IPv6 Troubles

RouterOS General
1

I’m running a RB5009.
With the default configuration and just setup the ipv6 i can ping the default gateway. When I apply my ECMP config I can no longer ping the default gateway.

# 2024-07-22 19:01:12 by RouterOS 7.15.2
# software id = PLYK-91SV
#
# model = RB5009UPr+S+
# serial number = HFK09A8DDCA
/interface bridge add name=bridge1 port-cost-mode=short
/interface ethernet set [ find default-name=ether1 ] name=AiNET poe-out=off
/interface ethernet set [ find default-name=ether2 ] name=Drei poe-out=off
/interface wireguard add listen-port=13231 mtu=1420 name=wireguard1
/caps-man configuration add country=austria datapath.bridge=bridge1 .client-to-client-forwarding=yes .local-forwarding=yes mode=ap name=centraal security.authentication-types=wpa2-psk .encryption=aes-ccm ssid=CENTRAAL
/caps-man interface add configuration=centraal disabled=no l2mtu=1600 mac-address=18:FD:74:76:FB:8A master-interface=none name=cap1 radio-mac=18:FD:74:76:FB:8A radio-name=18FD7476FB8A
/caps-man interface add configuration=centraal disabled=no l2mtu=1600 mac-address=18:FD:74:76:FB:8B master-interface=none name=cap2 radio-mac=18:FD:74:76:FB:8B radio-name=18FD7476FB8B
/caps-man interface add configuration=centraal disabled=no l2mtu=1600 mac-address=78:9A:18:F3:26:96 master-interface=none name=cap3 radio-mac=78:9A:18:F3:26:96 radio-name=789A18F32696
/caps-man interface add configuration=centraal disabled=no l2mtu=1600 mac-address=78:9A:18:F3:26:97 master-interface=none name=cap4 radio-mac=78:9A:18:F3:26:97 radio-name=789A18F32697
/interface list add name=WAN
/interface list add name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip pool add name=pool1 ranges=10.66.6.1-10.66.7.254
/ip dhcp-server add address-pool=pool1 interface=bridge1 lease-time=10m name=server1
/ipv6 pool add name=pool1 prefix=xxxx:xxxx:xxxx:xxxx::/64 prefix-length=64
/caps-man aaa set mac-format=""
/caps-man manager set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface add disabled=no interface=bridge1
/caps-man provisioning add action=create-dynamic-enabled master-configuration=centraal
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=ether4
/interface bridge port add bridge=bridge1 interface=ether5
/interface bridge port add bridge=bridge1 interface=ether6
/interface bridge port add bridge=bridge1 interface=ether7
/interface bridge port add bridge=bridge1 interface=ether8
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface list member add interface=AiNET list=WAN
/interface list member add interface=Drei list=WAN
/interface list member add interface=bridge1 list=LAN
/interface list member add interface=wireguard1 list=LAN
/interface wireguard peers add allowed-address=0.0.0.0/0 client-address=192.168.3.1/24 endpoint-address=xxx endpoint-port=13231 interface=wireguard1 name=peer1 public-key="xxx"
/ip address add address=10.66.4.1/22 interface=bridge1 network=10.66.4.0
/ip address add address=xx.xxx.xx.xxx/24 interface=AiNET network=xx.xxx.xx.x
/ip address add address=192.168.2.13/24 interface=Drei network=192.168.2.0
/ip address add address=192.168.3.13/24 interface=wireguard1 network=192.168.3.0
/ip dhcp-server lease add address=10.66.4.50 mac-address=74:4D:28:FA:42:B3
/ip dhcp-server lease add address=10.66.4.51 mac-address=74:4D:28:FA:47:97
/ip dhcp-server lease add address=10.66.4.52 mac-address=74:4D:28:FA:42:D7
/ip dhcp-server lease add address=10.66.4.53 mac-address=74:4D:28:FA:47:F7
/ip dhcp-server lease add address=10.66.4.64 mac-address=EE:DF:70:11:CC:76
/ip dhcp-server lease add address=10.66.4.65 mac-address=50:E6:36:E3:12:30
/ip dhcp-server lease add address=10.66.4.10 mac-address=30:05:5C:6B:19:A8
/ip dhcp-server lease add address=10.66.4.63 mac-address=E8:DF:70:15:6E:0C
/ip dhcp-server lease add address=10.66.4.66 mac-address=E8:DF:70:15:5B:E0
/ip dhcp-server lease add address=10.66.4.62 mac-address=42:49:79:FB:E3:32
/ip dhcp-server lease add address=10.66.4.61 mac-address=E8:DF:70:15:6E:0D
/ip dhcp-server lease add address=10.66.4.67 mac-address=56:E6:36:E3:B8:2A
/ip dhcp-server lease add address=10.66.4.54 mac-address=18:FD:74:76:FB:89
/ip dhcp-server lease add address=10.66.4.55 mac-address=78:9A:18:F3:26:95
/ip dhcp-server lease add address=10.66.4.151 mac-address=80:5E:C0:31:4C:F1
/ip dhcp-server lease add address=10.66.4.152 mac-address=00:17:88:2B:A0:DC
/ip dhcp-server lease add address=10.66.4.101 mac-address=FC:67:1F:78:AF:29
/ip dhcp-server lease add address=10.66.4.100 mac-address=18:DE:50:47:66:60
