hEX Poe IPv6 ULA not pingable

MikroTokkie · March 10, 2022, 8:07pm

Hi all,
First post here so be gentle
Running on a hEX PoE

# mar/10/2022 20:40:26 by RouterOS 7.1
# software id = MGZY-P571
#
# model = RB960PGS
/ipv6 address
add address=fd87:cc61:ad56:28::ff interface=bridge.28
/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes
add advertise-dns=no interface=bridge.28

This gives me a nice https://en.wikipedia.org/wiki/Unique_local_addres on both a windows pc as well on a debian pc.fd87:cc61:ad56:28::ff is NOT pingable. As soon as i change the address on brige.28 to something outside fc00::/7 it IS pingable.

You would suspect some input firewall rule blocking this but the IPv6 firewall is compleet stock and I find no reference to anything fc00::/7

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-polic
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interf
...

To make things more interesting; there is no doubt the MikroTik is recieving the icmp6 echo request:

\[admin@mikrotik\] /ipv6/firewall/connection> print where PROTOCOL=ICMPv6
Columns: PROTOCOL, SRC-ADDRESS, DST-ADDRESS, TIMEOUT
# PROTOCOL  SRC-ADDRESS                            DST-ADDRESS            TIMEOUT
3 icmpv6    fd87:cc61:ad56:28:701b:575f:9665:e46d  fd87:cc61:ad56:28::ff  29s

So question, why does MikroTik threat ULA any other than Global Routable Addresses?

MikroTokkie · March 29, 2022, 7:19pm

Found it. Lesson learned: look outside of /ipv6/

\[admin@mikrotik\] > /routing/rule/export
# mar/29/2022 21:10:49 by RouterOS 7.1.5
# model = RB960PGS
add action=drop comment=multicast disabled=no dst-address=224.0.0.0/4
add action=unreachable comment=ULA disabled=no dst-address=fc00::/7