IPv6 wan settings on pfsense and mikrotik passthrough configuration

Lapdog6067

Casual Member
I currently have a proxmox server running two services:
- mikrotik chr
- pfsense

CHR is used to manage a cat 16 lte modem to passthrough (bridge) the LTE connection to pfsense. pfsense is then used as the firewall.
Using EE, I'm forced to use cgnat for my connection. To try to circumvent this I'm investigating cloudflare tunnel and ipv6 passthrough.

Ideally I'd like to use ipv6 passthrough but I can't seem to get it to work on mikrotik CHR. I keep getting the following error.

[Attached image: 1661891257892.webp]
 

EE settings specific to scancom:

Code:
EE - MBB and Voice & Data tariffs
APN: everywhere
Username: eesecure
Password: secure

EE M2M – The APN to use with EE UK and EE UK/EU/USA dynamic IP tariffs
APN: EEM2M
Username: ee
Password: ee

EE M2M – The APN to use with EE UK and EE UK/EU/USA Private APN tariffs
APN: mm.m2m
Username: - test
Password: – test

Back in a moment
 

I've used the MBB and Voice & Data tariffs APN settings. Setting IP-type to auto doesn't work. Only IPv4 works with Scancom's sim. When I use another EE sim, auto works. However, for both situations IPv6 passthrough to ether1 doesn't work.
 
EE's IPv6 usually breaks things and their setup is not compatible with mobile routers, it does work well on smartphones though, afaik.
 
This link (from Dec 2020) may be relevant?


"EE firewall unsolicited IPv6 inbound traffic on their 4G network. The primary reason for this is to prevent unnecessary data usage as a lot of 4G customers will have limited data plans. This means you will not be able to host any services behind an EE 4G IPv6 address. The firewall block is being done in their core network. Even if you drop the firewall on the 4GEE Home Router itself entirely, it doesn't matter, as the firewall rules are being applied higher up in the network than the CPE (Customer Premises Equipment) itself. Certain IPv6 traffic like ICMPv6, Router Advertisements and other essential IPv6 traffic to comply with RFC standards are permitted between EE IPv6 prefixes but will not respond outside of the EE network."

I don't know if it's still the case, but it is also consistent with EE 'Unlimited plans' being subject to a FUP of 650GB.
 
@oriodec that actually makes a lot of sense, you wouldn't want phones exposed to the Internet via ipv6, it would be a security nightmare.
That said, it'd be nice if they had a separate APN where they allowed you to have unfiltered IPv6 traffic.. and maybe route you a /64, why not..
 
This policy refers to inbound request right? So surely IPv6 should still work for outbound communication so that individuals can browse the internet.
 
That bit works afaik, when on a smartphone, but does not when using a router or tethering.
 
I'm using RouterOS 7.5rc2 on my Chateau LTE12, all public ipv6 works from what I can see over the normal EE APN, both incoming and outgoing.
Yes, on the router itself it should work, but not for the clients, sorry I should have been more specific.
Maybe something like NAT64 would be required. Wonder if the Mikrotik can do that.
 
It might be that only IPv6 passthrough doesn't work which is a shame
It does do IPv6 passthrough:

Code:
/interface lte apn
add apn=fast.t-mobile.com ip-type=ipv4-ipv6 passthrough-interface=LTEWAN

Code the poster used, now they are using RouterOS6, what are you using on your CHR?
 
No, it didn't unfortunately. I think the issue might be with Mikrotik. I'll try an earlier version of CHR. At the moment I am using CHR 7.5 Stable.
If you could provide a snippet of your configuration exported from terminal, not screenshots, we may be able to help further.
 
From terminal, type export and it will give you the full configuration in text form.

export verbose will give you everything.
 
Code:
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
/disk
set sata1 disabled=no
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] apn=default ip-type=ipv6 use-network-apn=no
add apn=everywhere authentication=pap ip-type=ipv4 name="EE Internet" passthrough-interface=ether1 passthrough-mac=\
    AA:XX:XX:XX:XX:B9 use-network-apn=yes use-peer-dns=no user=eesecure
add apn=3internet authentication=pap name=3 passthrough-interface=ether1 passthrough-mac=AA:XX:XX:XX:XX:B9 \
    use-network-apn=yes use-peer-dns=no
/interface lte
set [ find ] allow-roaming=yes apn-profiles="EE Internet" name=lte1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface list member
add interface=lte1 list=WAN
add interface=ether2 list=LAN
add list=LAN
/ip address
add address=192.168.0.13/24 interface=ether2 network=192.168.0.0
/ip cloud
set ddns-update-interval=5m
/ip dhcp-client
add interface=ether1
/ip dns
set servers=1.1.1.1
/ip route
add gateway=192.168.0.10
add gateway=192.168.0.10
add gateway=192.168.0.10
/system identity
set name=MTikLTE
/system logging
add topics=lte
/system package update
set channel=testing

Sorry I've been busy setting up a VPS wireguard server to overcome the CGNAT. Seems to be working well so far
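
An added example, not part of any post in this thread: a Python check over the `/interface lte apn` and `/interface lte` sections of the export above, reporting which APN profile `lte1` uses and whether that profile's `ip-type` requests IPv6 at all. The sample text is copied from the posted export; the function names `parse_export` and `audit_lte` are hypothetical.

```python
import re
import shlex

# Sample input: LTE lines copied from the export posted in the thread.
EXPORT = r'''/interface lte apn
set [ find default=yes ] apn=default ip-type=ipv6 use-network-apn=no
add apn=everywhere authentication=pap ip-type=ipv4 name="EE Internet" passthrough-interface=ether1 passthrough-mac=\
    AA:XX:XX:XX:XX:B9 use-network-apn=yes use-peer-dns=no user=eesecure
add apn=3internet authentication=pap name=3 passthrough-interface=ether1 passthrough-mac=AA:XX:XX:XX:XX:B9 \
    use-network-apn=yes use-peer-dns=no
/interface lte
set [ find ] allow-roaming=yes apn-profiles="EE Internet" name=lte1
'''

def parse_export(text):
    """Parse export-style text into {menu path: [property dict per command]}."""
    text = re.sub(r"\\\n[ \t]*", "", text)    # join backslash-continued lines
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):              # a new menu path begins
            path = line
            continue
        props, in_selector = {}, False
        for tok in shlex.split(line)[1:]:     # skip the add/set verb
            if tok in ("[", "]"):             # "[ find ... ]" selects, it sets nothing
                in_selector = tok == "["
            elif "=" in tok and not in_selector:
                key, value = tok.split("=", 1)
                props[key] = value
        menus.setdefault(path, []).append(props)
    return menus

def audit_lte(text):
    """For each LTE interface, report the ip-type of every APN profile it uses."""
    menus = parse_export(text)
    profiles = {p.get("name"): p for p in menus.get("/interface lte apn", [])}
    findings = []
    for iface in menus.get("/interface lte", []):
        for name in iface.get("apn-profiles", "").split(","):
            prof = profiles.get(name, {})
            ip_type = prof.get("ip-type")     # None: value not present in the export
            findings.append({"interface": iface.get("name"), "profile": name, "ip_type": ip_type,
                             "passthrough": prof.get("passthrough-interface"),
                             "ipv6_requested": None if ip_type is None else ip_type != "ipv4"})
    return findings

print(audit_lte(EXPORT))
```

On the posted export this reports that `lte1` uses the "EE Internet" profile with `ip-type=ipv4`, so the profile bridged to `ether1` is IPv4-only.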
 
Code:
/interface lte apn
set [ find default=yes ] apn=default ip-type=ipv6 use-network-apn=no
add apn=everywhere authentication=pap ip-type=ipv4 name="EE Internet" passthrough-interface=ether1 passthrough-mac=\
    AA:XX:XX:XX:XX:B9 use-network-apn=yes use-peer-dns=no user=eesecure
add apn=3internet authentication=pap name=3 passthrough-interface=ether1 passthrough-mac=AA:XX:XX:XX:XX:B9 \
    use-network-apn=yes use-peer-dns=no

Are you using 3 or EE?
 