Issues with IPv6 routing via WAN

Hi Everyone,

I have been trying to troubleshoot this issue, off and on, for the last 6 months.

I have read and followed the “getting started with IPv6” guide.
I am unable to get a default route out the WAN and am unable to ping any public addresses.
I can get an IPv6 public address from my ISP via DHCPv6 and am able to get hosts assigned within that subnet via ND.

I’ve sent a ticket in to MikroTik but was told that I should reach out to the community or a local MikroTik pro.
Seeing how the closest pro is nine hundred miles away, I’m reaching out to the community for some assistance.

Please describe in detail what your WAN connectivity looks like (plain DHCP vs. PPPoE) and provide a full export of the /ipv6 configuration subtree (as to sensitive data, don’t omit it, obfuscate it and mention that you did so when providing the export). Also provide the output of /ipv6/address/print and /ipv6/route/print (again obfuscate public addresses but leave the variable part, e.g. only obfuscate the left-most part of addresses).

Then we might be able to help you.

Thanks mkx,

I wanted to approach this with humility and ask from a place of ignorance,

local = Bridge
sfp28-1 = WAN
pool6 = DHCPv6 pool built from my ISP lease

My ISP is directly connected via fiber. They use DHCPv6 from what I can see, and SLAAC does not work (or I’ve been misconfiguring it).
Below is the output you asked for:

https://pastebin.com/AC1aXeVs

I don’t particularly like all the firewall stuff, it’s dropping lots of traffic (perhaps even too much … in IPv6 ICMP is very important to be working).

I also don’t know if the restrictive /ipv6/nd setup is OK (I have doubts about advertise-mac-address=no).

I don’t see anything very off in the address/route part of setup though.


Just for reference, here’s default IPv6 setup for SOHO-class of MT devices (CCR fall into pro-line and that one comes without default config):

/ipv6 firewall {
    address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
    address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
    address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
    address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
    address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
    address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
    address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
    address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
    address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
    filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
    filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
    filter add chain=input action=accept protocol=udp dst-port=33434-33534 comment="defconf: accept UDP traceroute"
    filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
    filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
    filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
    filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
    filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
    filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
    filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
    filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
    filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
    filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
    filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
    filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
    filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
    filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
    filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
    filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
    filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
}

There’s nothing else for /ipv6, nothing special about nd or other stuff. And IMO this is a pretty decently safe setup and a good base to build the setup further.

On one of “my” routers, where ISP is running “plain DHCP” (as it’s in your case) I also have this:

/ipv6 settings
set accept-router-advertisements=yes
/ipv6 dhcp-client
set [ find ] add-default-route=no

The add-default-route property of the DHCPv6 client is a kludge to work around problems with getting a proper default gateway … by default, the first setting above is set to yes-if-forwarding-disabled, which normally means the router is not accepting upstream RAs … however, this is the proper way of getting information about available routers in IPv6, while add-default-route sets the default route to the DHCPv6 server’s address … which may or may not work (depends on the ISP’s setup).
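As an added example (not part of mkx's post and not MikroTik's own code), here is the two-setting change described above followed by a small RouterOS v7 script that checks the things that post and the OP's symptoms turn on: whether the WAN interface has a link-local address at all (RAs and the upstream router's fe80:: gateway both depend on it), what default routes are installed and from which gateway, and whether a public host answers. The interface name sfp28-1 is the OP's WAN and the probe target is Google Public DNS; both are assumptions to adjust for another setup.

```routeros
# Added example, not from the thread: prefer an RA-learned default route over
# the DHCPv6 server address, as mkx recommends above.
/ipv6/settings/set accept-router-advertisements=yes
/ipv6/dhcp-client/set [find] add-default-route=no

# ---- health check -------------------------------------------------------
# Assumptions: the WAN interface is the OP's sfp28-1; the probe target is a
# well-known public resolver used only as a reachability check.
:local wan "sfp28-1"
:local target "2001:4860:4860::8888"

# 1. Does the WAN interface carry a link-local (fe80::/10) address? Without one
#    the router can neither receive RAs nor reach an fe80:: next hop.
:local hasLL false
:foreach a in=[/ipv6/address/find where interface=$wan] do={
    :local addr [/ipv6/address/get $a address]
    :if ([:pick $addr 0 5] = "fe80:") do={ :set hasLL true }
}
:put ("link-local present on $wan: " . [:tostr $hasLL])

# 2. List every default route with gateway, distance and flags. After the two
#    settings above the gateway should be the upstream router's fe80:: address
#    learned from RAs; with add-default-route=yes it would instead be whatever
#    address the DHCPv6 server replied from, which the ISP may not route.
:local defaults 0
:foreach r in=[/ipv6/route/find where dst-address="::/0"] do={
    :set defaults ($defaults + 1)
    :local line ("default via " . [/ipv6/route/get $r gateway])
    :set line ($line . " distance=" . [:tostr [/ipv6/route/get $r distance]])
    :set line ($line . " active=" . [:tostr [/ipv6/route/get $r active]])
    :set line ($line . " dynamic=" . [:tostr [/ipv6/route/get $r dynamic]])
    :put $line
}
:if ($defaults = 0) do={
    :put "no default route: verify RAs arrive on $wan and the input chain accepts icmpv6"
}

# 3. End-to-end probe: /ping returns the number of replies received.
:local got [/ping $target count=3]
:put ("replies from $target: " . [:tostr $got] . "/3")
```

Paste it into a terminal or save it under /system/script and run it once before and once after changing the two settings; the default-route line is the one to compare, since an entry whose gateway disappears or goes inactive after the change means the ISP is not sending RAs on that link and the DHCPv6-derived route was the only thing keeping the router up.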

Have you double-checked your firewall rules? Sometimes, they can block IPv6 traffic even if everything else seems fine.

Echoing @mkx, OP’s firewall has too many rules. However, from the export, all the rules are currently disabled, which means the issue is not firewall related. It’s probably the wrong default route, which picks the DHCPv6 server address as gateway like @mkx wrote. To verify, maybe you could try, from outside (from the internet), to ping and traceroute to [REDACTED]:d100::1 (your router’s address)?

I’ve nuked my full IPv6 config… does anyone have a clean config I can use?
Interesting point: I’ve noticed that none of my interfaces have link-local addresses on the router.

On all “non-pro” devices[*] one gets the default by running /system/default-configuration/print in a really wide terminal window. Scroll down to the /ipv6/firewall section. Which is exactly what I provided in my previous post. It seems you’re ignoring that post, so I will likely ignore your questions from now on.

[*]non-pro devices are all but CHR, CRS, CCR and RB1100 series of devices.

I see this now… my apologies… I am rather frustrated with the issue…
I appreciate your help and I thank you for the time you spent replying to my posts.