I use an HE tunnel for IPv6 (ISP is IPv4 only) and it’s worked flawlessly for years from one MT router to the next; currently an RB5009. I recently noticed that pinging IPv6 addresses on the Internet from my LAN gave a lot of failures; about 80% loss, with the occasional successful ping surrounded by time outs. Ping times for the successes are as expected.
On the MT is a Pihole container, so I tried from the Pihole’s console using the Terminal on Winbox. The same happens there; about 80% ping loss.
Yet, if I ping directly from Terminal (not via Pihole) or use the Tools/Ping tool in Winbox, I get complete ping success. I’ve been using 2606:4700:4700::1111 to test, so it should be reliable. Other than this issue, IPv6 seems to work properly. My web browser passes the IPv6 connectivity website tests and can browse ipv6-only websites. I can ping IPv6 LAN address no problem from anywhere to anywhere. The issue is on the router itself.
I’m a bit stumped… I’ve not changed anything related to the IPv6 or HE setup for ages. Pinging directly from the router works perfectly, but pinging from anywhere else on my LAN (even a container on the router, with its interface on the same LAN) gives the above failures. So it can’t be a firewall issue because it works sometimes, plus I haven’t changed the rules, and I can see the ping packets hit the firewall counters on the ‘accept established’ rule in the input or forward chain as appropriate. Nothing hits the few deny rules.
It’s as if the router is simply ‘losing’ the replies that come in if they are forwarded… but only sometimes.
Any suggestions? How best to troubleshoot this?
Maybe ICMP rate limiting?
I don’t think so. There’s nothing here doing that and pings directly from the router are 100% working.
When I get home later I’ll sanitise my config and post it. It really is simple though (only my home network) and I can’t see anything that would cause such an erratic issue.
Packet capture is tedious but a good way to troubleshoot this. You can at least see if the reply is making it to the tunnel endpoint on your side and then getting dropped at the router.
Yeah, I might have to set up packet capture (never needed it on the router before), in the meantime I’ve made one odd discovery…
I disabled my ‘accept related’ rules in the IPv6 firewall, and added accept rules for the ICMP to get a proper packet count of where they were going. I added one on the output chain too.
Then, I set the Pihole container (which just has an IPv6 address on the LAN; it’s not on a separate subnet) pinging the test address. I sent 60 pings and got 20 successful replies. This is what was counted as I watched:
Forward chain, accept ICMPv6 to dst test address: 60 packets
Forward chain, accept ICMPv6 from HE Tunnel: 60 packets
Output chain, accept anything to dst test address: 40 packets
Input chain, accept ICMPv6 from HET: 0 packets
Note that the 40 packets that get counted on the output chain match the 40 missing pings. I repeated this several times and got that correlation every time. I also tested by pinging from a PC on my LAN and saw the very same thing happen with the chains and counts.
Why are packets making it onto the output chain?
Edit… those 40 are ‘Destination Unreachable’ ICMP packets. Doesn’t help then… I’ll check exactly what the incoming packets are when I get back later.
I made a silly mistake before and mistyped an address, so ran it again with a bit more detail on those packets by accepting only certain ICMP types. I ran a ping for 33 attempts and got 6 successful replies to it:
Forward chain, accept ICMPv6, dst test address, ICMPv6-Echo-Request: 33 packets counted
Forward chain, accept ICMPv6, src test address, ICMPv6-Echo-Reply: 33 packets counted
Output chain, accept ICMPv6, dst test address, ICMPv6-Dest.Unreach: 27 packets counted
So… 33 echo requests sent to the test address and 33 echo replies were received from it. Yet 27 destination unreachable packets were sent by the router back to the test address, matching the missing 27 ping replies that the pinging container (or a PC) never sees.
What’s happening to those 27 packets? I guess I really need to run a packet capture now and see if they ever reach the container, and if so what has happened to make them fail. Time to read up on how to do that on the router… (wish I could just install wireshark on it, lol)
Edit: that’s easy… and looking at the capture in Wireshark showed what I suspected. I can see all the echo request packets come from the container interface (vethPihole) but only a few replies arrive at it.
Where are those missing replies that come into the firewall forward chain and get accepted then? Is the router just losing them?
Making a new reply because I think this is significant.
I captured packets on both the HE tunnel interface (HET) and the container interface (vethPihole) where I’m pinging from.
The HET capture shows all echo requests and a reply for every one of them coming back.
The vethPihole capture shows all the requests leaving (of course) but is missing most of the replies. Nothing else comes in to replace them or anything like that; they are just missing.
I also see the ‘destination unreachable’ packets being sent out of HET from the router, matching the replies which do not make it to vethPihole.
The router is indeed ‘losing’ packets somewhere between accepting them from HET in the forwarding rule, and actually forwarding them to vethPihole. Moreover, it is reporting back to the test address that the destination address (by which I think it means my vethPihole address now) is unreachable (code 3).
One possibly interesting thing is the source/destination addresses that I see. The test address is as expected of course. The container is using a generated address from the prefix on that network instead of the one I assigned the interface in the container config. Regardless, that’s fine and it’s consistent and works (if we ignore the random ping failure). The ‘destination unreachable’ packets though are being sent to the test address from the HE tunnel endpoint address here, not the prefix I’ve assigned everywhere else which is different to the tunnel’s prefix. I guess that’s not important since it’s the router sending it and it has that address on the endpoint so can use it.
The issue is nothing to do with running the ping in a container, I don’t think. I see exactly the same if I try pinging from a PC on my LAN (same prefix as the container in the router).
I’m wondering what to do next now…
If it helps, here’s my full but slightly redacted config, and packet captures showing all echo requests and replies from a capture on the HET interface. The Destination Unreachable packets in that match the number of missing pings. A similar run (not the same one) on the vethPihole interface showing that the missing replies are missing. Those are again redacted to remove my public IPv6 prefix.
I have a /48 prefix from HE, for clarity, and use a:b:c:n::address format, where a:b:c is my redacted /48, n is used on my LAN for different VLANs (1=main LAN, 2=IoT VLAN etc) and I tend to use the matching IPv4 address at the end, for ease of remembering fixed addresses. For instance my router’s IPv6 address on the main LAN VLAN is a:b:c:1::254, its IPv4 address is 192.168.1.254. I also have a /29 IPv4 subnet from my ISP.
Config
# 2025-07-01 12:01:00 by RouterOS 7.19.1
# software id = 5P2E-TEBU
#
# model = RB5009UPr+S+
# serial number = HGE09QA6T8F
/container mounts
add dst=/etc/pihole name=etc_pihole src=/usb1/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=/usb1/etc-dnsmasq.d
/interface bridge
add admin-mac=02:00:00:00:00:01 auto-mac=no comment="Manual MAC because of Containers" name=B1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] loop-protect=off name=Eth1-LAN_Sw1-26
set [ find default-name=ether2 ] loop-protect=off name=Eth2-IoT_Sw1-25
set [ find default-name=ether3 ] name=Eth3-LAN_PH1
set [ find default-name=ether4 ] name=Eth4-LAN_UPS
set [ find default-name=ether5 ] name=Eth5-Proxmox
set [ find default-name=ether6 ] name=Eth6-VOIP
set [ find default-name=ether7 ] name=Eth7-WiFi
set [ find default-name=ether8 ] name=Eth8-WAN
set [ find default-name=sfp-sfpplus1 ] name=SFP
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=Eth8-WAN max-mru=1508 max-mtu=1508 name=WAN user=redacted
/interface 6to4
add !keepalive local-address=x.y.z.17 mtu=1480 name=HET remote-address=w.x.y.z
/interface veth
add address=192.168.1.46/24,a:b:c:1::46/64 gateway=192.168.1.254 gateway6=a:b:c:1::254 name=vethPihole
add address=192.168.1.45/24,a:b:c:1::45/64 gateway=192.168.1.254 gateway6=a:b:c:1::254 name=vethUnbound
add address=192.168.1.47/24,a:b:c:1::47/64 gateway=192.168.1.254 gateway6=a:b:c:1::254 name=vethVLMCSD
/interface wireguard
add listen-port=124 mtu=1420 name=WG
/interface vlan
add interface=B1 loop-protect=off name=IoT vlan-id=3
add interface=B1 loop-protect=off name=LAN vlan-id=2
add interface=B1 loop-protect=off name=VOIP vlan-id=4
/interface list
add include=none name=RestrictedVLANs
add name=PublicInterfaces
/ip pool
add name=LAN_DHCP_Pool ranges=192.168.1.120-192.168.1.149
add name=IoT_DHCP_Pool ranges=192.168.3.120-192.168.3.149
add name=VOIP_DHCP_Pool ranges=192.168.4.120-192.168.4.149
/ip dhcp-server
add address-pool=IoT_DHCP_Pool interface=IoT lease-time=23h59m59s name=IoT_DHCP
add address-pool=LAN_DHCP_Pool interface=LAN lease-time=23h59m59s name=LAN_DHCP
add address-pool=VOIP_DHCP_Pool interface=VOIP lease-time=23h59m59s name=VOIP_DHCP
/ipv6 dhcp-server option
add code=23 name=IPv6_DNS value="'2606:4700:4700::1111'"
add code=23 name=IPv6_PiDNS value="'a:b:c:1::46,a:b:c:1::44'"
/ipv6 pool
add name=IoT_DHCP6_Pool prefix=a:b:c:3::/64 prefix-length=128
add name=LAN_DHCP6_Pool prefix=a:b:c:1::/64 prefix-length=128
add name=VOIP_DHCP6_Pool prefix=a:b:c:4::/64 prefix-length=128
/container
add interface=vethUnbound name=f48df351-0525-4789-a33b-1b004f668949 root-dir=usb1/unbound start-on-boot=yes workdir=
add interface=vethVLMCSD name=aa00ef47-eb56-4668-86d5-03ff4f0e8a3a root-dir=usb1/vlmcsd start-on-boot=yes workdir=/home/nonroot
add envlist=pihole_envs interface=vethPihole logging=yes mounts=etc_pihole,dnsmasq_pihole name=pihole:latest root-dir=usb1/pihole start-on-boot=yes workdir=/
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb1/pull
/container envs
add key=TZ name=pihole_envs value=Europe/London
add key=WEBPASSWORD name=pihole_envs value=redacted
add key=DNSMASQ_USER name=pihole_envs value=root
/interface bridge port
add bridge=B1 frame-types=admit-only-untagged-and-priority-tagged interface=Eth1-LAN_Sw1-26 pvid=2
add bridge=B1 frame-types=admit-only-untagged-and-priority-tagged interface=Eth2-IoT_Sw1-25 pvid=3
add bridge=B1 frame-types=admit-only-untagged-and-priority-tagged interface=Eth3-LAN_PH1 pvid=2
add bridge=B1 frame-types=admit-only-untagged-and-priority-tagged interface=Eth4-LAN_UPS pvid=2
add bridge=B1 interface=Eth5-Proxmox pvid=2
add bridge=B1 interface=Eth6-VOIP pvid=4
add bridge=B1 frame-types=admit-only-vlan-tagged interface=Eth7-WiFi
add bridge=B1 interface=vethPihole pvid=2
add bridge=B1 interface=vethUnbound pvid=2
add bridge=B1 interface=vethVLMCSD pvid=2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=B1 tagged=B1,Eth7-WiFi vlan-ids=2
add bridge=B1 tagged=B1,Eth7-WiFi vlan-ids=3
add bridge=B1 tagged=B1,Eth5-Proxmox vlan-ids=4
/interface list member
add interface=IoT list=RestrictedVLANs
add interface=VOIP list=RestrictedVLANs
add interface=WAN list=PublicInterfaces
add interface=HET list=PublicInterfaces
/interface wireguard peers
add allowed-address=192.168.5.1/32 comment="Rick's iPhone" interface=WG name=Ricks_iPhone public-key=redacted
add allowed-address=192.168.5.2/32 interface=WG name=Ricks_Tablet public-key=redacted
/ip address
add address=192.168.1.254/24 interface=LAN network=192.168.1.0
add address=192.168.3.254/24 interface=IoT network=192.168.3.0
add address=192.168.4.254/24 interface=VOIP network=192.168.4.0
add address=192.168.5.254/24 interface=WG network=192.168.5.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1 domain=foxy gateway=192.168.1.254 ntp-server=192.168.1.254
add address=192.168.3.0/24 dns-server=1.1.1.1 domain=foxy gateway=192.168.3.254
add address=192.168.4.0/24 dns-server=1.1.1.1 domain=foxy gateway=192.168.4.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
add address=192.168.1.30 list=CCTV
add address=192.168.1.31 list=CCTV
add address=192.168.1.214 list=NAS
add address=192.168.1.215 list=NAS
add address=192.168.1.216 list=NAS
add address=192.168.1.217 list=NAS
add address=81.187.30.110/31 list=AAVOIP
add address=81.187.30.112/29 list=AAVOIP
add address=90.155.3.0/24 list=AAVOIP
add address=90.155.103.0/24 list=AAVOIP
/ip firewall filter
add action=fasttrack-connection chain=forward comment="Fasttrack Established, Related" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid protocol=tcp
add action=accept chain=forward comment="VOIP AA" dst-address=192.168.4.2 dst-port=5060-5082 protocol=udp src-address-list=AAVOIP
add action=drop chain=forward comment="Drop non-public destinations going to WAN" dst-address-list=NotPublic log-prefix=privateip out-interface=WAN
add action=jump chain=forward comment="NAS Forward VPN checks" jump-target=nas out-interface=WAN src-address-list=NAS
add action=jump chain=forward comment="CCTV Forward checks" in-interface=LAN jump-target=CCTV out-interface=WAN src-address-list=CCTV
add action=drop chain=forward comment=SonyTV_to_WAN disabled=yes out-interface=WAN src-mac-address=5C:85:7E:3B:37:FB
add action=fasttrack-connection chain=forward comment="Fastrack Anything > WAN" hw-offload=yes out-interface=WAN
add action=accept chain=forward comment="Allow LAN to anywhere" in-interface=LAN
add action=accept chain=forward comment="Allow VPN to LAN" disabled=yes in-interface=WG
add action=drop chain=forward comment="Drop Restricted VLANs not going to WAN" in-interface-list=RestrictedVLANs out-interface=!WAN
add action=jump chain=forward comment="WAN Forward ICMP checks" in-interface=WAN jump-target=icmp protocol=icmp
add action=accept chain=forward comment="Allow internal ICMP anywhere" protocol=icmp
add action=drop chain=forward comment="Drop at end for In-WAN" in-interface=WAN
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow Established, Related" connection-state=established,related
add action=accept chain=input comment="Allow from LAN" in-interface=LAN
add action=accept chain=input comment="Allow Local Services" dst-port=53,123 in-interface-list=!PublicInterfaces protocol=udp
add action=accept chain=input comment="Allow WireGuard" dst-address=x.y.z.17 dst-port=124 protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=192.168.5.0/24
add action=jump chain=input comment="WAN Input ICMP checks" in-interface=WAN jump-target=icmp protocol=icmp
add action=accept chain=input comment="Allow ICMP Internally" in-interface-list=!PublicInterfaces protocol=icmp
add action=drop chain=input comment="Drop at End for Input chain"
add action=accept chain=icmp comment="ThinkBroadband Ping" dst-address=x.y.z.17 icmp-options=8:0-255 protocol=icmp src-address=a.b.c.d
add action=accept chain=icmp comment="Allow ICMP from HE" dst-address=x.y.z.17 protocol=icmp src-address=a.b.c.d
add action=accept chain=icmp comment="Allow Echo Reply" icmp-options=0:0-255 protocol=icmp
add action=accept chain=icmp comment="Allow Destination Unreachable" icmp-options=3:0-255 protocol=icmp
add action=accept chain=icmp comment="Allow Time Exceeded" icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp comment="Final drop for WAN ICMP"
add action=accept chain=nas comment="NAS VPN port" dst-port=1912 protocol=udp
add action=accept chain=nas comment="NAS VPN Port" dst-port=443 protocol=udp
add action=accept chain=nas comment="NAS DNS" dst-port=53 protocol=udp
add action=drop chain=nas comment="Drop NAS > WAN direct" out-interface=WAN
add action=accept chain=CCTV comment="Only allow CCTV to DNS and email on WAN" dst-port=53 protocol=udp
add action=accept chain=CCTV dst-port=587 protocol=tcp
add action=drop chain=CCTV log=yes log-prefix=Cam
/ip firewall nat
add action=dst-nat chain=dstnat comment="Redirect G-DNS" dst-address=8.8.8.8 dst-port=53 protocol=udp to-addresses=192.168.1.46 to-ports=53
add action=dst-nat chain=dstnat comment="Redirect G-DNS" dst-address=8.8.4.4 dst-port=53 protocol=udp to-addresses=192.168.1.46 to-ports=53
add action=src-nat chain=srcnat comment=".21 for Panther" out-interface=WAN src-address=192.168.1.2 to-addresses=x.y.z.21
add action=src-nat chain=srcnat comment=".19 for NASs" out-interface=WAN src-address-list=NAS to-addresses=x.y.z.19
add action=src-nat chain=srcnat comment=".18 for Viper" out-interface=WAN src-address=192.168.1.15 to-addresses=x.y.z.18
add action=src-nat chain=srcnat comment=".20 for VOIP" in-interface=VOIP out-interface=WAN to-addresses=x.y.z.20
add action=src-nat chain=srcnat comment="Main NAT" out-interface=WAN src-address=192.168.0.0/16 to-addresses=x.y.z.17
add action=dst-nat chain=dstnat comment="VOIP Incoming Port Map" dst-address=x.y.z.20 dst-port=5060-5082 protocol=udp src-address-list=AAVOIP to-addresses=192.168.4.2
/ip firewall service-port
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ipv6 route
add disabled=no distance=1 dst-address=2000::/3 gateway=[my tunnel gateway]::1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 address
add address=a:b:c:3::254 interface=IoT
add address=a:b:c:1::254 interface=LAN
add address=[my tunnel gateway]::2 interface=HET
add address=a:b:c:4::254 interface=VOIP
add address=a:b:c:1::46 interface=vethPihole
add address=a:b:c:1::45 interface=vethUnbound
add address=a:b:c:1::47 interface=vethVLMCSD
/ipv6 dhcp-server
add address-pool=LAN_DHCP6_Pool dhcp-option=IPv6_PiDNS interface=LAN name=LAN_DHCP6
add address-pool=IoT_DHCP6_Pool dhcp-option=IPv6_DNS interface=IoT name=IoT_DHCP6
add address-pool=VOIP_DHCP6_Pool dhcp-option=IPv6_DNS interface=VOIP name=VOIP_DHCP6
/ipv6 firewall address-list
add address=a:b:c:1::30/128 list=CCTV
add address=a:b:c:1::31/128 list=CCTV
add address=a:b:c:1::214/128 list=NAS6
add address=a:b:c:1::215/128 list=NAS6
add address=a:b:c:1::216/128 list=NAS6
add address=a:b:c:1::217/128 list=NAS6
add address=2001:8b0:0:30::5060:0/112 list=AAVOIP6
add address=2001:8b0:5060::/48 list=AAVOIP6
/ipv6 firewall filter
add action=fasttrack-connection chain=forward comment="fasttrack established,related,untracked" connection-state=established,related
add action=accept chain=forward comment=TESTING disabled=yes dst-address=2606:4700:4700::1111/128 icmp-options=128:0-255 log-prefix=Ticmp6out protocol=icmpv6
add action=accept chain=forward comment=TESTING disabled=yes icmp-options=129:0-255 log=yes log-prefix=Ticmp6 protocol=icmpv6 src-address=2606:4700:4700::1111/128
add action=accept chain=forward comment="Allow Established " connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid
add action=accept chain=forward comment="AA VOIP" disabled=yes dst-address=a:b:c:4::2/128 dst-port=5060-5082 protocol=udp src-address-list=AAVOIP6
add action=drop chain=forward comment="Drop from NAS" out-interface=HET src-address-list=NAS6
add action=drop chain=forward comment="Drop from NAS MAC to be sure" out-interface=HET src-mac-address=00:11:32:7D:96:D1
add action=drop chain=forward comment=SonyTV_to_WAN disabled=yes out-interface=HET src-mac-address=5C:85:7E:3B:37:FB
add action=jump chain=forward comment="CCTV FrontCam Jump on MAC out WAN" jump-target=CCTV out-interface=HET src-mac-address=94:E1:AC:5E:16:9F
add action=jump chain=forward comment="CCTV RearCam Jump on MAC out WAN" jump-target=CCTV out-interface=HET src-mac-address=94:E1:AC:3D:9C:86
add action=accept chain=forward comment="Allow all from LAN" in-interface=LAN
add action=jump chain=forward comment="Allow ICMP Forward from HET" in-interface=HET jump-target=icmp protocol=icmpv6
add action=drop chain=forward comment="Only allow Restricted VLANs to HET" in-interface-list=RestrictedVLANs log-prefix="p " out-interface=!HET
add action=drop chain=forward comment="Drop at end for in-HET Forward" in-interface=HET
add action=accept chain=output comment="Echo Request" dst-address=2606:4700:4700::1111/128 icmp-options=1:0-255 protocol=icmpv6
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow Established" connection-state=established,related
add action=accept chain=input comment="Allow Local Services" dst-port=53,123 in-interface-list=!PublicInterfaces protocol=udp
add action=jump chain=input comment="Allow ICMP Input from HET" in-interface=HET jump-target=icmp protocol=icmpv6
add action=drop chain=input comment="Drop at end for in-HET Input" in-interface=HET
add action=drop chain=input comment="Drop Restricted VLANs" in-interface-list=RestrictedVLANs
add action=accept chain=icmp icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp icmp-options=2:0-255 protocol=icmpv6
add action=accept chain=icmp icmp-options=3:0 protocol=icmpv6
add action=accept chain=icmp icmp-options=4:1 protocol=icmpv6
add action=accept chain=icmp icmp-options=4:2 protocol=icmpv6
add action=accept chain=icmp icmp-options=128:0-255 protocol=icmpv6
add action=accept chain=icmp icmp-options=129:0-255 protocol=icmpv6
add action=drop chain=icmp comment="Drop any other icmp"
add action=accept chain=CCTV comment="Only allow CCTV to DNS and email on WAN" dst-port=53 protocol=udp
add action=accept chain=CCTV dst-port=587 protocol=tcp
add action=drop chain=CCTV log=yes log-prefix=Cam
/ipv6 nd
add hop-limit=64 interface=LAN managed-address-configuration=yes other-configuration=yes
add hop-limit=64 interface=IoT managed-address-configuration=yes other-configuration=yes
add hop-limit=64 interface=VOIP managed-address-configuration=yes other-configuration=yes
/system clock
set time-zone-name=Europe/London
/system logging
add topics=container
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
HET Capture
vethPihole Capture
(I hope all of that formatted OK… I don’t like this forum software.)
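The two-capture comparison described in the post above can be automated; this is an added example, not part of the original thread. It pairs each echo request with its reply by ICMPv6 identifier and sequence number, and recovers the same pair from the invoking packet embedded in each Destination Unreachable, so every error is tied to the exact reply that was lost. It assumes raw IPv6 packets with the link-layer and outer IPv4 tunnel headers already stripped; the function names and the 2001:db8:: addresses are constructed for illustration.

```python
import struct
from ipaddress import IPv6Address
from typing import NamedTuple, Optional

ECHO_REQUEST, ECHO_REPLY, DEST_UNREACH = 128, 129, 1

class Icmp6(NamedTuple):
    typ: int
    code: int
    src: IPv6Address
    dst: IPv6Address
    ident: int
    seq: int
    about: Optional[int] = None   # for errors: ICMPv6 type of the invoking packet

def parse_icmp6(pkt: bytes) -> Optional[Icmp6]:
    """Parse a raw IPv6 packet carrying ICMPv6 directly (no extension headers)."""
    if len(pkt) < 48 or pkt[0] >> 4 != 6 or pkt[6] != 58:   # 58 = ICMPv6
        return None
    src, dst = IPv6Address(pkt[8:24]), IPv6Address(pkt[24:40])
    typ, code = pkt[40], pkt[41]
    if typ in (ECHO_REQUEST, ECHO_REPLY):
        ident, seq = struct.unpack("!HH", pkt[44:48])
        return Icmp6(typ, code, src, dst, ident, seq)
    if typ == DEST_UNREACH:
        # Error body: 4 unused bytes, then as much of the invoking packet as fits.
        inner = parse_icmp6(pkt[48:])
        if inner:
            return Icmp6(typ, code, src, dst, inner.ident, inner.seq, inner.typ)
    return None

def correlate(tunnel_pkts, lan_pkts):
    """Map each echo request's sequence number to what happened to its reply."""
    tun = [p for p in map(parse_icmp6, tunnel_pkts) if p]
    lan = [p for p in map(parse_icmp6, lan_pkts) if p]
    key = lambda p: (p.ident, p.seq)
    arrived = {key(p) for p in tun if p.typ == ECHO_REPLY}
    delivered = {key(p) for p in lan if p.typ == ECHO_REPLY}
    rejected = {key(p): p.code for p in tun
                if p.typ == DEST_UNREACH and p.about == ECHO_REPLY}
    report = {}
    for p in tun:
        if p.typ != ECHO_REQUEST:
            continue
        k = key(p)
        if k in delivered:
            report[p.seq] = "delivered"
        elif k in rejected:
            report[p.seq] = f"lost in router, unreachable code {rejected[k]}"
        elif k in arrived:
            report[p.seq] = "lost in router, no error sent"
        else:
            report[p.seq] = "no reply on tunnel"
    return report

# --- constructed sample data (addresses and counts are made up) ---
def build(src, dst, typ, code, body):
    icmp = bytes([typ, code, 0, 0]) + body          # checksum left as zero
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), 58, 64)
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + icmp

HOST, REMOTE, ENDPOINT = "2001:db8:1::46", "2606:4700:4700::1111", "2001:db8:ffff::2"
echo = lambda seq: struct.pack("!HH", 0x1234, seq) + b"ping"
requests = [build(HOST, REMOTE, ECHO_REQUEST, 0, echo(s)) for s in range(1, 6)]
replies = [build(REMOTE, HOST, ECHO_REPLY, 0, echo(s)) for s in range(1, 6)]
errors = [build(ENDPOINT, REMOTE, DEST_UNREACH, 3, bytes(4) + replies[s - 1])
          for s in (2, 3, 5)]
TUNNEL_CAPTURE = requests + replies + errors
LAN_CAPTURE = requests + [replies[0], replies[3]]

if __name__ == "__main__":
    for seq, fate in sorted(correlate(TUNNEL_CAPTURE, LAN_CAPTURE).items()):
        print(seq, fate)
```

A reply classed as "lost in router, no error sent" would point at a silent drop (for example a filter rule) rather than a failed delivery on the LAN side, which is the distinction the capture comparison is trying to make.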
Investigating further… the IPv6 neighbour list clearly shows the vethPihole with the correct IPv6 and MAC address. It goes from Stale to Reachable as soon as I start pinging from the container, yet the replies still get mostly dropped as ‘destination address unreachable’.
Also from that container, I can ping a PC on the LAN by its IPv6 address with no failures. Pinging the router’s IPv6 address on that same LAN interface from the container completely fails. Yet pinging the container Pihole’s IPv6 address from another router terminal works 100%.
Remember also that the exact same ping loss/unreachable issue happens if I ping from a PC on the LAN. It’s not an issue with the container.
It’s looking like something to do with neighbour discovery and the neighbour table on the router… but I haven’t changed anything in that to break it, and it still works randomly.