Need help configuring ipv6. Cannot access internet from client using ipv6. (Resolved)

Hi.

I just bought a MikroTik hEX router and now I have a problem with it when configuring an IPv6 network.

I have a 2a02:2340:1203::/48 network which is routed to the routing network 2a02:2340:1200::/64.
My address in that network is 2a02:2340:1200::1203/64 and the ISP's side is 2a02:2340:1200::1.

I took one /64 subnet from that /48 network and configured it on the bridge (LAN) side.

[@RouterOS] > ipv6 address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
 #    ADDRESS                                     FROM-POOL INTERFACE   ADVERTISE
 0 DL fe80::4aa9:8aff:fec6:aaf4/64                          bridge      no
 1 DL fe80::4aa9:8aff:fec6:aaf3/64                          ether1      no
 2  G 2a02:2340:1200::1203/64                               ether1      no
 3  G 2a02:2340:1203::1/64                                  bridge      yes

[@RouterOS] > ipv6 route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
 #      DST-ADDRESS              GATEWAY                  DISTANCE
 0 A S  ::/0                     2a02:2340:1200::1               1
 1 ADC  2a02:2340:1200::/64      ether1                          0
 2 ADC  2a02:2340:1203::/64      bridge                          0

I can ping the gateway or Google from the router, and the bridge-side IP from the client, but I cannot ping the gateway or Google from the client, or the client from the router's ether1 interface.


[@RouterOS] > ping 2a02:2340:1200::1 interface=ether1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 2a02:2340:1200::1                          56  64 1ms   echo reply
    1 2a02:2340:1200::1                          56  64 1ms   echo reply
    2 2a02:2340:1200::1                          56  64 1ms   echo reply
    sent=3 received=3 packet-loss=0% min-rtt=1ms avg-rtt=1ms max-rtt=1ms

[@RouterOS] > ping 2a00:1450:4026:802::200e interface=ether1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 2a00:1450:4026:802::200e                   56  58 4ms   echo reply
    1 2a00:1450:4026:802::200e                   56  58 4ms   echo reply
    sent=2 received=2 packet-loss=0% min-rtt=4ms avg-rtt=4ms max-rtt=4ms

C:\Users\xxx>ping 2a02:2340:1203::1

Pinging 2a02:2340:1203::1 with 32 bytes of data:
Reply from 2a02:2340:1203::1: time<1ms
Reply from 2a02:2340:1203::1: time<1ms
Reply from 2a02:2340:1203::1: time<1ms

Ping statistics for 2a02:2340:1203::1:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms


C:\Users\xxxxx>ping 2a02:2340:1200::1

Pinging 2a02:2340:1200::1 with 32 bytes of data:
Control-C
^C

[@RouterOS] > ping 2a02:2340:1203::1 interface=ether1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 2a02:2340:1203::1                                       timeout
    sent=1 received=0 packet-loss=100%

It seems to be some kind of routing issue because outside access works in both directions. Traffic stops when it tries to go from bridge to ether1 or the other way around. What am I missing? Can you help?

br
Vette

Hi,

Do I have to configure somewhere that traffic goes through ether1 ↔ bridge?

br
Vette

You should check IPv6 firewall rules (or post them here for us to help you assess them). Bridge and ether1 are two interfaces of the same device and traffic doesn't go from one side to the other side if the end destination is one of the router's own IPv6 addresses; it's handled by the same CPU entity, passing via chain=input (or chain=output if the traffic is actually initiated by the router itself).

Which makes me wonder why this issue bothers you so much? What is the actual problem?

Hi mkx,

Thanks for the reply.

I did not explain the problem clearly enough. The problem is that my client cannot access the internet using IPv6 and I cannot figure out why that is. The topology of the network is like this:

client ↔ LAN ↔ router ↔ routing network ↔ internet

client
2a02:2340:1203:0:4eda:9a85:ced6:4686/64
  |
LAN - 2a02:2340:1203::/64
  |
interface Bridge: 2a02:2340:1203::1
Router
interface Ether1: 2a02:2340:1200::1203
  |
GW:2a02:2340:1200::1
Routing Network
  |
Internet

I can ping the internet and the gateway from the router, and the client from the router, but not the internet from the client.

The firewall rules are default ones.

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

br
Vette

What does the routing info on the client look like? How is the client getting its address, via SLAAC?

Hi,

The address is advertised to the client. And here is the routing table.

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 12    281 ::/0                     fe80::4aa9:8aff:fec6:aaf4
  1    331 ::1/128                  On-link
 12    281 2a02:2340:1203::/64      On-link
 12    281 2a02:2340:1203:0:4eda:9a85:ced6:4686/128
                                    On-link
 12    281 2a02:2340:1203:0:892d:2ed:1929:4a2c/128
                                    On-link
 12    281 fe80::/64                On-link
 12    281 fe80::198:6ce1:dec8:4e45/128
                                    On-link
  1    331 ff00::/8                 On-link
 12    281 ff00::/8                 On-link
===========================================================================

   Description . . . . . . . . . . . : Intel(R) Ethernet Connection (7) I219-V
   Physical Address. . . . . . . . . : 04-92-26-BE-36-B1
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2a02:2340:1203:0:4eda:9a85:ced6:4686(Preferred)
   Temporary IPv6 Address. . . . . . : 2a02:2340:1203:0:892d:2ed:1929:4a2c(Preferred)
   Link-local IPv6 Address . . . . . : fe80::198:6ce1:dec8:4e45%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, 5 October 2023 13.44.07
   Lease Expires . . . . . . . . . . : Thursday, 5 October 2023 15.06.08
   Default Gateway . . . . . . . . . : fe80::4aa9:8aff:fec6:aaf4%12
                                       192.168.1.1

and that GW fe80::4aa9:8aff:fec6:aaf4 is a link-local address on the router

[admin@MikroTik] > ipv6 address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
 #    ADDRESS                                     FROM-POOL INTERFACE                                                      ADVERTISE
 0 DL fe80::4aa9:8aff:fec6:aaf4/64                          bridge                                                         no
 1 DL fe80::4aa9:8aff:fec6:aaf3/64                          ether1                                                         no
 2  G 2a02:2340:1203::1/64                        myPool    bridge                                                         yes
 3  G 2a02:2340:1200::1203/64                               ether1                                                         yes

Hi.

More information on this. So the router forwards the traffic out to the internet. Here is a capture from the target server. It sees the traffic and sends it back:

15:50:57.715024 IP6 2a02:2340:1203:0:892d:2ed:1929:4a2c > <target_server>: ICMP6, echo request, id 40582, seq 8, length 64
15:50:57.715049 IP6 <target_server> > 2a02:2340:1203:0:892d:2ed:1929:4a2c: ICMP6, echo reply, id 40582, seq 8, length 64

So it seems that the traffic is dropped on the router when it is coming back.

br
Vette

And a packet capture from the router shows no return traffic:

 1   0.821 ether2            2a02:2340:1203:0:892d:2ed:1929:4a2c       2001:708:<TARGET>:2639        icmpv6        118   1 no
 2   0.821 bridge            2a02:2340:1203:0:892d:2ed:1929:4a2c       2001:708:<TARGET>:2639        icmpv6        118   1 no
 3   0.821 ether1            2a02:2340:1203:0:892d:2ed:1929:4a2c       2001:708:<TARGET>:2639        icmpv6        118   1 no

 5   1.821 ether2            2a02:2340:1203:0:892d:2ed:1929:4a2c       2001:708:<TARGET>:2639        icmpv6        118   1 no
 6   1.821 bridge            2a02:2340:1203:0:892d:2ed:1929:4a2c       2001:708:<TARGET>:2639        icmpv6        118   1 no
 7   1.821 ether1            2a02:2340:1203:0:892d:2ed:1929:4a2c       2001:708:<TARGET>:2639        icmpv6        118   1 no

Is it the firewall? That might block it before I can capture the traffic.

br
Vette

Hi,

I see that the traffic goes out through firewall rule
15 ;;; defconf: accept ICMPv6 chain=forward action=accept protocol=icmpv6

but I do not see where it comes back and where it is dropped.

Is it possible that the IPv4 fasttrack affects this?

br
Vette

Hi,

There was a configuration error on the ISP side. The routing network was not routed like they told me it was. I complained and now it is fixed.

br
Vette

IPv4 fasttrack should not affect IPv6 traffic in any way.

The return ICMPv6 packets should be allowed by the first rule for chain=forward (allow established,related). However, if those were dropped, you'd still see them in a packet capture on ether1; the firewall drop comes later, since the router's IPv6 stack (which does the firewalling) sits between ether1 and bridge. So this seems to be something upstream from your router (usually that's the ISP).

[Edit] glad to see things are fixed already.
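The diagnostic mkx describes above (a firewall drop would still show the reply on ether1; no reply on ether1 means the problem is upstream) can be applied mechanically to the router's sniffer output. This is an added example, not code from the thread or from MikroTik: it parses lines in the layout of the capture posted earlier and classifies each LAN-host/remote flow. The sample lines are constructed, the target address is a documentation-range placeholder, and the LAN /64 and interface names are taken from the thread.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of the router's sniffer output from the thread
# (index, time, interface, src, dst, protocol, size, ...). Requests leave on ether1,
# nothing comes back: the situation Vette captured.
NO_RETURN_CAPTURE = """\
1   0.821 ether2  2a02:2340:1203:0:892d:2ed:1929:4a2c  2001:db8::2639  icmpv6  118  1  no
2   0.821 bridge  2a02:2340:1203:0:892d:2ed:1929:4a2c  2001:db8::2639  icmpv6  118  1  no
3   0.821 ether1  2a02:2340:1203:0:892d:2ed:1929:4a2c  2001:db8::2639  icmpv6  118  1  no
7   1.821 ether1  2a02:2340:1203:0:892d:2ed:1929:4a2c  2001:db8::2639  icmpv6  118  1  no
"""
# Constructed contrast case: a reply arrives on ether1 but never appears on bridge,
# which is what a local firewall/routing drop would look like.
DROPPED_CAPTURE = NO_RETURN_CAPTURE + """\
8   1.825 ether1  2001:db8::2639  2a02:2340:1203:0:892d:2ed:1929:4a2c  icmpv6  118  1  no
"""

LAN_PREFIX = ipaddress.ip_network("2a02:2340:1203::/64")  # bridge-side /64 from the thread

def parse_capture(text):
    """Keep rows that look like packet lines; return (iface, src, dst) tuples."""
    rows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 5 or not p[0].isdigit():
            continue  # blank line or header, not a packet
        rows.append((p[2], ipaddress.ip_address(p[3]), ipaddress.ip_address(p[4])))
    return rows

def diagnose(rows, wan="ether1", lan="bridge"):
    """Per (LAN host, remote) flow: 'upstream' if no reply ever reached the WAN port,
    'router' if replies hit the WAN port but never left towards the LAN (dropped locally),
    'ok' if replies were seen leaving on the LAN interface."""
    stats = defaultdict(lambda: {"out_wan": 0, "in_wan": 0, "out_lan": 0})
    for iface, src, dst in rows:
        if iface == wan and src in LAN_PREFIX:
            stats[(str(src), str(dst))]["out_wan"] += 1
        elif iface == wan and dst in LAN_PREFIX:
            stats[(str(dst), str(src))]["in_wan"] += 1
        elif iface == lan and dst in LAN_PREFIX:
            stats[(str(dst), str(src))]["out_lan"] += 1
    verdicts = {}
    for flow, s in stats.items():
        if s["out_lan"]:
            verdicts[flow] = "ok"
        elif s["in_wan"]:
            verdicts[flow] = "router"
        elif s["out_wan"]:
            verdicts[flow] = "upstream"
    return verdicts
```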