janci
October 19, 2017, 9:22am
1
Hi, I have been searching for a second day for a solution to my problem but am not able to find any help, so I decided to ask here.
I created a tunnel at https://tunnelbroker.net/
Then I clicked the example config tab and copied that to the terminal.
The problem is that the 6to4 interface is not running:
/interface 6to4 print detail
Flags: X - disabled, R - running
0 ;;; Hurricane Electric IPv6 Tunnel Broker
name="sit1" mtu=1280 actual-mtu=1280 local-address=my_static_public_ipv4_address remote-address=216.66.87.14 dscp=inherit clamp-tcp-mss=yes dont-fragment=no
Here is the IPv6 address of the sit1 interface.
When checking over WinBox, the name of the interface is in italic font.
/ipv6 address print detail
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
0 -----
1 -----
2 -----
3 -----
4 G address=2001:470:xxxx:xxxx::2/64 from-pool="" interface=sit1 actual-interface=sit1 eui-64=no advertise=no no-dad=no
5 -----
6 DL address=fe80::3:xxxx:xxxx/64 from-pool="" interface=sit1 actual-interface=sit1 eui-64=no advertise=no no-dad=no
And here is the IPv6 route:
/ipv6 route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
0 S dst-address=2000::/3 gateway=2001:470:xxxx:xxxx::1 gateway-status=2001:470:xxxx:xxxx::1 unreachable distance=1 scope=30 target-scope=10
1 DC dst-address=2001:470:xxxx:xxxx::/64 gateway=sit1 gateway-status=sit1 unreachable distance=255 scope=10
2 ADC dst-address=2001:470:xxxx:xxxx::/64 gateway=switch_bridge gateway-status=switch_bridge reachable distance=0 scope=10
Please, does somebody have any idea what is wrong? Thank you.
janci
October 20, 2017, 7:15am
2
Looks like nobody has an idea or a tip.
pe1chl
October 20, 2017, 7:23am
3
Looks like you are very impatient…
janci
October 20, 2017, 7:31am
4
Yes, because I already configured another Linux-based router with that IPv6 tunnel over Hurricane Electric. And I have spent almost one day on the configuration of the MikroTik router without success …
pe1chl
October 20, 2017, 8:32am
5
I have no experience with that because here we get native IPv6 from the provider, but I hope you realize that this is just a for-users-by-users forum where you have to be lucky for someone to read your message and to spend the time to study your problem and suggest a solution.
Posting a negative and impatient remark just 10 hours after asking a question (with that time being during the night for the European readers) is not going to help.
Flames aside about patience vs. impatience.
What’s your firewall configuration? Are you able to ping the HE side of the tunnel from the router? A full /export hide-sensitive would be good.
janci
October 23, 2017, 6:07am
7
Yes, I can ping the HE IPv4 server address.
Here is the filter section from the firewall:
Flags: X - disabled, I - invalid, D - dynamic
0 X chain=input action=accept log=no log-prefix=""
1 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid log=no log-prefix=""
2 ;;; Accept established connections
chain=input action=accept connection-state=established log=no log-prefix=""
3 ;;; Accept releated connections
chain=input action=accept connection-state=related log=no log-prefix=""
4 X chain=input action=accept protocol=ipv6 src-address=216.66.87.14 log=no log-prefix=""
5 X chain=output action=accept protocol=ipv6 log=no log-prefix=""
6 X ;;; Log DoS Attackers
chain=input action=log connection-limit=3,32 protocol=tcp src-address-list=DoS log=no log-prefix="DoS Attackers"
7 X ;;; Tarpit DoS attackers
chain=input action=tarpit connection-limit=3,32 protocol=tcp src-address-list=DoS log=no log-prefix=""
8 ;;; Detection DoS Aattackers
chain=input action=add-src-to-address-list connection-limit=10,32 protocol=tcp src-address-list=!admin address-list=DoS address-list-timeout=1d log=no log-prefix=""
9 ;;; Drop SSH brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 log=no log-prefix=""
10 ;;; ssh_s3_to_ssh_blacklist
chain=input action=add-src-to-address-list protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1d dst-port=22 log=no log-prefix=""
11 ;;; ssh_s2_to_ssh_s3
chain=input action=add-src-to-address-list protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22 log=no log-prefix=""
12 ;;; ssh_s1_to_ssh_s2
chain=input action=add-src-to-address-list protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22 log=no log-prefix=""
13 ;;; ssh_to_ssh_s1
chain=input action=add-src-to-address-list protocol=tcp src-address-list=!admin address-list=ssh_stage1 address-list-timeout=1m dst-port=22 log=no log-prefix=""
14 ;;; Drop WinBox brute forcers
chain=input action=drop protocol=tcp src-address-list=winbox_blacklist dst-port=8291 log=no log-prefix=""
15 ;;; winbox_s3_to_winbox_blacklist
chain=input action=add-src-to-address-list protocol=tcp src-address-list=winbox_stage3 address-list=winbox_blacklist address-list-timeout=1d dst-port=8291 log=no log-prefix=""
16 ;;; winbox_s2_to_winbox_s3
chain=input action=add-src-to-address-list protocol=tcp src-address-list=winbox_stage2 address-list=winbox_stage3 address-list-timeout=1m dst-port=8291 log=no log-prefix=""
17 ;;; winbox_s1_to_winbox_s2
chain=input action=add-src-to-address-list protocol=tcp src-address-list=winbox_stage1 address-list=winbox_stage2 address-list-timeout=1m dst-port=8291 log=no log-prefix=""
18 ;;; winbox_to_winbox_s1
chain=input action=add-src-to-address-list protocol=tcp address-list=winbox_stage1 address-list-timeout=1m dst-port=8291 log=no log-prefix=""
19 ;;; Log blocked address detected by PSD chain
chain=input action=log src-address-list=port_scanners log=no log-prefix="PSD"
20 ;;; Drop blocked address detected by PSD chain
chain=input action=drop src-address-list=port_scanners log=no log-prefix=""
21 ;;; Jump to PORT SCAN DETECTION
chain=input action=jump jump-target=port_scann_det log=no log-prefix=""
22 ;;; Jump to ICMP chain
chain=input action=jump jump-target=icmp protocol=icmp log=no log-prefix=""
23 ;;; WinBox_TCP-8291
chain=input action=accept protocol=tcp dst-port=8291 log=no log-prefix=""
24 ;;; DUDE
chain=input action=accept protocol=tcp dst-port=81 log=no log-prefix=""
25 ;;; DUDE
chain=input action=accept protocol=tcp dst-port=2211 log=no log-prefix=""
26 ;;; PPtP
chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""
27 X ;;; eoip
chain=input action=accept protocol=tcp dst-port=47 log=no log-prefix=""
28 ;;; PPtP
chain=input action=accept protocol=gre log=no log-prefix=""
29 ;;; Web_TCP-80
chain=input action=accept protocol=tcp in-interface=switch_bridge dst-port=8080 log=no log-prefix=""
30 ;;; DNS_TCP-53
chain=input action=accept protocol=tcp in-interface=switch_bridge dst-port=53 log=no log-prefix=""
31 ;;; DNS_TCP-53
chain=input action=accept protocol=tcp in-interface=ether10 dst-port=53 log=no log-prefix=""
32 ;;; DNS_UDP-53
chain=input action=accept protocol=udp in-interface=switch_bridge dst-port=53 log=no log-prefix=""
33 ;;; DNS_UDP-53
chain=input action=accept protocol=udp in-interface=ether10 dst-port=53 log=no log-prefix=""
34 ;;; SSH_TCP-22
chain=input action=accept protocol=tcp in-interface=switch_bridge dst-port=22 log=no log-prefix=""
35 ;;; SSH_TCP-22
chain=input action=accept protocol=tcp in-interface=ether11 dst-port=22 log=no log-prefix=""
36 ;;; Other Input Drop
chain=input action=drop log=no log-prefix=""
37 ;;; PSD detection to adress list
chain=port_scann_det action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=port_scanners address-list-timeout=1d log=no log-prefix=""
38 ;;; NMAP FIN stealth scan
chain=port_scann_det action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=port_scanners address-list-timeout=1d log=no log-prefix=""
39 ;;; SYN FIN scan
chain=port_scann_det action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp address-list=port_scanners address-list-timeout=1d log=no log-prefix=""
40 ;;; SYN RST scan
chain=port_scann_det action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp address-list=port_scanners address-list-timeout=1d log=no log-prefix=""
41 ;;; FIN PUSH URG scan
chain=port_scann_det action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp address-list=port_scanners address-list-timeout=1d log=no log-prefix=""
42 ;;; ALL ALL scan
chain=port_scann_det action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=port_scanners address-list-timeout=1d log=no log-prefix=""
43 ;;; NMAP NULL scan
chain=port_scann_det action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=port_scanners address-list-timeout=1d log=no log-prefix=""
44 ;;; Navrat do Input
chain=port_scann_det action=return log=no log-prefix=""
45 ;;; Limittde ping allow
chain=icmp action=accept connection-state=new protocol=icmp limit=50,5:packet log=no log-prefix=""
46 ;;; Echo replay 0:0
chain=icmp action=accept protocol=icmp icmp-options=0:0 log=no log-prefix=""
47 ;;; Echo reques 8:0
chain=icmp action=accept protocol=icmp icmp-options=8:0 log=no log-prefix=""
48 ;;; Time exceeded 11:0
chain=icmp action=accept protocol=icmp icmp-options=11:0 log=no log-prefix=""
49 ;;; Destination unreachable 3:3
chain=icmp action=accept protocol=icmp icmp-options=3:3 log=no log-prefix=""
50 ;;; Destination unreachable 3:4
chain=icmp action=accept protocol=icmp icmp-options=3:4 log=no log-prefix=""
51 ;;; Other ICMP Drop
chain=icmp action=drop protocol=icmp log=no log-prefix=""
52 ;;; Navrat do Input
chain=icmp action=return log=no log-prefix=""
53 ;;; Drop invalid connections
chain=forward action=drop connection-state=invalid log=no log-prefix=""
54 ;;; Accept established connections
chain=forward action=accept connection-state=established log=no log-prefix=""
55 ;;; Accept releated connections
chain=forward action=accept connection-state=related log=no log-prefix=""
Enabling rules 4 and 5 is not helping.
Thank you.
janci
October 23, 2017, 7:54am
8
Here is the export. If you see that something about IPv6 is disabled, I did it … anyway, it is not working so …
/export hide-sensitive
# oct/23/2017 09:34:42 by RouterOS 6.40.4
# software id = 5II5-8949
#
# model = 1100AHx2
# serial number =
/interface bridge
add name=switch_bridge
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether8 ] master-port=ether6
set [ find default-name=ether9 ] master-port=ether6
/interface 6to4
add comment="Hurricane Electric IPv6 Tunnel Broker" disabled=yes !keepalive local-address=my_public_IP mtu=1280 name=sit1 remote-address=216.66.87.14
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=lokalka ranges=192.168.1xx.128-192.168.1xx.240
add name=lokalka_dva ranges=192.168.2xx.100-192.168.2xx.200
/ip dhcp-server
add address-pool=lokalka disabled=no interface=switch_bridge name=lokalka
add address-pool=lokalka_dva disabled=no interface=ether10 name=lokalka_dva
/interface bridge port
add bridge=switch_bridge interface=ether1
add bridge=switch_bridge interface=ether6
add bridge=switch_bridge interface=ether12
add bridge=switch_bridge interface=ether13
/interface pptp-server server
set enabled=yes
/ip address
add address=x.x.x.x/24 interface=ether11 network=x.x.x.0
add address=192.168.1xx.1/24 interface=switch_bridge network=192.168.1xx.0
add address=192.168.2xx.1/24 interface=ether10 network=192.168.2xx.0
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server network
add address=192.168.1xx.0/24 dns-server=192.168.1xx.1 gateway=192.168.1xx.1
add address=192.168.2xx.0/24 dns-server=192.168.2xx.1 gateway=192.168.2xx.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=5d cache-size=4096KiB servers=208.67.222.222,208.67.220.220
/ip firewall filter
add action=accept chain=input disabled=yes
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=accept chain=input comment="Accept established connections" connection-state=established
add action=accept chain=input comment="Accept releated connections" connection-state=related
add action=accept chain=input disabled=yes protocol=ipv6 src-address=216.66.87.14
add action=accept chain=output disabled=yes protocol=ipv6
add action=log chain=input comment="Log DoS Attackers" connection-limit=3,32 disabled=yes log-prefix="DoS Attackers" protocol=tcp src-address-list=DoS
add action=tarpit chain=input comment="Tarpit DoS attackers" connection-limit=3,32 disabled=yes protocol=tcp src-address-list=DoS
add action=add-src-to-address-list address-list=DoS address-list-timeout=1d chain=input comment="Detection DoS Aattackers" connection-limit=10,32 protocol=tcp src-address-list=!admin
add action=drop chain=input comment="Drop SSH brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1d chain=input comment=ssh_s3_to_ssh_blacklist dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment=ssh_s2_to_ssh_s3 dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment=ssh_s1_to_ssh_s2 dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment=ssh_to_ssh_s1 dst-port=22 protocol=tcp src-address-list=!admin
add action=drop chain=input comment="Drop WinBox brute forcers" dst-port=8291 protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist address-list-timeout=1d chain=input comment=winbox_s3_to_winbox_blacklist dst-port=8291 protocol=tcp src-address-list=winbox_stage3
add action=add-src-to-address-list address-list=winbox_stage3 address-list-timeout=1m chain=input comment=winbox_s2_to_winbox_s3 dst-port=8291 protocol=tcp src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=1m chain=input comment=winbox_s1_to_winbox_s2 dst-port=8291 protocol=tcp src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=1m chain=input comment=winbox_to_winbox_s1 dst-port=8291 protocol=tcp
add action=log chain=input comment="Log blocked address detected by PSD chain" log-prefix=PSD src-address-list=port_scanners
add action=drop chain=input comment="Drop blocked address detected by PSD chain" src-address-list=port_scanners
add action=jump chain=input comment="Jump to PORT SCAN DETECTION" jump-target=port_scann_det
add action=jump chain=input comment="Jump to ICMP chain" jump-target=icmp protocol=icmp
add action=accept chain=input comment=WinBox_TCP-8291 dst-port=8291 protocol=tcp
add action=accept chain=input comment=DUDE dst-port=81 protocol=tcp
add action=accept chain=input comment=DUDE dst-port=2211 protocol=tcp
add action=accept chain=input comment=PPtP dst-port=1723 protocol=tcp
add action=accept chain=input comment=eoip disabled=yes dst-port=47 protocol=tcp
add action=accept chain=input comment=PPtP protocol=gre
add action=accept chain=input comment=Web_TCP-80 dst-port=8080 in-interface=switch_bridge protocol=tcp
add action=accept chain=input comment=DNS_TCP-53 dst-port=53 in-interface=switch_bridge protocol=tcp
add action=accept chain=input comment=DNS_TCP-53 dst-port=53 in-interface=ether10 protocol=tcp
add action=accept chain=input comment=DNS_UDP-53 dst-port=53 in-interface=switch_bridge protocol=udp
add action=accept chain=input comment=DNS_UDP-53 dst-port=53 in-interface=ether10 protocol=udp
add action=accept chain=input comment=SSH_TCP-22 dst-port=22 in-interface=switch_bridge protocol=tcp
add action=accept chain=input comment=SSH_TCP-22 dst-port=22 in-interface=ether11 protocol=tcp
add action=drop chain=input comment="Other Input Drop"
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=port_scann_det comment="PSD detection to adress list" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=port_scann_det comment="NMAP FIN stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=port_scann_det comment="SYN FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=port_scann_det comment="SYN RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=port_scann_det comment="FIN PUSH URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=port_scann_det comment="ALL ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=port_scann_det comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=return chain=port_scann_det comment="Navrat do Input"
add action=accept chain=icmp comment="Limittde ping allow" connection-state=new limit=50,5:packet protocol=icmp
add action=accept chain=icmp comment="Echo replay 0:0" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="Echo reques 8:0" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="Time exceeded 11:0" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="Destination unreachable 3:3" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp comment="Destination unreachable 3:4" icmp-options=3:4 protocol=icmp
add action=drop chain=icmp comment="Other ICMP Drop" protocol=icmp
add action=return chain=icmp comment="Navrat do Input"
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add action=accept chain=forward comment="Accept established connections" connection-state=established
add action=accept chain=forward comment="Accept releated connections" connection-state=related
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether11
add action=dst-nat chain=dstnat dst-port=5xxx in-interface=ether11 protocol=tcp to-addresses=192.168.1xx.3 to-ports=5xxx
add action=dst-nat chain=dstnat dst-port=5xxx in-interface=ether11 protocol=tcp to-addresses=192.168.1xx.3 to-ports=5xxx
add action=dst-nat chain=dstnat dst-port=x5xx in-interface=ether11 protocol=tcp to-addresses=192.168.2xx.3 to-ports=xx
/ip route
add distance=1 gateway=xx.x.xx.1
/ip service
set telnet disabled=yes
set www port=8080
/ip ssh
set strong-crypto=yes
/ipv6 address
add address=2001:470:xxxa:618::2 advertise=no interface=sit1
add address=2001:470:xxxb:618::1 disabled=yes interface=switch_bridge
/ipv6 route
add disabled=yes distance=1 dst-address=2000::/3 gateway=2001:470:xxxa:618::1
/system clock
set time-zone-name=Europe/Bratislava
/system identity
set name=xxxxx
janci
October 25, 2017, 9:59am
9
Problem solved.
I have an IPv4 public address, but it is a bit tricky. My ISP is forwarding all ports to my router from the mentioned public IPv4 address, so I am basically behind NAT. So I changed the local address in the configuration of the sit interface and hooray.
So, mistake on my side.
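A small check for the root cause janci found, added here as an example and not code from the thread or from MikroTik: it parses constructed "/interface 6to4 print detail" and "/ip address print" output (placeholder addresses, not the poster's real ones) and flags a tunnel whose local-address is not actually configured on the router, which is exactly what happens when the router sits behind ISP NAT and the public address is used as local-address.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample output modelled on the thread's "/interface 6to4 print detail".
# 203.0.113.10 stands in for the public address the ISP forwards to the router.
SIT_PRINT = (
    '0 ;;; Hurricane Electric IPv6 Tunnel Broker\n'
    'name="sit1" mtu=1280 actual-mtu=1280 local-address=203.0.113.10 '
    'remote-address=216.66.87.14 dscp=inherit clamp-tcp-mss=yes dont-fragment=no\n'
)
# Constructed "/ip address print": the WAN port (ether11) carries a private
# address because the ISP does the NAT, so the public address is not on the router.
IP_ADDRESS_PRINT = (
    'Flags: X - disabled, I - invalid, D - dynamic\n'
    '0 192.168.100.1/24 192.168.100.0 switch_bridge\n'
    '1 192.168.200.1/24 192.168.200.0 ether10\n'
    '2 10.0.0.2/24 10.0.0.0 ether11\n'
)

KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')
RFC1918 = [ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]


def parse_6to4(text):
    """Return the key=value fields of the tunnel in '/interface 6to4 print detail' output."""
    fields = {}
    for line in text.splitlines():
        for key, val in KV.findall(line):
            fields[key] = val.strip('"')
    return fields


def local_addresses(text):
    """Collect the IPv4 addresses configured on the router from '/ip address print'."""
    addrs = set()
    for line in text.splitlines():
        m = re.search(r'(\d+\.\d+\.\d+\.\d+)/\d+', line)
        if m:
            addrs.add(ip_address(m.group(1)))
    return addrs


def check_tunnel(sit_text, addr_text):
    """Return a list of findings; an empty list means local-address is usable."""
    tun = parse_6to4(sit_text)
    local = ip_address(tun['local-address'])
    configured = local_addresses(addr_text)
    findings = []
    if local not in configured:
        findings.append(f"local-address {local} is not configured on any interface, "
                        f"so the 6to4 tunnel cannot bind it and stays not running")
        if any(a in net for a in configured for net in RFC1918):
            findings.append("router has only RFC1918 addresses: it is behind ISP NAT, so use "
                            "the private WAN address as local-address and keep the public one "
                            "only on the HE side of the tunnel")
    return findings


if __name__ == '__main__':
    for f in check_tunnel(SIT_PRINT, IP_ADDRESS_PRINT):
        print('FINDING:', f)
```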