Can ping IP's/Websites, but no internet.

So Mikrotik.com has IPv6 and IPv4. Then when you ping with the IPv4 address you did not get an answer. This is because, as has become clear by now, you have DS-lite and Mikrotik does not support that. This only allows IPv6 traffic and you are not able to use IPv4 at all. Was I wrong that t-mobile blocks any external DNS servers? Try this:

nslookup mikrotik.com 2001:4860:4860::8888

This will show if Google DNS is reachable or not. Or that t-mobile intercepts and answers for Google:
Server: yyyyyyyyyy
Address: xxxxxxxxxxxxx

Non-authoritative answer:
Name: mikrotik.com
Addresses: 2a02:610:7501:1000::2
159.148.147.196

If xxxxxxxxxxxx is 2001:4860:4860::8888 then Google was allowed by t-mobile to answer
if xxxxxxxxxxxx is fd00:976a::9 or fd00:976a::10 then t-mobile answered instead.

Just because you ask a DNS server for an address over IPv6 doesn’t mean you’ll get an IPv6 address back. Here, it gave you an IPv4 address, which we know won’t work under DS-Lite until you get the IPIP tunnel working per the tdw postings in the other thread I linked, combined with the DHCPv6 RFC 6334 results.

I don’t see a way to force the matter in RouterOS short of disabling IPv4 entirely, and I don’t even know how to do that for certain.

The CLI tools for the various desktop operating systems are generally more powerful, and therefore can force an IPv6 address lookup, even when IPv4 is enabled. Example:


C:\> nslookup
> set type=aaaa
> server 2606:4700:4700::64
Default server: 2606:4700:4700::64
Address: 2606:4700:4700::64#53
> mikrotik.com
Server:		2606:4700:4700::64
Address:	2606:4700:4700::64#53

Non-authoritative answer:
mikrotik.com	has AAAA address 2a02:610:7501:1000::2

The nslookup tool is installed by default on Windows. The key is the “set type=aaaa” command, forcing an IPv6 address record (AAAA) lookup. The default is “a”, being IPv4 address (A) record lookup.

This pattern repeats in other areas, such as in the “-6” flag to the Windows implementation of ping, to force an ICMPv6 ping packet instead of the default IPv4.


ping 2620:12e:1000::a00:f

Pinging 2620:12e:1000::a00:f with 32 bytes of data:
PING: transmit failed. General failure.

>

I'm not sure what's up with that. I can ping it from here, but I'm doing it with "ping6", the standard Linux/BSD/macOS tool for this, roughly equivalent to Windows' "ping -6". You need a tool that can be forced to speak IPv6 as long as IPv4 is known-broken in your setup.
> ping fd00:976a::9 // Tmobile DNS

This one I can't help you with because fc00::/7 is the IPv6 equivalent of RFC 1918 private LAN addressing. (That scope includes fd00::/8.) If that address is a valid DNS server, it's only available on your local T-Mobile subnet.

It's possible that it is a real DNS server, but it isn't pingable. It's not a nice thing to do, but in this wide crazy world, there are network operators that do a lot of not-nice things.

nslookup results for msatter:

>nslookup mikrotik.com 2001:4860:4860::8888
Server:  UnKnown
Address:  2001:4860:4860::8888

*** UnKnown can't find mikrotik.com: No response from server

Ping -6 and nslookup results for tangent:

>ping -6 mikrotik.com
Ping request could not find host mikrotik.com. Please check the name and try again.

>ping -6 2620:12e:1000::a00:f

Pinging 2620:12e:1000::a00:f with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 2620:12e:1000::a00:f:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

ping -6 v6.testmyipv6.com
Ping request could not find host v6.testmyipv6.com. Please check the name and try again.

>ping -6 2606:4700:4700::1111

Pinging 2606:4700:4700::1111 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 2606:4700:4700::1111:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

>ping -6 fd00:976a::9

Pinging fd00:976a::9 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for fd00:976a::9:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
	
>nslookup
Default Server:  UnKnown
Address:  192.168.88.1

> set type=aaaa
> server 2606:4700:4700::64
Default Server:  dns64.cloudflare-dns.com
Address:  2606:4700:4700::64

> mikrotik.com
Server:  dns64.cloudflare-dns.com
Address:  2606:4700:4700::64

*** dns64.cloudflare-dns.com can't find mikrotik.com: No response from server

BTW, I’m trying to keep up, but I’m somewhat incapacitated due to the flu (covid test was negative).

So no answer. Then try directly from RouterOS and the command in terminal is:

:put [:resolve mikrotik.com server=2001:4860:4860::8888]

and then

:put [:resolve mikrotik.com server=fd00:976a::9]

I wish you and your family the best of health and that flu will be over soon.

Here you go:

> :put [:resolve mikrotik.com server=2001:4860:4860::8888] 
159.148.147.196
> :put [:resolve mikrotik.com server=fd00:976a::9] 
159.148.147.196

And thanks for the well wishes.

Thanks, it is not what I expected so the next one should certainly not work:

:put [:resolve mikrotik.com server=8.8.8.8]

If it works then the DNS resolver of the router answers the resolve request.

Also clear DNS cache: IP DNS Cache and then click flush.

Cleared DNS cache, and correct, it doesn’t work.

> :put [:resolve mikrotik.com server=8.8.8.8]
failure: dns server failure

Can you do the same flushing with this again:

:put [:resolve mikrotik.com server=2001:4860:4860::8888]

If so then you can use another DNS resolver than the one of t-mobile.

Then you still lack the conversion of IPv4 traffic to DS-lite so over the LTE you only can use IPv6.

I don’t know much about DS-lite.

> :put [:resolve mikrotik.com server=2001:4860:4860::8888]
159.148.147.196

I don’t see the point of proceeding with RouterOS commands that can’t force IPv6 AAAA lookups and such. You’re just confusing yourselves with all this IPv4 admixture.

As for the “Ping -6 and nslookup results for tangent” above, that’s total failure, but I wonder if you have an IPv6 network set up on the Windows box, and if the RouterOS box is a member of it. What are the IPs? What’s the Windows box’s IPv6 gateway? etc.

MobiusToad, realize that you have the itch, the hardware, and the network. I don’t think any of your respondents in this thread have any one element matching that, much less all three elements together. At some point, I think you’re going to have to carry this ball over the line.

Even if — wild thought — you bought one or even some of us the gear you’re using and subscribed us to T-Mobile, the very fact that we’re in different parts of the world might be enough to prevent us from properly advising you beyond a certain point. National-scale networks are complex; a solution that works in one region may well fail in another.

There’s no substitute for knowing what you’re doing.

The only thing I was interested in was whether there was the choice to use a third-party DNS.

The DNS of the router does not prefer IPv4 or IPv6 but you could create a DNS resolver that only returns IPv6.

Or even better, DNS64 addresses if they are IPv4-resolved ones.

https://github.com/NLnetLabs/unbound/blob/master/doc/README.DNS64


DNS64 Module Options

The dns64 module must be configured in the module-config: “dns64 validator iterator” directive and be compiled into the daemon to be enabled. These settings go in the server: section.

dns64-prefix:
This sets the DNS64 prefix to use to synthesize AAAA records with. It must be /96 or shorter. The default prefix is 64:ff9b::/96.

dns64-synthall:
Debug option, default no. If enabled, synthesize all AAAA records despite the presence of actual AAAA records.

dns64-ignore-aaaa:
List domain for which the AAAA records are ignored and the A record is used by dns64 processing instead. Can be entered multiple times, list a new domain for which it applies, one per line. Applies also to names underneath the name given.

Testing:

:put [:resolve mikrotik.com server=2001:4860:4860::6464]
:put [:resolve mikrotik.com server=2001:4860:4860::64]

https://developers.google.com/speed/public-dns/docs/dns64

If Moses can not go to the mountain, then the mountain has to go to Moses.

DUH…is DS-lite just a DNS server returning adapted IPv4 addresses in a special IPv6 format. The NAT is on the side of the ISP and that takes care of the converting and connecting to the IPv4-only device and returning traffic to the IPv6 address of the client.

If it is only the DNS rewriting the addresses then it should not be too difficult for Mikrotik to implement that. The drawback is that the IPv4 firewall becomes useless and confuses users because they think "I am using an IPv4 address". Then it gets complicated when the IPv4 address is handled as an IPv6 address but still gets handled by the IPv4 firewall…a kind of split horizon…too many different options.

DS-lite looks simple, but when is an IPv4 address an IPv4 address and when is it a special IPv6 address? If you put a check on the WAN, and only the WAN, that it is a DS-lite connection, then check it for any plain IPv4 addresses and convert those to a special IPv6 address. Routing, VPN etc. can still work as before and only when the traffic reaches the WAN are the IPv4 addresses, source and destination, exchanged for IPv6 ones. When traffic returns the opposite is done. Then it should be transparent for RouterOS.

Then you indeed can’t ping any plainly written IPv4 addresses because the IPv4 stack is missing its own lane to the ISP. You can ping domain names because those are rewritten by the DNS server of the ISP here to a special IPv6 format.

How about DNSSEC then? The DNS provider can check and set the DS flag but a check on the client side should fail if the target does not also have an IPv6 address.

https://blog.apnic.net/2016/06/09/lets-talk-ipv6-dns64-dnssec/
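
The AAAA synthesis that the unbound dns64-prefix option above controls, worked through as an added example (not part of the original thread and not unbound's code): it embeds an IPv4 address in a DNS64 prefix using the RFC 6052 layouts and recovers it again, with the thread's mikrotik.com addresses as input. The function names are hypothetical, and only the six prefix lengths RFC 6052 defines are handled.

```python
import ipaddress

# Prefix lengths for which RFC 6052 defines an embedding layout.
RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN = "64:ff9b::/96"  # unbound's default dns64-prefix


def _check_prefix(prefix):
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen not in RFC6052_LENGTHS:
        raise ValueError("prefix must be IPv6 with an RFC 6052 length")
    if net.network_address.packed[8] != 0:
        raise ValueError("octet 8 (bits 64-71) must be zero")
    return net


def synthesize(ipv4, prefix=WELL_KNOWN):
    """Build the AAAA address a DNS64 resolver would return for an A record."""
    net = _check_prefix(prefix)
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:          # reserved octet "u": the IPv4 bits skip over it
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def extract(ipv6, prefix=WELL_KNOWN):
    """Return the embedded IPv4 address, or None if ipv6 is not in the prefix."""
    net = _check_prefix(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net or addr.packed[8] != 0:
        return None
    raw, pos, v4 = addr.packed, net.prefixlen // 8, bytearray()
    while len(v4) < 4:
        if pos == 8:
            pos += 1
        v4.append(raw[pos])
        pos += 1
    if any(raw[pos:]):        # the suffix after the IPv4 bits must be zero
        return None
    return ipaddress.IPv4Address(bytes(v4))


def classify_aaaa(answers, prefix=WELL_KNOWN):
    """Label each AAAA answer as native or as synthesized from an IPv4 address."""
    labels = {}
    for answer in answers:
        v4 = extract(answer, prefix)
        labels[answer] = f"synthesized from {v4}" if v4 else "native"
    return labels


if __name__ == "__main__":
    # Addresses taken from the nslookup output earlier in the thread.
    print(synthesize("159.148.147.196"))
    print(classify_aaaa(["2a02:610:7501:1000::2", "64:ff9b::9f94:93c4"]))
```
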

> As for the “Ping -6 and nslookup results for tangent” above, that’s total failure, but I wonder if you have an IPv6 network set up on the Windows box, and if the RouterOS box is a member of it. What are the IPs? What’s the Windows box’s IPv6 gateway? etc.

Stock W10pro network settings, just reinstalled a little over a week ago when my nvme drive decided to die on me. IPv6 seems to be activated for each adapter and each lists both IPv4 and IPv6 addresses. Though I knew of it and the reason it exists, I haven’t dealt with IPv6 until now, and I am doing research, but I’m not quite sure how to tell if the routerboard “is a member of it”.


> Even if — wild thought — you bought one or even some of us the gear you’re using and subscribed us to T-Mobile, the very fact that we’re in different parts of the world might be enough to prevent us from properly advising you beyond a certain point. National-scale networks are complex; a solution that works in one region may well fail in another.

I wish I could afford that, but the setup wasn’t cheap and things are tight right now due to “inflation” (some for legitimate reasons, most of it not so much) and a bad string of medical related downtimes and expenses (sure wish we had universal healthcare), and now the flu getting us and a car having problems. The most I could possibly offer right now is maybe a small bounty for a working configuration.


> MobiusToad, realize that you have the itch, the hardware, and the network. I don’t think any of your respondents in this thread have any one element matching that, much less all three elements together. At some point, I think you’re going to have to carry this ball over the line.
>
> There’s no substitute for knowing what you’re doing.

I’ve always built my own PCs, I’m a self-taught programmer, and I’ve even done some php/java/sql web development in the past, so I normally have the same viewpoint. I had planned on simply getting more knowledgeable as I slowly expanded the network to include a Mikrotik PoE router, switch, and some access points. If I had plenty of time on my hands I could probably reach that point, but I’m pretty busy and have the family getting very impatient with the internet situation, including myself, and outside of pure luck don’t see myself getting it working in a reasonable time frame without help, especially if people far more experienced in Mikrotik and networking here don’t have the solution.

Same way you do with IPv4: look at the addresses on both sides and look at the subnet masks. If both hosts aren’t part of the same IPv6 subnet and the RouterOS box isn’t set as the Windows box’s IPv6 gateway, then it’s no wonder you can’t ping through the router.


> The most I could possibly offer right now is maybe a small bounty…

It was a hypothetical put out to show that even if you did everything within reason to help us, a solution we made here for our local piece of the world-wide T-Mobile network might not apply to the network you have there.


> I’m pretty busy and have the family getting very impatient with the internet situation

Then I recommend one of two paths:

  1. Change ISPs. It’s rare for an ISP to pose the difficulties you’re seeing. The only reason to put up with it is if they’re offering you something compelling, and you have the skills to use their oddball setup. I’m pretty sure you lack those skills, and you complain of lack of time to acquire them.

  2. Buy an off-the-shelf commodity solution known to work with your local network. Surely T-Mobile would be happy to sell you such a thing. Why are you trying to avoid buying and using their first-party offering? I assume there is a good answer to that question, so let me add a follow-on question: Did you expect a third-party lash-up to work without effort and expertise?

reply to msatter:

> :put [:resolve mikrotik.com server=2001:4860:4860::6464]
159.148.147.196                                                                                          
> :put [:resolve mikrotik.com server=2001:4860:4860::64]
159.148.147.196

Thanks for the info. I’ll definitely look further into that once my head stops feeling like it’s going to explode. Even if I end up copy/pasting something from the forum that gets everything working, I’d still like to fully understand said solution.

> Same way you do with IPv4: look at the addresses on both sides and look at the subnet masks. If both hosts aren’t part of the same IPv6 subnet and the RouterOS box isn’t set as the Windows box’s IPv6 gateway, then it’s no wonder you can’t ping through the router.

Sorry, my brain isn’t working today. My adapter says no network access under IPv6 Connectivity and no IPv6 default gateway in details. I assume the reason Windows hasn’t filled those in itself is because the routerboard isn’t supplying those details to Windows. I’ll try and look through all the IPv6 documentation when my head stops feeling like it’s going to explode.


> 1. Change ISPs. It’s rare for an ISP to pose the difficulties you’re seeing. The only reason to put up with it is if they’re offering you something compelling, and you have the skills to use their oddball setup. I’m pretty sure you lack those skills, and you complain of lack of time to acquire them.

That oddball setup didn’t exist when I got it. I switched to tmobile from tracfone because I needed to move to a full data family plan and tmobile seemed like it was the best option. My only other option is possibly AT&T and/or getting on the starlink waiting list and probably not getting it until 2023.


> 2. Buy an off-the-shelf commodity solution known to work with your local network. Surely T-Mobile would be happy to sell you such a thing. Why are you trying to avoid buying and using their first-party offering? I assume there is a good answer to that question, so let me add a follow-on question: Did you expect a third-party lash-up to work without effort and expertise?

The answer to that question is that tmobile (or any other service) wasn’t offering home internet to this address or any proxy address I could use at the time of us moving, plus most people disliked the modem they were using, and so I needed to go the modem+phone sim card route in order to get the internet. I wanted a PoE modem located outdoors next to an outdoor antenna for the best possible connection I could muster. I couldn’t find an off the shelf option available, all were outdated (no 5G capability or lacking bands) or were indoor wireless router combos (if I can’t get this setup working, I might have to purchase one and configure/mod it for my purposes if one of those is a working option). And in my defense, I was able to get the modem up and running properly before moving and it did work well for a few months.

You have no v6 configuration on the LAN side at all. You need a static IP for the router and a DHCPv6 server at minimum.

Still feeling like crap from the flu, but I did make a bit of progress today. I messed around a bit with the DHCP servers, made no progress, and decided to reset my RBM11G configuration and start from scratch. I did my basic configuration, minus DHCP servers and IP Pools. I did the usual srcnat masquerade rules under IPv4 NAT, and IPv6 NAT (don’t know if this is needed), the TTL mangle rules (doesn’t seem to exist under IPv6…), added cloudflare IPv6 DNS addresses, and then went to mess with the APN settings. Under APN, I set it to IPv6 and then changed the IPv6 interface to ether1 (vs lte1)… and under windows the adapter did pick up the RBM11G as the default IPv6 gateway and I now have IPv6-only internet at the moment. Definitely not the correct configuration yet, but at the very least it gives me some much needed hope and verifies the speculation of what my issue is.

Unrelated WTF, for a few minutes I lost said internet because it decided to pick up a tower 2000 miles away in the British Virgin Islands :confused: . Saw the red “no roaming allowed” text on my LTE interface and did a cellmapper search for the tower I was connected to. How on earth is that possible?

> I now have IPv6-only internet at the moment

Hallelujah!

Now you just need to wrap your head around the IPIP and DHCPv6 stuff from the other threads to get IPv4 working.

And when you’re done, you can sell preconfigured T-Mobile routers to your social circle.


> IPv6 NAT (don’t know if this is needed)

It shouldn’t be. Your router’s DHCPv6 client should be set for “request=address,prefix”. The prefix request should yield a big fat /64 or similar, giving you enough IPs for an Internet’s worth of Internets in your house.

Should be enough. :wink:

Soooo… I got IPv4 working. Just an idea that suddenly popped into my head. Apparently it was as simple as changing IP type to IPv4 in APN settings. My original configuration was set to auto, and I guess my internet had stopped working because auto had simply started choosing IPv6 instead of IPv4.

I’m terribly sorry to all those that helped me that it was such a face-palmingly simple fix. At the very least I learned quite a bit through this process…

I still plan on getting IPv6 working at some point to get rid of the whole double NAT on game consoles issue, but only after the TTL firewall mangle rules are implemented for IPv6.