IPv6 inbound timing out most of the time?

This is happening both on the current release and the current RC.

Here is my IPv6 setup:

/ipv6 dhcp-server
add address-pool=twc disabled=yes interface=vlan101 lease-time=15m name=server1
/ipv6 address
add address=xxxx:xxxx:xxxx:xxxx:: from-pool=twc interface=vlan101
/ipv6 dhcp-client
add add-default-route=yes interface=WAN pool-name=twc request=prefix use-peer-dns=no
/ipv6 firewall filter
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input dst-port=546 in-interface=WAN protocol=udp src-port=547
add chain=input dst-port=443 in-interface=WAN protocol=tcp
add action=drop chain=input comment=invalid connection-state=invalid
add action=drop chain=input comment=New connection-state=new in-interface=WAN
add chain=forward protocol=icmpv6
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward connection-state=new in-interface=!WAN
add action=drop chain=forward comment=Invalid connection-state=invalid
add action=drop chain=forward comment=New connection-state=new in-interface=WAN
/ipv6 nd
set [ find default=yes ] interface=vlan101 mtu=1480 ra-delay=5s ra-interval=5s-30s ra-lifetime=10m
/ipv6 nd prefix default
set preferred-lifetime=4h valid-lifetime=4h

I can access IPv6 resources from inside my network, everything works fine outbound - but I can’t get anything to work inbound - either to my router or inside my network.

When I try to SSH into my router from the outside via IPv6, it works maybe 10% of the time, every other time “operation timed out.” Same with trying to SSH into internal resources.

I can SSH into the router from the outside via IPv4 and it works perfectly. I can also SSH into the router via IPv6 from the inside and it works perfectly.

I did connect a computer directly to my cable modem to ensure I could ssh into it via IPv6 remotely and it worked fine.

What am I missing here?

This is still happening. The connection gets stuck at “syn received” and then eventually just times out. But it occasionally works. What’s going on here?

You need to allow icmpv6 in on the WAN interface.
I would guess that neighbor discovery is getting borked on your wan interface because you’re not allowing ICMPv6. (it would be the same as if you disabled ARP on an IPv4 interface)

I thought I did, but I updated some of my rules to specify the WAN interface, here’s the updated ruleset:

# jan/11/2016 18:57:54 by RouterOS 6.34rc34
# software id = 4MKU-8N2A
#
/ipv6 firewall filter
add chain=input connection-state=established in-interface=WAN
add chain=input connection-state=related in-interface=WAN
add chain=input dst-port=546 in-interface=WAN protocol=udp src-port=547
add chain=input dst-port=443 in-interface=WAN protocol=tcp
add chain=input in-interface=WAN protocol=icmpv6
add action=drop chain=input comment="invalid connections" connection-state=invalid in-interface=WAN
add action=drop chain=input comment="New connections" connection-state=new in-interface=WAN
add chain=forward protocol=icmpv6
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward connection-state=new in-interface=!WAN
add action=drop chain=forward comment=Invalid connection-state=invalid in-interface=WAN
add action=drop chain=forward comment=New connection-state=new in-interface=WAN

Same problem is occurring. Intermittently working… failing most of the time.

Also, is it proper that my WAN interface is NOT getting an routable IPv6 address? In the addresses list, it only has its local fe80 address, and vlan101 is the interface that’s getting the public address:

[admin@router] /ipv6 address> export verbose
# jan/11/2016 19:01:29 by RouterOS 6.34rc34
# software id = 4MKU-8N2A
#
/ipv6 address
add address=XXXX:XXXX:XXXX:XXXX::/64 advertise=yes disabled=no eui-64=no from-pool=twc interface=vlan101
add address=::/64 advertise=yes disabled=yes eui-64=no from-pool=twc interface=WAN

That’s fine in IPv6. If you use OSPFv3, you’ll find that it actually uses the link-local addresses as the next hop address. Router-to-router interfaces don’t need public addresses.

One thing I’m not certain about is the host ID in your public address being all zeros… so maybe ::1/64 instead of ::/64 ?
(I’ve seen xxxx:xxxx::/64 used as a loopback address before, so it’s possible that’s not a thing in IPv6 like it was in IPv4)

I’ve had a problem with using the “from-pool=twc” address pool feature. For whatever reason, the router considers the address invalid when I use the feature. Try manually specifying a prefix from your pool.