troykelly
newbie
Topic Author
Posts: 40
Joined: Wed Feb 04, 2015 12:05 pm
Location: San Francisco

IPv6 Advice

Tue Mar 22, 2016 8:37 am

It would seem that Mikrotik is the wrong choice for IPv6 - but before replacing a whole bunch of routers - I thought I would check.

Is there a VPN client on RouterOS that supports IPv6? From my own testing:

OpenVPN IP - No
OpenVPN Ethernet - No
SSTP - No
L2TP - No
L2TP/IPSec - No

We are moving parts of our network to v6 and need to route it within our network. I've wasted a little over a week trying to get it working with RouterOS - and it would seem that the Mikrotik contributors in this forum clearly don't want to support IPv6.

If I'm wrong about the above - would love some pointers on getting it working, if I'm right - could somebody suggest alternate hardware that is similar to CCR's that does support IPv6?
 
barkas
Member Candidate
Posts: 260
Joined: Sun Sep 25, 2011 10:51 pm

AW: IPv6 Advice

Tue Mar 22, 2016 8:58 am

Most of those using bcp should be able to transport v6.
 
mrz
MikroTik Support
Posts: 7186
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPv6 Advice

Tue Mar 22, 2016 10:18 am

If you are talking about transporting ipv6 over the ipv4 tunnel then it is supported (except ovpn in IP mode).
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPv6 Advice

Tue Mar 22, 2016 10:35 am

troykelly wrote:
> We are moving parts of our network to v6 and need to route it within our network. I've wasted a little over a week trying to get it working with RouterOS

You are talking about adding IPv6 to your network and having problems with routing, but you also refer to VPN.
Maybe you can explain a bit better what your requirements are.
I have no problem routing IPv6 on MikroTik, and of course some applications for a VPN do not really apply to IPv6 so it needs a bit of clarification.
 
troykelly
newbie
Topic Author
Posts: 40
Joined: Wed Feb 04, 2015 12:05 pm
Location: San Francisco

Re: IPv6 Advice

Wed Mar 23, 2016 1:35 am

pe1chl wrote:
> You are talking about adding IPv6 to your network and having problems with routing, but you also refer to VPN.
> Maybe you can explain a bit better what your requirements are.

We have a VPN server - it was SoftEther, but RouterOS doesn't support that - we are trying pure OpenVPN, which it appears that RouterOS doesn't support either (for ethernet bridging).

Remote sites use local connectivity - DSL, some fixed wireless, one fibre. Their traffic is _all_ tunneled to a server and then to the Internet. Most of the sites are in Co-Working spaces who provide good Internet - but there are some double NAT issues at some sites and security concerns at others - and not a single one with IPv6.

I thought the solution was fairly simple, CCR at each site - VPN in to a local server (typically only 5 to 10ms away) and then out to the big bad Internet.

We need to tunnel IPv6 to the sites, so that we can ensure the platform works properly with IPv6 devices - but I can't seem to see any support for IPv6 inside of tunnels on RouterOS. I've spent the last 12 or so hours trying to use an OpenVPN ethernet bridge - but it for some reason terminates straight away because it doesn't get an IP assigned (watching tcpdump shows it's not even asking for one - so of course it won't get one).

I'd really love a suggestion for getting a working IPv6 and IPv4 network tunneled out to remote sites with RouterOS / Mikrotik hardware.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPv6 Advice

Wed Mar 23, 2016 4:39 am

You may want to share your configs...

Because if I do this on server side (Debian):

```
local <server ip>
port 1194
proto tcp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
server-ipv6 2001:db8:1234::/64
keepalive 10 120
persist-key
persist-tun
```

And this on client side (CHR 6.35rc33):

```
/interface ovpn-client
add certificate=<client.crt> connect-to=<server ip> mode=ethernet name=ovpn-out1 user=test
```

This is what server says about it:

```
Wed Mar 23 03:24:03 2016 TCP connection established with [AF_INET]<client ip>:39857
Wed Mar 23 03:24:04 2016 <client ip>:39857 [Test-Client] Peer Connection Initiated with [AF_INET]<client ip>:39857
Wed Mar 23 03:24:04 2016 Test-Client/<client ip>:39857 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=2001:db8:1234::1000
Wed Mar 23 03:24:04 2016 Test-Client/<client ip>:39857 send_push_reply(): safe_cap=940
```

Test from server:

```
# ping -c 1 10.8.0.2
PING 10.8.0.2 (10.8.0.2) 56(84) bytes of data.
64 bytes from 10.8.0.2: icmp_seq=1 ttl=64 time=1.73 ms

--- 10.8.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.738/1.738/1.738/0.000 ms
```

Hooray, working OpenVPN in ethernet mode. With IPv6 there's less joy, because RouterOS ignores IPv6 address provided by server-ipv6 option:

```
# ping6 -c 1 2001:db8:1234::1000
PING 2001:db8:1234::1000(2001:db8:1234::1000) 56 data bytes
From 2001:db8:1234::1 icmp_seq=1 Destination unreachable: Address unreachable

--- 2001:db8:1234::1000 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
```

But add it manually (or any other address from that subnet):

```
/ipv6 address add address=2001:db8:1234::1000 interface=ovpn-out1
```

And voila:

```
# ping6 -c 1 2001:db8:1234::1000
PING 2001:db8:1234::1000(2001:db8:1234::1000) 56 data bytes
64 bytes from 2001:db8:1234::1000: icmp_seq=1 ttl=64 time=5.45 ms

--- 2001:db8:1234::1000 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 5.457/5.457/5.457/0.000 ms
```

Take it as a quick demo showing that it's not completely broken and can work.
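
The manual workaround from the post above, scripted as an added example (not part of the original thread and not MikroTik or OpenVPN tooling): it reads the `MULTI_sva: pool returned` lines from the OpenVPN server log and builds the `/ipv6 address add` command each client router would need. Assumptions: the sample log replaces `<client ip>` with the documentation address 192.0.2.10, the function names are hypothetical, and the prefix length of the `server-ipv6` subnet is appended to the address.

```python
import ipaddress
import re

# Constructed sample: the server log lines from the post, with the
# <client ip> placeholder replaced by a documentation address.
SAMPLE_LOG = """\
Wed Mar 23 03:24:04 2016 192.0.2.10:39857 [Test-Client] Peer Connection Initiated with [AF_INET]192.0.2.10:39857
Wed Mar 23 03:24:04 2016 Test-Client/192.0.2.10:39857 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=2001:db8:1234::1000
Wed Mar 23 03:24:04 2016 Test-Client/192.0.2.10:39857 send_push_reply(): safe_cap=940
"""

# "<common name>/<peer> MULTI_sva: pool returned IPv4=..., IPv6=..."
POOL_RE = re.compile(
    r"\s(?P<cn>[^\s/]+)/\S+ MULTI_sva: pool returned "
    r"IPv4=(?P<v4>[^,\s]+), IPv6=(?P<v6>\S+)"
)


def pool_assignments(log_text, server_ipv6):
    """Map each client common name to its latest pooled IPv6 address."""
    net = ipaddress.ip_network(server_ipv6)
    leases = {}
    for line in log_text.splitlines():
        m = POOL_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.IPv6Address(m.group("v6"))
        except ValueError:
            continue  # IPv6 field is not a parseable address
        if addr not in net:
            continue  # ignore leases outside the server-ipv6 subnet
        # Later log lines overwrite earlier ones, so the newest lease wins.
        leases[m.group("cn")] = ipaddress.ip_interface(f"{addr}/{net.prefixlen}")
    return leases


def routeros_commands(leases, interface="ovpn-out1"):
    """Build the per-client RouterOS command that assigns the address."""
    return {
        cn: f"/ipv6 address add address={iface} interface={interface}"
        for cn, iface in leases.items()
    }


if __name__ == "__main__":
    found = pool_assignments(SAMPLE_LOG, "2001:db8:1234::/64")
    for cn, cmd in routeros_commands(found).items():
        print(f"{cn}: {cmd}")
```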
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPv6 Advice

Wed Mar 23, 2016 10:35 am

I agree with that, it should work with OpenVPN in ethernet mode.
I referred to plain IPv6 routing, which works fine for me. I did not try an IPv6-over-IPv4 VPN that you seem to require, but I would expect it to work in IPsec. Apparently it does not accept IPv6 policies, though.
