CodeAlpha
just joined
Topic Author
Posts: 7
Joined: Mon Jan 18, 2021 3:17 pm

Connect to VPN via IPV6

Thu Jun 30, 2022 9:12 pm

Hi, I have an L2TP server set up on my MikroTik RB4011iGS, and in the past I could connect to it via VPN from outside my network without any problems. But recently my ISP put me under CGNAT and now I can't connect to my server from outside my network. I have also set up a working IPv6 connection, verified on https://test-ipv6.com. Can I connect over IPv6 instead of my usual IPv4 using the VPN that's already set up on my router? If so, is there any additional setup that I need? I'm pretty new to networking in general and would appreciate any help, thanks.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Connect to VPN via IPV6

Thu Jun 30, 2022 10:27 pm

It is possible to configure an IPv6 address for an L2TP client on RouterOS 7, but not on RouterOS 6 (just tested on 7.3 and 6.47.10). So I suppose you can run an L2TP server on 7.x too. However, there's a fix on some L2TP related issue which has still not been released, so I'd be careful at the moment.

If you don't want to upgrade to ROS 7, IKEv2 should work on IPv6 in ROS6. The question is what your VPN client devices are. Moving the L2TP server to a virtual CHR in a datacenter and letting the 4011 connect to that CHR too may be yet another solution.
 
CodeAlpha
just joined
Topic Author
Posts: 7
Joined: Mon Jan 18, 2021 3:17 pm

Re: Connect to VPN via IPV6

Fri Jul 01, 2022 2:19 pm

It is possible to configure an IPv6 address for an L2TP client on RouterOS 7, but not on RouterOS 6 (just tested on 7.3 and 6.47.10). So I suppose you can run an L2TP server on 7.x too. However, there's a fix on some L2TP related issue which has still not been released, so I'd be careful at the moment.

If you don't want to upgrade to ROS 7, IKEv2 should work on IPv6 in ROS6. The question is what are your VPN client devices. Moving the L2TP server to a virtual CHR in a datacenter and let the 4011 connect to that CHR too may be yet another solution.
Thanks for the reply. I'm on ROS v7.3.1. Can you please give me some insights on how to set up IPv6 on the L2TP server? I have it set up on IPv4; when I try to connect to it using IPv6 it does not connect.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Connect to VPN via IPV6

Fri Jul 01, 2022 5:40 pm

For the server role, I cannot see anything that would have to be set specifically to enable client connections via IPv6.

So post the export of the current configuration - don't forget to obfuscate the public and global IP addresses. There are too many things that may be wrong to list them all.
 
CodeAlpha
just joined
Topic Author
Posts: 7
Joined: Mon Jan 18, 2021 3:17 pm

Re: Connect to VPN via IPV6

Fri Jul 01, 2022 8:16 pm

For the server role, I cannot see anything that would have to be set specifically to enable client connections via IPv6.

So post the export of the current configuration - don't forget to obfuscate the public and global IP addresses. There are too many things that may be wrong to list them all.
Here you go:
# jul/02/2022 01:02:36 by RouterOS 7.3.1
# software id =
#
# model = RB4011iGS+
# serial number =
/interface bridge
add name=bridge1-LAN protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=""
set [ find default-name=ether2 ] name="ether2-ISP Backup"
set [ find default-name=ether3 ] name=\
"ether3-Synology 820.3ad Link Aggregation"
set [ find default-name=ether4 ] name="ether4-Marv PC"
set [ find default-name=ether6 ] advertise=\
100M-half,100M-full,1000M-half,1000M-full,2500M-full loop-protect=on \
name="ether6-Marv PC"
set [ find default-name=ether7 ] advertise=\
100M-half,100M-full,1000M-half,1000M-full loop-protect=on name=\
"ether7-Marv PC"
set [ find default-name=sfp-sfpplus1 ] advertise=\
1000M-full,10000M-full,2500M-full,5000M-full auto-negotiation=no
/interface l2tp-server
add name=l2tp-in1 user=vpn
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge1-LAN name=vlan11 vlan-id=11
add interface=bridge1-LAN name=vlan12 vlan-id=12
add interface=bridge1-LAN name=vlan15 vlan-id=1
add interface=bridge1-LAN name=vlan20 vlan-id=20
/interface bonding
add mode=802.3ad name="Synology DS 918+" slaves=\
"ether3-Synology 820.3ad Link Aggregation,ether4-Marv PC"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms="aes-256-c\
bc,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-gcm,3des" \
pfs-group=modp2048
/ip pool
add name=dhcp ranges=10.25.23.20-10.25.23.200
add name=pool-VLAN ranges=192.168.11.21-192.168.11.250
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=ovpn-pool ranges=192.168.12.21-192.168.12.250
add name=pool-VLAN12 ranges=192.168.13.21-192.168.13.250
add name=pool-VLAN20 ranges=192.168.20.21-192.168.20.250
add name=pool-OVPN ranges=192.168.15.21-192.168.15.250
add name=dhcp_pool8 ranges=192.168.15.2-192.168.15.254
/ip dhcp-server
add address-pool=dhcp interface=bridge1-LAN lease-time=1d name=server-LAN
add address-pool=pool-VLAN interface=vlan11 lease-time=1d name=server-VLAN
add address-pool=pool-VLAN12 interface=vlan12 lease-time=1d name=\
server-VLAN12
add address-pool=pool-VLAN20 interface=vlan20 name=server-VLAN20
add address-pool=pool-OVPN interface=vlan15 name=OVPN
/ipv6 dhcp-server option
add code=23 name=DNS value=0xfd000000000000000000000000000001
/ipv6 pool
add name=ULA-pool6 prefix=fd00::/64 prefix-length=64
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add interface-list=LAN local-address=pool-OVPN name=ovpn remote-address=\
pool-OVPN
set *FFFFFFFE dns-server=10.25.23.1 local-address=192.168.89.1 \
remote-address=vpn remote-ipv6-prefix-pool=IPV6
/queue simple
add max-limit=10M/10M name=queue-VLAN11 target=vlan11
add max-limit=20M/20M name=queue-VLAN12 target=vlan12
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=to_ISP1
add fib name=to_ISP2
/tool traffic-generator port
add interface=sfp-sfpplus1 name=port1
/interface bridge port
add bridge=bridge1-LAN ingress-filtering=no interface=ether8
add bridge=bridge1-LAN ingress-filtering=no interface=ether9
add bridge=bridge1-LAN ingress-filtering=no interface=ether10
add bridge=bridge1-LAN ingress-filtering=no interface="Synology DS 918+"
add bridge=bridge1-LAN ingress-filtering=no interface=ether5
add bridge=bridge1-LAN ingress-filtering=no interface=l2tp-in1
add bridge=bridge1-LAN ingress-filtering=no interface="ether6-Marv PC"
add bridge=bridge1-LAN ingress-filtering=no interface="ether7-Marv PC"
add bridge=bridge1-LAN ingress-filtering=no interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set accept-router-advertisements=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
LAN wan-interface-list=WAN
/interface l2tp-server server
set enabled=yes l2tpv3-ether-interface-list=LAN use-ipsec=yes
/interface list member
add comment=defconf interface=bridge1-LAN list=LAN
add comment=defconf interface="" list=WAN
add interface=vlan12 list=LAN
add interface=vlan15 list=LAN
add interface=l2tp-in1 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=Server cipher=aes256 default-profile=ovpn enabled=\
yes keepalive-timeout=120 require-client-certificate=yes
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=10.25.23.1/24 interface=bridge1-LAN network=10.25.23.0
add address=192.168.11.1/24 interface=vlan11 network=192.168.11.0
add address=192.168.13.1/24 interface=vlan12 network=192.168.13.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.15.1/24 interface=vlan15 network=192.168.15.0
add address=192.168.1.2/24 interface=ether10 network=192.168.1.0
add address=10.2.0.1/24 interface=wireguard1 network=10.2.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1d
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add interface="ether2-ISP Backup" use-peer-dns=no
add interface="" use-peer-dns=no
/ip dhcp-server network
add address=10.25.23.0/24 comment=LAN dns-server=10.25.23.1 gateway=\
10.25.23.1 netmask=24
add address=192.168.11.0/24 comment=VLAN dns-server=8.8.8.8 gateway=\
192.168.11.1
add address=192.168.13.0/24 gateway=192.168.13.1
add address=192.168.15.0/24 gateway=192.168.15.1
add address=192.168.20.0/24 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes cache-size=10240KiB servers=\
1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001
/ip dns static
add address=10.25.23.20 disabled=yes name=marv-server
/ip firewall address-list
add address=192.168.10.51 comment=OPPO-F7 list="Family Safe Browsing"
add address=192.168.10.52 comment=OPPO-A5s list="Family Safe Browsing"
add address=10.25.23.30 comment=Galaxy-J7-Pro list="Family Safe Browsing"
add address=192.168.10.53 comment=Galaxy-A10 list="Family Safe Browsing"
add address=10.25.23.27 comment=CodeAlpha list="Adult Filter"
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=192.168.10.0/24 comment="Marv Admin" list="Marv Admin"
add address=192.168.10.1 comment=Router list=Router
add address=192.168.11.0/24 list="Marv Admin"
add address=192.168.10.48 comment="MSI Marv" list="Adult Filter"
add address=192.168.11.21-192.168.11.250 comment="VLAN 11" list=\
"Adult Filter"
add address=192.168.10.46 comment="OPPO-F1 S" list="Family Safe Browsing"
add address=192.168.12.21-192.168.12.250 comment="VLAN 12" list=\
"Adult Filter"
add address=10.25.23.28 comment="Elijah A52" list="Family Safe Browsing"
add address=14.169.204.14 list=ssh_blacklist
add address=10.25.23.29 comment="Luke A52" list="Family Safe Browsing"
add address=10.25.23.25 comment=Marv-ROG list="Adult Filter"
add address=10.25.23.23 comment="Marv Admin" list="Marv Admin"
add address=10.25.23.5 list=Router
add address=10.25.23.23 comment="Marv PC" disabled=yes list=\
"Family Safe Browsing"
/ip firewall filter
add action=add-src-to-address-list address-list="Port Scan Attackers" \
address-list-timeout=1w3d chain=input comment="Port Scan Attackers" \
protocol=tcp psd=21,3s,3,1 src-mac-address=!80:61:5F:0D:E4:25
add action=add-src-to-address-list address-list="Port Scan Attackers" \
address-list-timeout=5d chain=forward comment="Port Scan Attackers" \
protocol=tcp psd=21,3s,3,1 src-mac-address=!80:61:5F:0D:E4:25
add action=accept chain=forward comment="Allow remote desktop" dst-port=3389 \
in-interface=all-ppp protocol=tcp
add action=fasttrack-connection chain=forward comment="Fastrack SFP+ Port" \
connection-state=established,related disabled=yes hw-offload=yes \
in-interface=bridge1-LAN
add action=fasttrack-connection chain=forward comment="Fastrack DNS TCP" \
disabled=yes dst-port=53 hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward comment="Fastrack DNS UDP" \
disabled=yes dst-port=53 hw-offload=yes protocol=udp
add action=drop chain=input comment="Drop incoming DNS request from WAN" \
dst-port=53 in-interface="" protocol=tcp
add action=drop chain=input comment="Drop incoming DNS request from WAN" \
dst-port=53 in-interface="" protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="Allow L2PT / IPSec VPN access" \
dst-port=1701,4500,500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=IPSEC-ESP in-interface-list=WAN \
protocol=ipsec-esp
add action=accept chain=input comment=IPSEC-AH in-interface-list=WAN \
protocol=ipsec-ah
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment=OpenVPN dst-port=1194 protocol=tcp
add action=accept chain=forward dst-port=3389 in-interface=all-ppp protocol=\
tcp
add action=drop chain=input src-address-list="Port Scan Attackers"
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input disabled=yes protocol=icmp
add action=accept chain=input connection-state=established,related,new \
disabled=yes
add action=accept chain=forward connection-state=established,related,new \
disabled=yes
add action=add-src-to-address-list address-list="Trying to access router" \
address-list-timeout=none-dynamic chain=input dst-address-list=Router \
protocol=tcp src-address-list="!Marv Admin"
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain="add action=drop dst-address-list=no_forward_ipv6 commen\
t=\"defconf: drop bad forward IPs\"" comment=\
"defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Remote Desktop Connection" \
in-interface="" protocol=rdp
add action=accept chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output comment=ftp_blacklist content=\
"530 Login incorrect" protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input comment=ssh_blacklist \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input comment=ssh_stage3 connection-state=\
new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input comment=ssh_stage2 connection-state=\
new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input comment=ssh_stage1 connection-state=\
new dst-port=22 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ip firewall mangle
add action=change-ttl chain=prerouting disabled=yes new-ttl=increment:2 \
passthrough=yes
add action=mark-connection chain=output connection-mark=no-mark \
connection-state=new new-connection-mark=ISP1_conn out-interface=\
""
add action=mark-routing chain=output connection-mark=ISP1_conn \
new-routing-mark=to_ISP1 out-interface=""
add action=mark-connection chain=output connection-mark=no-mark \
connection-state=new new-connection-mark=ISP2_conn out-interface=\
"ether2-ISP Backup"
add action=mark-routing chain=output connection-mark=ISP2_conn \
new-routing-mark=to_ISP2 out-interface="ether2-ISP Backup"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=""
add action=masquerade chain=srcnat out-interface="ether2-ISP Backup"
add action=dst-nat chain=dstnat comment="Family Safe Browsing" dst-port=53 \
protocol=udp src-address-list="Family Safe Browsing" to-addresses=\
185.228.168.168 to-ports=53
add action=dst-nat chain=dstnat comment="Family Safe Browsing" dst-port=53 \
protocol=tcp src-address-list="Family Safe Browsing" to-addresses=\
185.228.168.168 to-ports=53
add action=dst-nat chain=dstnat comment="Adult Filter" dst-port=53 protocol=\
udp src-address-list="Adult Filter" to-addresses=185.228.168.10 to-ports=\
53
add action=dst-nat chain=dstnat comment="Adult Filter" dst-port=53 protocol=\
tcp src-address-list="Adult Filter" to-addresses=185.228.168.10 to-ports=\
53
add action=masquerade chain=srcnat disabled=yes out-interface=\
"ether2-ISP Backup"
add action=dst-nat chain=dstnat comment="Open VPN" disabled=yes dst-port=1194 \
in-interface=all-ppp in-interface-list=all protocol=tcp src-port=1194 \
to-addresses=192.168.10.0/24 to-ports=3389
add action=accept chain=srcnat comment=\
"defconf: accept all that matches IPSec policy" disabled=yes \
ipsec-policy=in,ipsec
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.25.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=src-nat chain=srcnat comment="Enable to access PLDT Onu" \
dst-address=192.168.1.1 to-addresses=192.168.1.2
add action=dst-nat chain=dstnat in-interface="" protocol=tcp \
src-port=3389 to-addresses=192.168.10.22
/ip firewall raw
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall"
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
udp src-address=0.0.0.0 src-port=68
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from VPN" in-interface=all-ppp
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
"defconf: drop forward to local lan from WAN" dst-address-list=\
192.168.10.0/24,192.168.11.0/24 in-interface-list=WAN
add action=drop chain=prerouting comment=\
"defconf: drop local if not from default IP range" in-interface-list=LAN \
src-address=!192.168.10.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
protocol=udp
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
jump-target=bad_tcp protocol=tcp
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
protocol=tcp
add action=drop chain=prerouting comment="defconf: drop the rest" disabled=\
yes
/ip route
add disabled=no dst-address=8.8.8.8/32 gateway=112.206.128.1 scope=10
add disabled=no dst-address=8.8.4.4/32 gateway=192.168.0.1 scope=10
add check-gateway=ping disabled=yes dst-address=0.0.0.0/0 gateway=8.8.8.8 \
routing-table=to_ISP1
add check-gateway=ping disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=\
8.8.4.4 routing-table=to_ISP1
add check-gateway=ping disabled=yes dst-address=0.0.0.0/0 gateway=8.8.4.4 \
routing-table=to_ISP2
add check-gateway=ping disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=\
8.8.8.8 routing-table=to_ISP2
add disabled=no dst-address=8.8.8.8/32 gateway=10.111.0.1 scope=10
add disabled=no dst-address=208.67.222.222/32 gateway=10.111.0.1 scope=10
add disabled=no dst-address=8.8.4.4/32 gateway=10.112.0.1 scope=10
add check-gateway=ping disabled=no dst-address=10.10.10.1/32 gateway=\
208.67.222.222 scope=10
add check-gateway=ping disabled=no dst-address=10.20.20.2/32 gateway=8.8.4.4 \
scope=10
add check-gateway=ping disabled=no dst-address=10.20.20.2/32 gateway=\
208.67.220.220 scope=10
add check-gateway=ping disabled=no dst-address=10.10.10.1/32 gateway=8.8.8.8 \
scope=10
add check-gateway=ping disabled=no dst-address=10.10.10.1/32 gateway=\
208.67.222.222 scope=10
add check-gateway=ping disabled=no dst-address=10.20.20.2/32 gateway=8.8.4.4 \
scope=10
add check-gateway=ping disabled=no dst-address=10.20.20.2/32 gateway=\
208.67.220.220 scope=10
add disabled=yes dst-address=0.0.0.0/0 gateway=10.10.10.1 routing-table=\
to_ISP1
add disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=10.20.20.2 \
routing-table=to_ISP1
add disabled=yes dst-address=0.0.0.0/0 gateway=10.20.20.2 routing-table=\
to_ISP2
add disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=10.10.10.1 \
routing-table=to_ISP2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=10.25.23.0/24,192.168.89.0/24,192.168.0.0/24
set api-ssl disabled=yes
/ipv6 address
add address=fd00::1/128 advertise=no comment="IPv6 ULA address" disabled=yes \
interface=bridge1-LAN
add disabled=yes from-pool=IPV6 interface=wireguard1
/ipv6 dhcp-client
add add-default-route=yes interface="" pool-name=IPV6 request=\
prefix use-peer-dns=no
/ipv6 dhcp-server
add address-pool="" dhcp-option=DNS disabled=yes interface=bridge1-LAN name=\
LAN-dhcp6
/ipv6 firewall address-list
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
ipsec-esp
add action=drop chain=input comment="drop incoming dns request from WAN" \
dst-port=53 in-interface="" protocol=udp
add action=drop chain=input comment="drop incoming dns request from WAN" \
dst-port=53 in-interface="" protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=drop chain=input comment="Drop (invalid)" connection-state=invalid
add action=accept chain=input comment="Accept (established, related)" \
connection-state=established,related
add action=accept chain=input comment="Drop DHCP (>10/sec)" in-interface=\
"" protocol=udp src-port=547
add action=accept chain=input comment="Accept external ICMP (10/sec)" limit=\
10,5:packet protocol=icmpv6
add action=drop chain=input comment="Drop external ICMP (>10/sec)" \
in-interface="" protocol=icmpv6
add action=accept chain=input comment="Accept internal ICMP" in-interface=\
"!" protocol=icmpv6
add action=drop chain=input comment="Drop external" in-interface=\
""
add action=reject chain=input comment="Reject everything else" reject-with=\
icmp-no-route
add action=accept chain=output comment="Accept all"
add action=drop chain=forward comment="Drop (invalid)" connection-state=\
invalid
add action=accept chain=forward comment="Accept (established, related)" \
connection-state=established,related
add action=accept chain=forward comment="Accept external ICMP (20/sec)" \
in-interface="" limit=20,50:packet protocol=icmpv6
add action=drop chain=forward comment="Drop external ICMP (>20/sec)" \
in-interface="" protocol=icmpv6
add action=accept chain=forward comment="Accept internal" in-interface=\
"!"
add action=accept chain=forward comment="Accept outgoing" out-interface=\
""
add action=drop chain=forward comment="Drop external" in-interface=\
""
add action=reject chain=forward comment="Reject everything else" reject-with=\
icmp-no-route
/ipv6 firewall nat
add action=masquerade chain=srcnat out-interface=""
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=udp \
src-address-list=Test to-address=2a0d:2a00:1::/128 to-ports=53
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall"
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" \
dst-address=ff02::1:ff00:0/104 icmp-options=135:0-255 protocol=icmpv6 \
src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
"defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" \
jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment=\
"defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
"defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes other-configuration=\
yes
add advertise-dns=no interface=bridge1-LAN other-configuration=yes
/ppp secret
add name=vpn profile=default-encryption service=l2tp
add name=ovpn profile=ovpn service=ovpn
add name=marv profile=default-encryption service=l2tp
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool traffic-generator packet-template
add mac-protocol=ip name=packet-template1
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Connect to VPN via IPV6

Fri Jul 01, 2022 10:09 pm

I can see nothing wrong in the L2TP settings, IPsec settings, or IPv6 firewall settings.

I am a bit confused regarding the IPv6 address: I can see there is a DHCPv6 client, but it is not connected to any particular interface. Do you have any global IPv6 address attached to any interface at all?

Anyway, run /tool/sniffer/quick mac-protocol=ipv6 port=500,1701,4500 and try to connect the remote L2TP client - can you see anything in the sniff?
 
CodeAlpha
just joined
Topic Author
Posts: 7
Joined: Mon Jan 18, 2021 3:17 pm

Re: Connect to VPN via IPV6

Fri Jul 01, 2022 11:18 pm

I am a bit confused regarding the IPv6 address - I can see there is a DHCPv6 client but not connected to any particular interface, do you have any global IPv6 address attached to any interface at all?
Yes, it's connected to an interface; I think I just accidentally deleted it when I was editing the config export file.

Anyway, run /tool/sniffer/quick mac-protocol=ipv6 port=500,1701,4500 and try to connect the remote L2TP client - can you see anything in the sniff?
I did, but when I tried to connect via the IPv6 address on my VPN client on another network, the error was "IPv6 can't be found".
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Connect to VPN via IPV6

Fri Jul 01, 2022 11:29 pm

when I try to connect via the IPv6 address on my vpn client on another network the error was IPv6 can't be found.
IPv6 in general or the IPv6 address of the 4011? I.e. are we dealing here with "how to set up an L2TP server listening on an IPv6 address on Mikrotik" or with "why can't my client use IPv6 to connect anywhere" question?
 
CodeAlpha
just joined
Topic Author
Posts: 7
Joined: Mon Jan 18, 2021 3:17 pm

Re: Connect to VPN via IPV6

Fri Jul 01, 2022 11:44 pm

IPv6 in general or the IPv6 address of the 4011?
IPv6 of the 4011

I.e. are we dealing here with "how to set up an L2TP server listening on an IPv6 address on Mikrotik" or with "why can't my client use IPv6 to connect anywhere" question?
Sorry for the confusion, it is: "how to set up an L2TP server listening on an IPv6 address on Mikrotik".
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Connect to VPN via IPV6

Fri Jul 01, 2022 11:53 pm

But since the client claims it cannot reach the address of the 4011, and you cannot see any packets from the client to arrive while sniffing at the 4011, it sounds more like the latter. Can you at least ping the IPv6 address of the 4011 from the client device?
 
CodeAlpha
just joined
Topic Author
Posts: 7
Joined: Mon Jan 18, 2021 3:17 pm

Re: Connect to VPN via IPV6

Sat Jul 02, 2022 12:05 am

But since the client claims it cannot reach the address of the 4011, and you cannot see any packets from the client to arrive while sniffing at the 4011, it sounds more like the latter. Can you at least ping the IPv6 address of the 4011 from the client device?
Well, this is weird: I also can't ping the IP address of the 4011 ("Ping transmit failed, general failure"), but I think this must have something to do with my client's side rather than the 4011.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Connect to VPN via IPV6

Sat Jul 02, 2022 12:40 pm

So first, what does https://test-ipv6.com/ show on the client?

Second, what are the first 16 bits of the IPv6 address of the server you are trying to connect the client to, 20xx, fe80 or something else?
The first 16 bits are still safely insufficient to break your anonymity.
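The check sindy asks for above (what the first 16 bits of the server's address are) decides whether a client on another network can reach the 4011 at all, before any L2TP or IPsec setting matters. The script below is an added example, not code from this thread or from MikroTik: it classifies an IPv6 address by the well-known scope prefixes and says whether it is routed across the Internet. The sample addresses at the bottom are constructed for the demonstration; fd00::1 is the ULA from the posted export, and the 2a0d:2a00:1:: prefix (which appears in the export's disabled IPv6 dst-nat rule) is used only as a global-scope example.

```python
"""Classify an IPv6 address by its leading bits.

Only global unicast (2000::/3) is routed across the Internet. fe80::/10
link-local and fc00::/7 unique-local addresses (the fd00::/64 pool in the
posted export) never are, so an L2TP server that only has one of those is
unreachable from outside regardless of its own settings.
"""
import ipaddress

# Most specific first, so documentation space is reported before the
# 2000::/3 global range that contains it.
SCOPES = [
    ("unspecified", ipaddress.ip_network("::/128")),
    ("loopback", ipaddress.ip_network("::1/128")),
    ("documentation (2001:db8::/32, never routed)",
     ipaddress.ip_network("2001:db8::/32")),
    ("link-local (fe80::/10)", ipaddress.ip_network("fe80::/10")),
    ("unique-local (fc00::/7)", ipaddress.ip_network("fc00::/7")),
    ("multicast (ff00::/8)", ipaddress.ip_network("ff00::/8")),
    ("global unicast (2000::/3)", ipaddress.ip_network("2000::/3")),
]


def first_hextet(addr: str) -> str:
    """The first 16 bits as four hex digits: '2a0d', 'fe80', 'fd00', ..."""
    return f"{int(ipaddress.IPv6Address(addr)) >> 112:04x}"


def classify(addr: str) -> dict:
    """Return scope and Internet reachability for one IPv6 address.

    Raises ipaddress.AddressValueError for input that is not an IPv6
    address, so a typo is reported instead of silently misclassified.
    """
    ip = ipaddress.IPv6Address(addr)
    scope = next((name for name, net in SCOPES if ip in net), "reserved/other")
    return {
        "address": str(ip),
        "first_hextet": first_hextet(addr),
        "scope": scope,
        "reachable_from_internet": scope.startswith("global unicast"),
    }


def diagnose(server_addr: str) -> str:
    """One-line verdict in the spirit of the question asked in the thread."""
    info = classify(server_addr)
    if info["reachable_from_internet"]:
        return (f"{info['address']} is {info['scope']}: reachable in principle; "
                "if the client still cannot ping it, look at the client's own "
                "IPv6 connectivity and at the server's input firewall.")
    return (f"{info['address']} is {info['scope']}: not routed across the "
            "Internet, so no remote client can reach an L2TP server on it; "
            "the server needs a global address (first hextet 2xxx or 3xxx).")


if __name__ == "__main__":
    # Constructed samples: the ULA from the export, a link-local address,
    # a global address under the export's 2a0d:2a00:1:: prefix, and a
    # documentation address that looks global but is never routed.
    for sample in ("fd00::1", "fe80::1", "2a0d:2a00:1::1", "2001:db8::1"):
        print(diagnose(sample))
```

Run it with the address the client is actually given; if the verdict is "not routed", the fix is on the address side (a global prefix from the ISP's DHCPv6 delegation assigned to an interface), not in the L2TP or IPsec configuration.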