/ip dhcp-server lease add address=10.66.4.102 mac-address=FC:67:1F:78:C6:F1
/ip dhcp-server lease add address=10.66.4.105 mac-address=BC:DD:C2:8E:44:A0
/ip dhcp-server lease add address=10.66.4.103 mac-address=18:DE:50:47:52:22
/ip dhcp-server lease add address=10.66.4.104 mac-address=18:DE:50:47:3E:D3
/ip dhcp-server lease add address=10.66.4.150 mac-address=00:0B:82:E2:38:41
/ip dhcp-server network add address=10.66.4.0/22 dns-server=10.66.4.1 domain=A4204.free-hoster.at gateway=10.66.4.1 ntp-server=10.66.4.1
/ip dns set allow-remote-requests=yes cache-size=131072KiB servers=1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001
/ip dns adlist add ssl-verify=no url=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
/ip dns adlist add ssl-verify=no url="https://pgl.yoyo.org/adservers/serverlist.php\?hostformat=hosts&showintro=0&mimetype=pla"
/ip dns adlist add ssl-verify=no url=https://adaway.org/hosts.txt
/ip dns adlist add ssl-verify=no url=https://v.firebog.net/hosts/AdguardDNS.txt
/ip dns adlist add ssl-verify=no url=https://v.firebog.net/hosts/Admiral.txt
/ip dns adlist add ssl-verify=no url=https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
/ip dns adlist add ssl-verify=no url=https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts
/ip dns adlist add ssl-verify=no url=https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts
/ip dns adlist add ssl-verify=no url=https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt
/ip dns adlist add ssl-verify=no url=https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts
/ip dns adlist add ssl-verify=no url=https://v.firebog.net/hosts/static/w3kbl.txt
/ip dns adlist add ssl-verify=no url=https://v.firebog.net/hosts/Easyprivacy.txt
/ip dns adlist add ssl-verify=no url=https://v.firebog.net/hosts/Prigent-Ads.txt
/ip dns adlist add ssl-verify=no url=https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts
/ip dns adlist add ssl-verify=no url=https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
/ip dns adlist add ssl-verify=no url=https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt
/ip dns adlist add ssl-verify=no url=https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt
/ip dns adlist add ssl-verify=no url=https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
/ip dns adlist add ssl-verify=no url=https://v.firebog.net/hosts/Prigent-Crypto.txt
/ip dns adlist add ssl-verify=no url=https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts
/ip dns adlist add ssl-verify=no url=https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt
/ip dns adlist add ssl-verify=no url=https://phishing.army/download/phishing_army_blocklist_extended.txt
/ip dns adlist add ssl-verify=no url=https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
/ip dns adlist add ssl-verify=no url=https://v.firebog.net/hosts/RPiList-Malware.txt
/ip dns adlist add ssl-verify=no url=https://v.firebog.net/hosts/RPiList-Phishing.txt
/ip dns adlist add ssl-verify=no url=https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt
/ip dns adlist add ssl-verify=no url=https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts
/ip dns adlist add ssl-verify=no url=https://urlhaus.abuse.ch/downloads/hostfile/
/ip dns adlist add ssl-verify=no url=https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=xx.xxx.xx.x routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add check-gateway=ping disabled=no dst-address=10.66.8.0/22 gateway=192.168.3.1 routing-table=main suppress-hw-offload=no
/ip route add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=xx.xxx.xx.x routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=xx.xxx.xx.x routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=192.168.2.12 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 route add disabled=no distance=1 dst-address=::/0 gateway=xxxx:xxxx:xxxx:xxxx::x routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 address add address=::1 from-pool=pool1 interface=bridge1
/ipv6 address add address=xxxx:xxxx:xxxx:xxxx::x/112 advertise=no interface=AiNET
/ipv6 dhcp-server add address-pool=pool1 interface=bridge1 name=server1
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd set [ find default=yes ] interface=bridge1 managed-address-configuration=yes other-configuration=yes
/ipv6 nd prefix add interface=bridge1
/system clock set time-zone-name=Europe/Vienna
/system identity set name=PLR01
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp server set enabled=yes
/system ntp client servers add address=at.pool.ntp.org

