Cannot ping from client to internet via IPv6 tunnel

ipv6mikrotikrouting

I'm facing an odd issue with my IPv6 setup. I've configured it as follows:

/interface 6to4
  add comment="SixXS 6to4 tunnel" local-address=zz.yy.xx.94 (my wan ip) mtu=1280 name=6to4-sixxs remote-address=zz.yy.xx.73 (tunnel endpoint)

/ipv6 address
  add address=2001:aaaa:bbbb:123::2/128 (my ipv6) advertise=no interface=6to4-sixxs
  add address=2001:bbbb:cccc:123::1/64 (subnet for my ipv6 prefix) advertise=yes interface=bridge-lan

/ipv6 route
  add distance=1 dst-address=2000::/3 gateway=6to4-sixxs

Now:

I can ping servers from the router (f.e. 2a00:1450:400c:c03::5e)
Clients obtain an IPv6 via ND in the correct subnet
Pings from the router to a client fails (timeout, ping is not dropped by firewall)
Pings from a client to servers fail

What am I missing here?

Best Answer

Ok, just came across this thread on the Mikrotik Forums, and it mentions things about routing caches being stuck. I've decided the reboot the router and it fixed my issue.

Weird stuff. Thanks for thinking along, @Colyn1337 and @MichelZ.

Related Solutions

Forwarding protocol 41 (6to4) to a Linux box

iptables -t nat -A PREROUTING -d 192.0.2.75 -p 41 -j DNAT --to 10.0.0.2 on the router should do the trick, assuming that all flows are initiated from outside to your IP address (given as 192.0.2.75 in this example). If your IPv6-capable box starts things, then regular catch-all SNAT rules should do the trick.

OpenVPN IPV6 Tunnel Radvd

Your question really got me hooked up, since I may use the very same solution in another network I'm managing. I experimented with it and it is indeed possible! (I just love Linux...).

I created a Netkit laboratory that models your situation. You can download the laboratory here (1.8 KiB).

You do not need to install Netkit if you are not interested in testing it in your machine. You can just get the package above and see the .startup files for the various machines. In case you want to test the laboratory, it needs a filesystem with "radvd" installed, which is not included in Netkit's standard filesystem. Check the README of the filesystem package to see how to mount it in your machine and then use apt-get update && apt-get install radvd.

The lab contains 6 machines: v6site (some V6 Internet site you want to access), v6isp (your ISP), r1 (your first router with V4 and V6 connectivity), r2 (your second router that connects to r1 via OpenVPN), pc1 and pc2 (machines connected and served IPv6 by r2).

I used the RFC 3849 documentation prefix 2001:DB8::/32 in the example, instead of the random example addresses you used. Also, I used FEC0::/96 for the OpenVPN endpoints, which is obsolete. In your deployment, it is recommended that you use a small prefix from your Unique Local Address instead.

Clarification: RFC 3849 defines the prefix 2001:DB8::/32 to be used for example and documentation purposes (for global unicast). Instead of choosing any random IPv6 address, people are encouraged to use addresses in the 2001:DB8::/32 prefix as a wildcard in examples that will be changed to something else in the actual deployment. In this question, first 2001:acb:132:acb::/64, then 2001:123:123:11a1::/64. In the answer, I just replaced both with addresses in the documentation prefix. When you apply the answer to your real scenario, just look for every occurrence of 2001:DB8:: addresses and replace them with your actual addresses.

Tunnel endpoints also need addresses. The addresses used in tunnel endpoints do not need to be externally routeable, since they are used only internally. You used addresses starting with FED1:: and FED2::, while I used address starting with FECO::. These addresses were originally defined in RFC 3513. They are the equivalent to IPv4's private-use addresses 10.0.0.0/8, 192.168.0.0/16 and 172.16.0.0/12. Due to problems, they were later deprecated in RFC 3879 in favor of Unique Local Addresses (ULA) in RFC 4193. ULAs have a "random" prefix unique for each end-user. The benefit is that if for any reason you route between these networks, using tunnels for example, they will be able to talk to each other without address translation (while clashes may and do occur when using 192.168.0.0/16, for example). The page linked before this clarification will help you create your own ULA prefix (and possibly register it, but it is not necessary to register).

