ipv6 - some ips routed correctly, some not

madwolf · June 6, 2022, 12:24pm

Hi,
I’ve created a tunnel to hurricane electric. Most of things seem to be working correctly. M6y LAN devices get proper ipv6 and can connect to most ipv6 servers on the internet. However, not all.
From lan device (windows):
Pinging game.flyingpenguintech.org [2600:3c03:e001:600::1] with 32 bytes of data:
Reply from 2600:3c03:e001:600::1: time=98ms

That works great. However:
Pinging 2a05:XXXX:XXXX:XXXX:5400:4ff:fe05:4b52 with 32 bytes of data:
Request timed out.

If I try pinging my lan device from that other computer it works great:
PING 2001:XXXX:XXXX:XXXX:f0e9:8eff:fe33:2b46 56 data bytes
64 bytes from 2001:XXXX:XXXX:XXXX:f0e9:8eff:fe33:2b46: icmp_seq=1 ttl=57 time=3.50 ms

but not the other way around.

PING from mikrotik to 2a05:XXXX:XXXX:XXXX:5400:4ff:fe05:4b52 works fine, just not from the lan device.

madwolf · June 6, 2022, 12:28pm

My ipv6 firewall config:
[admin@MikroTik] /ipv6/firewall> export

jun/06/2022 14:27:00 by RouterOS 7.2.3

software id = 8QCE-TJQ1

model = RB760iGS

serial number = 87F209F45726

/ipv6 firewall address-list
add address=fe80::/16 list=allowed
add address=2001:xxxx:xxxx:xxxx::/64 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=2a09:4c0:5e0:12::/64 list=allowed
/ipv6 firewall filter
add action=accept chain=forward dst-address=
2001:xxxx:xxxx:xxxx:f0e9:8eff:fe33:2b46/128
add action=accept chain=input dst-port=55055 in-interface=sit1 protocol=udp
add action=accept chain=input comment="allow established and related"
connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=
33434-33534 protocol=udp
add action=accept chain=input comment="accept DHCPv6-Client prefix delegation."
dst-port=546 protocol=udp src-address=fe80::/16
add action=drop chain=input in-interface-list=ipv6 log=yes log-prefix=
dropLL_from_public src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses"
src-address-list=allowed
add action=drop chain=input
add action=accept chain=forward comment=established,related connection-state=
established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=yes
log-prefix=ipv6,invalid
add action=accept chain=forward comment=icmpv6 in-interface-list=ipv6 protocol=
icmpv6
add action=accept chain=forward comment="local network" in-interface-list=!ipv6
src-address-list=allowed
add action=drop chain=forward log-prefix=IPV6

madwolf · June 6, 2022, 2:19pm

After some time (2 hours or so) it started working without any changes done by me. No idea what’s going on.