Foxeh
just joined
Topic Author
Posts: 10
Joined: Mon Oct 05, 2015 12:42 pm

Multiple IPv6 Gateways and geo routing on 7.1 Beta 6

Fri Jul 16, 2021 10:45 am

What am I doing wrong?
I got an IPv6 subnet from my ISP (a /56, cut down to a /64 for the local net (bridge interface)).
I also have a /64 subnet from HE.net.
What I want to do:
1. Push all IPv6 traffic to Russian subnets over the ISP network
2. All other IPv6 traffic over HE.net

What I did:
/routing table add name=henet
/routing table add name=myispname

/ipv6 route 
add disabled=no dst-address=2000::/3 gateway=mygwip::1%sit1 routing-table=henet distance=2
Many records with Russian subnets, here are some of them:
add disabled=no dst-address=2001:1428::/32 gateway=ether1 routing-table=myispname distance=1
.....
add disabled=no dst-address=2a00:f08::/32 gateway=ether1 routing-table=myispname distance=1
add disabled=no dst-address=2a00:f30::/32 gateway=ether1 routing-table=myispname distance=1
add disabled=no dst-address=2a00:1020::/32 gateway=ether1 routing-table=myispname distance=1


/routing rule
add dst-address=2000::/3 routing-mark=henet action=lookup-only-in-table table=henet

add dst-address=2001:640::/32 routing-mark=myispname action=lookup-only-in-table table=myispname
add dst-address=2001:6d0::/32 routing-mark=myispname action=lookup-only-in-table table=myispname
add dst-address=2001:a58::/32 routing-mark=myispname action=lookup-only-in-table table=myispname
add dst-address=2001:b08::/32 routing-mark=myispname action=lookup-only-in-table table=myispname
add dst-address=2001:1428::/32 routing-mark=myispname action=lookup-only-in-table table=myispname
add dst-address=2001:1b00::/32 routing-mark=myispname action=lookup-only-in-table table=myispname
add dst-address=2001:1bb0::/32 routing-mark=myispname action=lookup-only-in-table table=myispname
add dst-address=2001:4058::/32 routing-mark=myispname action=lookup-only-in-table table=myispname
add dst-address=2001:4be0::/32 routing-mark=myispname action=lookup-only-in-table table=myispname
All IPv6 packets get "request timed out".

All of the country's subnets were taken manually from http://www.iwik.org/ipcountry/RU.ipv6
 
Emil66
Frequent Visitor
Posts: 62
Joined: Tue Aug 28, 2018 2:09 am

Re: Multiple IPv6 Gateways and geo routing on 7.1 Beta 6

Fri Jul 16, 2021 2:55 pm

Unless you have provider-independent address space and an agreement with your provider that allows you to use it, you usually can't send from IP addresses that aren't assigned to you by your provider. The router needs to pick the route based on the source IP address chosen by the device. It can't just pick a route based on the destination address. With IPv4, you would use NAT to emit the traffic with the IP address given to you by the ISP to which you're sending the traffic. There's no NAT with IPv6.
 
Foxeh
just joined
Topic Author
Posts: 10
Joined: Mon Oct 05, 2015 12:42 pm

Re: Multiple IPv6 Gateways and geo routing on 7.1 Beta 6

Fri Jul 16, 2021 6:09 pm

Emil66 wrote: "Unless you have provider-independent address space and an agreement with your provider that allows you to use it, you usually can't send from IP addresses that aren't assigned to you by your provider. The router needs to pick the route based on the source IP address chosen by the device. It can't just pick a route based on the destination address. With IPv4, you would use NAT to emit the traffic with the IP address given to you by the ISP to which you're sending the traffic. There's no NAT with IPv6."

Hmmm, I mean that I have 2 subnets, from my provider (a /56 routed network) and from the tunnel broker (he.net). Both work fine with devices under the MikroTik's bridge, but not at the same time (only one of them).
I'm planning to use both subnets together to manage traffic by country: the provider's subnet with its routing only for Russian IPv6 hosts, and everything else via the tunnel broker.
But there is one problem: I get a dynamic v6 pool from my provider and cannot use the IP pool as a source.
 
Emil66
Frequent Visitor
Posts: 62
Joined: Tue Aug 28, 2018 2:09 am

Re: Multiple IPv6 Gateways and geo routing on 7.1 Beta 6

Fri Jul 16, 2021 6:30 pm

If a host uses a source IPv6 address from the HE prefix, then your router must send that traffic through the HE tunnel, regardless of the destination address, because your ISP will almost certainly drop these packets.

If the host uses a source IPv6 address from the provider prefix, then your router must send these packets through the provider directly, also regardless of the destination address, because HE will drop this traffic.

The destination IPv6 address (geolocated in Russia or whatever) simply does not play into the routing decision, because neither the ISP nor HE will normally carry traffic that was sent from an IPv6 address assigned by the other. This is called ingress filtering and it's used to prevent address spoofing.

What you're doing is called multihoming with PA address space, in case you want to look up more information.
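
The constraint described in the reply above, modelled as an added example (not part of the original posts): each upstream accepts only sources from the prefix it assigned, so destination-based selection loses every flow whose source prefix belongs to the other upstream. The prefixes (taken from the 2001:db8::/32 documentation range), the flows and all function names are constructed for illustration.

```python
import ipaddress

# Constructed prefixes from the 2001:db8::/32 documentation range (assumptions).
ISP_PREFIX = ipaddress.ip_network("2001:db8:1::/56")   # delegated by the ISP
HE_PREFIX = ipaddress.ip_network("2001:db8:2::/64")    # routed by the tunnel broker
RU_PREFIXES = [ipaddress.ip_network("2001:db8:ff00::/40")]  # stand-in for the country list

# Each upstream only accepts sources from the prefix it assigned (ingress filtering).
UPSTREAMS = {"isp": ISP_PREFIX, "henet": HE_PREFIX}


def route_by_destination(src, dst):
    """The policy from the first post: country list via ISP, the rest via HE."""
    dst = ipaddress.ip_address(dst)
    return "isp" if any(dst in net for net in RU_PREFIXES) else "henet"


def route_by_source(src, dst):
    """Policy that picks the upstream owning the packet's source prefix."""
    src = ipaddress.ip_address(src)
    for name, prefix in UPSTREAMS.items():
        if src in prefix:
            return name
    return None  # source is from neither prefix: no valid exit


def passes_ingress_filter(upstream, src):
    """True if the upstream would accept a packet with this source address."""
    return upstream is not None and ipaddress.ip_address(src) in UPSTREAMS[upstream]


def delivered(policy, flows):
    """Per flow: (chosen upstream, whether it survives ingress filtering)."""
    picks = [(policy(src, dst), src) for src, dst in flows]
    return [(up, passes_ingress_filter(up, src)) for up, src in picks]


# Constructed flows: one host address per prefix, one destination per region.
FLOWS = [
    ("2001:db8:1::10", "2001:db8:ff00::1"),  # ISP source -> listed destination
    ("2001:db8:1::10", "2001:db8:aaaa::1"),  # ISP source -> other destination
    ("2001:db8:2::10", "2001:db8:ff00::1"),  # HE source  -> listed destination
    ("2001:db8:2::10", "2001:db8:aaaa::1"),  # HE source  -> other destination
]

if __name__ == "__main__":
    for name, policy in (("destination", route_by_destination), ("source", route_by_source)):
        print(name, delivered(policy, FLOWS))
```

With destination-based selection, only the two flows whose source prefix happens to match the chosen upstream survive; with source-based selection all four do.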
 
Foxeh
just joined
Topic Author
Posts: 10
Joined: Mon Oct 05, 2015 12:42 pm

Re: Multiple IPv6 Gateways and geo routing on 7.1 Beta 6

Sat Jul 17, 2021 9:44 am

But from MikroTik's manual page (though the example is for IPv4):
Let's consider a basic example where we want to resolve 8.8.8.8 only in the routing table named myTable to the gateway 172.16.1.1:

/routing table add name=myTable fib
/routing rule add dst-address=8.8.8.8 action=lookup-only-in-table table=myTable
/ip route add dst-address=8.8.8.8 gateway=172.16.1.1@main routing-table=myTable
So, only when I make
/ipv6 route add comment="" disabled=no distance=1 dst-address=2000::/3 gateway=*****::1@main scope=30 target-scope=10 routing-table=henet
I get timeouts in traceroute (traceroute from the MikroTik).
 
Emil66
Frequent Visitor
Posts: 62
Joined: Tue Aug 28, 2018 2:09 am

Re: Multiple IPv6 Gateways and geo routing on 7.1 Beta 6

Sat Jul 17, 2021 11:02 am

As I wrote before, with IPv4 you can do this because NAT changes the source address to the address which is assigned to the interface through which the packets are sent out. It doesn't work with IPv6 because there is no NAT. The packets are sent out exactly how they arrive from the device, so the device's choice of source IPv6 address for the connection determines the route the packets have to take. The router can't choose the route independently of the source address.

Also, this is not a v7 Beta issue. It would not work with any other version or any other router. What you're seeing is expected behaviour.
 
Foxeh
just joined
Topic Author
Posts: 10
Joined: Mon Oct 05, 2015 12:42 pm

Re: Multiple IPv6 Gateways and geo routing on 7.1 Beta 6

Sat Jul 17, 2021 6:44 pm

On 6.49beta54 I can make routing rules by destination address, but it only works if devices under the bridge get only one of the IPv6 subnets (if I advertise only the broker's subnet).
tracert to Google:
Трассировка маршрута к google.com [2a00:1450:4010:c1e::71]
с максимальным числом прыжков 30:

  1    <1 мс    <1 мс    <1 мс  2001:***:***:224::1
  2     *        *        *     Превышен интервал ожидания для запроса.
  3    58 ms    57 ms    98 ms  e0-15.core2.ber1.he.net [2001:470:0:220::1]
  4    79 ms   107 ms    62 ms  e0-35.core2.ham1.he.net [2001:470:0:134::2]
  5    63 ms    62 ms    61 ms  ipv6.de-cix.ham.de.as15169.google.com [2001:7f8:3d::3b41:0:1]
  6    62 ms    62 ms    62 ms  2001:4860:0:12e5::4
  7    88 ms    88 ms    88 ms  2001:4860::c:4001:ebe
^C
Трассировка маршрута к mail.ru [2a00:1148:db00:0:b0b0::1]
с максимальным числом прыжков 30:

  1    <1 мс    <1 мс    <1 мс  2001:***:***:224::1
  2     *        *        *     Превышен интервал ожидания для запроса.
  3    59 ms    59 ms    59 ms  2a02:2168:0:1034::1
  4    63 ms    63 ms    63 ms  2a02:2168:0:1023::111
  5    52 ms    50 ms    50 ms  mailru-2-bgw-1.msk.ip6.ncnet.ru [2a02:2168:0:1007::2]
  6  ^C
As we can see, the two traces have a different third hop. But LAN devices have only one subnet.

But the same configuration drops all IPv6 traceroutes on the v7 beta.
 
Emil66
Frequent Visitor
Posts: 62
Joined: Tue Aug 28, 2018 2:09 am

Re: Multiple IPv6 Gateways and geo routing on 7.1 Beta 6

Sat Jul 17, 2021 7:53 pm

In that case your ISP may not be doing ingress filtering. That is bad. (HE certainly filters.) You can send packets with alien source addresses through your ISP, but the return traffic to these addresses will still arrive through the HE tunnel, so you've created asymmetric routing. If the router does reverse path filtering, these packets could get caught in that. RP-filtering is an option in the IPv4 settings. There is no configurable option for IPv6. Put a logging rule matching ICMP packets in the IPv6 firewall prerouting chain of the raw table and see if any packets from the traceroute make it to the router. You could also try looking at the egress traffic with the packet sniffer and see if the router actually sends the packets.
 
Foxeh
just joined
Topic Author
Posts: 10
Joined: Mon Oct 05, 2015 12:42 pm

Re: Multiple IPv6 Gateways and geo routing on 7.1 Beta 6

Tue Jul 20, 2021 7:34 am

So, maybe it is possible to send those routes to the clients?
Like: if dst IP = a, go via gw b;
if dst IP = y, go via gw z.
