mmotti
just joined
Topic Author
Posts: 16
Joined: Thu Nov 17, 2022 9:50 pm

ROS 7.7 - How to tunnel IPv6 traffic through WireGuard (Mullvad)?

Sun Jan 29, 2023 1:32 am

Hi,

I have just today got IPv6 working for one of my VLANs and was looking to expand it to the VLAN that I use to tunnel through Mullvad but I just can't seem to get it to work.

I'm connecting to my ISP with PPPoE and use the DHCPv6 Client to obtain a prefix from my ISP, then assigning prefix::1, prefix::2 etc as addresses for my VLANs, then setting up ND for said VLANs. Devices are getting assigned IPv6 addresses and I can confirm this through whatismyipaddress etc.

The issue I seem to get is that I can't replicate this when tunnelling through my Mullvad interface. Every site that I've used to verify IPv6 connectivity just fails and only returns IPv4.

I've listed some key config changes below - Is anybody able to spot whether I've missed anything that could be stopping IPv6 from tunnelling? I don't understand where I am going wrong.

WireGuard Config
/interface wireguard
add comment="External -> Home" listen-port=13231 mtu=1420 name=wg0
add comment=Mullvad listen-port=61468 mtu=1420 name=wg1
/interface wireguard peers
add allowed-address=192.168.10.10/32 interface=wg0 public-key=\
    "mypublickey"
add allowed-address=0.0.0.0/0,::/0 endpoint-address=mychosenmullvadserver \
    endpoint-port=51820 interface=wg1 public-key="server public key"
IPv6 Addresses
*Provided Mullvad address with /64 instead of /128. Also tried /128.
/ipv6 address
add address=mullvadprovidedaddress* advertise=no interface=wg1
add address=::1 from-pool=IPv6_ISP_Prefix interface=bridge
add address=::2 from-pool=IPv6_ISP_Prefix interface=vlan91
add address=::3 from-pool=IPv6_ISP_Prefix interface=vlan95
IPv6 Route
::/0 for testing purposes before I try to only send VLAN traffic through
/ipv6 route
add dst-address=::/0 gateway=wg1 routing-table=wg_mullvad
Routing Rule
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.1.0/24 table=main
add action=lookup-only-in-table disabled=no src-address=192.168.5.0/24 table=wg_mullvad
add action=lookup-only-in-table dst-address=::/0 table=wg_mullvad
IPv6 Firewall
Tried to integrate my IPv4 configuration with the default configuration for IPv6. Not sure if masq needed but added it anyway as part of testing. I made sure to add a forward accept rule for the VLAN clients to access the WireGuard interface list. I disabled all firewall rules temporarily and the traffic still didn't seem to tunnel through
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=\
    udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." \
    dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=input comment=\
    "Allow full access to the LAN input chain from trusted LANs" in-interface-list=LAN_TRUSTED
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" disabled=\
    yes in-interface-list=!LAN
add action=accept chain=input comment="Allow LAN DNS queries (UDP)" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries (TCP)" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop remaining traffic on the input chain"
add action=accept chain=forward comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=\
    bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=\
    bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Allow trusted LAN to forward to all interface lists" \
    in-interface-list=LAN_TRUSTED out-interface-list=all
add action=accept chain=forward comment="Allow untrusted LAN to forward only to WAN" \
    in-interface-list=LAN_UNTRUSTED out-interface-list=WAN
add action=accept chain=forward comment="Allow specific clients through the WG provider tunnels" \
    in-interface-list=WG_VPN_Provider_Clients out-interface-list=WG_WAN
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment="Drop remaining traffic on the forward chain"
/ipv6 firewall nat
add action=masquerade chain=srcnat out-interface-list=WG_WAN
DNS
I set 2002:a40:1:: in the IPv6 ND's dns advertisement. It at least shows up on my phone with the following DNS: 2002:a40:1::, 10.64.0.1. I am unsure of a better way to do this and don't have an IPv6 DNS server address for Mullvad.
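As an added example (not part of the post and not a MikroTik tool), here is a small Python linter that applies the two checks a reviewer would make on the routing snippets above: does the table named by a `/routing rule` actually hold an IPv6 default route, and does the IPv6 rule select something narrower than ::/0 (a source prefix or an interface) so that only the intended VLAN's traffic is looked up in the tunnel table. The sample export and the 2001:db8:0:95::/64 VLAN prefix used when testing are constructed placeholders.

```python
"""Lint a RouterOS v7 export for IPv6 policy-routing consistency.
Added example (not from the post or MikroTik): parses `/routing rule` and
`/ipv6 route`, checks that a rule's target table holds an IPv6 default
route, and flags IPv6 rules selecting nothing narrower than ::/0.
"""
import re

# Constructed sample in the same shape as the post's config.
SAMPLE_EXPORT = """\
/ipv6 route
add dst-address=::/0 gateway=wg1 routing-table=wg_mullvad
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.5.0/24 \\
    table=wg_mullvad
add action=lookup-only-in-table dst-address=::/0 table=wg_mullvad
"""
KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def parse_export(text):
    """Return {section: [{key: value}, ...]} for the `add ...` lines."""
    sections, current, buf = {}, None, ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):      # RouterOS line continuation
            buf += raw.rstrip()[:-1] + " "
            continue
        line, buf = buf + raw.strip(), ""
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            sections[current].append(
                {k: v.strip('"') for k, v in KV.findall(line[4:])})
    return sections

def lint(sections):
    """Return a list of finding strings; an empty list means consistent."""
    findings = []
    v6_default = {r.get("routing-table", "main") for r in
                  sections.get("/ipv6 route", []) if r.get("dst-address") == "::/0"}
    for rule in sections.get("/routing rule", []):
        src, dst = rule.get("src-address", ""), rule.get("dst-address", "")
        if rule.get("disabled") == "yes" or ":" not in src + dst:
            continue                          # disabled, or an IPv4-only rule
        table = rule.get("table", "main")
        if table != "main" and table not in v6_default:
            findings.append(f"table {table!r} has no IPv6 default route")
        if not (src and src != "::/0") and "interface" not in rule:
            findings.append(f"catch-all rule -> {table!r}: every IPv6 flow, not "
                            "just the VPN VLAN, is looked up in the tunnel table")
    return findings
```

Run it over a real `/export` and the catch-all finding disappears once the IPv6 rule is narrowed to the VLAN's prefix or incoming interface.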
 
mmotti
just joined
Topic Author
Posts: 16
Joined: Thu Nov 17, 2022 9:50 pm

Re: ROS 7.7 - How to tunnel IPv6 traffic through WireGuard (Mullvad)?

Mon Jan 30, 2023 12:15 pm

I managed to solve this somehow... No idea how but it just randomly started working for a short time.

Shortly after it started working I added a firewall rule to allow multicast traffic as I noticed it was getting caught up in my drop rule (that I substituted the "drop !LAN" rule for) on the input chain. I also disabled DNS advertisements on the interface that my phone uses in the hopes that it would still work through the DHCPv4 provided addresses as I use different Mullvad DNS servers on some devices on the same network to block ads.

Now I seem to have a new issue in that my Android 13 phone just loses its assigned global IPv6 address after a few hours and I'm unsure why? I'm fairly sure the given address is one of those listed as "stale" in my Neighbours.

I can't find anywhere that specifies a lifetime of 4-8 hours (overnight with no use) for my phone just to lose the provided global addresses?! If I disconnect and reconnect my wireless then I get my IPv6 addresses / connectivity back.

I've re-enabled DNS advertisements but this time managed to find the correct IPv6 DNS address for Mullvad which I've confirmed does in fact resolve DNS queries. I hope that this will stop my phone from removing the IPv6 addresses?!

I have since also discovered that in order to send custom DNS servers to certain devices for adblocking purposes I'd likely need to use DHCPv6 options which I believe Android ignores.
