Community discussions

MikroTik App
 
fernandomm
just joined
Topic Author
Posts: 11
Joined: Thu Nov 05, 2015 1:11 pm

IPV6: can't ping external hosts from internal network

Sun May 01, 2016 5:44 am

I'm trying to get IPV6 working and I think I'm almost there. The only think that doesn't work is that I can't ping or access external hosts from internal network.

- Pinging ipv6 addresses works in RouterOS but not in internal hosts
- All internal hosts are able to get an IPV6 address, ping each other and ping the router

Here is my configuration so far ( ethernet1 is connected to my ISPs modem and ethernet2 is connected to my internal network ):
[admin@MikroTik] /ipv6> pool print
Flags: D - dynamic
 #   NAME                 PREFIX                                      PREFIX-LENGTH EXPIRES-AFTER
 0 D copel                2001:1284:f005:cc2f::/64                               64 23h26m22s
[admin@MikroTik] /ipv6> address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
 #    ADDRESS                                     FROM-POOL INTERFACE                          ADVERTISE
 0  G 2001:1284:f005:cc2f::/64                    copel     ether2-master-local                yes
 1 DL fe80::e68d:8cff:fedc:e25f/64                          ether1-gateway                     no
 2 DG 2001:1284:f005:cc2f::1/64                             ether1-gateway                     no
 3 DL fe80::e68d:8cff:fedc:e260/64                          ether2-master-local                no
[admin@MikroTik] /ipv6> dhcp-client print
Flags: D - dynamic, X - disabled, I - invalid
 #    INTERFACE STATUS        REQUEST   PREFIX
 0    ether1... bound         address   2001:1284:f005:cc2f::/64, 23h26m2s
                              prefix
[admin@MikroTik] /ipv6> pool print
Flags: D - dynamic
 #   NAME                 PREFIX                                      PREFIX-LENGTH EXPIRES-AFTER
 0 D copel                2001:1284:f005:cc2f::/64                               64 23h25m55s
[admin@MikroTik] /ipv6> route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp,
U - unreachable
 #      DST-ADDRESS              GATEWAY                  DISTANCE
 0 ADS  ::/0                     fe80::e297:96ff:fe6a:...        1
 1 ADC  2001:1284:f005:cc2f::/64 ether2-master-local             0
                                 ether1-gateway
 2  DSU 2001:1284:f005:cc2f::/64                                 1
 
[admin@MikroTik] > ping 2800:3f0:4001:810::200e
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 2800:3f0:4001:810::200e                    56  58 24ms  echo reply
    1 2800:3f0:4001:810::200e                    56  58 15ms  echo reply
    2 2800:3f0:4001:810::200e                    56  58 15ms  echo reply
    sent=3 received=3 packet-loss=0% min-rtt=15ms avg-rtt=18ms max-rtt=24ms
Here is what I get in an OSx machine:
# /usr/sbin/netstat -f inet6 -rn
Routing tables

Internet6:
Destination                             Gateway                         Flags         Netif Expire
default                                 fe80::e68d:8cff:fedc:e260%en0   UGc             en0
... Lots of other things

# ping6 fe80::e68d:8cff:fedc:e260%en0
PING6(56=40+8+8 bytes) fe80::3285:a9ff:fe3e:394d%en0 --> fe80::e68d:8cff:fedc:e260%en0
16 bytes from fe80::e68d:8cff:fedc:e260%en0, icmp_seq=0 hlim=64 time=0.361 ms
16 bytes from fe80::e68d:8cff:fedc:e260%en0, icmp_seq=1 hlim=64 time=0.371 ms
^C
--- fe80::e68d:8cff:fedc:e260%en0 ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.361/0.366/0.371/0.005 ms

> ping6 2800:3f0:4001:810::200e
PING6(56=40+8+8 bytes) 2001:1284:f005:cc2f:345d:f4ed:d2f4:bdef --> 2800:3f0:4001:810::200e
^C
--- 2800:3f0:4001:810::200e ping6 statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

Any ideas about what is wrong in my setup?
 
nxs02
Member Candidate
Member Candidate
Posts: 119
Joined: Sat Nov 07, 2015 1:25 pm
Location: Planet Earth

Re: IPV6: can't ping external hosts from internal network

Sun May 01, 2016 8:06 am

check ur forward chain in firewall rules?
 
Sob
Forum Guru
Forum Guru
Posts: 6517
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6: can't ping external hosts from internal network

Sun May 01, 2016 2:11 pm

You have same /64 subnet on both ether1-gateway and ether2-master-local, that's not right. Try either setting prefix hint for DHCPv6 client to e.g. ::/60 to get more subnets, or uncheck the option to get address (which seems that you have enabled).
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
fernandomm
just joined
Topic Author
Posts: 11
Joined: Thu Nov 05, 2015 1:11 pm

Re: IPV6: can't ping external hosts from internal network

Sun May 01, 2016 3:12 pm

check ur forward chain in firewall rules?

