rasputin83
just joined
Topic Author
Posts: 10
Joined: Fri Oct 18, 2019 7:48 pm

Rb4011+IPv6 from ISP - Problem

Mon Feb 15, 2021 11:25 am

Hi
I've got a little/big problem with IPv6. My current ISP offers IPv6 to customers and I am one of them. I found a tutorial on how to set up DHCPv6 on my MikroTik: https://www.medo64.com/2018/03/setting- ... ikrotik/. I replaced the interface names with mine. It seems to work, but not 100%. I did a few tests on IPv6 test websites and some of them showed me that I've got IPv6, such as https://test-ipv6.com/ - IPv6 test passed. But on the website https://ipv6-test.com/ - IPv6 not supported. Why??? The most important thing is that I can't ping my router's IPv6 address or any other computer's IPv6 address on my LAN from any external VPS server with 100% IPv6 support.
My router is an RB4011 with firmware 6.48.1 stable. The configuration is out of the box. The IPv6 firewall is not set up yet; I can ping the IPv4 address. Any suggestion will be warmly welcomed.
 
onnoossendrijver
Member
Posts: 442
Joined: Mon Jul 14, 2008 11:10 am
Location: The Netherlands

Re: Rb4011+IPv6 from ISP - Problem

Mon Feb 15, 2021 11:52 am

If you turn on logging on the ICMPv6 firewall rules, do you see packets matching the rule when pinging from outside?
It would help us if you place your configuration here, so we can check...
Linux/network engineer: ITIL, LPI1, CCNA R+S, CCNP R+S, JNCIA, JNCIS-SEC
 
rasputin83
just joined
Topic Author
Posts: 10
Joined: Fri Oct 18, 2019 7:48 pm

Re: Rb4011+IPv6 from ISP - Problem

Mon Feb 15, 2021 1:37 pm

Here is the IPv6 config:
[setka@MikroTik] > /ipv6 pool print    
Flags: D - dynamic 
 #   NAME    PREFIX                                      PRE EXPIRES-AFTER       
 0 D gene... 2a10:f300:1:1::/64                           64 47m27s              

 [setka@MikroTik] > /ipv6 export 
# feb/15/2021 11:30:33 by RouterOS 6.48.1
# software id = 4
/ipv6 address
add address=::1 from-pool=general-pool6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=general-pool6 request=\
    prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=accept chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment=invalid connection-state=invalid
add action=drop chain=forward log-prefix=IPV6
/ipv6 nd
set [ find default=yes ] disabled=yes
add interface=bridge ra-interval=20s-1m
ping from outside see screenshot
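
An added example (not part of the thread, and not MikroTik tooling): a small Python check over the `/ipv6 firewall filter` section of the export posted above, relevant to the question of whether ICMPv6 from outside reaches an accept rule before a drop. The function names and the heuristic for what counts as a "broad" drop are assumptions of this example.

```python
import re
import shlex

# Abridged from the export posted above; the wrapped lines are kept as exported.
EXPORT = r'''/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment=invalid connection-state=invalid
add action=drop chain=forward log-prefix=IPV6
'''
NOT_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}

def parse_filter_rules(export):
    """Return the '/ipv6 firewall filter' rules as dicts, in rule order."""
    text = re.sub(r"\\\n\s*", "", export)  # undo the export's line wrapping
    rules, in_section = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            in_section = line == "/ipv6 firewall filter"
        elif in_section and line.startswith("add "):
            rules.append(dict(t.split("=", 1) for t in shlex.split(line)[1:]))
    return rules

def audit(rules):
    """Return (rule index, finding) pairs; a heuristic check, not a simulation."""
    findings, icmp_ok = [], set()
    for i, r in enumerate(rules):
        chain, action = r["chain"], r.get("action", "accept")
        matchers = set(r) - NOT_MATCHERS
        if action == "accept" and "drop" in r.get("comment", "").lower():
            findings.append((i, "comment says drop but action=accept"))
        elif action == "accept" and matchers == {"protocol"} and r["protocol"] == "icmpv6":
            icmp_ok.add(chain)  # plain ICMPv6 accept seen in this chain
        elif action == "drop" and matchers <= {"in-interface-list"}:
            if chain not in icmp_ok:
                findings.append((i, "broad drop precedes any plain ICMPv6 accept"))
            if not matchers:
                findings.append((i, "catch-all drop: no matcher at all"))
    return findings

if __name__ == "__main__":
    print(*audit(parse_filter_rules(EXPORT)), sep="\n")
```

Rule indexes are zero-based positions within the filter section, counted across both chains in export order.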
 
mkx
Forum Guru
Posts: 5414
Joined: Thu Mar 03, 2016 10:23 pm

Re: Rb4011+IPv6 from ISP - Problem

Mon Feb 15, 2021 7:12 pm

Can you ping the router itself from the internet? E.g. ping 2a10:f300:1:1::1? You're pinging a LAN host which may have its own firewall blocking pings. It may have multiple IPv6 addresses in use and is not replying to pings on most of them ...

You can verify the addresses actually in use by the router by running /ipv6 address print.

For what it's worth, my LAN Windows PC often experiences issues with IPv6 (uses SLAAC for inventing IPv6 address) while my Linux server with IPv6 address statically set doesn't have any problems. My WAN technology is PPPoE with DHCPv6 obtaining a prefix.
BR,
Metod
 
rasputin83
just joined
Topic Author
Posts: 10
Joined: Fri Oct 18, 2019 7:48 pm

Re: Rb4011+IPv6 from ISP - Problem

Mon Feb 15, 2021 7:26 pm

That's the problem. I can ping my router address 2a10:f300:1:1::1 through some web pages - it works with https://www.subnetonline.com/pages/ipv6 ... 6-ping.php, see the screenshot for the result. But if I try to ping from other websites or through a VPS server, it fails, see the screenshot. I've checked that on three different VPS servers located in different countries with full IPv6 support. I can ping the address 2a10:f300:1:1::1 from the terminal on my computer and from the terminal window in WinBox - it works. I just don't have access to the world and from the world via IPv6. As you have seen, on some pages it works, on others not. I have no idea what is going on.
[setka@MikroTik] >  /ipv6 address print 
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
 #    ADDRESS                                     FROM-POOL INTERFACE                                                                                     ADVERTISE
 0  G 2a10:f300:1:1::1/64                         genera... bridge                                                                                        yes      
 1 DL fe80::764d:28ff:fe8c:b5ac/64                          bridge                                                                                        no       
 2 DL fe80::764d:28ff:fe8c:b5ab/64                          ether1                                                                                        no       
 3 DL fe80::f/64                                            pppoe-out1          
  
 
mkx
Forum Guru
Posts: 5414
Joined: Thu Mar 03, 2016 10:23 pm

Re: Rb4011+IPv6 from ISP - Problem

Mon Feb 15, 2021 8:35 pm

If you can access your router via IPv6 from some internet site, then IPv6 is fine between your ISP and your router. If at the same time you can't access (ping) LAN devices, then it's most probably due to the device's own firewall. If you can access your router from some internet sites, but not from other sites, then something is wrong upstream of your ISP and the only thing you can do is to report the problem to your ISP.
Another problem is that sometimes some pages don't work while ping is fine ... most of the time that's a problem with broken PMTU discovery (and quite often that's an ISP problem) due to excessive blocking of ICMPv6.
BR,
Metod
 
rasputin83
just joined
Topic Author
Posts: 10
Joined: Fri Oct 18, 2019 7:48 pm

Re: Rb4011+IPv6 from ISP - Problem

Tue Feb 16, 2021 2:56 pm

Hi, thanks for the advice.
I contacted my ISP. You know how it is: they tried to help me somehow, but as usual, from their point of view the problem is probably on my side, and at this stage they can offer me professional support and will charge me for that. In my opinion, if they offer IPv6 in their services, it should be 100% supported for the customer no matter what kind of equipment they are using. So I have to find a solution some other way.

Update 18.02.2021
The problem has been sorted. I had a written conversation with my ISP and provided them with all of the proof that IPv6 does not work how it should. Of course, they blamed a wrong config on the MikroTik, but finally I got a network engineer who sorted the problem out. The mysterious knowledge of what was changed or fixed remains secret knowledge for a few people only, but not for me, so I can't provide you with more details. Anyway, thank you for your help.