There is no real problem in using site-local addresses like FECx or FEDx in tunnel endpoints. They are deprecated, but that does not make them wrong. It is just recommended to use ULAs.

The overall configuration of your first router (r1) is bellow. Follow the comments for a better understanding.

# Enable forwarding for IPv6 (between eth0 <-> tun0)
sysctl -w net.ipv6.conf.all.forwarding=1

## ISP V6 Internal network
# Since there is no host specific address, we pick an address in the /64
# prefix. Note that this address is the same in two different prefixes:
# ..11a1::/64 and ..11a0::/59. This requires a proxing hack in R2.
# Optimally, you would have an address in the /59 prefix to use here,
# outside the delegated /64 prefix.
ip link set eth0 up
ip addr add 2001:db8:1:11a1::1/59 dev eth0
ip route add default via 2001:db8:1:11a0::1 dev eth0

## V4 Internet
ip link set eth1 up
ip addr add 192.168.1.1/24 dev eth1

## OpenVPN tunnel via IPv4 Internet to R2
# This is the most basic configuration of OpenVPN. No encryption, no security,
# no nothing. DO NOT USE THIS OUTSIDE THIS LABORATORY.
openvpn --dev tun --tun-ipv6 --daemon

while ! ip link show tun0 2>/dev/null
do
    echo "Waiting for OpenVPN to connect..."
    sleep 1
done

# Configure OpenVPN endpoints. Choose a distinct small prefix for the endpoints
# and use it to route the the /64 prefix to R2.
ip link set tun0 up
ip addr add fec0::1/96 dev tun0
ip route add 2001:db8:1:11a1::/64 via fec0::2 dev tun0

The overall configuration for the second router (r2):

# Enable forwarding for IPv6 (between eth0 <-> tun0)
sysctl -w net.ipv6.conf.all.forwarding=1

## Internal Company IPv6 Network
# The router address is arbitrary.
ip link set eth0 up
ip addr add 2001:db8:1:11a1::ffff/64 dev eth0

## V4 Internet
ip link set eth1 up
ip addr add 192.168.1.2/24 dev eth1

## OpenVPN tunnel via IPv4 Internet to R1
# This is the most basic configuration of OpenVPN. No encryption, no security,
# no nothing. DO NOT USE THIS OUTSIDE THIS LABORATORY.
openvpn --remote 192.168.1.1 --dev tun --tun-ipv6 --daemon

# Wait for OpenVPN...
while ! ip link show tun0 2>/dev/null
do
    echo "Waiting for OpenVPN to connect..."
    sleep 1
done

# Configure OpenVPN endpoints. See comments for R1 above.
# Note that we route ALL IPv6 traffic through the tunnel.
ip link set tun0 up
ip addr add fec0::2/96 dev tun0
ip route add default via fec0::1 dev tun0

# R1 address is in our private network (eth0, see above), but on the other
# side of the tunnel. We need a more specific route specifically for it.
# Also, make this router (R2) act as a neighbor proxy so that other
# machines on the private network can see R1 through the tunnel.
# This is a hack that would be avoided if we had a bigger prefix than
# /64, or if R1 had a host-specific address outside of the /64.
ip route add 2001:db8:1:11a1::1/128 via fec0::1 dev tun0
ip neigh add proxy 2001:db8:1:11a1::1 dev eth0

## Routing advertisement daemon
# NOTE: The standard Netkit filesystem does not have radvd, it has to be
# installed manually with `apt-get update && apt-get install radvd` in
# the model fs.
chmod 644 /etc/radvd.conf
radvd

The configuration for the PCs connected to r1 (eth0) is extremely simple, thanks to radvd:

sysctl -w net.ipv6.conf.all.autoconf=1
ip link set eth0 up

This is the most important configuration. The other details (including a copy of r2's /etc/radvd.conf) are in the laboratory package above.

Best Answer

Related Solutions

Forwarding protocol 41 (6to4) to a Linux box

OpenVPN IPV6 Tunnel Radvd

Related Topic