I have just today got IPv6 working for one of my VLANs and was looking to expand it to the VLAN that I use to tunnel through Mullvad but I just can't seem to get it to work.
I'm connecting to my ISP with PPPoE and use the DHCPv6 Client to obtain a prefix from my ISP, then assigning prefix::1, prefix::2 etc as addresses for my VLANs, then setting up ND for said VLANs. Devices are getting assigned IPv6 addresses and I can confirm this through whatismyipaddress etc.
The issue I seem to get is that I can't replicate this when tunnelling through my Mullvad interface. Every site that I've used to verify IPv6 connectivity just fails and only returns IPv4.
I've listed some key config changes below. Is anybody able to spot whether I've missed anything that could be stopping IPv6 from tunnelling? I don't understand where I am going wrong.
WireGuard Config
/interface wireguard
add comment="External -> Home" listen-port=13231 mtu=1420 name=wg0
add comment=Mullvad listen-port=61468 mtu=1420 name=wg1
/interface wireguard peers
add allowed-address=192.168.10.10/32 interface=wg0 public-key=\
"mypublickey"
add allowed-address=0.0.0.0/0,::/0 endpoint-address=mychosenmullvadserver \
endpoint-port=51820 interface=wg1 public-key="server public key"
*Provided Mullvad address with /64 instead of /128. Also tried /128.
/ipv6 address
add address=mullvadprovidedaddress* advertise=no interface=wg1
add address=::1 from-pool=IPv6_ISP_Prefix interface=bridge
add address=::2 from-pool=IPv6_ISP_Prefix interface=vlan91
add address=::3 from-pool=IPv6_ISP_Prefix interface=vlan95
::/0 for testing purposes before I try to only send VLAN traffic through.
/ipv6 route
add dst-address=::/0 gateway=wg1 routing-table=wg_mullvad
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.1.0/24 table=main
add action=lookup-only-in-table disabled=no src-address=192.168.5.0/24 table=wg_mullvad
add action=lookup-only-in-table dst-address=::/0 table=wg_mullvad
Tried to integrate my IPv4 configuration with the default configuration for IPv6. Not sure if masq is needed but added it anyway as part of testing. I made sure to add a forward accept rule for the VLAN clients to access the WireGuard interface list. I disabled all firewall rules temporarily and the traffic still didn't seem to tunnel through.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=\
udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." \
dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=input comment=\
"Allow full access to the LAN input chain from trusted LANs" in-interface-list=LAN_TRUSTED
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" disabled=\
yes in-interface-list=!LAN
add action=accept chain=input comment="Allow LAN DNS queries (UDP)" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries (TCP)" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop remaining traffic on the input chain"
add action=accept chain=forward comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=\
bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=\
bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 \
protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="Allow trusted LAN to forward to all interface lists" \
in-interface-list=LAN_TRUSTED out-interface-list=all
add action=accept chain=forward comment="Allow untrusted LAN to forward only to WAN" \
in-interface-list=LAN_UNTRUSTED out-interface-list=WAN
add action=accept chain=forward comment="Allow specific clients through the WG provider tunnels" \
in-interface-list=WG_VPN_Provider_Clients out-interface-list=WG_WAN
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment="Drop remaining traffic on the forward chain"
/ipv6 firewall nat
add action=masquerade chain=srcnat out-interface-list=WG_WAN
I set 2002:a40:1:: in the IPv6 ND's dns advertisement. It at least shows up on my phone with the following DNS: 2002:a40:1::, 10.64.0.1. I am unsure of a better way to do this and don't have an IPv6 DNS server address for Mullvad.
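One part of the question above is whether the posted /ipv6 firewall filter could be dropping the tunnelled traffic. The following is an added example (not from the post, not MikroTik code) that walks a RouterOS export the way the router does: it glues the backslash line continuations back together, parses each `add` line into its matchers, and returns the first enabled rule that matches a described packet. The embedded EXPORT is a subset of the forward chain and bad_ipv6 entries quoted in the post; the client address 2a02:1234:5678::10 is a constructed sample, and 2606:4700:4700::1111 is just a public resolver address used as a sample destination. Interface-list membership is given per packet because the export does not say which lists each VLAN belongs to.

```python
import shlex
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Forward-chain subset and bad_ipv6 entries copied from the post; a trailing "\" is a RouterOS continuation.
EXPORT = r"""
/ipv6 firewall address-list
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=forward comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=\
bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 \
protocol=icmpv6
add action=accept chain=forward comment="Allow trusted LAN to forward to all interface lists" \
in-interface-list=LAN_TRUSTED out-interface-list=all
add action=accept chain=forward comment="Allow untrusted LAN to forward only to WAN" \
in-interface-list=LAN_UNTRUSTED out-interface-list=WAN
add action=accept chain=forward comment="Allow specific clients through the WG provider tunnels" \
in-interface-list=WG_VPN_Provider_Clients out-interface-list=WG_WAN
add action=drop chain=forward comment="Drop remaining traffic on the forward chain"
"""

def _logical_lines(text):
    """Glue 'line \\' continuations back together, as RouterOS does on import."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""

def parse_export(text):
    """Return (filter rules as dicts, {address-list name: [ip_network, ...]})."""
    rules, lists, section = [], {}, None
    for line in _logical_lines(text):
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)          # keeps quoted comment="..." values intact
        if not tokens or tokens[0] != "add":
            continue
        kv = dict(t.split("=", 1) for t in tokens[1:])
        if section == "/ipv6 firewall address-list":
            lists.setdefault(kv["list"], []).append(ip_network(kv["address"], strict=False))
        elif section == "/ipv6 firewall filter":
            rules.append(kv)
    return rules, lists

@dataclass
class Packet:
    chain: str
    src: str
    dst: str
    protocol: str = "tcp"
    dport: int = 0
    state: str = "new"                                       # connection-state
    in_lists: frozenset = field(default_factory=frozenset)   # lists the in-interface belongs to
    out_lists: frozenset = field(default_factory=frozenset)  # lists the out-interface belongs to
    hop_limit: int = 64

def _match(key, val, pkt, lists):
    """Evaluate one matcher; refuses rather than guesses on anything unmodelled."""
    if key == "connection-state":
        return pkt.state in val.split(",")
    if key == "protocol":
        return pkt.protocol == val
    if key == "dst-port":                  # "500,4500" or "33434-33534"
        return any(int(p.partition("-")[0]) <= pkt.dport <= int(p.partition("-")[2] or p)
                   for p in val.split(","))
    if key == "src-address":
        return ip_address(pkt.src) in ip_network(val, strict=False)
    if key in ("in-interface-list", "out-interface-list"):
        name, have = val.lstrip("!"), (pkt.in_lists if key[0] == "i" else pkt.out_lists)
        return (name == "all" or name in have) != val.startswith("!")  # "!LAN" negates
    if key in ("src-address-list", "dst-address-list"):
        addr = ip_address(pkt.src if key[0] == "s" else pkt.dst)
        return any(addr in net for net in lists.get(val, []))
    if key == "hop-limit" and val.startswith("equal:"):
        return pkt.hop_limit == int(val.split(":")[1])
    raise ValueError(f"matcher {key}={val} is not modelled")

def evaluate(rules, lists, pkt):
    """First matching enabled rule decides; an empty chain accepts, as in RouterOS."""
    for rule in rules:
        if rule.get("chain") != pkt.chain or rule.get("disabled") == "yes":
            continue
        if all(_match(k, v, pkt, lists) for k, v in rule.items()
               if k not in ("action", "chain", "comment", "disabled")):
            return rule["action"], rule.get("comment", "")
    return "accept", "end of chain"

RULES, LISTS = parse_export(EXPORT)

if __name__ == "__main__":
    for out in ("WG_WAN", "WAN"):        # tunnel egress vs. plain ISP egress
        pkt = Packet("forward", "2a02:1234:5678::10", "2606:4700:4700::1111", dport=443,
                     in_lists=frozenset({"LAN", "WG_VPN_Provider_Clients"}), out_lists=frozenset({out}))
        print(out, evaluate(RULES, LISTS, pkt))
```

Run as is, the script shows that a new TCP flow from a VLAN whose interface is in LAN and WG_VPN_Provider_Clients is accepted by the "Allow specific clients" rule when its out-interface is in WG_WAN, but lands on the final drop if routing ever sends it out an interface that is only in WAN. That second case is useful as a leak check: with these rules a VPN client cannot fall back to the ISP path, but a misrouted packet also dies silently in the forward chain rather than showing up as tunnel traffic. To test a real export, paste the output of the router's own /ipv6 firewall export into EXPORT and describe the client by the interface lists its VLAN belongs to; the evaluator raises on any matcher it does not model instead of quietly treating it as a non-match, so the result can be compared against the rule counters on the router.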