IPV6 passthrough rules

I now have an old router I am replacing; it is an ASUS with IPv6 Passthrough.
I have both the provider's router and this other network within it, where a Windows machine gets IPv6 traffic passed through without any problems.
I replaced it with my new Mikrotik RB4011 router, fully updated to 6.44.1, with IPv6 enabled, and unfortunately nothing is passed through; it doesn't get an IPv6 address at all.

What are the minimal firewall rules and settings that would enable the same function as the ASUS’ passthrough achieves (with the providers modem in the same state too)?

Originally I tried getting a DHCPv6 Client to get the prefix, but it's stuck searching (without a static IPv6 registered with them). Alas, the ASUS allows passthrough, so now I see that's not needed.
Therefore I don't need to run a DHCPv6 Server, as those requests seem to be “passed through”; that, I guess, doesn't work anyway without the client, even though I put in the prefixes that the provider's router gets.

These are the firewall rules I found in a post here, but there is nothing for IPv6 by default post-install like IPv4 gets/has.

/ipv6 firewall filter
add action=drop chain=input comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

And the settings

[admin@MikroTik] > /ipv6 settings export
# apr/02/2019 05:33:33 by RouterOS 6.44.1
# software id = SGPV-6UCC
#
# model = RB4011iGS+5HacQ2HnD
[admin@MikroTik] > /ipv6 settings
[admin@MikroTik] /ipv6 settings> print
forward: yes
accept-redirects: yes-if-forwarding-disabled
accept-router-advertisements: yes-if-forwarding-disabled
max-neighbor-entries: 8192
[admin@MikroTik] /ipv6 settings>

Am I missing a static ipv6 route or something?
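To see what that rule set actually does to traffic, here is an added example (my own code, not RouterOS and not anything posted in this thread) that parses those "add ..." lines and walks them in order for a handful of constructed packets. It models only the matchers those rules use; the bad_ipv6 list is a constructed subset of the defconf one, and the sample packets use documentation and link-local addresses, not anything from this thread. The result shows why the rules themselves are not what blocks a passthrough setup: router advertisements and DHCPv6 replies from the ISP side are accepted, unsolicited connections arriving from the WAN are dropped by the final "!LAN" rule, and traffic arriving on a LAN interface falls through to the chain's default accept.

```python
import ipaddress
import shlex

# The defconf IPv6 filter rules quoted in the post above, with straight quotes so shlex can parse them.
RULES_TEXT = """
add action=drop chain=input comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
"""

PROTO = {"icmpv6": 58, "udp": 17, "tcp": 6, "ipsec-ah": 51, "ipsec-esp": 50}
# Constructed subset of the defconf bad_ipv6 address list (the real list is longer).
ADDRESS_LISTS = {"bad_ipv6": [ipaddress.ip_network(p) for p in ("::1/128", "fec0::/10", "3ffe::/16")]}

def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict of matchers (rule order is preserved)."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in text.strip().splitlines() if line.startswith("add ")]

def _ports(spec):
    """'546', '500,4500' or '33434-33534' -> set of port numbers."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def rule_matches(rule, pkt):
    """True if every matcher in the rule agrees with the packet dict."""
    for key, val in rule.items():
        if key in ("action", "comment", "chain"):
            continue
        if key == "protocol":
            ok = pkt["proto"] == (PROTO[val] if val in PROTO else int(val))
        elif key == "connection-state":
            ok = pkt["state"] in val.split(",")
        elif key in ("src-address", "dst-address"):
            ok = ipaddress.ip_address(pkt[key[:3]]) in ipaddress.ip_network(val, strict=False)
        elif key in ("src-address-list", "dst-address-list"):
            ok = any(ipaddress.ip_address(pkt[key[:3]]) in n for n in ADDRESS_LISTS.get(val, []))
        elif key == "hop-limit":  # equal:N / not-equal:N
            op, _, num = val.partition(":")
            ok = (pkt["hop_limit"] == int(num)) == (op == "equal")
        elif key == "dst-port":
            ok = pkt.get("dst_port") in _ports(val)
        elif key == "port":  # matches either the source or the destination port
            ok = bool({pkt.get("src_port"), pkt.get("dst_port")} & _ports(val))
        elif key == "in-interface-list":  # a leading '!' negates list membership
            ok = (val.lstrip("!") in pkt["in_lists"]) != val.startswith("!")
        else:
            raise ValueError(f"matcher {key} is not modelled in this example")
        if not ok:
            return False
    return True

def evaluate(rules, pkt):
    """First matching rule in the packet's chain wins; RouterOS accepts when none matches."""
    for rule in rules:
        if rule["chain"] == pkt["chain"] and rule_matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "(no rule matched: chain default)"

# Constructed sample packets: the documentation prefix 2001:db8::/32 plays the global addresses.
WAN, LAN = {"WAN"}, {"LAN"}
SAMPLES = {
    "router advertisement from ISP": dict(chain="input", proto=58, state="new", src="fe80::2", dst="ff02::1", hop_limit=255, in_lists=WAN),
    "icmpv6 to link-local, hop-limit 64": dict(chain="input", proto=58, state="new", src="fe80::2", dst="fe80::1", hop_limit=64, in_lists=WAN),
    "dhcpv6 reply from ISP": dict(chain="input", proto=17, state="new", src="fe80::2", dst="fe80::1", src_port=547, dst_port=546, hop_limit=255, in_lists=WAN),
    "ssh to router from WAN": dict(chain="input", proto=6, state="new", src="2001:db8:ffff::1", dst="2001:db8:1::1", dst_port=22, hop_limit=64, in_lists=WAN),
    "ssh to router from LAN": dict(chain="input", proto=6, state="new", src="2001:db8:1::10", dst="2001:db8:1::1", dst_port=22, hop_limit=64, in_lists=LAN),
    "new TCP from WAN to LAN host": dict(chain="forward", proto=6, state="new", src="2001:db8:ffff::1", dst="2001:db8:1::10", dst_port=445, hop_limit=64, in_lists=WAN),
    "reply to LAN-initiated flow": dict(chain="forward", proto=6, state="established", src="2001:db8:ffff::1", dst="2001:db8:1::10", dst_port=51000, hop_limit=64, in_lists=WAN),
    "forward with bogus source": dict(chain="forward", proto=6, state="new", src="3ffe::1", dst="2001:db8:1::10", dst_port=80, hop_limit=64, in_lists=WAN),
}

def run_samples(rules=None):
    """Evaluate every sample packet; returns {name: (action, comment)}."""
    rules = rules if rules is not None else parse_rules(RULES_TEXT)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}
```

Call run_samples() and print the dict to see which rule each packet hits; the lookup raises ValueError on purpose for any matcher the quoted rules do not use, so you notice when you paste in a rule the model does not cover.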

Oh, it looks like I'm getting an IPv6 address on Windows now, when I added the “Other Configuration” checkbox in the IPv6 ND (Neighbor Discovery) settings.

[admin@MikroTik] /ipv6> nd print
Flags: X - disabled, I - invalid, * - default
0 * interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified ra-lifetime=30m
hop-limit=unspecified advertise-mac-address=yes advertise-dns=yes managed-address-configuration=no other-configuration=yes
[admin@MikroTik] /ipv6>

Unfortunately the other test I use, http://test-ipv6.com/, fails with “NO IPv6 address”, but Windows shows it does have one.
So I'm still missing something.

DNS yes or no makes no difference

It looks like when I turned off Other Config, renew6 still has those IPv6 addresses, so maybe something else is going on. It's confusing; this should work like passthrough does out of the box?

Just for clarity, I have realized it was not the Other Configuration flag; it is adding this IPv6 address:

[ It seems windows cached it, and unplugging the cable reset it, while doing a refresh via ipconfig /renew6 does not. ]


/ipv6 address
add address=2001:568:8561:39ff:82f1:86ff:fe85:1531 disabled=yes interface=ether1
add address=2001:568:8561:39ff:82f1:86ff:fe85:1530 interface=bridge

It points to the provider's router's IPv6 addresses: 1530 for the LAN; the WAN is 1531 (which is disabled at this stage, where Windows does get an IPv6 address).

It creates a route on ‘bridge’ that's reachable (that is not exported, but prints, of course).

[admin@RB4011] > /ipv6 route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
 #      DST-ADDRESS               GATEWAY    DISTANCE
 0 ADC  2001:568:8561:39ff::/64   bridge     0

Again, it still does not route through (firewall?) or bypass, aka passthrough, so it is not working yet.

Windows actually picks up an IPv6 address just from turning on (enabling the above record) the provider's router's LAN IPv6 address assigned to bridge in the Mikrotik, so there is no need for the renew6.

In the Mikrotik world I think passthrough is just a go-ahead to the next firewall (or mangle) rule, and does not mean forward to WAN from LAN and vice versa. I guess it's only used like a do-nothing when ‘marking’ or something?

/ipv6 address
add address=2001:568:8561:39ff:82f1:86ff:fe85:1531 disabled=yes interface=ether1
add address=2001:568:8561:39ff:82f1:86ff:fe85:1530 interface=bridge

Two IPs from same subnet on LAN and WAN interfaces? What are you expecting to happen here?

Perhaps reconnect your old router and “ip -6 route”, “ip -6 addr” to see how it was configured.

Maybe this is f’ed?!

IPv6 BGP recursion doesn’t work on RouterOS version 6. Gotta wait for version 7.

from

https://www.reddit.com/r/mikrotik/comments/8kbqdp/ipv6_bgp_unreachable_nexthop_through_loopback/

Is this what’s happening here?

http://forum.mikrotik.com/t/ipv6-recursive-nexthops-via-ibgp/38211/1

here it says …

This is a known bug.
Recursive lookup is not working if gateway is link local address. To make BGP routes work you need static route with global address as gateway.

I originally did have it like so…

0 A S dst-address=::/0 gateway=2001:568:8561:38ff:72f1:86ff:fe85:1531 gateway-status=2001:568:8561:38ff:72f1:86ff:fe85:1531 reachable via bridge distance=1 scope=30 target-scope=10

It is the address of the provider's router's IPv6 for WAN. Still, ping says Destination host unreachable, while a firewall rule accept input shows in: bridge out:(unknown 0) src-mac *.*15.30 proto ICMP type 136 code 0 the pinger's ipv6->ff02::1 len 96, so it's going to the broadcast doing Discovery? But it can't send the ICMP type 128, which it does for local address pinging.

Same problem it seems…

I can ping IPv6 gateways and routes appear to install correctly but I can not ping remote IPv6 addresses

https://forum.mikrotik.com/viewtopic.php?f=14&t=42268&start=50#p688104

Thanks for the comment; first off, one is marked disabled, so I was just toggling to determine if I was mixed up.
The other suggestion I will try, and report back after assessing what I might learn and try.

Passthrough most likely means that you need to bridge the WAN and LAN port, so that the client can directly get the address from the provider.
What was the original config on the Asus router?

Okay, so I tried what you say. On Windows the information is via ipconfig /allcompartments /all.
Anyway, I have a VM running on there and can also ip route and ip addr.
Of course the Default Gateway is different, and the hardware can handle working on local addresses, so that is expected.
On Mikrotik it was suggested at some point that the local address didn't get out and their global prefix address was preferred; I have of course tried all 4 in every possible permutation.
[Basically they take the local address from the device internal first, 1530, and then the WAN side gets +1, so that would be 1531; same pattern for the local address versions of ‘bridge’ and ‘ether1’.]

I can, as is well documented, ping locally but not beyond.
If I place logging on an IPv6 firewall rule for forward, one can see the forward being accepted and showing pings (128) going out to ipv6.google.com from the machine's correct IPv6 address.

Here is what is output currently from Mikrotik setup.

root@vmserver:/tmp# ip -6 route
2001:568:8561:38ff::/64 dev enp0s3 proto kernel metric 256 expires 2591902sec pref medium
fe80::/64 dev enp0s3 proto kernel metric 256 pref medium
default via fe80::764d:28ff:fe4b:d71 dev enp0s3 proto ra metric 1024 expires 1702sec pref medium

root@vmserver:/tmp# ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:568:8561:38ff:a00:28ff:fe2f:68ff/64 scope global dynamic mngtmpaddr
       valid_lft 2591900sec preferred_lft 604700sec
    inet6 fe80::a00:28ff:fe2f:68ff/64 scope link
       valid_lft forever preferred_lft forever

And here is the working system, from the virtual machine running on Windows, which reports similar info in a different way.

root@vmserver:/tmp# ip -6 route
2001:568:8561:3800::/64 dev enp0s3 proto kernel metric 256 expires 14679sec pref medium
fe80::/64 dev enp0s3 proto kernel metric 256 pref medium
default via fe80::4a5b:38ff:fd25:120 dev enp0s3 proto ra metric 1024 expires 1779sec hoplimit 64 pref medium
root@vmserver:/tmp# ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:568:8561:3800:a00:28ff:fe2f:68ff/64 scope global dynamic mngtmpaddr
       valid_lft 14677sec preferred_lft 14377sec
    inet6 fe80::a00:28ff:fe2f:38ff/64 scope link
       valid_lft forever preferred_lft forever

I am seeing a gateway of 3800 vs 38ff; the provider router has a /56 prefix though.

If I switch the IPv6 address that auto-generates the route from a /64 to a /56, it complains not to advertise, and doing so changes the ff's to 00's, but the problem of no traffic getting through persists.

So I eventually got similar output via Mikrotik but then even the link-local addresses would not ping.

Thank you for commenting.
They call it passthrough but it’s more likely in ROS terms ‘forwarding’.
I’ve tried yes as well as yes if not forwarding in the ipv6 settings

/ipv6 settings print
              forward: yes
              accept-redirects: yes-if-forwarding-disabled
              accept-router-advertisements: yes-if-forwarding-disabled
              max-neighbor-entries: 8192

I have no DHCPv6 Client or Server running on the Mikrotik. The Client searches in vain, as you need a static plan for them to enable replies. I don't have one, but as you can tell, with ASUS passthrough/forwarding it works perfectly easily, almost out of the box. [One switch to turn on.]

Hmmm, what's DHCP Relay? I'll look into that. What should I do there?

Anyway it says bridge and ether1 in various situations, putting the default 0:: gateway to the ‘reachable bridge’ via its global 2001::/64 name.
I guess if you could be clearer on what you mean by bridging the ether1 and the bridge: those LAN and WAN have a prefix address, link-local address and local temp address, and those are the ones it connects.
I am not clear on what you mean there; how do I check and/or set it, please?

Ok, then it is important to know what kind of configuration you had on the Asus. Looking at the Asus config, they allow you to choose between:
native, tunnel and static

If it is native, then you also have options to use dhcp-pd or static. All of this can be translated to RouterOS configuration if you know exactly what type of configuration is needed. If you are not sure what exactly was set on the Asus router, then ask your ISP for details about the IPv6 service they provide: whether it is dhcpv6-pd, whether a static subnet is routed, or pppoe + prefix delegation, etc.

Well, I can get a fair amount from the provider's modem, which of course is always on in both situations, so how it's set up doesn't affect that.
The ASUS is pretty graphical and limited, but I think I might be able to ssh into it and see what better information I can get from it.
Really the ASUS RT-N16 just has a pull-down for stateful, stateless, and then there's the passthrough that works. I'll try to dig deeper into the working one's settings to see; thanks for this recommendation.
Okay, wait, these are the options there: Disabled, Native, Static, Passthrough (works), FLET's Service, Tunnels 6to4, 6in4, 6rd.

ASUS RT-N16 Manual https://www.asus.com/ca-en/Networking/RTN16/HelpDesk_Manual/

I can do a netstat from Network Tools; with UDP names resolved, this stands out:

udp        0      0 node-1kr3r9qlysoefhrqy4e.ipv6.telus.net:domain :::*
which, not resolved, is
udp        0      0 2001:568:8561:3800:4a5b:38ff:fe25:120:53 :::*

The domain, or port 53, is DNS, and the gateway I guess.
Saving settings looks in Chinese Binary only.

There is not much on the Asus other than what they call passthrough.
The provider's modem is on a modern optic network, a consumer line; I have their wifi router functioning, and on a separate business setup their router is bridged, so true complete passthrough.
Neither is paying for the static IPs that in theory allow PD prefix requests to return something.
I would say it's not PPPoE, and there's no sign of that.
The ASUS under the LAN Route tab has Basic Config Enabled, Static routes NO, with no entries.
Something called Switch-Control has Jumbo Frames disabled, and NAT Acceleration (Auto or Disabled) is set to Auto, and it says CTF (Cut Through Forwarding) is enabled.
WAN NAT Passthrough has all but PPPoE Relay enabled, so only PPPoE is disabled. The ones enabled are PPTP, L2TP, IPSec, RTSP, H.323 and SIP, all enabled.
This is just for Virtual Private Networks (VPN) to bypass the router to the network. All other features for WAN are OFF, other than automatic IP with Yes for WAN, NAT, and UPnP.

System Logs on the ASUS shows a tab for IPV6 with this

              IPv6 Connection Type: Passthrough
              WAN IPv6 Address: 2001:568:8561:3800:4a5b:38ff:fe27:120/64
              WAN IPv6 Gateway: fe80::72f1:86ff:fe95:1530
              LAN IPv6 Address: 2001:568:8561:3800:4a5b:38ff:fe25:120/64
   LAN IPv6 Link-Local Address: fe80::4a5b:38ff:fe27:120/64
               LAN IPv6 Prefix: 2001:568:8561:3800::/64
                   DNS Servers: 

IPv6 LAN Devices List
-------------------------------------------------------------------
Hostname                         MAC Address       IPv6 Address                           
                                 08:00:28:2f:68:ff 2001:568:8561:3800:a00:28ff:fe2f:69ff  
WinComp                     00:1c:c0:8f:ee:22 2001:569:8561:3800:b062:b408:8281:c86f

[I smudged the numbers some.]

Anyway the Routing Table shows 1530 WAN as the default gateway of course.
Typical Linked Local address and one vlan2 on fe80::4a5b:38ff:fe27:120
with the other bridge and ether routes using 2001:568:8561:3800:

Anyway thanks for the feedback, you’d think it’s possible simple and default mode for activating IPv6, but it does not seem to work. Many say it won’t until version 7 of RouterOS and that’s been ten years of waiting, which is totally ridiculous.
Now I understand why it does not come turned on by default.

It is not going to work properly on RouterOS if you add addresses on different interfaces from the same subnet. The same applies to IPv4, too.
So in summary, the setup shown in the Asus System Logs is not possible on RouterOS.
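A small check for the point made in this reply and in the earlier one about two addresses from the same subnet, as an added example (my own code, not RouterOS and not from anyone in this thread): it parses the two /ipv6 address lines quoted earlier, derives the connected (ADC) route each enabled address would install, and flags any prefix that ends up connected on more than one interface. It assumes, as RouterOS does, that an address without a prefix length is a /64, and it honours the disabled flag, which is why the configuration as quoted passes and only the "toggled on" variant fails.

```python
import ipaddress
from collections import defaultdict

# Copy of the two /ipv6 address lines quoted in the thread (the ether1 one is disabled).
ADDRESS_EXPORT = """
/ipv6 address
add address=2001:568:8561:39ff:82f1:86ff:fe85:1531 disabled=yes interface=ether1
add address=2001:568:8561:39ff:82f1:86ff:fe85:1530 interface=bridge
"""

def parse_addresses(text):
    """'add address=... interface=...' lines -> list of (interface, IPv6Interface, enabled)."""
    entries = []
    for line in text.strip().splitlines():
        if not line.startswith("add "):
            continue
        kv = dict(tok.split("=", 1) for tok in line.split()[1:])
        addr = kv["address"] if "/" in kv["address"] else kv["address"] + "/64"  # RouterOS default length
        entries.append((kv["interface"], ipaddress.IPv6Interface(addr), kv.get("disabled", "no") != "yes"))
    return entries

def connected_routes(entries):
    """The connected (ADC) routes RouterOS installs: prefix -> interfaces, enabled addresses only."""
    routes = defaultdict(list)
    for iface, ip, enabled in entries:
        if enabled:
            routes[str(ip.network)].append(iface)
    return dict(routes)

def overlapping_prefixes(entries):
    """Prefixes connected on more than one interface: the setup the reply above says cannot work."""
    return {prefix: ifaces for prefix, ifaces in connected_routes(entries).items() if len(ifaces) > 1}

def enable_all(entries):
    """What toggling the disabled entry on does: every address becomes active."""
    return [(iface, ip, True) for iface, ip, _ in entries]
```

With the export as quoted, overlapping_prefixes() returns an empty dict; enabling the ether1 address makes the same /64 connected on both ether1 and bridge, which is the conflict the reply describes.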

I totally disconnect the other router, so only one is on at a time; there is no possible chance of interference.
I will try rebooting the provider router, but they also get different IPs, being different hardware MACs, so again I don't see a chance for one affecting the other. I'll report back if anything is different after countless reboots of the provider's router.

How much have you “smudged” them, exactly? Are they really the same address on LAN and WAN apart from the 7th hextet?
It’s not clear to me why the WAN interface would need a global address. Your gateway is link-local address anyway, so try manually configuring it like that.

Well, 4 years later, now that OS7 is ready, I decided to give Mikrotik another try.
Nothing worked again, and all the information provided and discussions seem to go nowhere for a lot of people.
It seems in the end, despite my other ASUS router just working perfectly by default, the only way is…

To enable the Telus providers router to Bridge on Port 1 only.

Then it will work but that’s another story of it working and then not working and the HP printer and scanner needing reinstallation and alternate software (to scan).

If I can at this early stage add something about those steps, it would be this…
The DHCPv6 Client got a prefix only, and created a pool with just the name added.
But you have to manually add an address entry for the clients' ether-port with the dynamically created pool (typed in, not from the list/dropdown; bug? probably) that has basically anything within the space of the pool, and it automatically creates one based on the ether address (via the EUI64 checkbox), forgetting whatever you tried to put.
Anyway, I can't seem to access clients within the prefix from outside, but I am assuming there is a firewall rule or maybe NAT needed.
Although my understanding is that it should not need NAT, maybe a missing firewall rule is needed; but I removed the rules and nothing, so it's probably blocked by the provider, so it might be a port number translation needed and you'd have to ping some odd port# or whatever service, but typically they block port 80 and the like, so you can't use it in a typical commercial situation, being a consumer connection.

It was the Asus that called it passthrough, and the wrong words in RouterOS I think, but now it's like reverse pass-back-through, which I am thinking should be possible but is not working… yet. [Maybe another 4 years, ha ha, just kidding… hopefully.]
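The EUI64 checkbox mentioned in the post above, the /64-versus-/56 complaint earlier in the thread, and the ff:fe pattern visible in the addresses posted (a00:28ff:fe2f:68ff for MAC 08:00:28:2f:68:ff) are all the same mechanism, so here is an added example (my own code, not RouterOS and not from anyone in this thread) that carries it through: the modified EUI-64 interface identifier from a MAC, the SLAAC address a host or a RouterOS eui-64 address entry derives from a /64 plus that MAC, the reverse lookup that shows which addresses expose the MAC and which (like the Windows host in the ASUS device list) use a random identifier, and the /64 subnets a pool carves from a delegated prefix. The delegated prefix in the last function is a constructed documentation value; the MAC and addresses are the ones the VM output in the thread shows.

```python
import ipaddress

def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (RFC 4291 App. A): flip the
    universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return int.from_bytes(bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:], "big")

def slaac_address(prefix, mac):
    """Address a SLAAC host (or a RouterOS address entry with eui-64=yes) derives
    from a /64 prefix plus its MAC. Anything but a /64 is refused, which is why
    advertising the ISP's /56 directly does not give hosts an address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"EUI-64 needs a /64 prefix, got /{net.prefixlen}")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))

def mac_from_address(addr):
    """Reverse mapping: the MAC an EUI-64 address exposes, or None when the interface
    identifier has no ff:fe marker (a random/temporary identifier, as Windows uses by default)."""
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{o:02x}" for o in octets)

def subnets_from_delegation(delegated, count):
    """First `count` /64 subnets carved from a delegated prefix, the way a pool
    built from a DHCPv6-PD prefix hands them out to interfaces."""
    net = ipaddress.IPv6Network(delegated, strict=False)
    return [str(s) for s, _ in zip(net.subnets(new_prefix=64), range(count))]
```

slaac_address("2001:568:8561:38ff::/64", "08:00:28:2f:68:ff") reproduces the VM's global address from the ip -6 addr output above, and the same call with "fe80::/64" reproduces its link-local one; the Windows address from the ASUS device list returns None from mac_from_address because its identifier is random rather than MAC-derived.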

I have a working IPv6 with ROSv7 (which did also work on ROSv6). Address over DHCPv6-Client works. Prefix over DHCPv6-Client works. Prefix-advertisement works. SLAAC on clients works. IPv6 NAT works. DHCPv6-Server for managed configuration works. WAN can reach LAN over IPv6 where I allow.

Divide what you want to do into subtasks and do them in order. Tinkering around with random options won’t work.