I don't have any rules in firewall since I was planning to setup them later. Shouldn't it be working?
You have same /64 subnet on both ether1-gateway and ether2-master-local, that's not right. Try either setting prefix hint for DHCPv6 client to e.g. ::/60 to get more subnets, or uncheck the option to get address (which seems that you have enabled).
Yes, my ISP only provides a dynamic /64 subnet. I have unchecked the option to get address but even after a reboot, it doesn't seem to make any difference. I still can't ping or access anything from my internal network.
> /ipv6 dhcp-client print
Flags: D - dynamic, X - disabled, I - invalid
 #    INTERFACE  STATUS        REQUEST   PREFIX
 0    ether1-... bound         prefix    2001:1284:f004:aee1::/64, 23h51m2s
 
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4052
Joined: Wed May 11, 2011 6:08 pm

Re: IPV6: can't ping external hosts from internal network

Sun May 01, 2016 6:15 pm

You don't need a public routable address on your WAN interface.

Here's my home configuration with Comcast:
/ipv6 address
add from-pool=Comcast interface=LAN
/ipv6 dhcp-client
add add-default-route=yes interface=ether6 pool-name=Comcast prefix-hint=::/60 request=prefix use-peer-dns=no
(ether6 is my WAN interface)

All the rest of my v6 configuration is pretty much just firewall rules.
The above works with a standard /64 prefix as well. The WAN interface just uses link-local addressing to reach the Internet, and if the router itself needs to go out on the Internet (say, for a DNS lookup) then it will just use it's LAN address to generate the packet.

For some reason, the export doesn't indicate it, but in the GUI, I configured the address to be ::1/64 - the from-pool=Comcast part fills in the routable /64 prefix.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
fernandomm
just joined
Topic Author
Posts: 11
Joined: Thu Nov 05, 2015 1:11 pm

Re: IPV6: can't ping external hosts from internal network

Mon May 02, 2016 3:00 am

You don't need a public routable address on your WAN interface.

Here's my home configuration with Comcast:
/ipv6 address
add from-pool=Comcast interface=LAN
/ipv6 dhcp-client
add add-default-route=yes interface=ether6 pool-name=Comcast prefix-hint=::/60 request=prefix use-peer-dns=no
(ether6 is my WAN interface)

All the rest of my v6 configuration is pretty much just firewall rules.
The above works with a standard /64 prefix as well. The WAN interface just uses link-local addressing to reach the Internet, and if the router itself needs to go out on the Internet (say, for a DNS lookup) then it will just use it's LAN address to generate the packet.

For some reason, the export doesn't indicate it, but in the GUI, I configured the address to be ::1/64 - the from-pool=Comcast part fills in the routable /64 prefix.
Are there any firewall rules that are required to make the ipv6 work? Or does your configuration works even with no firewall rules?

Also, do you mind sharing your "/ipv6 routes" configuration? Or is it empty?

Thanks!
 
Sob
Forum Guru
Forum Guru
Posts: 6517
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6: can't ping external hosts from internal network

Mon May 02, 2016 4:41 pm

No firewall rules = everything is allowed.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4052
Joined: Wed May 11, 2011 6:08 pm

Re: IPV6: can't ping external hosts from internal network

Tue May 03, 2016 4:56 pm

Also, do you mind sharing your "/ipv6 routes" configuration? Or is it empty?
The default GW is set by the "use default gateway" checkbox on the dhcpv6-client configuration. I do have a couple of static routes, but they are related to something extra that I'm doing. A basic functional IPv6 configuration doesn't need any static routes.

You DO want to put firewall rules, though - if you have none, then all of your devices are directly reachable via IPv6 from the Internet, so you will want at least a basic firewall rule set. Here's a basic one based on mine (with some specific-to-me stuff removed):
/ipv6 firewall filter
add chain=forward comment="Allow existing connections" connection-state=established,related
add chain=forward protocol=icmpv6
add chain=forward comment="Allow whitelisted hosts and networks" src-address-list=Whitelist
add action=drop chain=forward comment="Block Internet from new inbound connections." in-interface=WAN
add chain=input comment="Allow Existing Connections" connection-state=established,related
add chain=input comment="Permit ICMP" protocol=icmpv6
add chain=input comment="Trust Whitelisted Hosts" src-address-list=Whitelist
add chain=input comment=\
    "Allow DHCPv6 replies on WAN from link-local" dst-address=\
    fe80::/16 dst-port=546 in-interface=WAN protocol=udp src-address=fe80::/16
add action=drop chain=input comment="Block New Connections from Internet" in-interface=WAN
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
Sob
Forum Guru
Forum Guru
Posts: 6517
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6: can't ping external hosts from internal network

Tue May 03, 2016 6:13 pm

I have lets say philosophical objection to this. If you block new connections from WAN to LAN, then it makes it (in a way) worse than with IPv4. At least with IPv4, if users are lucky enough to get public addresses, they can use UPnP and let internal devices open ports for direct communication as needed.
With IPv6, even the fridges will have public addresses, but with dissallowed incoming on router, they will still have hard time participating in FridgeNet dynamic P2P network or something. ;)
There's a Port Control Protocol (RFC6887) which looks like it's able to open ports in firewall, but implementation wise, it's still mostly theoretical.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4052
Joined: Wed May 11, 2011 6:08 pm

