Question: IPv6 rd and MikroTik

Hi,

Who has a clear example of configuring IPv6 rd on a MikroTik router?

Regards

Dennis

First, request a static IP address from support. You will then be assigned a 6RD prefix, which looks roughly like this (depending on the assigned address & subnet):

6RD relay-server: 217.19.16.17
6RD relay prefix: 82.197.192.0/19
6RD prefix: 2a02:58:80::/43
assigned 6RD prefix: 2a02:58:xx:xx00::/56

On your router, create a 6to4 interface:

/interface 6to4
add !keepalive name=6rd remote-address=217.19.16.17

Add an IPv6 address:

/ipv6 address
add address=2a02:58:xx:xx00::1 interface=bridge-lan

And create a route:

/ipv6 route
add distance=1 dst-address=2000::/3 gateway=6rd

6rd results in a lower MTU, which you can advertise:

/ipv6 nd
set [ find default=yes ] mtu=1480

Note: make sure you have a good firewall! If you enabled IPv6 later, you do not have a default configuration yet. For convenience I am adding it here (via /system default-configuration print)

/ipv6 firewall {
  address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
  address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
  address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
  address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
  address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
  address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
  address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
  address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
  address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
  address-list add list=bad_ipv6 address=::224.0.0.0/100 comment="defconf: other"
  address-list add list=bad_ipv6 address=::127.0.0.0/104 comment="defconf: other"
  address-list add list=bad_ipv6 address=::/104 comment="defconf: other"
  address-list add list=bad_ipv6 address=::255.0.0.0/104 comment="defconf: other"
  filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
  filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
  filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
  filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
  filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
  filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
  filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
  filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
  filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
  filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
  filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
  filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
  filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
  filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
  filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
  filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
  filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
  filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
}
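
How the assigned /56 follows from the values in the answer above, as an added example that is not part of the original posts: under 6rd (RFC 5969) the bits of the WAN IPv4 address that are not common to all customers are appended to the 6RD prefix. It assumes the "6RD relay prefix" 82.197.192.0/19 is that common IPv4 prefix (43 + 13 = 56 bits); the WAN address 82.197.200.10 is a constructed sample and the function names are hypothetical.

```python
import ipaddress

# Values quoted in the answer above.
SIXRD_PREFIX = "2a02:58:80::/43"
RELAY_PREFIX = "82.197.192.0/19"
# Constructed sample WAN address inside the relay prefix (assumption).
SAMPLE_WAN_IPV4 = "82.197.200.10"


def delegated_prefix(wan_ipv4, sixrd_prefix=SIXRD_PREFIX, relay_prefix=RELAY_PREFIX):
    """Return the 6rd delegated prefix for a WAN IPv4 address."""
    p6 = ipaddress.IPv6Network(sixrd_prefix)
    p4 = ipaddress.IPv4Network(relay_prefix)
    addr = ipaddress.IPv4Address(wan_ipv4)
    if addr not in p4:
        raise ValueError(f"{addr} is outside the 6rd IPv4 prefix {p4}")
    host_bits = 32 - p4.prefixlen        # 13 bits differ per customer
    length = p6.prefixlen + host_bits    # 43 + 13 = 56
    if length > 64:
        raise ValueError("delegated prefix would be longer than /64")
    suffix = int(addr) & ((1 << host_bits) - 1)
    base = int(p6.network_address) | (suffix << (128 - length))
    return ipaddress.IPv6Network((base, length))


def embedded_ipv4(addr6, sixrd_prefix=SIXRD_PREFIX, relay_prefix=RELAY_PREFIX):
    """Recover the IPv4 tunnel endpoint encoded in a 6rd IPv6 address."""
    p6 = ipaddress.IPv6Network(sixrd_prefix)
    p4 = ipaddress.IPv4Network(relay_prefix)
    addr = ipaddress.IPv6Address(addr6)
    if addr not in p6:
        raise ValueError(f"{addr} is outside the 6rd prefix {p6}")
    host_bits = 32 - p4.prefixlen
    shift = 128 - p6.prefixlen - host_bits
    suffix = (int(addr) >> shift) & ((1 << host_bits) - 1)
    return ipaddress.IPv4Address(int(p4.network_address) | suffix)


def lan_router_address(wan_ipv4):
    """First /64 of the delegated prefix with host part ::1, as on bridge-lan."""
    first64 = next(delegated_prefix(wan_ipv4).subnets(new_prefix=64))
    return ipaddress.IPv6Interface((int(first64.network_address) + 1, 64))


if __name__ == "__main__":
    print(delegated_prefix(SAMPLE_WAN_IPV4))
    print(lan_router_address(SAMPLE_WAN_IPV4))
    print(embedded_ipv4("2a02:58:88:a00::1"))
```

The reverse mapping in embedded_ipv4 is what lets you check that the IPv4 source of an encapsulated packet matches the IPv6 source it carries.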

Thank you, I was mainly interested in the IPv6 part, how the IPv6 address is processed.

We'll get to work on it this evening.

Regards,

Dennis