how it's supposed to work.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Fri Jan 14, 2022 3:21 pm

> Only server doesn't support giving out addresses in any ROS version.
As usual, you are right. I remembered something was wrong with individual addresses but forgot that it was at server side.
> Because current way is simply wrong, it's not how it's supposed to work.
Well, the whole idea of giving away just 10 /128 addresses is rotten. The wrong way how they do that is just a consequence. But yes, they should be able at least to take another /64 and route these individual global addresses to the clients via link-local addresses so that they could keep this broken method in place for those clients for whom it is sufficient.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Fri Jan 14, 2022 3:57 pm

Well, as devil's advocate, maybe the idea is that all addresses are meant for use on single server and they are not supposed to be forwarded elsewhere. Then it would be ok.
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Sun Jan 16, 2022 11:10 pm

I did an EoIP between the ether of the CHR and the bridge of the Routerboard ... now the LAN of the Routerboard is not only automatically assigned IPv6 but also IPs not assigned to me by the ISP ... so I assume they delegate a /64
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Mon Jan 17, 2022 10:48 am

I am lost - not only automatically assigned but also ip not assigned is too many nots in a sentence with too few other details.

Is the LAN of the RB bridged with the EoIP tunnel, which is in turn bridged with ether1 of the CHR?
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Mon Jan 17, 2022 10:49 pm

yes, I created the EoIP tunnel between the ether of the CHR and the LAN bridge of the RB ... only by doing this, I am on the devices assigned public IP ... but not only those assigned by the ISP, but also others of the same subnet /64 ... so I think the ISP delegates a /64 they think they share by assigning IPs in good faith ... but since the whole /64 class is announced it doesn't make much sense
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Tunnel 6to4 IPv6 from CHR on Remote routerboard

Mon Jan 17, 2022 11:07 pm

If you assign an IPv6 global address to an interface of a router, the non-routers connected to that interface will self-assign addresses from the same /64 to themselves using SLAAC - they send a ND packet, the router responds with "I'm a router and this is my global address" (or maybe the router advertises that, I don't remember), and the non-routers auto-generate an address based on the prefix of the router's address and their own MAC address. So to use the global addresses assigned by the ISP at end devices connected to the bridge at the RB end, you have to disable SLAAC on them and assign these addresses manually.
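
Added example (not part of the thread, and not code from any poster): a Python sketch of the address derivation described in the post above, used to tell ISP-assigned addresses apart from ones that hosts on the bridged segment generated themselves from their MAC. The prefix, addresses, MAC and function names are constructed for illustration; hosts that use privacy or stable-opaque interface IDs instead of the MAC are reported as "other".

```python
import ipaddress

def eui64_address(prefix, mac):
    """Address a host self-assigns via SLAAC with a modified EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have 6 octets")
    octets[0] ^= 0x02  # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return net[int.from_bytes(iid, "big")]

def mac_from_address(addr):
    """Recover the MAC embedded in an EUI-64 address, or None if there is none."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # privacy or stable-opaque interface IDs land here
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{o:02x}" for o in octets)

def classify(observed, assigned, prefix):
    """Label each address seen on the bridged segment."""
    net = ipaddress.IPv6Network(prefix)
    allowed = {ipaddress.IPv6Address(a) for a in assigned}
    report = {}
    for text in observed:
        ip = ipaddress.IPv6Address(text)
        mac = mac_from_address(text)
        if ip not in net:
            report[text] = "outside prefix"
        elif ip in allowed:
            report[text] = "assigned by ISP"
        elif mac:
            report[text] = f"SLAAC EUI-64, MAC {mac}"
        else:
            report[text] = "unassigned, other interface ID"
    return report

# Constructed sample data (documentation prefix, made-up MAC).
PREFIX = "2001:db8:0:1::/64"
ASSIGNED = ["2001:db8:0:1::9", "2001:db8:0:1::a"]
OBSERVED = ["2001:db8:0:1::9", str(eui64_address(PREFIX, "00:0c:42:aa:bb:cc")),
            "2001:db8:0:1:5c3a:91d2:7e40:11ab", "fe80::1"]

if __name__ == "__main__":
    for addr, label in classify(OBSERVED, ASSIGNED, PREFIX).items():
        print(f"{addr:40} {label}")
```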
