HE IPv6 tunnel PPPoE issue - Not MSS related

dodo74 · January 27, 2017, 3:35pm

Hello All,

I have been trying to make the Hurricane Electric IPv6 tunnel work on my RB2011 for a few days now. I had it working in the past but removed the configuration.

Now I am trying to configure it again and I have a strange issue. The tunnel gets setup correctly and I can Ping6 through it without issues and all of the UDP protocols work perfectly. When trying to make this work with TCP the session does not get stablished. I have been doing some packet captures and I am attaching three files; one for the client side, one from the server side and the last one from the ethernet interface in the router that creates the PPPoE session.

The TCP handshake starts normally and the TCP MSS is changed as per the Mangle rule in the IPv6 Firewall section. What happens is strange.

In the client side I can see the SYN (client), SYN-ACK (server); ACK (client) correctly. After that there is a lot of retransmissions for the server´s original SYN-ACK and the clients original ACK.
In the server side I can only see the SYN (client) and SYN-ACK (server) but no ACK from the client. After that I can see a lot of retransmissions of the servers original SYN-ACK.
In the pope facing ethernet port I can see SYN (client), SYN-ACK (server); ACK (client). However in the client ACKs (both original and retransmissions) the PPPoE session has an error in the sniffer capture that the payload length is incorrect/malformed.

So it is clear that the router is not forwarding the traffic contained in the PPPoE frames and it is dropping it.

I have played a lot with the TCP MSS settings, I am fairly certain that it is not the issue, and have removed any IPv6 Firewall rules.

If anyone can check my packet captures and give my any pointers it will be appreciated!

TIA

dodo74 · January 28, 2017, 10:39am

I am adding the pcap files! In case anyone can comment.
captures.zip (2.37 KB)

dodo74 · January 30, 2017, 2:14pm

I am also adding the relevant config as I can still not get this to work properly.

/interface ethernet
set [ find default-name=ether1 ] name=LAN_eth1
set [ find default-name=ether5 ] name=WAN_eth5

/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=WAN_eth5
keepalive-timeout=disabled name=PPPoE password=adslppp use-peer-dns=yes
user=adslppp@telefonicanetpa
/interface 6to4
add comment=“Hurricane Electric IPv6 Tunnel Broker” disabled=yes !keepalive
local-address=79.145.107.238 mtu=1280 name=sit1 remote-address=
216.66.88.98
/ppp profile
set *0 change-tcp-mss=yes
/ip firewall mangle
add action=change-mss chain=forward in-interface=all-ppp new-mss=1380
passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1381-65535
add action=change-mss chain=forward new-mss=1380 out-interface=all-ppp
passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1381-65535
/ipv6 address
add address=2001:470:1f1c:570::2 advertise=no interface=sit1
add address=2001:470:1979:1::1 interface=LAN_eth1
/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=1280 out-interface=sit1
passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1281-65535
add action=change-mss chain=forward in-interface=sit1 new-mss=1280
passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1281-65535
/ipv6 route
add !bgp-as-path !bgp-atomic-aggregate !bgp-communities !bgp-local-pref
!bgp-med !bgp-origin !bgp-prepend !check-gateway distance=1 dst-address=
2000::/3 gateway=2001:470:1f1c:570::1 !route-tag
add !bgp-as-path !bgp-atomic-aggregate !bgp-communities !bgp-local-pref
!bgp-med !bgp-origin !bgp-prepend !check-gateway distance=1 dst-address=
2001:470:1979::/48 gateway=2001:470:1979:1::2 !route-tag

Can anyone appreciate any issues with this config?

effndc · February 21, 2017, 10:20pm

Any particular reason you are trying to IPv6 mangle? Your devices should all get native IPv6 addresses, NAT (mangle) shouldn’t be necessary at all.

Here is what I have for my IPv6 firewall:

/ipv6 firewall filter
add action=accept chain=input comment="Allow related&established" connection-state=established,related
add action=accept chain=input comment="Allow ICMP" protocol=icmpv6
add action=drop chain=input comment="Drop input to IPv6 WAN interface" in-interface=sit1 log-prefix="Input Drop v6"
add action=accept chain=input comment="Accept input from LAN" in-interface-list=LAN
add action=accept chain=forward comment="Forward related&established" connection-state=established,related
add action=accept chain=forward comment="Forward ICMP" protocol=icmpv6
add action=drop chain=forward comment="Drop all other client bound" in-interface-list=WAN log-prefix="Forward Drop v6"

effndc · February 22, 2017, 12:26am

Additionally, I don’t see any troubleshooting steps that you’ve taken. Confirm you can ping each of these from routerOS, the Hurricane Electric Server IPv4 Address and HE Server IPv6 Address.

From there you should try to ping some known web site’s IPv6 address:

google.com has IPv6 address 2607:f8b0:400a:808::200e
he.net has IPv6 address 2001:470:0:76::2
forum.mikrotik.com has IPv6 address 2a02:610:7501:1000::201

Verify that routerOS can actually communicate across the IPv6 tunnel before proceeding to troubleshooting client devices.

If that all tests out, look at your IPv6 firewall rules and the IPv6 ND. http://wiki.mikrotik.com/wiki/Manual:IPv6/ND