jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

IPV6 Firewall

Tue Oct 06, 2020 5:03 pm

Hi guys, for various reasons I managed to lose the backup and config for my RB4011, and whilst I have managed to get it back up and running, I am having a couple of issues with the IPv6 firewall rules.

I looked at my previous posts on here and copied them, but for some reason, running the inline test, I cannot get ICMPv6 to work.

Here is my current config of the firewall:
/ipv6 firewall address-list
add address=::/128 comment=defconf:lo list=badipv6
add address=fec0::/10 comment=site-local list=badipv6
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::/4 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf:drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf:accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsecESP" protocol=\
    ipsec-esp
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment=\
    "defconf:accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf:drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop=limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="deeconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf:accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
Hopefully you guys might be able to spot something I have messed up (again!)

Cheers!
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 Firewall

Tue Oct 06, 2020 8:40 pm

I don't see anything breaking ICMPv6. But the very first rule makes all other chain=input rules useless, because it accepts everything. And the second-to-last rule allows incoming connections to the LAN, which you may or may not want, but if you do, then the last rule is useless.
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: IPV6 Firewall

Tue Oct 06, 2020 8:53 pm

Try enabling logging for the invalid rule. I've had some problems with lan-to-lan connections which were flagged invalid.
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Tue Oct 06, 2020 10:38 pm

I don't see anything breaking ICMPv6. But the very first rule makes all other chain=input rules useless, because it accepts everything. And the second-to-last rule allows incoming connections to the LAN, which you may or may not want, but if you do, then the last rule is useless.
Thanks.

Thing is, I lose IPv6 completely if I remove the first rule..?
add action=accept chain=input
Should there be another rule I need to add?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 Firewall

Tue Oct 06, 2020 10:51 pm

I missed a thing, you broke the default config. This rule:
/ipv6 firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=established,related,untracked
should have action=accept (and the comment is wrong too).
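Sob's two points in this thread, that a matcher-less `add action=accept chain=input` makes every later input rule unreachable and that the `action=drop` on the established/related/untracked rule is what kills IPv6 once that bare accept is gone, can be checked mechanically rather than by eye. What follows is an added example, not code from this thread or from MikroTik: a small Python first-match simulator. It parses a subset of the OP's export in the form RouterOS prints it, lists rules shadowed by a matcher-less rule in the same chain, and shows how a few constructed packets fare under the posted rules, after only the first rule is removed (the OP's first attempt), and after Sob's fix. The packet dicts, the `pkt()` helper and the function names are this example's own; only the four matchers the subset uses are modelled, and any other matcher raises instead of being silently ignored.

```python
"""First-match simulation of a RouterOS /ipv6 firewall filter export (added example,
not code from this thread or from MikroTik). It parses the `add action=... chain=...`
lines that `/ipv6 firewall export` prints, backslash continuations included, and walks
them in order like the real firewall: the first rule whose matchers all apply decides
the packet, and a packet that no rule matches is accepted."""
import re
import shlex

# Subset of the OP's export: a matcher-less accept heads both chains, and the
# input rule for established/related/untracked says action=drop instead of accept.
OP_EXPORT = r"""
/ipv6 firewall filter
add action=accept chain=input
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
"""

def parse_rules(text):
    """Rule dicts from export text, in the order the firewall walks them."""
    text = re.sub(r"\\\n\s*", "", text)  # undo RouterOS line continuations
    return [dict(tok.split("=", 1) for tok in shlex.split(line[4:]))
            for line in text.splitlines() if line.startswith("add ")]

MATCHERS = {  # rule key -> does the packet satisfy that matcher's value?
    "chain": lambda v, p: p["chain"] == v,
    "protocol": lambda v, p: p.get("protocol") == v,
    "connection-state": lambda v, p: p["state"] in v.split(","),
    "in-interface-list": lambda v, p: p["in_list"] != v[1:] if v.startswith("!") else p["in_list"] == v,
}

def matches(rule, pkt):
    """True when every matcher on the rule applies to the packet."""
    for key, value in rule.items():
        if key in ("action", "comment"):
            continue
        if key not in MATCHERS:  # a silently ignored matcher would fake a verdict
            raise ValueError("unsupported matcher: " + key)
        if not MATCHERS[key](value, pkt):
            return False
    return True

def evaluate(rules, pkt):
    """(action, rule index) of the first match; ('accept', None) when none matches."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["action"], i
    return "accept", None

def shadowed(rules):
    """Indices of rules an earlier matcher-less rule in the same chain makes unreachable."""
    blanket, out = set(), []
    for i, rule in enumerate(rules):
        if rule["chain"] in blanket:
            out.append(i)
        elif not set(rule) - {"action", "chain", "comment"}:
            blanket.add(rule["chain"])
    return out

def repaired(rules, fix_drop=True):
    """Delete the matcher-less accepts; with fix_drop also turn the mis-set drop of
    established/related/untracked back into accept (Sob's fix). fix_drop=False is
    the OP's first attempt: first rule removed, nothing else changed."""
    out = [dict(r) for r in rules if set(r) - {"action", "chain", "comment"}]
    for r in out:
        if fix_drop and r.get("connection-state") == "established,related,untracked":
            r["action"] = "accept"
    return out

def pkt(chain, **fields):
    """Constructed packet; the defaults describe a new flow arriving from the WAN."""
    return {"chain": chain, "state": "new", "in_list": "WAN", **fields}

ECHO_TO_ROUTER = pkt("input", protocol="icmpv6")
SSH_TO_ROUTER = pkt("input", protocol="tcp", dst_port=22)
DNS_REPLY = pkt("input", protocol="udp", state="established")  # answer to the router's own query
SSH_FROM_LAN = pkt("input", protocol="tcp", dst_port=22, in_list="LAN")
WEB_TO_LAN_HOST = pkt("forward", protocol="tcp", dst_port=443)

BROKEN = parse_rules(OP_EXPORT)
HALF_FIXED, FIXED = repaired(BROKEN, fix_drop=False), repaired(BROKEN)

if __name__ == "__main__":
    print("rules shadowed by the bare accepts:", shadowed(BROKEN))
    for name, p in [("echo", ECHO_TO_ROUTER), ("ssh", SSH_TO_ROUTER), ("dns reply", DNS_REPLY),
                    ("lan ssh", SSH_FROM_LAN), ("web to lan", WEB_TO_LAN_HOST)]:
        print("%-10s posted=%s  first-rule-removed=%s  fixed=%s" % (
            name, evaluate(BROKEN, p), evaluate(HALF_FIXED, p), evaluate(FIXED, p)))
```

Run it as a script for the verdict table. The `('accept', None)` verdict that SSH from the LAN side gets under the fixed rules is RouterOS's implicit accept for packets no rule matches, which is why the default config needs no explicit accept for LAN traffic to the router; the `('accept', 0)` that SSH from the WAN gets under the posted rules is the exposure Sob's first reply describes, and the `('drop', 0)` the DNS reply gets once only the first rule is removed is the "I lose IPv6 completely" symptom.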
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Wed Oct 07, 2020 12:11 am

I missed a thing, you broke the default config. This rule:
/ipv6 firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=established,related,untracked
should have action=accept (and the comment is wrong too).
Thanks,

Changed that and removed the first rule, but still no ICMP being passed.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 Firewall

Wed Oct 07, 2020 12:23 am

With the original config, the router accepted *all* traffic to itself; it didn't block anything at all. And forwarded traffic could be affected only by:
/ipv6 firewall filter
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
So you can try to temporarily disable this rule (or add logging to it, as previously suggested). If it still doesn't help, the next question is how exactly you test it.
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Wed Oct 07, 2020 12:42 am

With the original config, the router accepted *all* traffic to itself; it didn't block anything at all. And forwarded traffic could be affected only by:
/ipv6 firewall filter
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
So you can try to temporarily disable this rule (or add logging to it, as previously suggested). If it still doesn't help, the next question is how exactly you test it.
Ok, temporarily disabled and still no go.

I am using https://ipv6-test.com/ on a MacBook & W10 laptop with various browsers.

Oddly, I have just used this test on my iPhone (using Safari), and it seems to work ok!?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 Firewall

Wed Oct 07, 2020 12:51 am

Then also check the firewall on those devices. I don't know about Mac, but if the testing site sends an echo request (ping), then Windows blocks it by default.
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Wed Oct 07, 2020 8:59 am

Thanks.

Just checked those and all seems to be set up properly.

I tried another test site and got this, so I have no idea what's going on.

Image

Also, there don't seem to be any packets at all recorded across most of the rules...

Image
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Wed Oct 07, 2020 4:52 pm

Just tried comparing configs from last year and now, and it seems things have changed a bit, so I'm not sure if my current config is correct anyway?
set [ find default-name=ether1 ] comment=Internet
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1d name=defconf
/ipv6 dhcp-server
add address-pool=Pool1 interface=bridge name=server1
/ipv6 pool
add name=pool1 prefix=::/64 prefix-length=64
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
add address=159.xxx.xxx.xxx/30 interface=ether1 network=159.xxx.xxx.xxx
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=\
    1.1.1.1,2606:4700::1111,1.0.0.1,2606:4700::1001
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=159.xxx.xxx.xxx
/ipv6 address
add address=2a00:xxxx:yyyy:1::1 interface=bridge
add address=2a00:xxxx:yyyy::2 interface=ether1
/ipv6 firewall address-list
add address=::/128 comment=defconf:lo list=badipv6
add address=fec0::/10 comment=site-local list=badipv6
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::/4 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" \
    connection-state="" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/16
add action=accept chain=input comment="defconf:accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsecESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf:accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: Drop Invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf:drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop=limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="deeconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf:accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no advertise-mac-address=no interface=\
    bridge managed-address-configuration=yes other-configuration=yes
/ipv6 nd prefix
add autonomous=no interface=bridge prefix=::/0
add autonomous=no interface=bridge
/ipv6 route
add distance=1 gateway=2a00:xxxx:yyyy::1
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Wed Oct 07, 2020 6:09 pm

Just to add, I realised my IPv6 DNS was incorrect, but after correcting it, still the same.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IPV6 Firewall

Wed Oct 07, 2020 7:37 pm

Just to add, I realised my IPv6 DNS was incorrect, but after correcting it, still the same.
You can view the default config for the device by executing: /system default-configuration print

The default config shown by that command is updated by upgrading the RouterOS version, so it will be the latest version if your router has the latest version.

Copy and paste the IPv6 firewall section to a text editor, delete all your IPv6 firewall rules and paste in the section from the default-configuration. Then you will have the factory IPv6 firewall rules back, which should work for everything.
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Wed Oct 07, 2020 11:38 pm

Hi, thanks.

Tried that but still not working!

As I said, the weird thing is, it works fine on the latest iOS.

I have even tried other laptops and they won't allow ICMP either.
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Thu Oct 08, 2020 12:22 am

Just to add, I am not getting any IPv6 entries in the DNS cache either.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 Firewall

Thu Oct 08, 2020 12:23 am

The rules are the same for all devices, so if one works and another doesn't, I'd focus on that device. The packet sniffer is your friend; you can verify what is coming to the device, if it responds to it, etc.
 
DarkNate
Forum Guru
Posts: 1016
Joined: Fri Jun 26, 2020 4:37 pm

Re: IPV6 Firewall

Thu Oct 08, 2020 12:27 am

Thanks.

Just checked those and all seems to be set up properly.

I tried another test site and got this, so I have no idea what's going on.

Image

Also, there don't seem to be any packets at all recorded across most of the rules...

Image
Some ISPs have broken IPv6 deployment leading to reachability/ICMPv6 problems, same thing with my IPv6 ISP.
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Thu Oct 08, 2020 12:42 am

Cheers Guys

Sob:

It is weird tbh, as looking at the IPv6 connections, there is nothing at all for protocol 58.

However, if I run the test on iOS, I get a connection at port 58, but it shows a connection to ICMPv6 but with a source port & destination port of 0?

Dark: I am running a leased line and, as far as I am aware, IPv6 is running ok with them, but I will check.
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Thu Oct 08, 2020 1:02 am

Ok, I have just run a traceroute to Google's IPv6 DNS and that comes back ok, as well as Cloudflare DNS.

With that, I am assuming the web-based version of the test site has problems.

I am also starting to get DNS entries (AAAA) after I moved my IPv6 DNS server to the top.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 Firewall

Thu Oct 08, 2020 2:18 am

Try a ping to your address from outside. If you don't have any device from which you can test it, there are various websites that offer pings from their servers.

DNS doesn't have anything to do with the transport protocol used by the server. The client device asks for A or AAAA records depending on what protocol it has available, and it works even if you don't have any IPv6 DNS server at all, because even an IPv4 one can answer AAAA queries.
 
DarkNate
Forum Guru
Posts: 1016
Joined: Fri Jun 26, 2020 4:37 pm

Re: IPV6 Firewall

Thu Oct 08, 2020 2:47 am

Cheers Guys

Sob:

It is weird tbh, as looking at the IPv6 connections, there is nothing at all for protocol 58.

However, if I run the test on iOS, I get a connection at port 58, but it shows a connection to ICMPv6 but with a source port & destination port of 0?

Dark: I am running a leased line and, as far as I am aware, IPv6 is running ok with them, but I will check.
Just run a reachability test to confirm it: https://ipv6.ec2-reachability.amazonaws.com/

If there are reachability problems in some locations, it's your ISP that messed up; if everything is unreachable, then it's a problem on your end.
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Thu Oct 08, 2020 8:29 am

Ok, when I click your link, everything comes back with a green tick, so it does look like it may be the test site?

The one I seem to be having problems with is:

https://ipv6-test.com/

Also, if I ping6 to google.com I do get a response from a terminal window.

Not sure how to do that in Winbox yet!
--> 2a04:4e42:400::81
16 bytes from 2a04:4e42:400::81, icmp_seq=0 hlim=60 time=6.043 ms
16 bytes from 2a04:4e42:400::81, icmp_seq=1 hlim=60 time=5.972 ms
16 bytes from 2a04:4e42:400::81, icmp_seq=2 hlim=60 time=5.683 ms
16 bytes from 2a04:4e42:400::81, icmp_seq=3 hlim=60 time=5.592 ms
16 bytes from 2a04:4e42:400::81, icmp_seq=4 hlim=60 time=5.487 ms
16 bytes from 2a04:4e42:400::81, icmp_seq=5 hlim=60 time=6.344 ms
16 bytes from 2a04:4e42:400::81, icmp_seq=6 hlim=60 time=5.470 ms
16 bytes from 2a04:4e42:400::81, icmp_seq=7 hlim=60 time=6.125 ms
16 bytes from 2a04:4e42:400::81, icmp_seq=8 hlim=60 time=6.170 ms
16 bytes from 2a04:4e42:400::81, icmp_seq=9 hlim=60 time=6.269 ms
16 bytes from 2a04:4e42:400::81, icmp_seq=10 hlim=60 time=5.943 ms
16 bytes from 2a04:4e42:400::81, icmp_seq=11 hlim=60 time=7.729 ms
16 bytes from 2a04:4e42:400::81, icmp_seq=12 hlim=60 time=7.112 ms
16 bytes from 2a04:4e42:400::81, icmp_seq=13 hlim=60 time=7.027 ms
16 bytes from 2a04:4e42:400::81, icmp_seq=14 hlim=60 time=6.240 ms
16 bytes from 2a04:4e42:400::81, icmp_seq=15 hlim=60 time=6.350 ms
16 bytes from 2a04:4e42:400::81, icmp_seq=16 hlim=60 time=5.927 ms
Looking at my IPv6 firewall, I don't have any "input" rule packets recorded at all for ICMPv6; however, I have a few for the "forward" rule.

Is that correct, or should I have packets for both?

Image


Thanks!
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 Firewall

Thu Oct 08, 2020 1:19 pm

Input is traffic to the router itself, and all responses to outgoing connections initiated by the router are accepted by the first rule with connection-state=established,related,untracked (if you fixed it like I wrote). So it's quite normal not to have much traffic for the others. Ping the router's address and you'll get some.
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Thu Oct 08, 2020 2:44 pm

Ok cheers.

Well, as a test, I tried another router that was in service before, and that is giving me the same issue.

So, I am wondering if it is actually an ISP thing, or just an OSX problem, but it does seem strange that it works ok on the iPhone but not on the laptop.

I think I know the answer, but do different devices have 'different' connections via the router out to the internet?

As another poster suggested, I deleted all the IPv6 rules and got the default config, which is as follows:
/ipv6 firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Thu Oct 08, 2020 7:22 pm

Well, as another update, I configured the ICMPv6 protocol etc. on the W10 machine and still nothing.

I also spoke to my ISP, and they said they supply IPv6 connectivity raw and do not apply any restrictions on it.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IPV6 Firewall

Thu Oct 08, 2020 10:55 pm

Well, as another update, I configured the ICMPv6 protocol etc. on the W10 machine and still nothing.

I also spoke to my ISP, and they said they supply IPv6 connectivity raw and do not apply any restrictions on it.
What does https://ipv6-test.com/ show? And what makes you think your IPv6 isn't working? I'm not entirely clear on that.
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Fri Oct 09, 2020 1:10 am

That test site shows ICMPv6 as "not tested", but this only seems to be on laptops etc.

https://thumbsnap.com/f/rzBTR5WR
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IPV6 Firewall

Fri Oct 09, 2020 1:23 am

That test site shows ICMPv6 as "not tested", but this only seems to be on laptops etc.

https://thumbsnap.com/f/rzBTR5WR
It is probably the firewall on the device that is blocking pings, not the router itself. Test with an online ping tool that supports IPv6, such as https://www.ultratools.com/tools/ping6
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Fri Oct 09, 2020 1:33 am

Just tested on that site with ipv6.google.com and that seems to work ok?

Image
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IPV6 Firewall

Fri Oct 09, 2020 1:34 am

Just tested on that site with ipv6.google.com and that seems to work ok?

Image
No, I mean use that site to ping your computers on the inside of your network. Check what IPv6 addresses they have, enter them into the ping tool, and see if it can ping them.
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Fri Oct 09, 2020 1:42 am

Ah ok.

Well, I tried two of the IPv6 addresses and both timed out.

I also tried pinging the router's IPv6 address and that timed out as well?

Sorry, scrap that, I was pinging the wrong addresses!

Performing a ping6 to ipv6.google.com from the terminal in OSX, I get a response no problem, and if I ping my device's IPv6 I also get a response from that test site, although that response time is very high compared to outgoing.

Image
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IPV6 Firewall

Fri Oct 09, 2020 6:30 am

Sorry, scrap that, I was pinging the wrong addresses!

Performing a ping6 to ipv6.google.com from the terminal in OSX, I get a response no problem, and if I ping my device's IPv6 I also get a response from that test site, although that response time is very high compared to outgoing.
It is likely that everything is actually working fine. The response time doesn't really matter; the ping server is probably just far away geographically from where you are.

Does your ISP use regular DHCP or do they do something else like PPPoE or use a VLAN tag?
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Fri Oct 09, 2020 8:31 am

Yes, I did wonder; however, I did try another router and that gave the same result of 'not tested', which then made me question the ISP, or even OSX for that matter, as it does work ok on iOS.

But, given the results I am getting from your test site, it all appears to be working, and so it could even be that the original IPv6 test site I was using is buggy.

My ISP is a business leased line, and they supply static IPs for v4 and v6.

Do you get a full house if you test on www.ipv6-test.com ?
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPV6 Firewall

Fri Oct 09, 2020 10:59 am

Do you get a full house if you test on www.ipv6-test.com ?
It is possible to get a full house; I get it on one of my hosts ... but that's a Linux server with a statically assigned IPv6 address and properly configured DNS records.
For a LAN host which gets its IPv6 address via SLAAC, I only get 17/20. It says "SLAAC No" even though the LAN host does get its address via SLAAC, so this is misinformation (but doesn't change a thing). But there are two reasons for not getting 20/20: 1. pings are not getting through (the PC's firewall takes care of that, actually; the IPv6 firewall rules are the same for the whole LAN in this respect), I guess this one subtracts two points from the score as it's red ... and 2. the reverse DNS record is obviously missing.
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Fri Oct 09, 2020 2:20 pm

Do you get a full house if you test on www.ipv6-test.com ?
It is possible to get a full house; I get it on one of my hosts ... but that's a Linux server with a statically assigned IPv6 address and properly configured DNS records.
For a LAN host which gets its IPv6 address via SLAAC, I only get 17/20. It says "SLAAC No" even though the LAN host does get its address via SLAAC, so this is misinformation (but doesn't change a thing). But there are two reasons for not getting 20/20: 1. pings are not getting through (the PC's firewall takes care of that, actually; the IPv6 firewall rules are the same for the whole LAN in this respect), I guess this one subtracts two points from the score as it's red ... and 2. the reverse DNS record is obviously missing.
On the PC I have configured the firewall to accept ICMPv6, and on OSX the firewall is actually turned off completely, and I get the same issue using an EdgeRouter I have, which I tried yesterday.

I was then wondering if I have misconfigured my router somewhere, but as I said, using it on iOS, that works fine with a 19/20.

It's doing my head in! LOL
 
DarkNate
Forum Guru
Posts: 1016
Joined: Fri Jun 26, 2020 4:37 pm

Re: IPV6 Firewall

Fri Oct 09, 2020 2:55 pm

Trust me on this one, it's likely your ISP, not your local setup. As long as your IPv6 firewall follows the standards that are publicly documented, you're good to go. Along with proper SLAAC/RADVD config on your end.

My ISP's NOC team has personally spoken to me and told me it's broken on their end at layer 2.5 (They use PPPoE and some useless local tunnelling mixed with native IPv6) and even though they didn't admit it, they simply lack the skill set required to fix the problem. Heck maybe you're in the same country I am with the same ISP (BSNL) hahaha...
Last edited by DarkNate on Fri Oct 09, 2020 3:13 pm, edited 1 time in total.
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Fri Oct 09, 2020 3:10 pm

Interesting.

Would that affect what devices were being used if there were problems with the ISP?

I always assumed everything forwarded from the router was 'unknown'.
 
DarkNate
Forum Guru
Posts: 1016
Joined: Fri Jun 26, 2020 4:37 pm

Re: IPV6 Firewall

Fri Oct 09, 2020 3:12 pm

What do you mean "affect what devices"? Affect what, how? Apart from broken IPv6, all major platforms would automatically fall back to IPv4 if they detect IPv6 is broken/slower than a few milliseconds.
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Fri Oct 09, 2020 3:22 pm

Sorry, what I meant was, iOS on my iPhone returns nearly a full house (19/20) on the test site, but OSX and Windows 10 don't (17/20).

Also, after pinging my MacBook IPv6 address from the Ultratools website, I do not get any ICMPv6 input packets recorded in the MT firewall, but do get one forwarded, and it still gives a positive result.
 
DarkNate
Forum Guru
Posts: 1016
Joined: Fri Jun 26, 2020 4:37 pm

Re: IPV6 Firewall

Fri Oct 09, 2020 3:26 pm

That's what a "broken IPv6 deployment" looks like: it works half of the time, and the other half it does not, or does so only partially. I've only seen broken IPv6 on my primary ISP (BSNL), it works perfectly fine on others including mobile networks.

If it's any help, below is my IPv6 firewall, which contains the default rules along with some that I've added, or existing ones I've modified, based on research:
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=fd12:672e:6f65:8899::/64 list=allowed
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed

/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=drop chain=input comment=dropLocalLink_from_public in-interface=\
    pppoe-out1 src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" \
    src-address-list=allowed
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="local clients to public" \
    in-interface=!pppoe-out1 src-address-list=allowed
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
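As an added example (not code from the thread or from MikroTik), the following Python script parses a `/ipv6 firewall filter` export in the plain format posted above, joining the backslash line continuations and quoted comments, and then checks the rule order that this thread keeps coming back to: the established/related accept sits first (which is why ping replies never touch the ICMPv6 counter), an unconditional accept at the top makes every later rule dead, and each chain must accept ICMPv6 before its catch-all drop, otherwise NDP, router advertisements and path-MTU discovery from the WAN side are silently dropped. The sample export embedded in the script is constructed for the example and deliberately misorders the forward chain.

```python
"""Parse a RouterOS ``/ipv6 firewall filter`` export and audit rule order.

Added example, not code from the thread or from MikroTik. The export
format (one ``add ...`` per rule, ``\\`` continuations, quoted comments)
is the one posted in the thread; the sample below is constructed.
"""
import shlex

# Constructed sample: default-style rules, with the forward chain's
# ICMPv6 accept placed after the catch-all drop on purpose.
SAMPLE_EXPORT = r"""
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
"""

# A drop rule that matches on nothing but interfaces is the chain's catch-all.
PLAIN_KEYS = {"action", "chain", "comment", "in-interface", "in-interface-list",
              "out-interface", "out-interface-list"}


def parse_export(text: str) -> list:
    """Return the rules as dicts (matcher -> value) in export order."""
    joined, buf = [], ""
    for raw in text.splitlines():
        piece = raw.rstrip()
        if buf:
            piece = piece.lstrip()          # continuation lines are indented
        if piece.endswith("\\"):
            buf += piece[:-1]               # drop the backslash, keep collecting
            continue
        joined.append(buf + piece)
        buf = ""
    rules = []
    for line in joined:
        if not line.startswith("add "):
            continue                        # skips the '/ipv6 firewall filter' header
        rule = {}
        for tok in shlex.split(line)[1:]:   # shlex handles comment="a b c"
            key, _, val = tok.partition("=")
            rule[key] = val
        rules.append(rule)
    return rules


def is_catch_all_drop(rule: dict) -> bool:
    return rule.get("action") == "drop" and set(rule) <= PLAIN_KEYS


def audit(rules: list) -> list:
    """Return one finding string per ordering problem, for input and forward."""
    findings = []
    for chain in ("input", "forward"):
        cr = [r for r in rules if r.get("chain") == chain]
        if not cr:
            findings.append(f"{chain}: chain has no rules")
            continue
        first = cr[0]
        if first.get("action") == "accept" and set(first) <= {"action", "chain", "comment"}:
            findings.append(f"{chain}: first rule accepts everything unconditionally; "
                            "every later rule is dead")
        if "established" not in first.get("connection-state", ""):
            findings.append(f"{chain}: first rule is not the established/related accept")
        icmp = [i for i, r in enumerate(cr)
                if r.get("action") == "accept" and r.get("protocol") == "icmpv6"]
        drop = [i for i, r in enumerate(cr) if is_catch_all_drop(r)]
        if not icmp:
            findings.append(f"{chain}: no rule accepts ICMPv6 (NDP, RA and PMTUD will break)")
        elif drop and icmp[0] > drop[0]:
            findings.append(f"{chain}: ICMPv6 accept is rule {icmp[0] + 1}, after the "
                            f"catch-all drop at rule {drop[0] + 1}, so ICMPv6 from the "
                            "WAN never reaches it")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

To audit a live router, paste the output of `/ipv6 firewall filter export` into the string in place of the sample; the parser only looks at `add` lines, so address-list sections in the same export are ignored.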
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Fri Oct 09, 2020 3:46 pm

Thanks.

I have given my ISP another nudge to check and told them I am not properly receiving ICMPv6 packets and to make sure everything is OK with the carrier.

Especially as they messed me about, right at the very beginning with giving me incorrect ipv6 address details.
 
jasons6930
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Fri Oct 09, 2020 4:51 pm

OK, this is the response from the ISP:

"Just to reiterate, the circuit that we provide is a raw circuit and neither us nor the line provider has any equipment onsite that will be blocking any traffic. The NTU onsite is only there to terminate the fibres coming into the building.

Based on your original example, assigning an IPv6 IP on a desktop machine does not get any ICMP ping responses, but assigning an IP on a phone gets an ICMP response.

This points towards the line not being the issue as we would not be blocking PCs but then allowing phones.

I believe the issue is more than likely going to be down to the firewall on the PCs as I know that by default ICMP is blocked.

You could further prove this by pinging the local devices onsite from the router as this would not be going over the line."



As I pointed out earlier, I have no ICMPv6 input packets at all but loads forwarded.


I am tempted to downgrade the firmware to see what that does.
 
DarkNate
Forum Guru
Posts: 1016
Joined: Fri Jun 26, 2020 4:37 pm

Re: IPV6 Firewall

Fri Oct 09, 2020 5:20 pm

I think your upstream provider is NOT an ISP, it sounds more like what we call in my country a Local Cable Operator where all they handle is last-mile/switching, that's it.

Ask them to push your case to their upstream provider that is delegating/controlling the core network.
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Fri Oct 09, 2020 5:57 pm

Thanks.

They have also just suggested I ping6 my devices in my local network, which I have done from router to device and device to device using IPv6 addresses, and everything checks out OK.

Just no input packets!

I have just responded to them with the results of their request.

Trouble is, I don't really trust them to do right, as when I first had the connection, they kept insisting the static IPv6 address they supplied was correct at their end, and that it must be something wrong with my router.

Turns out, it was their end as they gave me the incorrect address details!

I'll update once i hear back.

Cheers!
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 Firewall

Fri Oct 09, 2020 7:47 pm

If you want to see packets in input, you have to communicate with address on router (ping it, connect to it).

And if you want to see what router does with icmp, then you can use e.g.:
/ipv6 firewall mangle
add chain=prerouting protocol=icmpv6 action=log
add chain=postrouting protocol=icmpv6 action=log
add chain=input protocol=icmpv6 action=log
add chain=output protocol=icmpv6 action=log
You can limit it to show only some icmp types.
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Fri Oct 09, 2020 8:05 pm

Thanks Sob.

Sorry, I didn't get a notification for some reason.

Anyway, I have set that up and it is logging a lot of ICMP packets!

Although most of them are type 136 for ND?

Also, I just pinged Google IPv6 again and am getting codes 128 and 129, which are echo request and reply, so I assume everything is working OK but just not registering on the FW counter?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 Firewall

Fri Oct 09, 2020 8:52 pm

If you want more selective logging:
/ipv6 firewall mangle
add action=jump chain=prerouting jump-target=icmp protocol=icmpv6
add action=jump chain=postrouting jump-target=icmp protocol=icmpv6
add action=jump chain=input jump-target=icmp protocol=icmpv6
add action=jump chain=output jump-target=icmp protocol=icmpv6
And then either log only selected types:
/ipv6 firewall mangle
add action=log chain=icmp icmp-options=128:0-255 protocol=icmpv6
add action=log chain=icmp icmp-options=129:0-255 protocol=icmpv6
Or everything except selected types:
/ipv6 firewall mangle
add action=return chain=icmp icmp-options=135:0-255 protocol=icmpv6
add action=return chain=icmp icmp-options=136:0-255 protocol=icmpv6
add action=log chain=icmp
As for counters, they work and they are reliable, but you need to be looking at the right ones. If you ping Google or anything else on the internet from a device in LAN, it's slightly different from when something from the internet pings you. In both cases most packets will end up accepted by the first rule with connection-state=established. But the first packet is important, because generally outgoing traffic from LAN to internet tends to be allowed, but incoming from internet to LAN does not. Default firewall in RouterOS allows icmpv6 both ways, but the same thing applies to other devices. If you ping Google, you'll see icmp packets in both directions and they all will be allowed. But if Google (or anyone else) pings you, that may be blocked and often is. In this case it shouldn't be blocked by ISP or your router, but it can be blocked by the device's own firewall.

And just to be sure that you get it, chain=forward is traffic passing through router from one device that's not this router to another device that also isn't this router, chain=input is traffic from some other device to router itself, and finally chain=output is traffic from router to some other device.
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Fri Oct 09, 2020 9:43 pm

Ah ok thanks understood.

I have just downloaded the Networking app onto my iPhone as it has a ping tool, and I know that doesn't have a firewall (?)

On my MBP, I also have the FW disabled, and rely on the router to take care of that.

Interestingly, if I ping the Google IPv6 from the app, I still get no update on the ICMPv6 counters, but input rule number one increases, along with the forward one as you said it would. I have also noticed that there is nothing ticked in the connection state boxes for the ICMP rules (established, related etc).

Although when the app does the first ping, it does register forward packet, but then stops. I guess this is the packet to initiate the test?

So, just out of interest, what would cause an incoming ICMPv6 packet to be registered on the counter in the FW rather than get accepted by rule one?

At the moment, that still sits at 0.

Also, the last rule (drop everything else not from LAN) has 11 packets logged?

Is that normal?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 Firewall

Fri Oct 09, 2020 10:09 pm

It's related to the stateful firewall. Icmp doesn't have connections as such, but the firewall sees it that way. The initial ping packet (icmp echo request) has connection-state=new, so the first rule for established & friends doesn't match and it continues further until it reaches the rule allowing icmpv6 and is accepted. If there's a response, it gets connection-state=established and so do all other following packets in both directions, and they are all accepted by the first rule.

If you'd want separate counter for all icmp packets, you could move existing rules for allowing icmpv6 to the top, so that they would be even before accepting established connections. But I'd say it's generally useless. If you're interested in specific packets, you can use mangle rules I posted.

E.g. if you want to test incoming pings, then make sure you log types 128 and 129 and ping some of your addresses from online pinger like http://ipv6now.com.au/pingme.php (first result from Google, there are many others). You should see incoming packet in prerouting on WAN interface, then same packet in postrouting on LAN interface. If target device responds, there will be packet in prerouting on LAN and same in postrouting on WAN. If there's no response, it's target device's fault. If you ping router itself, there will be input instead of postrouting for request, and output instead of prerouting for response.

There will always be some incoming connections from internet. You can enable logging for drop rule, if you want to see what exactly it is.
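The packet path and connection-state behaviour described in the post above, as an added Python model (not code from the thread or from MikroTik). It walks each packet through prerouting, input or forward, and postrouting (output for router-generated traffic), keeps a minimal direction-agnostic flow table so the first echo request is "new" and everything after it "established", evaluates the default-style rule order, and records which rule counted each packet. Addresses (documentation prefix), interface names and the rule list are constructed for the example; the Linux conntrack detail that an echo reply with no matching request is "invalid" is modelled as well.

```python
"""Trace an IPv6 ping through a RouterOS-style stateful firewall.

Added example, not code from the thread or from MikroTik. Topology,
interface names and the rule list are constructed to mirror the
default-style IPv6 filter discussed in the thread.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed topology (2001:db8::/32 is the documentation prefix).
WAN_IF, LAN_IF = "pppoe-out1", "bridge"
LAN_IFACES = {LAN_IF}                              # RouterOS "LAN" interface list
ROUTER_WAN, ROUTER_LAN = "2001:db8:ffff::2", "2001:db8:0:1::1"
ROUTER_ADDRS = {ROUTER_WAN, ROUTER_LAN}            # dst here -> input chain
LAN_HOST, INTERNET = "2001:db8:0:1::10", "2001:db8:ffff::1"
ECHO_REQUEST, ECHO_REPLY = 128, 129


@dataclass
class Pkt:
    src: str
    dst: str
    proto: str = "icmpv6"
    icmp_type: Optional[int] = None
    in_iface: Optional[str] = None                 # None: generated by the router


class Conntrack:
    """Direction-agnostic flow table; just enough to give each packet a state."""

    def __init__(self):
        self.flows = set()

    def state(self, pkt: Pkt) -> str:
        key = (pkt.proto, frozenset((pkt.src, pkt.dst)))
        if key in self.flows:
            return "established"                   # seen before, either direction
        if pkt.proto == "icmpv6" and pkt.icmp_type == ECHO_REPLY:
            return "invalid"                       # reply with no request on record
        self.flows.add(key)
        return "new"


# Default-style rule order, same for input and forward: (comment, action, match).
RULES = [
    ("accept established,related,untracked", "accept", lambda p, s: s == "established"),
    ("drop invalid", "drop", lambda p, s: s == "invalid"),
    ("accept ICMPv6", "accept", lambda p, s: p.proto == "icmpv6"),
    ("drop everything else not coming from LAN", "drop",
     lambda p, s: p.in_iface not in LAN_IFACES),
]


class Router:
    def __init__(self):
        self.ct = Conntrack()
        self.hits = Counter()                      # (chain, comment) -> packets counted

    def _filter(self, chain: str, pkt: Pkt, state: str) -> str:
        for comment, action, match in RULES:       # first matching rule wins
            if match(pkt, state):
                self.hits[(chain, comment)] += 1
                return action
        return "accept"                            # no rule matched: chain policy is accept

    def handle(self, pkt: Pkt) -> list:
        """Return the chains the packet visits, with the filter verdict."""
        state = self.ct.state(pkt)
        if pkt.in_iface is None:                   # router-originated: no output rules here
            return ["output", "postrouting"]
        chain = "input" if pkt.dst in ROUTER_ADDRS else "forward"
        verdict = self._filter(chain, pkt, state)
        path = ["prerouting", f"{chain}:{verdict}"]
        if chain == "forward" and verdict == "accept":
            path.append("postrouting")
        return path


def ping_exchange(router: Router, src: str, dst: str, req_iface: str,
                  reply_iface: Optional[str], respond: bool = True) -> list:
    """Echo request src->dst, then the reply if the target answers; returns both paths."""
    paths = [router.handle(Pkt(src, dst, "icmpv6", ECHO_REQUEST, req_iface))]
    if respond:
        paths.append(router.handle(Pkt(dst, src, "icmpv6", ECHO_REPLY, reply_iface)))
    return paths


if __name__ == "__main__":
    r = Router()
    for p in ping_exchange(r, INTERNET, LAN_HOST, WAN_IF, LAN_IF):
        print(" -> ".join(p))
    for (chain, comment), n in sorted(r.hits.items()):
        print(f"{chain:8s} {comment:45s} {n}")
```

Running it shows the effect the thread was chasing: only the first echo request from the internet lands on "accept ICMPv6" in the forward chain, the LAN host's reply is counted by the established rule, and an unanswered request leaves a single prerouting/forward entry with nothing coming back, which is the "target device's fault" case. Pinging a router address moves the request to the input chain and the reply to output/postrouting instead.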
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IPV6 Firewall

Sat Oct 10, 2020 2:11 pm

You say 17/20 - what fails, specifically?

Just FYI, https://ipv6-test.com/ appears to have a bug it didn't have before. When I load it up, it shows ICMP as not tested and grey and 17/20. If I click the refresh button on the right hand side of the "IPv6 connectivity" header, it changes to "Reachable" and green and 19/20.
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Sat Oct 10, 2020 2:26 pm

Thanks.

Yes, that is the problem i appear to have!

I did try the refresh as you did but still no result.

:(

Interesting it comes back as 'not tested'.

One would have thought it would say 'unreachable', as the result I get on iOS when I try it is 'reachable' for ICMP.

(As an FYI, i have swapped to the Edgerouter and it is still giving the same result, so it can't be the MT config).
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IPV6 Firewall  [SOLVED]

Sun Oct 11, 2020 2:29 am

I'm still not convinced that you're having a problem here. If there was something wrong with your service or the router config, the iPhone would not be passing the test. I think most likely your IPv6 is actually working completely and you are being thrown by the 17/20 and the grey "not tested" message on that one IPv6 test page.
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Sun Oct 11, 2020 9:01 am

Do you know what, I think you are correct.

It's been quite an interesting challenge though, although my next challenge is trying to get the router from the 6.48beta as it keeps crashing.

Thanks everyone, for the help!
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Sun Oct 11, 2020 2:37 pm

Just jumping back onto this whilst mildly browsing, and I have noticed on the MT app, under Action for the firewall, it has a section that shows a lot more info than Winbox.

iPhone app shows this:

Image

And there is a setting "Reject with.." set to "No route".

Yet, on Winbox (6.48) under the same tab, there isn't any of the other settings...

Image

Is the above a bug in 6.48, or just an option buried deeper in WB?
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: IPV6 Firewall

Sun Oct 11, 2020 2:51 pm

In winbox you have to choose needed action first (in this case action=reject) and then options for this action will appear.
 
jasons6930
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri Nov 29, 2019 6:08 pm
Location: UK

Re: IPV6 Firewall

Sun Oct 11, 2020 4:11 pm

Thanks.

:)
