[Q] IPv6 6in4 tunnel SSH woes using RB750Gr3 router

Hi Guys,

I have a strange issue and thought I would see if anyone knows the answer. I have a 6in4 tunnel with an ISP I work for, and since I have had this set up on my Mikrotik RB750Gr3, I have been experiencing timeouts on any of the servers that I connect into via SSH from the LAN. This only happens on IPv6 connections; on IPv4, it stays connected fine even to the same server.

I wonder if anyone knows of any additional options I don’t know about (tweaks) which I could add/try and see if that resolves the issue. I am not sure exactly how long it stays connected for, but the general operation is fine. It’s like an idle timeout somewhere which needs adjusting.

My setup is pretty much standard and you should be able to see the relevant bits below (else I can do you a full config).

I think that’s about it. If I am missing any of the configuration that you would like to see, please let me know, but I think this issue can be resolved if someone knows what could cause the SSH session timeouts and what options I could add to stop it.

So a quick summary is: this issue only affects IPv6 connectivity which uses the 6in4 tunnel; it is not the server(s) that I am connecting to, as they are fine with IPv4; and it is likely some form of idle timeout, but alas I can’t seem to find any options.

Any help would be greatly received.


[simon@RB750Gr3_2] /ipv6> address print 
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
 #    ADDRESS                                     FROM-POOL INTERFACE                                                                                        ADVERTISE
 0 DL fe80::6e3b:6XXf:fXX0:9bcb/64                          ether1-gateway                                                                                   no       
 1 DL fe80::6e3b:6XXf:XX70:9bcc/64                          ether2-master                                                                                    no       
 2 DL fe80::XX9f:XX0f/64                                    WORK-IPV6                                                                                      no       
 3  G 2a06:2xx1:4XXe::1/64                        WORK-IPV6    ether2-master



[simon@RB750Gr3_2] /ipv6> firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; accept established,related
      chain=forward action=accept connection-state=established,related 

 1    ;;; drop invalid
      chain=forward action=drop connection-state=invalid 

 2    ;;; accept SSH via ACL from WAN
      chain=input action=accept protocol=tcp src-address-list=TRUSTED in-interface=WAN dst-port=220 

 3    chain=input action=accept protocol=tcp src-address-list=TRUSTED in-interface=WAN dst-port=8291 

 4    chain=input action=accept protocol=udp in-interface=WAN dst-port=500 

 5    chain=input action=accept protocol=udp in-interface=WAN dst-port=1701 

 6    chain=input action=accept protocol=udp in-interface=WAN dst-port=4500 

 7    ;;; accept pings
      chain=input action=accept protocol=icmp 

 8    chain=input action=accept connection-state=established 

 9    chain=input action=accept connection-state=related 

10    ;;; drop all WAN
      chain=input action=drop in-interface=WAN



[simon@RB750Gr3_2] /ipv6 nd> print 
Flags: X - disabled, I - invalid, * - default 
 0  * interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified ra-lifetime=30m hop-limit=unspecified 
      advertise-mac-address=yes advertise-dns=no managed-address-configuration=no other-configuration=no



[simon@RB750Gr3_2] /ipv6 nd> prefix print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D prefix=2axx:2xx1:xx1e::/64 interface=ether2-master on-link=yes autonomous=yes valid-lifetime=4w2d preferred-lifetime=1w



[simon@RB750Gr3_2] /interface> 6to4 print 
Flags: X - disabled, R - running 
 #    NAME                          MTU ACTUAL-MTU LOCAL-ADDRESS   REMOTE-ADDRESS                        KEEPALIVE                                                DSCP
 0  R WORK-IPV6                  1280       1280 212.XXX.XX.15   1XX.XX3.XX9.254                       10s,10

Did you try running traceroute? Did you check IPv6 neighbours? Can you reach the other end of the tunnel?

Hi there,

Thanks for the reply.

Yes I did, and I have just tracked down the issue. The problem is that the IPv6 address is changing, thus booting me off the SSH session. I only noticed this when I looked at the auth logs on one of the servers and noticed that I am hitting the server from many different IP addresses throughout the day.

I spoke to a network engineer friend of mine and he advised me to check the IPv6 ND, and the only thing I could find in there was “ra-lifetime”, which makes sense as it was 1800 seconds (30 minutes). Now I checked your wiki and I found that the ra-lifetime description was left blank, so no wonder I didn’t know what it was meant for (you might want to adjust that).

http://wiki.mikrotik.com/wiki/Manual:IPv6/ND

Anyway, I tried to set it to one day (86400) but it seems the maximum you can set it to is 2h30m.

What it was set to:

[simon@RB750Gr3_2] /ipv6 nd> print
Flags: X - disabled, I - invalid, * - default 
 0  * interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified ra-lifetime=30m hop-limit=unspecified advertise-mac-address=yes 
      advertise-dns=no managed-address-configuration=no other-configuration=no

Trying to set it from Winbox gives you a very stupid error (I forgot what it says, but it doesn’t give you a hint on the max, so you may want to fix that error some day to make it clearer), but if you type it in the console you get a reasonable error rather than a cryptic message:

[simon@RB750Gr3_2] /ipv6 nd> set ra-lifetime=86400 numbers=0  
invalid value for argument ra-lifetime:
    input does not match any value of special
    value of value is out of range ( .. 02:30:00)

Now I’ve set it to 2h30m, which is the maximum it seems. I just really don’t know why you (Mikrotik) have imposed such a small time; unless there’s really a valid reason for it, I would really love to hear. Having the IPv6 address change so frequently is a bit much as it breaks existing ongoing connections.

[simon@RB750Gr3_2] /ipv6 nd> print                             
Flags: X - disabled, I - invalid, * - default 
 0  * interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified ra-lifetime=2h30m hop-limit=unspecified 
      advertise-mac-address=yes advertise-dns=no managed-address-configuration=no other-configuration=no

I am not 100% sure if this option is the correct one to change, as the wiki doesn’t tell you what it’s for, but it at least makes sense by looking at how often I was dropping connections. So far since the change, I’ve stayed connected, so I believe this is the right option.

The SSH client (from Linux hosts) uses a new temporary IPv6 address for each SSH session. You can check for the addresses via $ ip -6 addr | grep temporary. That is normal behaviour.

Thanks for the reply. Sadly you’re right; after doing some research, it’s called a privacy setting or something and it automatically changes your IP to help hide your identity.

I think I’m just used to a static address on IPv6 and so I’ve never noticed the problem before. Last night I did work out a solution, and that’s to add a forward firewall rule which uses tcp-reset, which forces IPv6 on SSH ports only to be rejected, thus forcing the connection to use IPv4 instead.

IMO it would be better to accept the prefix and adjust your thinking for IPv6 - so, work with prefixes and get used to things. While many claim that IPv6 is just longer addresses, that is not so. There are quite a lot of other reasons to use IPv6 that are not so obvious the first time you configure and start using it.

Privacy extensions are client-side stuff, so they can be easily disabled. But even when they’re enabled, there’s always the main address (with the lower 64 bits based on the MAC address) and it stays the same. You can tell your SSH client to bind the outgoing connection to this address (-b option) and it should not break. Not exactly user friendly, but it should be easy to write some small wrapper script for the ssh client to use the right address automatically. Or maybe there’s already some better solution; I didn’t look too hard.

Unfortunately, with the amount of SSH sessions that I usually have active at any one time (around 30+), having them disconnect every thirty or so minutes is just extremely painful, as every server has a unique password and 2FA login credentials.

I was spending more time connecting to the servers than actually working, hence this “temp” solution I worked out is a suitable workaround for now.

Yes, I understand in the long run it would be better to just get on and live with the differences, and I agree there is much more to IPv6 than just a longer address, but when the new features start affecting your work in a negative way, something has to be done about it.

Thank you very much Sob for your reply. I must admit I never noticed that extra “static type” address. I am just about to revert my changes (forced SSH on IPv4) and replace them with the ssh -b option, which would be a far better solution in the long run. It also fixes those IPv6-only hosts which I have to manage too, as right now I was adding in a static entry to allow the connection to stay on IPv6.

This is a much cleaner and more elegant solution, thank you once again.

Will let you know if it resolves my issues, but I’m sure it will.

Thanks again.

p.s. I use RoyalTS for Mac and it accepts additional ssh options

Update

Confirmed, it works, so many thanks. I’m now connecting using the “static” IPv6 address. FYI, I’ve updated the ~/.ssh/config file with BindAddress IPv6_ADDR_HERE, as RoyalTS honours settings from here as well. This makes it really easy to update the IP address when the network changes (i.e. move to another building). I will knock up a script later to pull the current address and update the file on the fly. Thanks again.
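Sob suggested a small wrapper that picks the stable (non-temporary) address automatically, and the poster planned to script the ~/.ssh/config update. The script below is an added example of exactly that, written for this page; it is not code from the thread, from the poster or from MikroTik. It assumes a Linux host with iproute2, parses the output of `ip -6 addr` (the sample output embedded here is constructed, using documentation-prefix addresses), skips every address flagged "temporary", and rewrites the BindAddress line in an ssh config file. The interface name eth0 and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pick the stable global IPv6 address from
# `ip -6 addr` output and write it into the BindAddress line of an ssh config.

# Constructed sample of `ip -6 addr show dev eth0` output (documentation prefix,
# not real addresses). Temporary (privacy-extension) addresses are listed first,
# as iproute2 usually prints them, so the filter has to skip past them.
SAMPLE_IP6_OUTPUT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1::9d1c:2ab4:8e77:f1e0/64 scope global temporary dynamic
       valid_lft 86384sec preferred_lft 14384sec
    inet6 2001:db8:1::3f2e:77ba:1c09:aa45/64 scope global temporary deprecated dynamic
       valid_lft 80000sec preferred_lft 0sec
    inet6 2001:db8:1::a1b2:c3ff:fed4:e5f6/64 scope global mngtmpaddr dynamic
       valid_lft 371987sec preferred_lft 604800sec
    inet6 fe80::a1b2:c3ff:fed4:e5f6/64 scope link
       valid_lft forever preferred_lft forever'

# stable_ipv6: read `ip -6 addr` output on stdin and print the first global-scope
# address that is not flagged "temporary". Link-local and privacy addresses are
# skipped; prints nothing if no stable global address exists.
stable_ipv6() {
    awk '$1 == "inet6" && $3 == "scope" && $4 == "global" {
        temp = 0
        for (i = 5; i <= NF; i++) if ($i == "temporary") temp = 1
        if (!temp) { split($2, a, "/"); print a[1]; exit }
    }'
}

# update_bind_address FILE ADDR: replace every BindAddress line in FILE with ADDR,
# or append a "Host *" fallback block carrying it if the file has none.
# The result goes to a temp file first and is then moved into place, so an
# interrupted run cannot leave a half-written ssh config behind.
update_bind_address() {
    cfg="$1"; addr="$2"; tmp="$cfg.tmp.$$"
    [ -f "$cfg" ] || : > "$cfg"
    awk -v addr="$addr" '
        tolower($1) == "bindaddress" { print "    BindAddress " addr; seen = 1; next }
        { print }
        END { if (!seen) { print "Host *"; print "    BindAddress " addr } }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# refresh_ssh_bind [IFACE] [CONFIG]: the live version, which queries the kernel
# and updates the real config. Refuses to touch the file if no stable address
# was found (for example when the interface has no global prefix yet).
refresh_ssh_bind() {
    iface="${1:-eth0}"; cfg="${2:-$HOME/.ssh/config}"
    addr=$(ip -6 addr show dev "$iface" | stable_ipv6)
    if [ -z "$addr" ]; then
        echo "no stable global IPv6 address on $iface" >&2
        return 1
    fi
    update_bind_address "$cfg" "$addr"
    echo "BindAddress set to $addr in $cfg"
}
```

Run `refresh_ssh_bind eth0` (or put it in a network-up hook) whenever the prefix changes; after that every client that honours ~/.ssh/config, RoyalTS included, binds to the stable address and the session survives the next privacy-address rotation. Binding to the stable address only affects which source address your own connections use; the privacy extensions stay enabled for everything else.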