Any Idea what in my config could cause the issue?

2

If I get it right, you mean ECMP in IPv4, the IPv6 is mentioned only as the only other difference with regard to the default configuration, can you confirm?

If so, the ECMP configuration is the following one:
/ip route
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=xx.xxx.xx.x routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=xx.xxx.xx.x routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=xx.xxx.xx.x routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=192.168.2.12 routing-table=main scope=30 suppress-hw-offload=no target-scope=10

From where are you pinging the default gateway, from the Mikrotik itself or from some device in its LAN subnet? Is the gateway of the first three routes the same one (so your intention is a 3:1 distribution of traffic between xx.xxx.xx.x and 192.168.2.12) or there are actually 4 distinct gateways?

3

ECMP and IPv4 connection is working as expected. The only problem I have is with IPv6 connection. I try to ping my IPv6 default gateway and receive 3 timeouts followed by an address unreachable.

4

I am still confused. Your configuration contains only a single IPv6 route, so no ECMP in IPv6. Are you saying that adding IPv4 ECMP affects IPv6 functioning? Or you have exported the configuration that works as it has just a single IPv6 route, rather than the one with multiple IPv6 routes that doesn’t work?

5

Exactly something in my config is affecting the IPv6 configuration. I’m not able to exactly figure out what it is. With just the default config and added IPv6 Address the ping is working, when I configure the ECMP for IPv4 and thus the interface lists and bridge interface it stops working.

6

Ah, so we are getting somewhere :smiley: :

I would never assume that setting up ECMP routing for IPv4 would involve changes to interface lists or even the bridge interface (expecially given that the bridge interface is part of the default configuration on SOHO devices).

But jokes aside, the IPv6 firewall refers to just a single interface list, LAN, the accept established,related,untracked rules are present at the top of both the input and forward chains so the drop the rest if not from LAN rules at their bottom cannot drop responses, plus there are permissive rules for icmpv6 in both chains, so I cannot see any relationship between the firewall and the issue.

So I repeat my question - are you pinging the default gateway from the Mikrotik itself or from an external device connected to it?

Either way, make a command line window as wide as your screen permits, run /tool sniffer quick ipv6-address=ip:of:the:default:gateway in it, repeat the ping and post the outcome (copy it as text, use find&replace to obfuscate the first 48 bits of the addresses systematically and paste the result here).

7

I’m pinging in a Terminal in Winbox.
The sniffer tool does not produce any output.
Internally I can ping in my ipv6 subnet and the link net ipv6 of the router but not the default gateway of the ISP.
When I ping from my workstation the sniffer shows the following:

