I always used the HE tunnel to get IPv6 working in home. But now, since I’ve changed my ISP for one that only gives me a option to connect with my modem in routed mode, I am having problems to connect.
Just a note: My tunnel is configured with an internal address because it is the address assigned to wan interface of my Mikrotik. That is the only way the interface gets the status running.
The problem is that I can’t even ping the HE router on the other side of tunnel.
Your IPv4 endpoint address must be reachable via ICMP ECHO_REQUEST (Internet Control Message Protocol).
If you are using a NAT (Network Address Translation) appliance, please make sure it allows and forwards IP protocol 41.
What is IP Protocol 41?
IP Protocol 41 is one of the Internet Protocol numbers. Within the IPv4 header, the IPv4 Protocol field is set to 41 to indicate an encapsulated IPv6 packet.
So make sure your ISP’s router answers pings on its public IP.
I’d recommend having them put it in bridge mode and letting you run dhcp-client / pppoe-client on your router directly.
(EDIT - whoops, I just remembered that you already said they won’t do that - that sucks. Do they offer native IPv6, though?)
I have 2 rules on my firewal allowing the 41 protocol as below. The problem with my ISP is that they’ve changed the modus operandi in the last year, providing the new clients access to the internet through CGNAT (but with native IPv6). So I’m afraid of requesting IPv6 and end with CGNAT.
At least untill now, I prefer to have a valid IPv4 on my modem as having IPv6 with CGNAT.
Well, that makes sense about the CGNat - sort of - because in a sense, you’re already in that boat. You have to put a private IP on your Mikrotik right now - so what’s the difference if the box-you-cannot-control happens to be a SOHO router in your own home or else a big-iron router in a data center somewhere?
I’ve never been behind a CGNat so I’m not sure what the reality of that life is like - I can see the public IP changing randomly all the time on a per-connection basis, and that would be daunting to deal with if you wanted to have NAT pinholes for things…
That is the thing. I have some services at home that I can easily nat with an IPv4 valid address assigned. With CGNAT, I’ll have a 100.64.x.x address, not routeable in the internet.
It just dawned on me that I forgot to address this in your earlier reply.
First of all, the notes on HE’s page specify that you have to be pingable, too. (there’s no allow icmp in your sample code)
However - the “allow ping” and “allow protocol 41” criteria apply to the ISP router with the public IP address on it - not your Mikrotik.
You could allow anything you want in the Mikrotik, but if the router in front of it drops the packets, then you’re never going to get the chance to allow them, yaknow?
Can you ping your public IP from somewhere out in the world? Does your ISP modem allow IP protocol 41? I was dealing with an Adtran router one time where I was frustrated to find that it would simply not forward a packet whose protocol number it didn’t understand, even if I went into the policy-map and specified the protocol as allowed, even if I specified the protocol number…
I configured my ISP modem with DMZ option, so it is forwarding anything that comes from internet to my Mikrotik. And yes, I am pingable from internet and my NAT’s are working pretty well.
Even though, I’ll take a look about the 41 protocol on my modem, and see if that can be some incompatible problem.
Does anybody know if the tunneling protocol validates the local and remote address in both endpoints?
If so, this is the problem, because for HE, my address is the valid IPv4 address, but for my mikrotik is the Lan address, because my modem is in router mode.
Well, I went reading a little more on the subject and found this blog entry:
This all makes sense, and I’m sure you know the difference between port 41 and protocol 41… but I’m wondering if the nat router isn’t being dumb. It might be only forwarding */tcp, */udp, and */icmp to the “dmz host” - this is not quite the same thing as forwarding IP->dmz-host which is what would be necessary.
If you have another site where you can set up a Mikrotik, try setting up a sit0 interface that points to your public IP and then do a sniff on your home router to see if you see any packets coming in or not. If no packets, then chances are good that the router is only doing PAT and not NAT - i.e. layer4 protocols but not 1:1 at the IP layer.
Thanks to ZeroByte, who configured a tunnel for me for debugging the packets arriving.
The think is thaat packets are arriving, at least for now, correctly. The only thing I can think if about the problem being the different local and remote addresses. May the tunnelbroker validates it?
Well, the only thing left to do is sniff the packets from Tunnelbroker, capture them to a file on the Mikrotik, and open the capture file in Wireshark.
Perhaps you can poke around in that.
As far as I can tell, you should put 192.168.100.2 as the local IP of your tunnel, and it should work.
If you want, you can build the other end of my test tunnel on your router and we can see if it comes live or not.
I’m not routing any prefixes over it or anything, and I have firewall rules in place so you can’t go into my LAN through the tunnel or anything, but at least you should be able to ping the link-local address of my end of the tunnel. (check IPv6 neighbors to see it)
Edit
My local address if configured as 192.168.100.2 since the beggining. Actually, only doint this the interface gets the status running. Perhaps it is a validation of Mikrotik to check if the configured local-address field contains any local interface address. It makes some sense, but is a personal though. When I had a pppoe connection, I could put the valid IP address and it worked pretty well.
I’ve tested as your suggestion and it didn’t get your link-local address on my neighbors. Maybe some ND configuration missing in my router?
Also torched the interface looking for HE address and didn’t get any packet comming from them. BTW I don’t know the keepalive configured on their side, but I think it would be minor than a minute, which is the time I’ve spend looking for it.
Your keepalive setting shouldn’t break the tunnel even if it doesn’t match the value (if any) set on HE’s end, because it’s like a ping. Your side pings their side, and if you get replies then it stays up, as far as your router is concerned. PPP is this way - one side can do “no keepalive” and the other side can do “keepalive 15 seconds” and this will work. It’s not like OSPF where both sides have to agree on the hello interval and so forth.
I went ahead and added a /64 address of 2001:db8:1:1::10/64 to my side - feel free to static-assign anything else from that /64 for your end - just in case it wants an address to work (but I don’t think this is necessary)
Okay - I disabled keepalives on my end, and I now have a ping running to 2001:db8:1:1::1 from 2001:db8:1:1::10
The packets look like this:
Untitledxxx.png
Make this the first rule in the IPv4 filter chain:
/ip firewall filter add chain=input src-addr=x.x.x.95 (my public IP)
Make this the first rule in the IPv6 filter chain:
/ipv6 firewall filter add chain=input in-interface=sit1 (or whatever interface is your tunnel interface)
I assume that you have no output filters - but if you do, whitelist my IP and the sit1 interface there as well.
