mfrey
newbie
Topic Author
Posts: 36
Joined: Wed Jan 06, 2021 12:31 am

IPv6 response connection state new,invalid

Mon Sep 20, 2021 11:09 am

My hap ac3 (7.1rc3) receives an IPv6 prefix from the ISP router using DHCPv6 and advertises a /64 prefix to multiple interfaces. IPv6 forwarding is enabled.

I now have the issue that firewalling using connection state is not working, because response traffic from WAN (ISP router) always has state new,invalid instead of established. With firewall log enabled I can see the outgoing traffic and the response traffic with matching interfaces and addresses.

I feel like I'm missing some detail, maybe one of you has an idea what causes this behaviour.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPv6 response connection state new,invalid

Mon Sep 20, 2021 11:16 am

It's hard to understand what's going on without you providing some more detailed information, such as relevant pieces of configuration (/interface - both configuration and running values - and /ipv6 subtrees) and contents of log (to see what exactly is logged).
 
mfrey
newbie
Topic Author
Posts: 36
Joined: Wed Jan 06, 2021 12:31 am

Re: IPv6 response connection state new,invalid

Mon Sep 20, 2021 11:41 am

Here is a modified excerpt from the configuration:
/interface bridge
add ingress-filtering=no name=bridgeLocal vlan-filtering=yes

/interface bridge port
add bridge=bridgeLocal interface=ether3
add bridge=bridgeLocal interface=ether4
add bridge=bridgeLocal interface=ether5
add bridge=bridgeLocal interface=ether2
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=1000

/interface bridge vlan
add bridge=bridgeLocal comment="VLAN Lab" tagged=ether2,ether3,ether4,ether5,bridgeLocal vlan-ids=10
add bridge=bridgeLocal comment="VLAN Office" tagged=ether2,ether3,ether4,ether5,bridgeLocal vlan-ids=20
add bridge=bridgeLocal comment="VLAN Internet" tagged=bridgeLocal untagged=ether1 vlan-ids=1000

/interface vlan
add interface=bridgeLocal name=office vlan-id=20
add interface=bridgeLocal name=lab vlan-id=10
add interface=bridgeLocal name=wan vlan-id=1000

/interface list
add comment="Interfaces with Internet Access, also includes VPNs" name=wan-access
add name=discovery
add comment="Placeholder for main internet connection" name=wan-main
add name=hotspot
add comment="Prohibit all IPv6 via Firewall" include=hotspot name=prohibit-ipv6

/interface list member
add interface=wan list=wan-access
add interface=bridgeLocal list=discovery
add interface=wan list=wan-main

/ipv6 address
add eui-64=yes from-pool=ipv6-prefix interface=lab
add eui-64=yes from-pool=ipv6-prefix interface=office

/ipv6 dhcp-client
add add-default-route=yes interface=wan pool-name=ipv6-prefix prefix-hint=::/60 request=address,prefix use-peer-dns=no

/ipv6 firewall filter
add action=drop chain=input comment="Input Drop all IPv6 traffic from prohibited interfaces" in-interface-list=prohibit-ipv6 log-prefix=prohibit_ipv6
add action=drop chain=forward comment="Forward Drop all IPv6 traffic from prohibited interfaces" in-interface-list=prohibit-ipv6 log-prefix=prohibit_ipv6
add action=drop chain=output comment="Output Drop all IPv6 traffic to prohibited interfaces" log=yes log-prefix=prohibit_ipv6 out-interface-list=prohibit-ipv6
add action=accept chain=output comment="Output Accept All" log-prefix=ipv6
add action=accept chain=input comment="Input Accept established and related" connection-state=established,related
add action=accept chain=input comment="Input Accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="Input Accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="Input Accept DHCPv6-Client prefix delegation" dst-port=546 protocol=udp src-address=fe80::/16
add action=drop chain=input comment="Input: Drop all other traffic" log=yes log-prefix=ipv6
add action=accept chain=forward comment="Forward Accept requested traffic from WAN" connection-state=established,related in-interface-list=wan-main
add action=accept chain=forward comment="Forward: Accept ICMPv6 except WAN" in-interface-list=!wan-access protocol=icmpv6
add action=accept chain=forward comment="Forward Accept All Local Traffic To WAN" in-interface-list=!wan-access log=yes log-prefix=ipv6 out-interface-list=wan-main
add action=drop chain=forward comment="Forward Drop Invalid" connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=drop chain=forward comment="Forward Drop all other traffic" log=yes log-prefix=ipv6

/ipv6 firewall mangle
add action=mark-connection chain=postrouting comment="Mark new outgoing connections as wan-connection" connection-state=new new-connection-mark=wan-connection out-interface-list=wan-main passthrough=yes
add action=mark-connection chain=prerouting comment="Mark new incoming connection as wan-connection" connection-state=new in-interface-list=wan-main new-connection-mark=wan-connection passthrough=yes
add action=mark-packet chain=postrouting comment="Mark outgoing packets as wan-upload" connection-mark=wan-connection new-packet-mark=wan-upload out-interface-list=wan-main passthrough=yes
add action=mark-packet chain=prerouting comment="Mark incoming packets as wan-download" connection-mark=wan-connection in-interface-list=wan-main new-packet-mark=wan-download passthrough=yes
/ipv6 settings
set accept-redirects=no
The prefix is received from the wan VLAN and distributed to the lab and office VLANs.

Here is a firewall log output generated by calling curl -6 http://google.com on a host in lab:
ipv6 forward: in:lab out:wan, src-mac 04:xx:xx:xx:xx:xx, proto TCP (SYN), [2a02:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]:46468->[2a00:xxxx:xxxx:xxxx::xxxx]:80, len 40
ipv6,invalid forward: in:wan out:lab, src-mac 5c:xx:xx:xx:xx:xx, proto TCP (SYN,ACK), [2a00:xxxx:xxxx:xxxx::xxxx]:80->[2a02:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]:46468, len 40
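As an added example (not from the thread or from RouterOS itself), a small Python checker for the symptom described above: it parses firewall log lines in the format shown, remembers flows that left through the WAN interface, and reports any reply from WAN that got logged at all, because a reply that conntrack had classified as established would have been silently accepted by the established,related rule. The sample lines are constructed (2001:db8 documentation addresses); the interface name "wan" and the assumption that only the drop/accept-all rules log are taken from the configuration posted above.

```python
import re

# Shape of a RouterOS /ipv6 firewall log line as pasted in the thread; ICMP lines
# carry "(type N, code M)" and unbracketed addresses with no ports.
LOG_RE = re.compile(
    r"^(?P<prefix>\S+) (?P<chain>\w+): in:(?P<iface_in>\S+) out:(?P<iface_out>[^,\s]+), "
    r"src-mac [0-9a-fA-Fx:]+, proto (?P<proto>\w+)(?: \((?P<detail>[^)]*)\))?, "
    r"\[?(?P<src>[0-9a-fA-Fx:]+)\]?(?::(?P<sport>\d+))?->"
    r"\[?(?P<dst>[0-9a-fA-Fx:]+)\]?(?::(?P<dport>\d+))?, len (?P<len>\d+)$"
)

def parse(line):
    """Return the fields of one log line as a dict, or None if it is not a firewall line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def untracked_replies(lines, wan="wan"):
    """Report replies arriving on `wan` for flows earlier seen leaving via `wan`.
    Assumes the established,related accept rule does not log (as in the thread's configs),
    so a logged reply to a known outbound flow means conntrack did not match it."""
    outbound = set()
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["chain"] != "forward":
            continue
        key = (rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["iface_out"] == wan:
            outbound.add(key)                      # LAN -> WAN: remember the 5-tuple
        elif rec["iface_in"] == wan:
            reverse = (rec["proto"], rec["dst"], rec["dport"], rec["src"], rec["sport"])
            if reverse in outbound:                # WAN -> LAN reply that should be established
                findings.append({"prefix": rec["prefix"], "proto": rec["proto"],
                                 "detail": rec["detail"], "remote": rec["src"]})
    return findings

# Constructed sample: the thread's SYN / SYN,ACK pair, a DNS query with no logged
# reply, and an unsolicited inbound SYN (genuinely new, must not be reported).
SAMPLE_LOG = """\
ipv6 forward: in:lab out:wan, src-mac 04:00:00:00:00:01, proto TCP (SYN), [2001:db8:1::10]:46468->[2001:db8:ffff::80]:80, len 40
ipv6,invalid forward: in:wan out:lab, src-mac 5c:00:00:00:00:02, proto TCP (SYN,ACK), [2001:db8:ffff::80]:80->[2001:db8:1::10]:46468, len 40
ipv6 forward: in:lab out:wan, src-mac 04:00:00:00:00:01, proto UDP, [2001:db8:1::10]:5353->[2001:db8:ffff::53]:53, len 60
ipv6 forward: in:wan out:lab, src-mac 5c:00:00:00:00:02, proto TCP (SYN), [2001:db8:ffff::99]:40000->[2001:db8:1::10]:22, len 40
"""

if __name__ == "__main__":
    for f in untracked_replies(SAMPLE_LOG.splitlines()):
        print(f"untracked reply from {f['remote']} ({f['proto']} {f['detail']}) logged as {f['prefix']}")
```

Feed it `/log print` output filtered to the firewall topic; every line it reports is a response the router saw but did not associate with its outbound flow.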
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPv6 response connection state new,invalid

Mon Sep 20, 2021 12:09 pm

Your IPv6 firewall config is IMO a mess. Not sure what you want to do with all of those mangle rules. But they might interfere with connection tracking machinery state ... if you can, disable all of them to check if your (simplified) setup still doesn't work right.

BTW, does your ISP require your WAN interface to have a routable IPv6 address? Often that's not the case, a link-local address is enough. The prefix-hint property is for expressing your wish; it doesn't make the ISP's DHCPv6 server obey it. So it's possible you can remove it as well (and you'll get the same prefix length regardless). Which means you could change the DHCPv6 client setup to
add add-default-route=yes interface=wan pool-name=ipv6-prefix request=prefix use-peer-dns=no
 
mfrey
newbie
Topic Author
Posts: 36
Joined: Wed Jan 06, 2021 12:31 am

Re: IPv6 response connection state new,invalid

Mon Sep 20, 2021 12:18 pm

Thank you for your answer.

The ISP router gets a /56 prefix from the ISP and gladly obeys the prefix wish as long as it's possible.

The mangle rules are for queue tree. I really haven't found a better way to mark the packets for queuing.
But you are right, disabling the mangle rules fixes the issue. As does disabling the queue tree, with the mangle rules still active. Now I'm even more confused.

My queue config looks like this:
/queue type
add cake-bandwidth=10.0Mbps kind=cake name=cake-upload
add cake-bandwidth=70.0Mbps kind=cake name=cake-download
add kind=pcq name=pcq-download pcq-classifier=dst-address pcq-limit=8KiB pcq-rate=70M pcq-total-limit=320KiB
/queue tree
add name=upload packet-mark=wan-upload parent=global queue=cake-upload
add name=download packet-mark=wan-download parent=global queue=cake-download
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPv6 response connection state new,invalid

Mon Sep 20, 2021 12:38 pm

I've no idea about queues, so perhaps somebody else will chime in.
 
mfrey
newbie
Topic Author
Posts: 36
Joined: Wed Jan 06, 2021 12:31 am

Re: IPv6 response connection state new,invalid

Mon Sep 20, 2021 2:14 pm

This issue also arises when I disable the mangle rules and the queue tree and use simple queue instead, which leads me to believe that this might be a bug.

Can anyone else confirm this?
 
Rfulton
Frequent Visitor
Posts: 99
Joined: Tue Aug 08, 2017 2:17 am

Re: IPv6 response connection state new,invalid

Mon Sep 20, 2021 4:07 pm

I've reported IPv6 connection tracking being broken with queues for a long time now.

They repeatedly told me they can't recreate the issue, buy a TP-Link instead.
 
pazuwu
just joined
Posts: 17
Joined: Sat Feb 29, 2020 12:33 am

Re: IPv6 response connection state new,invalid

Sun Jan 09, 2022 6:04 pm

I'm also having a similar issue. Maybe I'm doing something wrong, I'm a noob when it comes to IPv6.
I have a hap ac3, running 7.1.1, connection to ISP via PPPoE; a DHCPv6 client running on the pppoe interface gets a /56 prefix assigned. I've got multiple vlans in my LAN which work properly with IPv4. I assigned an IPv6 address from the address pool received from the ISP to the `vlan-wifi-ap` interface and configured a DHCPv6 server for my wireless clients. They get an IPv6 address and all is ok. Until I add a forwarding rule in the firewall which is supposed to drop invalid packets (connection-state=invalid), but it seems it thinks a lot of traffic is invalid!

Working IPv6 config, ping from my wifi station to google works:
# jan/09/2022 17:27:51 by RouterOS 7.1.1
# software id = TANH-DJAS
#
# model = RBD53iG-5HacD2HnD
# serial number = D96xxxxxxx
/ipv6 dhcp-server
add address-pool=rds-ipv6 interface=vlan-wifi-ap lease-time=1h name=server-wifi
/ipv6 address
add from-pool=rds-ipv6 interface=vlan-wifi-ap
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-rds pool-name=rds-ipv6 rapid-commit=no request=address,prefix
/ipv6 firewall filter
add action=accept chain=input comment="Accept related/established/untracked packets" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid packets" connection-state=invalid log=yes log-prefix="(D/invalid)"
add action=accept chain=input comment="allow DHCPv6 client" dst-port=546,547 protocol=udp
add action=accept chain=input
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid disabled=yes log=yes log-prefix="(D/fw_inval)"    <---- THIS CAUSES TROUBLE AND IS DISABLED HERE
add action=accept chain=forward
/ipv6 nd
set [ find default=yes ] advertise-dns=no
add interface=vlan-lan
add interface=vlan-mgmt
add interface=vlan-wifi-ap
/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes max-neighbor-entries=8192
The firewall was more complex, but I've trimmed most rules to reproduce the issue.

And with the rule enabled:
# jan/09/2022 17:26:29 by RouterOS 7.1.1
# software id = TANH-DJAS
#
# model = RBD53iG-5HacD2HnD
# serial number = D96C0C077B23
/ipv6 dhcp-server
add address-pool=rds-ipv6 interface=vlan-wifi-ap lease-time=1h name=server-wifi
/ipv6 address
add from-pool=rds-ipv6 interface=vlan-wifi-ap
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-rds pool-name=rds-ipv6 rapid-commit=no request=address,prefix
/ipv6 firewall filter
add action=accept chain=input comment="Accept related/established/untracked packets" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid packets" connection-state=invalid log=yes log-prefix="(D/invalid)"
add action=accept chain=input comment="allow DHCPv6 client" dst-port=546,547 protocol=udp
add action=accept chain=input
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix="(D/fw_inval)"
add action=accept chain=forward
/ipv6 nd
set [ find default=yes ] advertise-dns=no
add interface=vlan-lan
add interface=vlan-mgmt
add interface=vlan-wifi-ap
/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes max-neighbor-entries=8192
In this case, this happens:
(D/fw_inval) forward: in:pppoe-rds out:vlan-wifi-ap, src-mac 40:a6:b7:xx:xx:xx, proto ICMP (type 129, code 0), 2001:4860:4860::8844->2a02:2f00:3214:f600:xxxx:xxxx:xxxx:xxxx, len 40
Is this a bug or am I doing something wrong?
 
slackR
Frequent Visitor
Posts: 54
Joined: Sat May 23, 2009 1:46 pm
Location: Buffalo, New York, USA

Re: IPv6 response connection state new,invalid

Tue Jan 11, 2022 3:26 am

I experienced problems with IPv6 and connection tracking when using VLAN sub interfaces. When I removed the subinterface and placed the IPv6 address directly on ether3 connection tracking worked as expected.

Are you using any special interfaces like VLANs or EoIP?
 
pazuwu
just joined
Posts: 17
Joined: Sat Feb 29, 2020 12:33 am

Re: IPv6 response connection state new,invalid

Mon Jan 17, 2022 2:30 pm

> I experienced problems with IPv6 and connection tracking when using VLAN sub interfaces. When I removed the subinterface and placed the IPv6 address directly on ether3 connection tracking worked as expected.
>
> Are you using any special interfaces like VLANs or EoIP?

Yes, I have multiple vlan interfaces defined over a bridge.
 
yozik04
just joined
Posts: 4
Joined: Sat Sep 11, 2021 3:13 pm

Re: IPv6 response connection state new,invalid

Tue Feb 01, 2022 3:03 pm

I can confirm that IPv6 Connection State tracking stops working as soon as I enable Simple Queues. It does not matter if Mangle rules are enabled or not.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPv6 response connection state new,invalid

Tue Feb 01, 2022 3:16 pm

It is a known bug in RouterOS v7. You need to downgrade e.g. to 6.49.2 to solve it for now.
 
ErnyTech
just joined
Posts: 4
Joined: Tue Jan 11, 2022 3:14 pm

Re: IPv6 response connection state new,invalid

Tue Feb 01, 2022 5:04 pm

We have reported it several times but the support continues not to take charge of the problem.
I don't know what we should do to get MikroTik support interested in the issue.
 
yozik04
just joined
Posts: 4
Joined: Sat Sep 11, 2021 3:13 pm

Re: IPv6 response connection state new,invalid

Tue Feb 01, 2022 6:11 pm

I have submitted another bug report to them. Will see...
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPv6 response connection state new,invalid

Tue Feb 01, 2022 7:09 pm

"nobody ever asks for IPv6"
 
Bloof
just joined
Posts: 1
Joined: Sat Feb 05, 2022 10:37 pm

Re: IPv6 response connection state new,invalid

Sun Feb 06, 2022 11:36 am

Can confirm that an enabled queue (fq_codel) on an interface with an IPv6 address breaks the connection tracker completely.
ROS 7.1.1 (stable), hAP ac^2
