dogmatix
just joined
Topic Author
Posts: 6
Joined: Thu Nov 28, 2019 4:55 pm

Routing IPV4 over IPV6 (IPv6 DS Lite)

Fri Jun 24, 2022 3:40 am

Hi everyone,
I have one HAP AC3 router and recently changed internet provider (Germany) that offers only DS Lite/IPV6. Looks like the DHCP V6 client is properly configured and the WAN interface gets the proper IPV6 address.

Here is the configuration based on the default one.
admin@MikroTik] > export compact
# jun/24/2022 00:22:35 by RouterOS 7.2rc4
# software id = G22P-GRK6
#
# model = RBD53iG-5HacD2HnD
/interface bridge
add admin-mac=2C:C8:1B:BD:2B:63 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1_wan
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-BD2B67 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-BD2B68 wireless-protocol=802.11
/interface ipipv6
add local-address=2600::2 name=ipipv6-tunnel remote-address=2600::1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_wan list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.88.2 interface=ipipv6-tunnel network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1_wan
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ipipv6-tunnel
/ip service
set ssh address=0.0.0.0/0
/ipv6 address
add address=::1 from-pool=ipv6-pool interface=ipipv6-tunnel
/ipv6 dhcp-client
add add-default-route=yes interface=ether1_wan pool-name=ipv6-pool rapid-commit=no request=address,prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >
I can ping the AFTR address:
[admin@MikroTik] /tool> ping
address: 2a02:3040:0:200::b
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 2a02:3040:0:200::b                         56  58 8ms32us    echo reply
    1 2a02:3040:0:200::b                         56  58 10ms89us   echo reply
    2 2a02:3040:0:200::b                         56  58 10ms155us  echo reply
    3 2a02:3040:0:200::b                         56  58 8ms897us   echo reply
    4 2a02:3040:0:200::b                         56  58 10ms606us  echo reply
    5 2a02:3040:0:200::b                         56  58 8ms864us   echo reply
 
I can ping Google DNS as well:
[admin@MikroTik] /tool> ping
address: 2001:4860:4860::8888
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 2001:4860:4860::8888                       56 112 20ms551us  echo reply
    1 2001:4860:4860::8888                       56 112 20ms6us    echo reply
    2 2001:4860:4860::8888                       56 112 20ms724us  echo reply
    3 2001:4860:4860::8888                       56 112 18ms308us  echo reply
    
Other detail:
[admin@MikroTik] /ip/route> print
Flags: D - DYNAMIC; I, A - ACTIVE; c, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
     DST-ADDRESS      GATEWAY        DISTANCE
DAc  192.168.88.0/24  bridge                0
DIcH 192.168.88.0/32  ipipv6-tunnel         0
[admin@MikroTik] /ip/address> print
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS          NETWORK       INTERFACE
;;; defconf
0 192.168.88.1/24  192.168.88.0  bridge
1 192.168.88.2/32  192.168.88.0  ipipv6-tunnel

[admin@MikroTik] /ipv6/address> print
Flags: D - DYNAMIC; G, L - LINK-LOCAL
Columns: ADDRESS, FROM-POOL, INTERFACE, ADVERTISE
#    ADDRESS                                   FROM-POOL  INTERFACE      ADVERTISE
0 DL fe80::2ec8:1bff:febd:2b62/64                         ether1_wan     no
1 DL fe80::2ec8:1bff:febd:2b63/64                         bridge         no
2 DG 2a02:3102:4c00:6c:902d:c067:7bc3:65ad/64             ether1_wan     no
3  G 2a02:3102:4db1:fff2::1/64                 ipv6-pool  ipipv6-tunnel  yes

[admin@MikroTik] /ipv6/pool> print
Flags: D - DYNAMIC
Columns: NAME, PREFIX, PREFIX-LENGTH, EXPIRES-AFTER
#   NAME       PREFIX                    PREFIX-LENGTH  EXPIRES-AFTER
0 D ipv6-pool  2a02:3102:4db1:fff2::/64             64  23h51m21s

[admin@MikroTik] /ipv6/route> print
Flags: D - DYNAMIC; I, A - ACTIVE; c, d, y - COPY; H - HW-OFFLOADED; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
      DST-ADDRESS               GATEWAY             DISTANCE
DAd + ::/0                      fe80::1%ether1_wan         1
DAd + ::/0                      fe80::1%ether1_wan         1
DAc   2a02:3102:4c00:6c::/64    ether1_wan                 0
DIcH  2a02:3102:4db1:fff2::/64  ipipv6-tunnel              0
DAd   2a02:3102:4db1:fff2::/64                             1
DAc   fe80::%ether1_wan/64      ether1_wan                 0
DAc   fe80::%bridge/64          bridge                     0

I believe that I'm missing something trivial here. Any help would be gratefully appreciated.
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net
Contact:

Re: Routing IPV4 over IPV6 (IPv6 DS Lite)

Fri Jun 24, 2022 7:40 am

It's a little unclear as to what exactly isn't working. Where are you seeing the issue?
 
tangent
Forum Guru
Posts: 1353
Joined: Thu Jul 01, 2021 3:15 pm
Contact:

Re: Routing IPV4 over IPV6 (IPv6 DS Lite)

Fri Jun 24, 2022 10:31 am

/ip/route> print
Flags: D - DYNAMIC; I, A - ACTIVE; c, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
     DST-ADDRESS      GATEWAY        DISTANCE
DAc  192.168.88.0/24  bridge                0
DIcH 192.168.88.0/32  ipipv6-tunnel         0

There is no IPv4 default route, hence no use of the IPIPv6 tunnel. You may need to add something like "/ip/route/add dst-address=0.0.0.0/0 gateway=ipipv6-tunnel". (But see below.)

/ipv6 address
add address=::1 from-pool=ipv6-pool interface=ipipv6-tunnel

I don't see what that's supposed to accomplish. Why would you want to talk to the IPIPv6 tunnel over IPv6 directly? Shouldn't the IPv4 NAT rule take care of shoving traffic through the tunnel, once your routing problem above is taken care of?

/interface ipipv6
add local-address=2600::2 name=ipipv6-tunnel remote-address=2600::1

Where does the 2600 part come from? It looks like you're referring to a huge swath of assorted public IPv6 space. I don't see where you have any right to be using it. It isn't tied in any way to your ISP's IPv6 space. (Telefonica Germany, 2a02:3000::/23.) Maybe your ISP has additional space somewhere in that /12, but if so, I'd expect to see a longer IPv6 address, to qualify it properly.

I have only a vague sense of how DS-Lite is supposed to work, but I'd think you'd want a link-local IPv6 address on the local side and the AFTR server on the remote side.

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ipipv6-tunnel

My vague understanding of DS-Lite is that the IPv4 side of it uses CGNAT inside the ISP's network. You shouldn't be doing NAT on the CPE side as well. Your DHCPv4 client should be getting an IPv4 address, likely in the 100.64.0.0/10 space, which your ISP then NATs out to the Internet for you.

Configuring the DHCPv4 client to work over the IPIPv6 tunnel may solve the routing problem above as well, by giving you a dynamic route.

/ip service
set ssh address=0.0.0.0/0

This is a side issue, but while I'm criticizing…

Either you want to listen on the LAN IPv4 scheme (192.168.88.0/24) only, or you want to listen on your provider-granted IPv6 address. In a configuration like this, where you're NATting IPv4 through an IPIPv6 tunnel, I doubt you'll be able to get back into the router from the Internet over IPv4.

# jun/24/2022 00:22:35 by RouterOS 7.2rc4

Why are you still running an RC for a stable release branch? If you want to be on the 7.2 branch, you should be on 7.2.3 for all the latest fixes applicable to that line.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Routing IPV4 over IPV6 (IPv6 DS Lite)

Fri Jun 24, 2022 4:34 pm

The configuration appears to contain random bits and pieces taken from bad examples. Firstly, the IPv6 setup is incorrect:

DHCPv6 has no mechanism to obtain or provide a default gateway. The Mikrotik DHCPv6 client add-default-route=yes is a hacky bodge: it uses the address of the DHCPv6 server from which the address/prefix/other information was received. This works if the DHCPv6 server and the default gateway have the same link-local address, but otherwise fails.

If the WAN connection is IPoE the correct method is to use received router advertisements (RA), which unfortunately are not displayed by RouterOS, as discussed in other forum posts, and was completely broken in earlier releases of RouterOS v7. The default IPv6 settings include forward=yes and accept-router-advertisements=yes-if-forwarding-disabled, and as you are using forwarding between WAN and LAN you need to set accept-router-advertisements=yes.

Requesting an IPv6 WAN address is usually not necessary. On receiving a router advertisement containing prefix information (they all should) with the autonomous address-configuration flag set, the WAN interface will automatically be assigned a GUA formed from the prefix and an EUI-64 address generated from the interface MAC address, in just the same way non-router endpoints such as PCs would. Note this RA prefix is not the same as that obtained through DHCPv6 prefix delegation.

There is no IPv6 address from the PD pool assigned to the LAN, just incorrectly to the tunnel interface.

Then the IPv4 in IPv6 tunnel settings make no sense, the basic setup is:
/interface ipipv6 add name=dslite1 remote-address=<provider AFTR address>
/ip address add address=192.0.0.2/29 interface=dslite1
/ip route add gateway=192.0.0.1


If the provider AFTR address is either static or available as a DNS name it can be used directly; otherwise it will require scripting to process the DHCP option (which became available in RouterOS 7).
From the DS-Lite specifications you should not apply NAT (e.g. RFC6333 section 4.2), and for best practice apply suitable firewall rules.
 
dogmatix
just joined
Topic Author
Posts: 6
Joined: Thu Nov 28, 2019 4:55 pm

Re: Routing IPV4 over IPV6 (IPv6 DS Lite)

Mon Jun 27, 2022 2:53 pm

Thanks, everyone, for providing useful information.
I have only a vague sense of how DS-Lite is supposed to work, but I'd think you'd want a link-local IPv6 address on the local side and the AFTR server on the remote side.

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ipipv6-tunnel

My vague understanding of DS-Lite is that the IPv4 side of it uses CGNAT inside the ISP's network. You shouldn't be doing NAT on the CPE side as well. Your DHCPv4 client should be getting an IPv4 address, likely in the 100.64.0.0/10 space, which your ISP then NATs out to the Internet for you.
You are right. After putting the AFTR address as the remote address, DNS traffic works. I'm not sure about NAT, but I can only say that the DHCPv4 client doesn't get any IPV4 address.
If you check [1] you will see that NAT is configured for IPV4 traffic.

/ip service
set ssh address=0.0.0.0/0

This is a side issue, but while I'm criticizing…

Either you want to listen on the LAN IPv4 scheme (192.168.88.0/24) only, or you want to listen on your provider-granted IPv6 address. In a configuration like this, where you're NATting IPv4 through an IPIPv6 tunnel, I doubt you'll be able to get back into the router from the Internet over IPv4.
Thanks anyway. This is just a test config to configure routing. My complete config is more complex since I have multiple VPN connections etc.
/ip/route> print
Flags: D - DYNAMIC; I, A - ACTIVE; c, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
     DST-ADDRESS      GATEWAY        DISTANCE
DAc  192.168.88.0/24  bridge                0
DIcH 192.168.88.0/32  ipipv6-tunnel         0

There is no IPv4 default route, hence no use of the IPIPv6 tunnel. You may need to add something like "/ip/route/add dst-address=0.0.0.0/0 gateway=ipipv6-tunnel". (But see below.)
I think the problem is in this route. I tried to add it but it doesn't work. The interface status shows "not running" and the gateway isn't reachable.
[admin@MikroTik] > /ip/route/print
Flags: D - DYNAMIC; I, A - ACTIVE; c, s, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#      DST-ADDRESS      GATEWAY        DISTANCE
0  IsH 0.0.0.0/0        ipipv6-tunnel         1
  DAc  192.168.88.0/24  bridge                0
[admin@MikroTik] > /ipv6/address/print
Flags: D - DYNAMIC; G, L - LINK-LOCAL
Columns: ADDRESS, FROM-POOL, INTERFACE, ADVERTISE
#    ADDRESS                       FROM-POOL  INTERFACE      ADVERTISE
0 DL fe80::2ec8:1bff:febd:2b63/64             bridge         no
1 DL fe80::2ec8:1bff:febd:2b62/64             ether1_wan     no
2  G 2a02:3102:4db1:fff0::/64      ipv6-pool  ipipv6-tunnel  no
I'm not sure if this is DS-Lite; at least, this is how they call it. The provider support has no clue what I'm talking about.
Anyway, I think that the IPV6/DSlite part works as expected.
Requesting an IPv6 WAN address is usually not necessary. On receiving a router advertisement containing prefix information (they all should) and the autonomous address-configuration flag set the WAN interface will automatically be assigned a GUA formed from the prefix and EUI-64 address generated from the interface MAC address, in just the same way non-router endpoints such as PCs would. Note this RA prefix is not the same as that obtained through DHCPv6 prefix delegation.

There is no IPv6 address from the PD pool assigned to the LAN, just incorrectly to the tunnel interface.

Then the IPv4 in IPv6 tunnel settings make no sense, the basic setup is:
/interface ipipv6 add name=dslite1 remote-address=<provider AFTR address>
/ip address add address=192.0.0.2/29 interface=dslite1
/ip route add gateway=192.0.0.1
Thanks. I think this is similar to something I tried. Please see [2] below. I believe that the IPV6 part of the configuration works as expected.

I was following these examples:
[1] https://tobler.dev/
[2] https://life-seed.co.jp/mikrotik%E3%83% ... %E6%B3%95/

After adding the IPV6 tunnel interface, DNS traffic works and I can use dig to resolve hostnames.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Routing IPV4 over IPV6 (IPv6 DS Lite)  [SOLVED]

Mon Jun 27, 2022 3:35 pm

Neither of those links shows the correct method; they may luckily work for those particular users' setups and ISPs.

You should not have a DHCPv4 client as the DS-Lite is not set up that way, and you certainly should not be setting a tunnel address which overlaps with your WAN.

The DS-Lite standard (see RFC6333 section 5.7) specifies you should set the "WAN" address on the IPv4-in-IPv6 tunnel endpoint to 192.0.0.2/29; this is the address the router itself uses when accessing the internet. Then use a default gateway address of 192.0.0.1; on Mikrotiks, using gateway=someinterfacename only works correctly with /32 endpoint addresses or on unnumbered links.

Whilst you can do NAT it is not necessary. The ISP's AFTR provides NAT functionality, so you are unnecessarily introducing a second layer of NAT.
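Pulling the corrections from this reply and tdw's earlier one into a single configuration, here is an added example (not from any post in this thread and not MikroTik's own documentation) of a DS-Lite B4 setup on RouterOS 7: a DHCPv6 client that requests only a delegated prefix, the prefix assigned to the LAN bridge rather than the tunnel, router advertisements accepted on the WAN so the IPv6 default route comes from the RA, the IPIPv6 tunnel to the AFTR with the RFC 6333 section 5.7 endpoint address 192.0.0.2/29, a default route via 192.0.0.1, and no IPv4 NAT or DHCPv4 client. Assumptions: 2001:db8::1 is a placeholder for the ISP's AFTR address, the interface names ether1_wan and bridge are those from the topic author's export, and the dscp=0 / !keepalive settings on the tunnel follow the topic author's own later report in this thread.

```routeros
# Added example (not from the thread or from MikroTik): DS-Lite B4 on RouterOS 7
# as described in tdw's replies. 2001:db8::1 is a PLACEHOLDER for the ISP's
# AFTR address; ether1_wan and bridge are the interface names from the thread.

# --- IPv6 WAN: take the default route from router advertisements, not from DHCPv6
/ipv6 settings
set accept-router-advertisements=yes forward=yes

# DHCPv6 client: request only a delegated prefix, no WAN address, and do not
# derive a default route from the DHCPv6 server (the RA supplies the gateway)
/ipv6 dhcp-client
add interface=ether1_wan request=prefix pool-name=ipv6-pool add-default-route=no use-peer-dns=yes

# Give the LAN (not the tunnel) an address from the delegated prefix and advertise it
/ipv6 address
add address=::1 from-pool=ipv6-pool interface=bridge advertise=yes

# --- IPv4-in-IPv6 tunnel to the AFTR (RFC 6333 section 5.7 addressing)
# dscp=0 and !keepalive follow the topic author's report of what was needed
# to get the tunnel interface running; local-address is left automatic
/interface ipipv6
add name=dslite1 remote-address=2001:db8::1 dscp=0 !keepalive

# B4 side of the tunnel; the AFTR side is 192.0.0.1
/ip address
add address=192.0.0.2/29 interface=dslite1

# Default route via the AFTR address: with a /29 endpoint the gateway must be
# an IP address, not the interface name
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.0.1

# No IPv4 NAT on the CPE: the AFTR performs the carrier-grade NAT.
# Disable the default-configuration masquerade rule if it is still present.
/ip firewall nat
set [ find comment="defconf: masquerade" ] disabled=yes

# DS-Lite does not hand out an IPv4 address on the WAN, so no DHCPv4 client
/ip dhcp-client
set [ find interface=ether1_wan ] disabled=yes

# Treat the tunnel as WAN so the default firewall rules (drop new inbound
# connections from WAN, drop input not from LAN) also cover traffic arriving
# through the tunnel
/interface list member
add interface=dslite1 list=WAN
```

Placing dslite1 in the WAN interface list matters because the default-configuration filter rules key on in-interface-list=WAN; without it, packets decapsulated from the tunnel would bypass both the forward drop rule and the input drop rule. The add-default-route=yes shortcut the topic author used happens to work only when the ISP's DHCPv6 server and its router share the link-local address fe80::1, as in the /ipv6/route output above; accepting the RA instead does not depend on that coincidence.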
 
dogmatix
just joined
Topic Author
Posts: 6
Joined: Thu Nov 28, 2019 4:55 pm

Re: Routing IPV4 over IPV6 (IPv6 DS Lite)

Thu Jun 30, 2022 2:49 pm

Neither of those links shows the correct method; they may luckily work for those particular users' setups and ISPs.

You should not have a DHCPv4 client as the DS-Lite is not set up that way, and you certainly should not be setting a tunnel address which overlaps with your WAN.

The DS-Lite standard (see RFC6333 section 5.7) specifies you should set the "WAN" address on the IPv4-in-IPv6 tunnel endpoint to 192.0.0.2/29; this is the address the router itself uses when accessing the internet. Then use a default gateway address of 192.0.0.1; on Mikrotiks, using gateway=someinterfacename only works correctly with /32 endpoint addresses or on unnumbered links.

Whilst you can do NAT it is not necessary. The ISP's AFTR provides NAT functionality, so you are unnecessarily introducing a second layer of NAT.
Thank you again for all the help. You are right that NAT isn't needed. I had to disable keepalive and set dscp to 0 to get the ipipv6-tunnel interface up and running.
Everything works without any issue. I found some issues with the IKEV2 VPN connection because it seems to use the same IP 192.0.0.2 but will figure out that later.
