Unable to ping client PCs on IPv6 through TunnelBroker

RouterOS Beginner Basics
1

Hello guys,

I have configured my RB951Ui-2nD to have a working HE.NET tunnelbroker. I am able to ping the outside IPv6 world from connected clients and Mikrotik allocates single IPv6s to them from the default /64 (I couldn’t figure out changing the commands to allocate /64s from the /48 which HE provide, so it’s sitting unused but I’ll bang my head with that at some later date).

Questions is: How to enable inbound ping to the public single IPv6 addresses which clients receive from /64 on the Mikrotik? Probably something in IPv6 firewall, but I don’t know. I have all default configuration.

I’m failing the ICMP test on ipv6-test.com and would like to get 20/20 just to brag to my ISP about how cool IPv6 is.

2

The default IPv6 firewall configuration (at least, in its current iteration) allows all ICMPv6 basically. You should find “accept” rules in both the input and forward chain for icmpv6. If you do not have those rules, you can create them.

3

I do have them. Yet I cannot ping the clients over IPv6.

4

Check also clients, they can have firewall too. For example Windows block ping by default, except from local subnets.

5

C:\WINDOWS\system32>netsh advfirewall show allprofiles state

Domain Profile Settings:

State OFF

Private Profile Settings:

State OFF

Public Profile Settings:

State OFF
Ok.

Now I am able to ping the PC from outside, but the website still gives me 17/20 with ICMP blocked. Is there anything else I should allow in any firewall?

6

While you can see your router’s config and what exactly the test complains about, other people in this forum can’t, so … (that was a hint).

7

Hi,
My apologies for the late reply.

I am sorry - I didn’t get your hint. Which part of the router config should I post and how to print it out? Supout.rif file?

The test complains about the following:

“Your router or firewall is filtering ICMPv6 messages sent to your computer. An IPv6 host that cannot receive ICMP messages may encounter problems like some web pages loading partially or not at all.”

However, the host is perfectly pingable from outside server over IPv6. This only bugs me, because this is the website mentioned on “Mikrotik Wiki” - https://wiki.mikrotik.com/wiki/Manual:Hurricane_Electric_Tunnel_Broker_Example_for_Home and I am just curious what I may have missed to fail this part.


Side question: How to tell the router to assign a static pre-defined IPv6 to each client?

Please forgive me for the dumb questions. I really didn’t want to offend you or anyone else. :frowning:

8

I don’t think you have dumb questions. And even if you did, it wouldn’t be big deal, especially in Beginners Basics forum.

Relevant part of config in this case would be “/ipv6 firewall”. But if ping works from another server, it’s probably ok. You can try to post it anyway. Use export command in terminal to get it (e.g. /ipv6 firewall export file=myipv6firewall).

You can also use packet sniffer to see what exactly is going on. Either on client device, or Tools->Packet sniffer on router. It would allow you to see what the remote server is sending, if client gets it, what it sends back in response, etc.

Router doesn’t assign IPv6 addresses, it’s different from IPv4. What you use now (because RouterOS currently doesn’t support anything else) is autoconfiguration (SLAAC). Router just announces available subnet and clients select addresses themselves. Originally they were derived from interface’s MAC address, so they stayed the same. But since that would allow tracking between different networks, they invented so-called Privacy Extensions, and in the end addresses are pretty much random, and on top of that changing all the time, because clients use multiple short-lived temporary addresses. It can be influenced by client config. There’s also DHCPv6, which may be a little more controllable, but even that doesn’t prevent clients from getting different temporary addresses. And RouterOS currently doesn’t support it for addresses, only DHCPv6-PD for prefixes.

9

Here’s an export of the firewall. I will have a look at the sniffer.

# aug/27/2020 17:45:34 by RouterOS 6.46.4
# software id = JXNP-9UWT
#
# model = RB951Ui-2nD
# serial number = BLURRED-OUT
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "Disable IPv6 Firewall - Forward Chain (CUSTOM-RADI)" disabled=yes
add action=accept chain=input comment=\
    "Disable IPv6 Firewall - Input Chain (CUSTOM-RADI)" disabled=yes
add action=accept chain=output comment=\
    "Disable IPv6 Firewall - Output Chain (CUSTOM-RADI)" disabled=yes

In regards to the other question, all I need to do in that case is configure static IPv6 on each device and I should be good to go then?