
[Network] How do you set up policy routing for IPv6 with multiple uplinks?

Posted on 2024-7-21 19:57
This post was last edited by vancho on 2024-7-21 20:03

The answer: use NETMAP. Below I use a MikroTik router as the example.

First a screenshot. Here I am connecting home over WireGuard via IPv4; my router assigns my PC's peer the IPv6 address fd00:172:31:1::101.
When I visit the site 6.ipw.cn it shows my source as a China Unicom prefix with the suffix 1:101.
When I visit the USTC speed-test site it also shows my source as a China Unicom prefix, again with the suffix 1:101.
[Screenshot: Snipaste_2024-07-21_19-50-42.png]

Detailed implementation steps:

1. Assign a "static" IPv6 prefix to each PPPoE interface. The prefix is not truly static, but as long as you do not reboot the ONT and the router and the ISP does no maintenance, you basically keep it.
    /ipv6 dhcp-client
    add interface=pppoe-out1 pool-name=pppoe-out1 pool-prefix-length=60 prefix-hint=2408:xxxx:xxx:72d0::/60 request=prefix use-peer-dns=no
    add interface=pppoe-out2 pool-name=pppoe-out2 pool-prefix-length=60 prefix-hint=2408:xxxx:xxx:7f30::/60 request=prefix use-peer-dns=no
    add interface=pppoe-out3 pool-name=pppoe-out3 pool-prefix-length=60 prefix-hint=2408:xxxx:xxx:8be0::/60 request=prefix use-peer-dns=no
    add interface=pppoe-out4 pool-name=pppoe-out4 pool-prefix-length=60 prefix-hint=2409:xxxx:xxx:71a0::/60 request=prefix use-peer-dns=no
    add interface=pppoe-out5 pool-name=pppoe-out5 pool-prefix-length=60 prefix-hint=2409:xxxx:xxx:9960::/60 request=prefix use-peer-dns=no


2. Assign an IPv6 ULA range to the LAN. I gave my home fd00:172:31::/50, basically a direct transliteration of the IPv4 range so it is easy to recognize.

2.1 First assign an address to lo. Because I run OSPFv3, this step cannot be skipped.
    /ipv6 address
    add address=fd00:172:31:3fff::ffff/50 advertise=no interface=lo


2.2 Then assign an address to each LAN interface
    /ipv6 address
    add address=fd00:172:31:2::ffff interface=sfp-sfpplus1
    add address=fd00:172:31:3::ffff interface=vlan3103
    add address=fd00:172:31:4::ffff interface=vlan3104


2.3 At the office or when travelling I like to forward my traffic straight through my home router, so I also gave the home-bound wireguard1 an address
    /ipv6 address
    add address=fd00:172:31:1::/119 advertise=no interface=wireguard


As you can see above, I configured everything along the four /64 IPv6 subnets fd00:172:31:1 through fd00:172:31:4. This is key.

2.4 Finally, assign IPv6 addresses for the pppoe-out{1..5} interfaces, but without writing the prefix; the addresses are configured on loopback1. This is also key, otherwise the router itself cannot originate IPv6 connections. My DDNS, for example, relies on the configuration below
    /interface bridge
    add name=loopback1 port-cost-mode=short
    /ipv6 address
    add address=::82b2:24ff:7e7b:31e3/60 advertise=no eui-64=yes from-pool=pppoe-out1 interface=loopback1
    add address=::82b2:24ff:7e7b:31e3/60 advertise=no eui-64=yes from-pool=pppoe-out2 interface=loopback1
    add address=::82b2:24ff:7e7b:31e3/60 advertise=no eui-64=yes from-pool=pppoe-out3 interface=loopback1
    add address=::82b2:24ff:7e7b:31e3/60 advertise=no eui-64=yes from-pool=pppoe-out4 interface=loopback1
    add address=::82b2:24ff:7e7b:31e3/60 advertise=no eui-64=yes from-pool=pppoe-out5 interface=loopback1


3. Create the policy routing tables
    /routing table
    add disabled=no fib name=wireguard1-routing
    add disabled=no fib name=pppoe-out1-routing
    add disabled=no fib name=pppoe-out2-routing
    add disabled=no fib name=pppoe-out3-routing
    add disabled=no fib name=pppoe-out4-routing
    add disabled=no fib name=pppoe-out5-routing


4. Create the IPv6 default routes. I disabled the default routes of pppoe-out5 and pppoe-out6, which belong to the China Mobile broadband, but in the policy routing tables I enabled all of them. The fe80 link-local address in the gateway field has to match the information shown by your dhcp-client.

    /ipv6 route
    add comment=pppoe-out1 disabled=no distance=1 dst-address=::/0 gateway=fe80::16eb:xxx:xxx:b3ad%pppoe-out1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
    add comment=pppoe-out2 disabled=no distance=1 dst-address=::/0 gateway=fe80::16eb:xxx:xxx:b3ad%pppoe-out2 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
    add comment=pppoe-out3 disabled=no distance=1 dst-address=::/0 gateway=fe80::16eb:xxx:xxx:b3ad%pppoe-out3 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
    add comment=pppoe-out4 disabled=yes distance=1 dst-address=::/0 gateway=fe80::62f1:xxxx:xxxx:106%pppoe-out4 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
    add comment=pppoe-out5 disabled=yes distance=1 dst-address=::/0 gateway=fe80::96db:xxxx:xxxx:106%pppoe-out5 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
    add comment=pppoe-out1-routing disabled=no distance=1 dst-address=::/0 gateway=fe80::16eb:xxx:b3ad%pppoe-out1 routing-table=pppoe-out1-routing scope=30 suppress-hw-offload=no target-scope=10
    add comment=pppoe-out2-routing disabled=no distance=1 dst-address=::/0 gateway=fe80::16eb:xxx:b3ad%pppoe-out2 routing-table=pppoe-out2-routing scope=30 suppress-hw-offload=no target-scope=10
    add comment=pppoe-out3-routing disabled=no distance=1 dst-address=::/0 gateway=fe80::16eb:xxx:b3ad%pppoe-out3 routing-table=pppoe-out3-routing scope=30 suppress-hw-offload=no target-scope=10
    add comment=pppoe-out4-routing disabled=no distance=1 dst-address=::/0 gateway=fe80::62f1:xxxx:106%pppoe-out4 routing-table=pppoe-out4-routing scope=30 suppress-hw-offload=no target-scope=10
    add comment=pppoe-out5-routing disabled=no distance=1 dst-address=::/0 gateway=fe80::96db:xxxx:106%pppoe-out5 routing-table=pppoe-out5-routing scope=30 suppress-hw-offload=no target-scope=10
    add comment=wireguard1-routing disabled=no distance=1 dst-address=::/0 gateway=wireguard1 routing-table=wireguard1-routing scope=30 suppress-hw-offload=no target-scope=1


6. Some IPv6 firewall rules. Mine can only serve as a reference: deny everything by default and forward by whitelist. For example, I opened inbound 5201 and 3389, plus port 22653 for PT downloads.

6.1 First define the interface lists
    /interface list
    add name=WAN
    add name=LAN
    /interface list member
    add interface=pppoe-out1 list=WAN
    add interface=pppoe-out2 list=WAN
    add interface=pppoe-out3 list=WAN
    add interface=pppoe-out4 list=WAN
    add interface=pppoe-out5 list=WAN
    add interface=sfp-sfpplus1 list=LAN
    add interface=vlan3103 list=LAN
    add interface=vlan3104 list=LAN


6.2 Configure the input and forward policy
    /ipv6 firewall filter
    add action=passthrough chain=input
    add action=passthrough chain=output
    add action=accept chain=forward comment=established,related connection-state=established,related
    add action=drop chain=forward comment=invalid connection-state=invalid
    add action=accept chain=forward comment=icmpv6 protocol=icmpv6
    add action=accept chain=forward out-interface-list=WAN
    add action=accept chain=forward out-interface=wireguard1
    add action=accept chain=forward dst-address=fd00:172:31::/50 src-address=fd00:172:31::/50
    add action=accept chain=forward comment=tcp dst-port=22653 in-interface-list=WAN protocol=tcp
    add action=accept chain=forward comment=udp dst-port=22653 in-interface-list=WAN protocol=udp
    add action=accept chain=forward comment=tcp disabled=yes dst-port=5201 in-interface-list=WAN protocol=tcp
    add action=accept chain=forward comment=udp disabled=yes dst-port=500,4500,5201 in-interface-list=WAN protocol=udp
    add action=drop chain=input comment=udp disabled=yes dst-port=53,161 in-interface-list=WAN protocol=udp
    add action=drop chain=forward


6.3 Routing marks: traffic leaves through the same interface it came in on
    /ipv6 firewall mangle
    add action=mark-connection chain=prerouting comment=pppoe-out1 connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=pppoe-out1-in passthrough=yes
    add action=mark-connection chain=prerouting comment=pppoe-out2 connection-mark=no-mark in-interface=pppoe-out2 new-connection-mark=pppoe-out2-in passthrough=yes
    add action=mark-connection chain=prerouting comment=pppoe-out3 connection-mark=no-mark in-interface=pppoe-out3 new-connection-mark=pppoe-out3-in passthrough=yes
    add action=mark-connection chain=prerouting comment=pppoe-out4 connection-mark=no-mark in-interface=pppoe-out4 new-connection-mark=pppoe-out4-in passthrough=yes
    add action=mark-connection chain=prerouting comment=pppoe-out5 connection-mark=no-mark in-interface=pppoe-out5 new-connection-mark=pppoe-out5-in passthrough=yes
    add action=mark-routing chain=output comment=pppoe-out1 connection-mark=pppoe-out1-in new-routing-mark=pppoe-out1-routing passthrough=yes
    add action=mark-routing chain=output comment=pppoe-out2 connection-mark=pppoe-out2-in new-routing-mark=pppoe-out2-routing passthrough=yes
    add action=mark-routing chain=output comment=pppoe-out3 connection-mark=pppoe-out3-in new-routing-mark=pppoe-out3-routing passthrough=yes
    add action=mark-routing chain=output comment=pppoe-out4 connection-mark=pppoe-out4-in new-routing-mark=pppoe-out4-routing passthrough=yes
    add action=mark-routing chain=output comment=pppoe-out5 connection-mark=pppoe-out5-in new-routing-mark=pppoe-out5-routing passthrough=yes
    add action=mark-routing chain=prerouting comment=pppoe-out1 dst-address-list=pppoe-out1 new-routing-mark=pppoe-out1-routing passthrough=yes
    add action=mark-routing chain=prerouting comment=pppoe-out2 dst-address-list=pppoe-out2 new-routing-mark=pppoe-out2-routing passthrough=yes
    add action=mark-routing chain=prerouting comment=pppoe-out3 dst-address-list=pppoe-out3 new-routing-mark=pppoe-out3-routing passthrough=yes
    add action=mark-routing chain=prerouting comment=pppoe-out4 dst-address-list=pppoe-out4 new-routing-mark=pppoe-out4-routing passthrough=yes
    add action=mark-routing chain=prerouting comment=pppoe-out5 dst-address-list=pppoe-out5 new-routing-mark=pppoe-out5-routing passthrough=yes


6.4 Then the most important part, the TCP MSS change below. The MTU of my China Unicom and China Mobile PPPoE interfaces is 1480, so I set tcp-mss straight to 1420; the WireGuard interface's MTU is 1400, so I set tcp-mss to 1340. This is key.
    /ipv6 firewall mangle
    add action=change-mss chain=forward new-mss=1420 out-interface-list=WAN passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1420
    add action=change-mss chain=forward new-mss=1340 out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1340


7. Here comes NETMAP
The fd00:xxx addresses are translated once on egress and once on ingress. With the current configuration, LAN devices cannot obtain a public IPv6 address, but when I visit IPv6 sites I want the destination to see a source address that does not start with fd00 but is a proper public address starting with 2408 or 2409. China Unicom and China Mobile each give me a /60 IPv6 prefix, which yields 16 /64 subnets. That is why the strict address constraint earlier is needed; anything outside that range cannot be translated.
    /ipv6 firewall nat
    add action=netmap chain=srcnat out-interface=pppoe-out1 src-address=fd00:172:31::/60 to-address=2408:xxxx:xxx:72d0::/60
    add action=netmap chain=srcnat out-interface=pppoe-out2 src-address=fd00:172:31::/60 to-address=2408:xxxx:xxx:7f30::/60
    add action=netmap chain=srcnat out-interface=pppoe-out3 src-address=fd00:172:31::/60 to-address=2408:xxxx:xxx:8be0::/60
    add action=netmap chain=srcnat out-interface=pppoe-out4 src-address=fd00:172:31::/60 to-address=2409:xxxx:xxx:71a0::/60
    add action=netmap chain=srcnat out-interface=pppoe-out5 src-address=fd00:172:31::/60 to-address=2409:xxxx:xxx:9960::/60
    add action=netmap chain=dstnat dst-address=2408:xxxx:xxx:72d0::/60 in-interface=pppoe-out1 to-address=fd00:172:31::/60
    add action=netmap chain=dstnat dst-address=2408:xxxx:xxx:7f30::/60 in-interface=pppoe-out2 to-address=fd00:172:31::/60
    add action=netmap chain=dstnat dst-address=2408:xxxx:xxx:8be0::/60 in-interface=pppoe-out3 to-address=fd00:172:31::/60
    add action=netmap chain=dstnat dst-address=2409:xxxx:xxx:71a0::/60 in-interface=pppoe-out4 to-address=fd00:172:31::/60
    add action=netmap chain=dstnat dst-address=2409:xxxx:xxx:9960::/60 in-interface=pppoe-out5 to-address=fd00:172:31::/60


8. Finally, the policy routing: China Mobile IPv6 addresses go out via China Mobile, and China Unicom handles everything else
    /routing rule
    add action=lookup disabled=no dst-address=2409:8000::/20 table=pppoe-out4-routing
    add action=lookup disabled=no dst-address=2409:8000::/20 table=pppoe-out5-routing



8.1 I added a CERNET (education network) block that goes out via the China Mobile interface
    /routing rule
    add action=lookup disabled=no dst-address=2001:da8::/32 table=pppoe-out4-routing



8.2 Remember that every wireguard1 peer must be given a client address inside fd00:172:31:1::/119, otherwise the translation cannot complete
    /routing rule
    add action=lookup-only-in-table comment=wireguard-roadwarrior disabled=no dst-address=fd00:172:31:1::/119 table=wireguard1-routing


8.3 If PT needs to be bound to one interface and also needs IPv6, that is simple too
First configure a static IPv6 address on the PT machine by hand, then set its default route, and finally create an interface-binding policy in RouterOS. For example, if I want the download box with the IPv6 address fd00:172:31:2::140/128 to talk to the other IPv6 PT peers via pppoe-out1, configure it like this

    add action=lookup comment=bypass disabled=yes src-address=172.31.2.140/32 table=pppoe-out1-routing
    add action=lookup comment=bypass disabled=yes src-address=fd00:172:31:2::140/128 table=pppoe-out1-routing


If you can receive a full IPv6 table from elsewhere via BGP, then after the policy routing it can look like the picture below:
[Screenshot: Snipaste_2024-07-21_20-01-54.png]

Reference: 使用 NETMAP 获得稳定的 IPv6 地址并进行源地址控制 (Using NETMAP to obtain stable IPv6 addresses and control the source address)
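As an added illustration (not part of the original post or of RouterOS), the Python below models the NETMAP prefix swap from step 7 and the MSS arithmetic from step 6.4. The public /60s are constructed stand-ins for the redacted 2408:xxxx:xxx:72d0::/60 and 2409:xxxx:xxx:71a0::/60, and the function names are my own.

```python
"""
Model of the IPv6 NETMAP translation from the post: the ULA prefix
fd00:172:31::/60 is swapped one-to-one with the /60 delegated on each
PPPoE interface, keeping the low 68 bits (/64 index plus host part).
Public prefixes below are constructed placeholders (the post redacts them).
"""
import ipaddress

ULA = ipaddress.IPv6Network("fd00:172:31::/60")

# Constructed stand-ins for the redacted delegated prefixes in the post.
DELEGATED = {
    "pppoe-out1": ipaddress.IPv6Network("2408:db8:1:72d0::/60"),
    "pppoe-out4": ipaddress.IPv6Network("2409:db8:1:71a0::/60"),
}


def netmap(addr, src_net, dst_net):
    """Replace the src_net prefix bits of addr with dst_net's, as
    action=netmap does. Returns None when addr lies outside src_net,
    which is why the post insists every LAN/VPN address stays in the /60."""
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("netmap needs equal prefix lengths")
    ip = ipaddress.IPv6Address(addr)
    if ip not in src_net:
        return None
    host_bits = 128 - src_net.prefixlen
    host_part = int(ip) & ((1 << host_bits) - 1)
    return ipaddress.IPv6Address(int(dst_net.network_address) | host_part)


def srcnat(addr, out_interface):
    """Egress (chain=srcnat): ULA source -> public address of that uplink."""
    return netmap(addr, ULA, DELEGATED[out_interface])


def dstnat(addr, in_interface):
    """Ingress (chain=dstnat): public destination on that uplink -> ULA."""
    return netmap(addr, DELEGATED[in_interface], ULA)


def tcp_mss_for_mtu(mtu):
    """IPv6 header (40) + TCP header (20): 1480 -> 1420, 1400 -> 1340."""
    return mtu - 40 - 20


if __name__ == "__main__":
    peer = "fd00:172:31:1::101"  # the WireGuard peer from the post
    pub = srcnat(peer, "pppoe-out1")
    print(peer, "->", pub, "| back:", dstnat(pub, "pppoe-out1"))
```

The peer keeps its 1::101 suffix after translation, which is what the speed-test sites in the screenshot display, while an address such as fd00:172:31:10::1 (outside the /60) maps to nothing.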
Posted on 2024-7-21 20:33
This made me laugh.
Posted on 2024-7-21 22:00 from mobile
It does work well, although this forum rejects NAT66 in every form, as if IPv6 became meaningless once you use NAT66.