Hi

Has anyone had any experience with a load balanced multi-wan setup (in our case 3 ADSL lines using PPPoE) and adding a tunnelbroker (hurricane electric) IPv6 6in4 tunnel into the mix?
Hurricane provides good instructions and there are a number of locations online with information on basic config.
However, while we seem to have got it "mostly working" and the SIT interface connected, the IPv6 routing is not stable and there are what can only be described as "anomalies".
(the mikrotik is sharing prefixes and doing neighbour discovery etc... and some ipv6 routing works.)

I'm wondering it anyone has any experience getting it to work, and if so, what did you use for mangles etc to ensure that the traffic was flowing correctly to/from the HE tunnel IPv4 endpoint ... and firewall rules to make sure that both v4 and v6 flowed correctly for the tunnel to work reliably.

any thoughts?

I didn't test it, but as far as I know, HE tunnel just uses 6to4 interface between your public address and theirs. So if you set the local address correctly and make sure that outgoing IPv4 protocol 41 packets used by tunnel are routed to right uplink, there shouldn't be anything to break.

Thanks Sob,

where should the rule to ensure the traffic to the other end of the ipv4 tunnel sit? output chain? forward?
(i.e. since the logic of the 6in4 tunnel is in the router, presumably the tunnel is an "internal" process and you need to intercept it somewhere there)

apologies for the newbie questions.. but I can not find much information online that fits this situation.. everything assumes you have only one WAN... and multi-homed IPv6 seems even more of a nightmare

Output chain in "/ip firewall mangle" is the right place. You should already have different routing tables for your WAN interfaces, so just mark routing for tunnel packets, to use the right one. There will be no load balancing, unless HE offered support for that (you'd need multiple tunnels). My guess is that they probably don't (but it's just a guess).

And multihoming with IPv6 seems to be another interesting story.

Thanks again.
For clarity, my understanding is that protocol 41 needs to pass to/from the router via IPv4 (output chain mangle taking to the right place and then presumably it is an established connection? Or might there be a need for an explicit rule allowing it on the input chain .. limited to the HE endpoint IP perhaps)

... and then, within IPv6 I understand we need to be careful not to block ICMPv6 messages as they are the means by which routers communicate?

I didn't test if contrack sees it as established connection, perhaps it does. But the first packet can also come from the other side, so I'd add a rule to allow it (just from HE endpoint). As for ICMPv6, you're right, let it pass (unless you know exactly what you want to block and why).