Scenario:
My parents live in a different country and would like a VPN back to our native country. Both ends have a Mikrotik Router available, theirs is behind the ISP router. I want to provide both IPv4 and IPv6 addresses which appear local to my country to their devices, so I think an EoIP tunnel bridged to the wireless interface on their Mikrotik will work, and allow their devices to get IPv4/IPv6 addresses directly from my router. In this way it should function like a very long Ethernet cable to an AP in their country.
This is what used to work over an EoIP over IPSec tunnel, but I'm trying to get rid of every last trace of IPSec, and also build the native WG connection directly over IPv6 because... why not?
What works:
Building the EoIP tunnel over WG works perfectly. I can create an IPv4 /30 either end of the WG link and use that.
What doesn't (seem to) work:
If I add an IPv6 /64 address (separate block exclusively used for this VPN purpose) to my end of the tunnel and enable RA on it, the remote Mikrotik receives that RA and adds a /64 in that block to its EoIP interface. I believe this immediately breaks the routing between the ends of the WG tunnel, and the EoIP tunnel no longer functions, likely because the /64 is inside the entire /48 that my ISP routes to me (I have multiple /64s in this block) - it makes no sense for this "foreign" remote device to have this address (I think). I believe this is the cause because if I disable RA on this specific /64 then the EoIP tunnel stays up, however their devices will no longer get SLAAC addresses (right?)
What I've tried to fix it:
Here is where I run out of knowledge. I think if I disable Neighbor Discovery on their router this should prevent it getting an address via RA, but still allow devices that connect to its EoIP tunnel/bridge and successfully get IPv6 and IPv4. However, if I set (on their router)
Code:
/ipv6/nd/set interface=ether1 0
Code:
09:42:38 interface,info eoip1 link up
09:42:40 radvd,debug received Router Advertisement on eoip1 from fe80::fc55:d0ff:bbbb:aaaa
09:42:40 radvd,debug prefix: 2001:db8:dead:beef::/64 valid: 2592000 preferred: 604800   # I think this breaks things
09:42:42 radvd,debug received Router Advertisement on ether1 from fe80::da7d:7fff:fed7:99d0
09:42:42 radvd,debug value for hop-limit on interface ether1 doesn't agree with fe80::da7d:7fff:fed7:99d0
09:42:42 radvd,debug neighbor fe80::da7d:7fff:ffff:1234 on interface ether1 uses other stateful configuration
09:42:42 radvd,debug prefix: 2002:db8:cafe:cafe::/64 valid: 86400 preferred: 600
09:42:42 radvd,debug DNS server #1 2002:db8:cafe:cafe:aaaa:bbbb:cccc:dddd valid: 600
09:42:42 radvd,debug DNS server #2 fe80::da7d:7fff:ffff:1234 valid: 600
09:42:42 radvd,debug unknown option 31
09:42:42 radvd,debug mtu 1500
Here's the config of their router's ND
Code:
Flags: X - disabled, I - invalid; * - default
 0 * interface=ether1 ra-interval=3m20s-10m ra-delay=3s mtu=unspecified
     reachable-time=unspecified retransmit-interval=unspecified ra-lifetime=30m
     ra-preference=medium hop-limit=1 advertise-mac-address=yes advertise-dns=yes
     managed-address-configuration=no other-configuration=no dns="" pref64=""
Edit: v 7.13.5 both ends (latest)
Posted by davis65536 — Sat Feb 24, 2024 11:53 am
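Added example, not from the post or from MikroTik: a remote-side RouterOS v7 configuration that bridges the home router's RAs through to the wireless clients but keeps this router from autoconfiguring off the tunnel, since /ipv6/nd only shapes the RAs a router sends and says nothing about the ones it accepts. An RA accepted on eoip1 installs an address and a default route through the tunnel, which can pull the WireGuard endpoint traffic into the tunnel it is carrying. Assumed names: br-home, eoip1, wlan1; the prefixes are the post's own documentation examples.

```routeros
# Remote (parents') router, RouterOS v7. Interface names br-home, eoip1 and
# wlan1 are assumptions; the prefix below is the one quoted in the post.

# 1. Make the tunnel behave like a long Ethernet cable: bridge eoip1 with the AP.
/interface/bridge/add name=br-home
/interface/bridge/port/add bridge=br-home interface=eoip1
/interface/bridge/port/add bridge=br-home interface=wlan1

# 2. /ipv6/nd is the radvd (sending) side. The existing interface=ether1 entry
#    makes this router advertise on ether1; it does not control which RAs the
#    router accepts, so it is not the knob for the eoip1 problem.
/ipv6/nd/print

# 3. Keep RAs arriving through the tunnel away from this router's own IPv6
#    stack while still bridging them to the wireless clients. The bridge
#    forwards at L2, so a drop in chain=input affects only the router itself.
#    Place this rule before any generic "accept icmpv6" rule in chain=input.
/ipv6/firewall/filter/add chain=input in-interface=br-home protocol=icmpv6 \
    icmpv6-options=134:0-255 action=drop \
    comment="RA from home tunnel: bridge to clients, never autoconfigure here"

# Global alternative. It also stops SLAAC on ether1, i.e. on the uplink that
# carries the WireGuard endpoint, so only use it if ether1 gets its address
# statically or via DHCPv6:
# /ipv6/settings/set accept-router-advertisements=no

# 4. Verify: no address from 2001:db8:dead:beef::/64 and no default route
#    via br-home should appear on this router; the wireless clients still
#    receive the home router's RA and SLAAC from that prefix.
/ipv6/address/print where interface=br-home
/ipv6/route/print where dst-address=::/0
```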