INTERFACE  TIME     NUM  DIR  SRC-MAC            DST-MAC            SRC-ADDRESS                              DST-ADDRESS             PROTOCOL     SIZE  CPU
ether3     151.9      1  <-   C8:7F:54:05:C8:18  78:9A:18:F5:AF:E8  xxxx:xxxx:xxxx:xxxx:18c8:1b6b:c11e:e504  xxxx:xxxx:xxxx:xxxx::1  ipv6:icmpv6    94    2
bridge1    151.9      2  <-   C8:7F:54:05:C8:18  78:9A:18:F5:AF:E8  xxxx:xxxx:xxxx:xxxx:18c8:1b6b:c11e:e504  xxxx:xxxx:xxxx:xxxx::1  ipv6:icmpv6    94    2
ether3     153.2      3  <-   C8:7F:54:05:C8:18  78:9A:18:F5:AF:E8  xxxx:xxxx:xxxx:xxxx:18c8:1b6b:c11e:e504  xxxx:xxxx:xxxx:xxxx::1  ipv6:icmpv6    94    2
bridge1    153.2      4  <-   C8:7F:54:05:C8:18  78:9A:18:F5:AF:E8  xxxx:xxxx:xxxx:xxxx:18c8:1b6b:c11e:e504  xxxx:xxxx:xxxx:xxxx::1  ipv6:icmpv6    94    2
ether3     157.368    5  <-   C8:7F:54:05:C8:18  78:9A:18:F5:AF:E8  xxxx:xxxx:xxxx:xxxx:18c8:1b6b:c11e:e504  xxxx:xxxx:xxxx:xxxx::1  ipv6:icmpv6    94    2
bridge1    157.368    6  <-   C8:7F:54:05:C8:18  78:9A:18:F5:AF:E8  xxxx:xxxx:xxxx:xxxx:18c8:1b6b:c11e:e504  xxxx:xxxx:xxxx:xxxx::1  ipv6:icmpv6    94    2
ether3     161.52     7  <-   C8:7F:54:05:C8:18  78:9A:18:F5:AF:E8  xxxx:xxxx:xxxx:xxxx:18c8:1b6b:c11e:e504  xxxx:xxxx:xxxx:xxxx::1  ipv6:icmpv6    94    2
bridge1    161.52     8  <-   C8:7F:54:05:C8:18  78:9A:18:F5:AF:E8  xxxx:xxxx:xxxx:xxxx:18c8:1b6b:c11e:e504  xxxx:xxxx:xxxx:xxxx::1  ipv6:icmpv6    94    2
8

OK. There are no rules at all in chain output of /ipv6/firewall/filter and nevertheless the router itself is unable to send a packet to the IP of the default gateway. That means that the issue is not related to firewall and the reason is most likely that the router is unable to determine how to reach the default gateway, i.e. to determine its unicast MAC address.

I did know why I asked for substituting just 48 most significant bits of the addresses, but OK, I suppose there is no typo and default gateway does fit into the same /112 prefix like the own adress attached to the AiNET interface; so now, try /tool sniffer quick mac-protocol=ipv6 interface=AiNET and ping from the default gateway address from the router itself again. I may be wrong, but I think you should see icmpv6 multicast packets that substitute ARP for IPv6 on that interface, attempting to determine the MAC address of the defaut gateway.

9

There is a lot of stuff going on. But I think I was able to capture the relevant traffic:

