IPv6 forwarding not working in 7.1beta6

Hi!

UPDATE: IPv6 forwarding is not working at all - it does not matter if I add 2 vlans and try to ping between them or use the setup below. The counters of the ipv6 firewall rules are not incremented (not even the invalid drop rules). I've also disabled all queues, so that can't be the problem either.

I was running following on 6.x without problems

/interface pppoe-client add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=60 name=pppoeDslInternet
/ipv6 dhcp-client add interface=pppoeDslInternet pool-name=poolIPv6ppp request=prefix use-peer-dns=no
/ipv6 address add address=::1 from-pool=poolIPv6ppp interface=vlanInternal

With 7.1beta6 I have the problem that the IPv6 traffic from the clients is not forwarded into pppoeDslInternet - I see the traffic in the sniffer on vlanInternal going to the router but not going out on pppoeDslInternet. The routing table looks like this:

> /ipv6/route/print 
Flags: D - DYNAMIC; I - INACTIVE, A - ACTIVE; c - CONNECT, d - DHCP, v - VPN, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
        DST-ADDRESS                         GATEWAY                   D
  DAv   ::/0                                pppoeDslInternet          1
  DAd   xxxx:xxxx:xxxx:5f60::/60                                      1
  DAc   xxxx:xxxx:xxxx:5f61::/64            vlanInternal              0

Forwarding is enabled:

/ipv6 settings set accept-router-advertisements=no max-neighbor-entries=1024

I have no bridge configured on the router (/interface/bridge/export is empty); the vlan is directly attached to the interface:

/interface vlan add interface=ether2 name=vlanInternal vlan-id=1

Also, I can ping the ::1 on vlanInternal from the Internet, so IPv6 itself works. The firewall also allows all packets originating from the internal network into the internet.

/ipv6 firewall filter
add action=log chain=forward log=yes
add action=accept chain=forward comment="just the answer packets --> pass" connection-state=established
add action=accept chain=forward comment="just the answer packets --> pass" connection-state=related
add action=accept chain=forward comment="from our secure internal network --> pass" in-interface=vlanInternal

PS: I've tried disabling/enabling ipv6 as a workaround, but it did not help.

Any help is welcome!



Regards,
Robert

Downgrade to 7.1beta4 makes ping working, but TCP traffic is still not forwarded.

From my testing, the issue is with IPv6 connection tracking being broken for the forward chain. Input chain appears to be fine with connection tracking.

Strange, works fine for me.

What hw platform are you using or is it CHR?

I'm running a hEX (model: RB750Gr3) - I don't believe it's a connection tracking issue, as I don't see matches on the "invalid" rule either. And yes, input is working, just not forward.

I use an RB4011. I have found an issue with v6 on my system, though. After reboot it seems I cannot get data forwarded through my wireguard interfaces. Doing an export of /ipv6/firewall/filter, removing all entries and then reapplying the export seems to help, though. Didn't have time to investigate any further.

Thx for the tip - at least for beta4 that also worked for me … deleted all ipv6 firewall rules and it started working and kept working after applying them again - at least for the last few minutes.

bug exists on my rb4011 with 7.1beta6…

I rolled-back to 6.49beta54 until v7.1 ipv6 bugfix becomes available.

Cleaning firewall rules and then re-importing didn't help. All TCP connections become untracked and invalid on 7.1beta6.

7.1beta6 is super buggy on the RB4011, so good thing you made that downgrade.

Thank you for your response. Yes lots of bugs to fix, it seems.

The issues that I have with the RB4011 and IPv6 are to do with missing link-local addresses. When the router first boots, I get link-local IPv6 addresses for some interfaces, but not the bridge. Without this, the hosts on the bridge cannot get connectivity to the Internet. Disabling IPv6 through IPv6->Settings, and immediately re-enabling it, causes the missing link-local to be applied to “bridge” and the other interfaces that are missing the link-local.

I don't have a bridge on my setup, everything is routed. So these seem to be separate problems.

agreed.
951G-2HnD 7.1beta6 after reboot doesn't have IPv6 in the bridge. Re-enabling IPv6 in settings resolves that.

Having issues with IPv6 in 7.1beta6+ as well.

7.1 beta4 works fine. Tested on 750G r3.

I'm using the following configuration, which works fine with 7.1beta4, but RA seems not to be working with 7.1beta6 and later. Clients do not get any IPv6 assigned from the pool.
The strange thing is I had this problem before on RouterOS 6.48 or 6.49 stable as well, and I had to switch to the long-term branch in order to have it functional. So I suspect it may be a regression ("ported features and fixes introduced in v6.49" in the beta6 changelog).

Is there something wrong or unusual in my configuration? I receive a /56 IPv6 pool from my DSL provider and use MikroTik's RA to distribute IPv6 to the devices on the network…
I'm happy to provide more info if you find it useful.

[admin@MikroTik] /ipv6> export 
# nov/25/2021 15:30:03 by RouterOS 7.1beta4
#
# model = RouterBOARD 750G r3
/ipv6 dhcp-server
add disabled=yes interface="VDSL" name=ipv6
/ipv6 address
add from-pool=ppp-ipv6-pool interface=bridge no-dad=yes
/ipv6 dhcp-client
add add-default-route=yes interface="VDSL" pool-name=ppp-ipv6-pool pool-prefix-length=56 prefix-hint=::/56 request=prefix use-peer-dns=no
/ipv6 firewall filter
add chain=input comment="Router - Allow IPv6 ICMP" protocol=icmpv6
add chain=input comment="Router - Accept established connections" connection-state=established
add chain=input comment="Router - Accept related connections" connection-state=related
add action=drop chain=input comment="Router - Drop invalid connections" connection-state=invalid
add chain=input comment="Router- UDP" dst-port=546 protocol=udp src-address=fe80::/64
add action=drop chain=input comment="Router - Drop other traffic"
add action=drop chain=forward comment="LAN - Drop invalid Connections" connection-state=invalid
add chain=forward comment="LAN - Accept ICMPv6 " protocol=icmpv6
add chain=forward comment="LAN - Accept established Connections" connection-state=established
add chain=forward comment="LAN - Accept related connections" connection-state=related
add action=log chain=forward comment="LAN - Log everything else" disabled=yes log-prefix="Log IPv6"
add action=drop chain=forward comment="LAN - Drop everything else" connection-state=new in-interface="VDSL"
/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ipv6 nd
set [ find default=yes ] advertise-dns=no interface=bridge
/ipv6 settings
set accept-redirects=no
[admin@MikroTik] /ipv6>

Set prefix-length to 64 on DHCP client. This property sets the prefix length as used when IPv6 address is assigned and has nothing to do with requesting pool from ISP (the prefix-hint is for that).

Thank you for your response!
Changed it to 64, updated to the latest 7.1rc7 and clients do get IPv6, but the traffic does not go through on IPv6. So I guess I'm facing this IPv6 forward issue. I've also tried disabling and enabling IPv6 in IPv6->Settings, but no dice. Even ping6 does not go through.

Edit: once I downgraded back to 7.1beta4 it immediately started to work again, without any configuration changes. It works with prefix-length 64 and even 56. So for me it seems like the forwarding is indeed broken in the later revisions of 7.1 (and I still believe it's something with merging 6.49 features into beta6, because I had the same issue on 6.48 or 6.49 - can't remember the exact version now).

Are you sure your issue isn’t related to this? http://forum.mikrotik.com/t/v7-1rc1-development-is-released/151250/1

Thank you very much! This fixed it. Removed add-default-route from the DHCPv6 client, upgraded to rc7 and it now works like a charm.

It's quite strange that it worked for a long time with the default route from the DHCPv6 client.

I had this issue in v7.1.1 (stable). Maybe this will help someone else. I set up a rule in the Mangle table to mark packets in the prerouting chain for new connections coming from Global Addresses on the LAN (using an address list dynamically updated when the DHCPv6 client renews) and then excluded those packets from the invalid drop (add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid packet-mark=!ipv6-packet-from-LAN) in the forward chain of the Filter table:

/ipv6 firewall address-list
add address=2001:db8::/56 comment=ipv6pool list=globalallowed
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=\
    fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid packet-mark=!ipv6-packet-from-LAN
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall mangle
add action=mark-packet chain=prerouting connection-state=new in-interface-list=LAN new-packet-mark=ipv6-packet-from-LAN \
    passthrough=yes src-address-list=globalallowed
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
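As an added illustration (not from any poster or from MikroTik), a small Python model of first-match rule evaluation over the forward-chain rules quoted in the last post: it joins the export's backslash continuations, then shows why a LAN-originated SYN that conntrack reports as invalid hits "drop invalid", why the packet-mark exemption lets it through, and that an unmarked invalid packet from the WAN side is still dropped. The packet dictionaries, the `in-interface-lists` field and the evaluation semantics are assumptions of this model, not RouterOS internals.

```python
import re
import shlex
# Constructed excerpt of the forward chain posted above; the evaluation model is an added assumption.
RULES_TEXT = r'''
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid packet-mark=!ipv6-packet-from-LAN
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
'''

def parse_rules(text):
    """Join RouterOS backslash continuations, then split each 'add ...' line into key=value matchers."""
    joined = re.sub(r"\\\n\s*", "", text)
    return [dict(tok.partition("=")[::2] for tok in shlex.split(line[4:]))
            for line in joined.strip().splitlines() if line.startswith("add ")]

def rule_matches(rule, pkt):
    """Every matcher on the rule must hit; a leading '!' negates that matcher (RouterOS syntax)."""
    for key in ("connection-state", "packet-mark", "in-interface-list"):
        if key not in rule:
            continue
        want, negate = rule[key].lstrip("!"), rule[key].startswith("!")
        if key == "in-interface-list":
            hit = want in pkt.get("in-interface-lists", ())   # assumed: packet carries its interface lists
        else:
            hit = pkt.get(key) in want.split(",")             # single value or comma list (connection-state)
        if hit == negate:
            return False
    return True

def verdict(rules, pkt, chain="forward"):
    """First matching accept/drop rule decides; a filter chain with no match defaults to accept."""
    for rule in rules:
        if rule.get("chain") == chain and rule_matches(rule, pkt):
            if rule.get("action", "accept") in ("accept", "drop"):
                return rule.get("action", "accept")
    return "accept"

def run_cases():
    """Verdicts for a LAN-originated TCP SYN under healthy and broken conntrack, plus a WAN-side packet."""
    rules = parse_rules(RULES_TEXT)
    lan_syn = {"connection-state": "new", "in-interface-lists": ("LAN",)}
    bad_syn = {**lan_syn, "connection-state": "invalid"}       # what the broken conntrack reports
    return {
        "lan_new": verdict(rules, lan_syn),                                            # accept
        "lan_invalid_unmarked": verdict(rules, bad_syn),                               # drop (the symptom)
        "lan_invalid_marked": verdict(rules, {**bad_syn, "packet-mark": "ipv6-packet-from-LAN"}),  # accept
        "wan_invalid": verdict(rules, {"connection-state": "invalid", "in-interface-lists": ("WAN",)}),  # drop
    }
```

Note that the exemption only covers packets the mangle rule marked on the LAN side, so the invalid-drop rule still applies to traffic arriving from the WAN.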