
I am at a colo provider that supplies a single IPv6 /64 block.

The goal was to route the provided /64 of IPv6 addresses to the hosts behind the Mikrotik running RouterOS 6.24.

Some Mikrotik examples that I found always had the user getting a /48, or at least a /64 and another small block to connect with the gateway, or blogger major.io describing the possibility, however not recommended, to use the link address to connect with the uplink router.

I didn't have access to this so I tried to do it another way.

What I had tried was a router IPv6 address on the gateway port as a /126 block aaaa.bbbb.cccc.dddd::2/126 to talk to the uplink router at aaaa.bbbb.cccc.dddd::1/126.

Then I created another router IPv6 address on the master port behind the firewall with the mask aaaa.bbbb.cccc.dddd:8000:1/65. I also configured neighbour discovery so that the clients could autoconfigure.

From the router terminal, I was able to ping the internet, and ping the hosts behind the firewall. From the hosts, I was able to ping the router addresses on both sides of the firewall but not when it needed to go to the uplink.

From another network, I could ping the external router addresses in front of the firewall, but could not access the aaaa.bbbb.cccc.dddd:8000:1/65 that had a static route entry in place the master port behind the firewall. I had no rules in my firewall during testing.

Is my theory wrong, or is there a problem with this model being used on the Mikrotik?

craigdfrench
  • Is your /64 prefix routed to `aaaa.bbbb.cccc.dddd::2/126` by your provider? – Cha0s Aug 13 '15 at 02:54
  • @Cha0s, I don't think so. I was able to change the IPv6 address to aaaa.bbbb.cccc.dddd::6/64 and it responded to a ping. – craigdfrench Aug 13 '15 at 02:59
  • In order for your provider's routers to know how to reach your prefix they need to 'route' it to your IP. Contact your provider and ask them to route your IPv6 prefix to your router. They will know what that means and how to do it. – Cha0s Aug 13 '15 at 11:00
  • Sounds like you may be confusing a residential set-up in which the broadband provider uses DHCP prefix delegation to distribute prefix(es) to the home network with a business-type set-up. As others are writing, your provider should be routing a prefix (preferably larger than /64) to your WAN interface IPv6 address. RouterOS will have no problems accomplishing what you want to do. – Jeff Loughridge Aug 13 '15 at 17:21
  • You could *use* proxy-arp to achieve what you want – damolp Aug 27 '15 at 15:27

1 Answer


You need to get yourself a better colo provider. They should be giving you much larger allocations than a /64 for a routed infrastructure.

That being said, in properly implemented equipment, there's no need to use a full /64 subnet, so in principle what you've described should be workable, modulo your provider being set up correctly, all your equipment being sensible (some older gear made some unwarranted assumptions about "every subnet is a /64"), and your configuration being exactly correct.

Still, in your situation, I'd be reading your colo provider the riot act about recommended IPv6 deployment practices, and getting a proper block from them.

womble
  • The riot act is RFC 6177. – Michael Hampton Aug 13 '15 at 03:07
  • Agreed. The setup is for a _not-for-profit organization_ and is with a super low cost colo provider where we have a package that is designed for a single host but we have jammed in a 1U router along with a 2U - 4 Node SuperMicro SuperServer. I know we are getting exceptional value with them. – craigdfrench Aug 13 '15 at 03:09
  • "Low price" does not equal "exceptional value". Presumably your time, to make this pig fly, is worth something? What about the time of everyone who comes after you, who has to maintain the pig's altitude? – womble Aug 13 '15 at 03:18
  • Sage advice @womble. The colo provider gave me another /64 and I am good to go. – craigdfrench Aug 16 '15 at 13:12
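
The following is an added example, not code from any of the posts above: a simplified model of the provider router's forwarding decision, showing why the router's WAN address answers while a host in the /65 behind it does not until the provider routes the prefix. The `2001:db8:0:1::/64` prefix, the host address and all function names are constructed for illustration.

```python
import ipaddress

# Constructed stand-in for the provider's /64 (documentation prefix, not from the post).
BLOCK = ipaddress.ip_network("2001:db8:0:1::/64")
LINK = next(BLOCK.subnets(new_prefix=126))    # ::/126 link net: uplink ::1, router ::2
LAN = list(BLOCK.subnets(new_prefix=65))[1]   # upper half of the block, 8000::/65
UPLINK, ROUTER_WAN = LINK[1], LINK[2]
ON_LINK = "on-link"

def lookup(dst, table):
    """Longest-prefix match over (network, next_hop) entries; None if no route."""
    hits = [(net, hop) for net, hop in table if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def provider_delivers(dst, table, present_on_segment):
    """Would the provider's router get a packet for dst to its owner?"""
    dst = ipaddress.ip_address(dst)
    hop = lookup(dst, table)
    if hop is None:
        return False
    if hop == ON_LINK:
        # Neighbor solicitation goes out on the colo segment; only interfaces
        # physically on that segment answer. Hosts behind the router do not.
        return dst in present_on_segment
    # Routed: the packet is handed to the customer router, which owns the LAN.
    return hop in present_on_segment and dst in BLOCK

# Provider treats the whole /64 as directly connected (nothing routed).
UNROUTED = [(BLOCK, ON_LINK)]
# Provider keeps the /126 connected and routes the /64 to the customer router.
ROUTED = [(LINK, ON_LINK), (BLOCK, ROUTER_WAN)]
SEGMENT = {UPLINK, ROUTER_WAN}   # interfaces actually attached to the colo segment
LAN_HOST = LAN[0x10]             # constructed host address behind the router

if __name__ == "__main__":
    for name, table in (("unrouted", UNROUTED), ("routed", ROUTED)):
        for dst in (ROUTER_WAN, LAN_HOST):
            print(name, dst, provider_delivers(dst, table, SEGMENT))
```
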