AiNET      38.3    309  <-   9C:05:D6:3A:F7:5F  33:33:FF:CE:98:6B  fe80::9e05:d6ff:fe3a:f75f  ff02::1:ffce:986b  ipv6:icmpv6    86    1
AiNET      38.3    310  <-   9C:05:D6:3A:F7:5F  33:33:FF:B7:36:85  fe80::9e05:d6ff:fe3a:f75f  ff02::1:ffb7:3685  ipv6:icmpv6    86    0
AiNET      38.767  311  ->   78:9A:18:F5:AF:E6  33:33:FF:00:00:01  xxxx:xxxx:xxxx:xxxx::2     ff02::1:ff00:1     ipv6:icmpv6    86    1
AiNET      38.933  312  <-   44:E9:68:59:F9:46  33:33:FF:38:D9:CA  fe80::46e9:68ff:fe59:f946  ff02::1:ff38:d9ca  ipv6:icmpv6    86    3
AiNET      39.114  313  <-   44:E9:68:59:F9:46  33:33:FF:01:E0:E0  fe80::46e9:68ff:fe59:f946  ff02::1:ff01:e0e0  ipv6:icmpv6    86    2
AiNET      39.116  314  <-   44:E9:68:59:F9:46  33:33:FF:02:6F:AE  fe80::46e9:68ff:fe59:f946  ff02::1:ff02:6fae  ipv6:icmpv6    86    3
AiNET      39.117  315  <-   44:E9:68:59:F9:46  33:33:FF:38:D9:CA  fe80::46e9:68ff:fe59:f946  ff02::1:ff38:d9ca  ipv6:icmpv6    86    3
AiNET      39.329  316  <-   9C:05:D6:3A:F7:5F  33:33:FF:50:1D:1B  fe80::9e05:d6ff:fe3a:f75f  ff02::1:ff50:1d1b  ipv6:icmpv6    86    1
AiNET      39.331  317  <-   9C:05:D6:3A:F7:5F  33:33:FF:59:F9:46  fe80::9e05:d6ff:fe3a:f75f  ff02::1:ff59:f946  ipv6:icmpv6    86    0
AiNET      39.518  318  <-   9C:05:D6:3A:F7:5F  33:33:FF:52:99:95  fe80::9e05:d6ff:fe3a:f75f  ff02::1:ff52:9995  ipv6:icmpv6    86    3
AiNET      40.116  319  <-   44:E9:68:59:F9:46  33:33:FF:02:6F:AE  fe80::46e9:68ff:fe59:f946  ff02::1:ff02:6fae  ipv6:icmpv6    86    3
AiNET      40.118  320  <-   44:E9:68:59:F9:46  33:33:FF:38:D9:CA  fe80::46e9:68ff:fe59:f946  ff02::1:ff38:d9ca  ipv6:icmpv6    86    3
AiNET      40.168  321  <-   44:E9:68:59:F9:46  33:33:FF:E5:A8:6E  fe80::46e9:68ff:fe59:f946  ff02::1:ffe5:a86e  ipv6:icmpv6    86    3
AiNET      40.217  322  <-   C8:0E:14:89:DA:EE  33:33:FF:59:F9:46  fe80::ca0e:14ff:fe89:daee  ff02::1:ff59:f946  ipv6:icmpv6    86    2
AiNET      40.332  323  <-   44:E9:68:59:F9:46  33:33:FF:7C:FE:67  fe80::46e9:68ff:fe59:f946  ff02::1:ff7c:fe67  ipv6:icmpv6    86    3
AiNET      40.393  324  <-   9C:05:D6:3A:F7:5F  33:33:FF:89:0F:CA  fe80::9e05:d6ff:fe3a:f75f  ff02::1:ff89:fca   ipv6:icmpv6    86    2
AiNET      40.465  325  <-   9C:05:D6:3A:F7:5F  33:33:FF:51:3D:CF  fe80::9e05:d6ff:fe3a:f75f  ff02::1:ff51:3dcf  ipv6:icmpv6    86    0
AiNET      40.588  326  <-   9C:05:D6:3A:F7:5F  33:33:FF:B7:35:58  fe80::9e05:d6ff:fe3a:f75f  ff02::1:ffb7:3558  ipv6:icmpv6    86    2
AiNET      40.731  327  ->   78:9A:18:F5:AF:E6  33:33:FF:00:00:01  xxxx:xxxx:xxxx:xxxx::2     ff02::1:ff00:1     ipv6:icmpv6    86    3
AiNET      41.037  328  <-   44:E9:68:59:F9:46  33:33:FF:7C:AE:6F  fe80::46e9:68ff:fe59:f946  ff02::1:ff7c:ae6f  ipv6:icmpv6    86    0
10

Wunderschön. So now run the same again (because the sniffer clears the buffer after some time) until you spot the icmpv6 packets from your own global address again; then stop sniffing and save the buffer using /tool/sniffer/save file-name=icmpv6.pcap . Then download the file to your PC and open it using Wireshark. It should show you that those icmpv6 packets from your global address are asking for the MAC of the default gateway; if they do and there is no response, the issue is either a typo in the prefix or something must have changed at the ISP side.

11

So I found the actual issue. As soon as I enable DHCPv4 on the AiNET interface and get a dynamic IPv4 the ping on IPv6 is working. So it actually is an ISP issue. Thanks for your help sindy.