[SOLVED] IPv6 pings work, webpage won't load

Hi, I have a Mikrotik RB751U-2HnD running the latest firmware, connected to a fiber ONT in bridge mode. My ISP has good support for IPv6, and when using the ONT directly in router mode clients have IPv6 connectivity out of the box.

With the ONT in bridge mode and the Mikrotik obtaining the IPv6 prefix, I can ping IPv6 addresses from the router’s ping tool, but clients do not have IPv6 connectivity. I tried with multiple Linux and Windows clients as well as Android, and none of them work. Are there any obvious errors here with my configuration?
[screenshots attached: 1.png, 4.png, 3.png, 2.png]
Thanks in advance.

Other than “Accept Router Advertisements” needing to be set to “no” or to “yes, if forwarding disabled”, everything else looks fine.

Thanks for the reply. I tried changing that, and it doesn’t seem to make any difference.

Does the ip a from a Linux client help at all?

3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 6x:xx:xx:xx:xx:x0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.30/24 brd 192.168.1.255 scope global dynamic noprefixroute wlan0
       valid_lft 527sec preferred_lft 527sec
    inet6 fxxx::xxxx:xxxx:xxxx:xxxb/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Just to clarify: do clients get the addresses but still they have no connectivity, or they don’t get any addresses at all?

Yes, the clients do get an IPv6 address.

I made some significant progress with neighbor discovery:
[screenshot attached: 5.png]
Now clients can ping IPv6 addresses, resolve most domains to their IPv6 address by default, and access most websites. But there is a really weird issue where I cannot browse most or all of the IPv6-capable websites that I have been testing with, such as http://ipv6-test.com and this forum. They hang at the TLS handshake stage. There’s also another website that I know supports IPv6 and does NOT have SSL enabled that also fails to load via IPv6, although I can ping it. But if I visit a random website that I do NOT normally visit that supports IPv6, it DOES load. This behavior is the same across all browsers and clients, which I have tried restarting several times; I even tried starting with fresh browser profiles to eliminate the possibility of cache problems, as well as restarting the Mikrotik and the ONT.

Try adding some static IPv6 DNS servers to /ip dns (for example the ones from Google: 2001:4860:4860::8888 and 2001:4860:4860::8844) and check “Advertise DNS”.

Hmm, I tried that, but unfortunately it’s still very erratic.

It sounds like it might be an MTU-related issue. Are your clients allowing all ICMPv6 from everywhere? You should be able to ping the clients with IPv6 from anywhere on the Internet.

Hmm. Should I try setting MTU to something under IPv6 > ND?


I haven’t specifically blocked anything on the clients. I was wondering if the Mikrotik IPv6 firewall was causing the problem, although I haven’t done anything to it, they’re all defconf rules.

Generally there is no need to do this.


The default MikroTik IPv6 firewall allows ICMPv6 in the forward chain from all to all, so the MikroTik firewall would not block this. It may be blocked by default on a firewall on your devices. I have McAfee installed (it is a freebie that came with my Internet service) and by default it blocks ICMP on IPv6.

Maybe go to this site and see if it can ping your computer’s IPv6 address, if it can’t, then ICMPv6 is getting blocked. http://www.ipv6now.com.au/pingme.php

Thanks for the explanation. I don’t run any antivirus or device-level firewalls.
I’m a bit confused why I can ping out to domains over IPv6 but can’t load the site in the browser.

With IPv6, your computer and the website you are accessing both have to make the packet small enough for the entire path, routers in between cannot fragment the packet. If the website cannot successfully ping your computer, it will probably send a 1500 byte HTTP/IPv6 packet to you, which would be dropped because it cannot make it across your PPPoE with the overhead of 8 bytes.

Did you try going to that site and verifying that your device or computer responds to pings?
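To make the path-MTU argument above concrete, here is an added example (not from the thread or from MikroTik) that probes how large an unfragmentable IPv6 packet can reach a host. It binary-searches the ping payload with the don't-fragment flag set; on a PPPoE uplink with 8 bytes of overhead it should report 1492 rather than 1500. It assumes a Linux client with iputils ping (`-6` and `-M do` supported) and takes the target host as a command-line argument; the header sizes are the fixed 40-byte IPv6 header plus the 8-byte ICMPv6 echo header.

```shell
#!/bin/sh
# Added example: probe the IPv6 path MTU towards a host with don't-fragment pings.
# Assumes iputils ping on Linux (-6, -M do, -W); the target is passed as $1.

IPV6_HDR=40     # fixed IPv6 header length
ICMP6_HDR=8     # ICMPv6 echo request header length

# On-wire size of an echo request carrying a given ping payload (-s value).
pkt_size() { echo $(( $1 + IPV6_HDR + ICMP6_HDR )); }

# Largest -s payload that still fits in a given link MTU.
payload_for_mtu() { echo $(( $1 - IPV6_HDR - ICMP6_HDR )); }

# Succeeds only if a single unfragmentable echo with payload $2 is answered by $1.
# A "Packet too big" from a router on the path, or a silent drop, both fail here.
probe() {
  ping -6 -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# Binary-search the largest payload that gets through between two candidate MTUs
# and print the resulting path MTU. Usage: find_pmtu <host> [min_mtu] [max_mtu]
find_pmtu() {
  host=$1
  min_mtu=${2:-1280}                    # 1280 is the IPv6 minimum link MTU
  lo=$(payload_for_mtu "$min_mtu")
  hi=$(payload_for_mtu "${3:-1500}")
  if ! probe "$host" "$lo"; then
    echo "no reply even at $min_mtu bytes: ICMPv6 may be filtered or host down" >&2
    return 1
  fi
  while [ $((hi - lo)) -gt 1 ]; do
    mid=$(( (lo + hi) / 2 ))
    if probe "$host" "$mid"; then lo=$mid; else hi=$mid; fi
  done
  # The upper bound itself succeeds when the full maximum fits.
  if probe "$host" "$hi"; then lo=$hi; fi
  pkt_size "$lo"
}

# Example invocation (needs IPv6 connectivity): sh pmtu.sh 2001:4860:4860::8888
if [ -n "${1:-}" ]; then
  find_pmtu "$1"
fi
```

If the probe already fails at 1280 bytes, the problem is not MTU but ICMPv6 filtering somewhere on the path, which is the other case the reply above describes; if it reports 1492 while the client interface still believes 1500, oversized TCP segments from remote sites are being dropped silently and the TLS handshake hang is the expected symptom.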

Hmm, you might be onto something. The ipv6now.com.au website won’t load for me, although I can ping it. However https://www.ultratools.com/tools/ping6 was able to ping my device’s IPv6 address. So how would I go about changing the MTU?

If pings work in both directions then generally there should be no MTU issue because path MTU discovery should work, unless there is a misconfiguration somewhere. Can you share your PPPoE interface settings? Obscure the user/password.

I occasionally see issues with MTU negotiation between PPPoE client and server, where they have a different understanding of the MTU of the other and this results in silent drops for packets that are too big.

Sure, here you go:
[screenshot attached: 2.png]
And here’s the default profile:
[screenshot attached: 1.png]

Try setting Max MTU and Max MRU both to 1492, and check the status tab for the PPPoE interface to see what MTU and MRU is being negotiated.

Done, the status shows it at 1492.

And? Any change? Do those sites work now? Do you see any different behavior than before? etc.

If your ISP supports RFC4638 PPP-Max-Payload, then it is possible to increase both to 1500, and require no fragmentation.

Unfortunately I don’t see any difference.

If your ISP supports RFC4638 PPP-Max-Payload, then it is possible to increase both to 1500, and require no fragmentation. This would rule out MTU issues.

Otherwise, at this point you might need to do packet captures to try to figure out what is going on.

Do you maybe have another device on your LAN that is sending IPv6 router advertisements, and your computer is sometimes routing through that device instead of your main router?
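One quick way to check that last suggestion on a Linux client, as an added example that is not part of the thread: a second device sending router advertisements shows up as a second RA-learned default route. The script below parses the output format of `ip -6 route show default` (the live check assumes iproute2 is installed); the sample route lines are constructed, with made-up link-local addresses.

```shell
#!/bin/sh
# Added example: detect more than one IPv6 default gateway on a Linux client,
# which is what a second router-advertisement sender on the LAN produces.
# Input format is that of `ip -6 route show default`, one route per line.

# Print each distinct next-hop (and interface) of an RA-learned default route.
default_gateways() {
  printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3 " dev " $5 }' | sort -u
}

# Number of distinct default gateways in the given route listing.
count_default_gateways() {
  default_gateways "$1" | wc -l | tr -d ' '
}

# Constructed sample output (addresses made up): two routers advertising on wlan0.
SAMPLE_TWO='default via fe80::1 dev wlan0 proto ra metric 600 pref medium
default via fe80::2 dev wlan0 proto ra metric 1024 pref medium'
# Constructed sample with the expected single gateway.
SAMPLE_ONE='default via fe80::1 dev wlan0 proto ra metric 600 pref medium'

# Live check against this machine's own routing table; prints the gateway count
# and warns on stderr when there is more than one.
check_live() {
  routes=$(ip -6 route show default 2>/dev/null)
  n=$(count_default_gateways "$routes")
  if [ "$n" -gt 1 ]; then
    echo "WARNING: $n IPv6 default gateways present:" >&2
    default_gateways "$routes" >&2
  fi
  echo "$n"
}
```

Two different link-local next-hops on the same interface means two devices are answering router solicitations; the one with the lower metric wins most of the time, which matches the erratic "some sites load, some hang" pattern described earlier.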