Thanks to these notes on setting up the route64 tunnelbroker on mikrotik, I can confirm it works. Route64 supports wireguard for the tunnel and give out a /56 subnet, so one can have 256 /64 subnets. The cable modem needs to forward a particular UDP port to the mikrotik router on the internal network which does the wireguard magic.

(1) Create route64 tunnel, enter your public IP, select wireguard, show config:

[Interface]
PrivateKey = <private key>
Address = 2a11:6c7:f03:123::2/64

[Peer]
PublicKey = FkVCzA3bhSrqOUhXNxVHDXSLDvWHUa7BGj75uuh85TE=
AllowedIPs = ::/1, 8000::/1
Endpoint = 165.140.142.113:<port>
PersistentKeepAlive = 30

(2) Note the subnet configuration given by route64

For example: 2a11:6c7:2001:5300::/56

(3) Setup wireguard

(3.1) Add new wireguard interface

/interface wireguard add mtu=1420 name=wireguard1 private-key=<private key>

(3.2) Add new wireguard peer

/interface wireguard peers add allowed-address=::/1,8000::/1 endpoint-address=165.140.142.113 endpoint-port=<port> interface=wireguard1 persistent-keepalive=30s public-key="FkVCzA3bhSrqOUhXNxVHDXSLDvWHUa7BGj75uuh85TE="

(4) Setup IPv6

I find it more convenient to use the command-line...

(4.1) WAN side

Add route64 IPv6 address to wireguard interface and add IPv6 route.

/ipv6 address add address=2a11:6c7:f03:123::2/64 interface=wireguard1
/ipv6 route add dst-address=2000::/3 gateway=wireguard1

(4.2) LAN side

Route64 gives us a /56 subnet, which we can divide into 256 /64 subnets and give out via SLAAC / neighbor discovery (ND). Let's use the 2a11:6c7:2001:5301::/64 prefix.

/ipv6 nd set [ find default=yes ] interface=bridge mtu=1420
/ipv6 address add address=2a11:6c7:2001:5301::/64 advertise=yes interface=bridge

My IPv6 tunnel adventures are coming to an end... Still, I'd like to see Salzburg AG offer native IPv6.

posted at: 20:14 | path: /configuration | permanent link