Re: IPV6: can't ping external hosts from internal network

Tue May 03, 2016 7:38 pm

I have lets say philosophical objection to this. If you block new connections from WAN to LAN, then it makes it (in a way) worse than with IPv4. At least with IPv4, if users are lucky enough to get public addresses, they can use UPnP and let internal devices open ports for direct communication as needed.
With IPv6, even the fridges will have public addresses, but with dissallowed incoming on router, they will still have hard time participating in FridgeNet dynamic P2P network or something. ;)
There's a Port Control Protocol (RFC6887) which looks like it's able to open ports in firewall, but implementation wise, it's still mostly theoretical.
Well, this is my home network, so I'm not enforcing anything on anyone - and usually, the big problem in IPv4 is when two peers both of which are behind NAT wish to communicate - neither can successfully receive a TCP/SYN handshake from the other side - both hosts' firewalls are waiting for their local client to initiate the connection / don't know which internal machine the SYN handshake is for.

This isn't as big a deal in IPv6 with UDP streams because both sides can start transmitting which will lead to both firewalls getting a stateful entry generated - both hosts can directly address each other. Desirable inbound TCP ports can be allowed as well, because the target of the inbound request is known (has its own unique public routable address). But in general, do you really want to leave every device on your network open to direct packet requests on all ports? That just doesn't seem wise.

UPnP could be made to work on a stateful IPv6 firewall just as easily as an IPv4 - and I wouldn't say it's "worse" because at least the hosts have the real direct addresses of each other, so no clever workarounds are required for cases where both sides have private addresses. No "fibs" need to be made (NAT) - only the policy portion must be addressed. Now, the UPnP can simply say "I'm host XXXXXXX and I want to receive traffic on port X, so the firewall can create a dynamic "permit" rule for this - no pinholes need to get made, and the LAN host doesn't need to figure out what "public IP" the router is using. The host just uses its own address.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
fernandomm
just joined
Topic Author
Posts: 11
Joined: Thu Nov 05, 2015 1:11 pm

Re: IPV6: can't ping external hosts from internal network

Tue May 03, 2016 11:21 pm

Also, do you mind sharing your "/ipv6 routes" configuration? Or is it empty?
The default GW is set by the "use default gateway" checkbox on the dhcpv6-client configuration. I do have a couple of static routes, but they are related to something extra that I'm doing. A basic functional IPv6 configuration doesn't need any static routes.

You DO want to put firewall rules, though - if you have none, then all of your devices are directly reachable via IPv6 from the Internet, so you will want at least a basic firewall rule set. Here's a basic one based on mine (with some specific-to-me stuff removed):
Eventually I will set firewall rules but first I'm trying to get it working. I checked my configuration again following your previous post but I still can't ping or access any external ipv6 addresses from my internal network.

An ipv6 address is assigned correctly and I can ping internal hosts.

Also, I tried to connect a machine directly to my ISP's modem and ipv6 worked correctly. So it must be something wrong in mikrotik configuration.

At this point, I have no clue about what is wrong.
 
fernandomm
just joined
Topic Author
Posts: 11
Joined: Thu Nov 05, 2015 1:11 pm

Re: IPV6: can't ping external hosts from internal network

Wed May 04, 2016 6:59 pm

After some research I found out that I won't be able to get this working with a /64 block. I need at least another /64, but a /60 would be better.

I'm contacting my ISP to check if they can provide a /60, otherwise I don't think there is a viable way of making this work.

Considering that they started to apply CGNat, I guess that at least they could make the IPv6 adoption easier.
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4052
Joined: Wed May 11, 2011 6:08 pm

Re: IPV6: can't ping external hosts from internal network

Wed May 04, 2016 7:11 pm

After some research I found out that I won't be able to get this working with a /64 block.
I'm curious to know why that is. The WAN interface of a router can work just fine passing traffic to the default GW using its link-local (fe80::) address.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
apracz
just joined
Posts: 19
Joined: Thu May 05, 2016 12:11 am

Re: IPV6: can't ping external hosts from internal network

Thu May 05, 2016 12:43 am

fernandomm, i have same problem with Copel Telecom.

My mikrotik get ipv6 address but in mikrotik and pc station i dont ping internet address.

Please contact-me to share my and your problem pracz@rpsolution.com.br our skype: fabioapracz
 
User avatar
domodial
newbie
Posts: 29
Joined: Mon Aug 24, 2020 7:27 pm

Re: IPV6: can't ping external hosts from internal network

Fri Apr 23, 2021 9:39 am

Hello,

I've been looking for 8 days and I came across this subject which is identical to my problem.
It is strictly the same in that I can ping from the mikrotik router to the outside, I can ping from one of my machines to another, but I cannot ping from a machine to the internet.

Windows or mac osx says I don't have an internet connection.
My setup looks good because the worst part is that it worked before.

I have a modem which only supports DMZ, with which it is not possible to have a PPPoe connection because the credentials are automatic.
My network is therefore in DMZ ipv4 and DMZ ipv6.
have tried everything and I don't know what to do.

I get a prefix xxx: b301 / 56 and in the DMZ I have xxx: b302 / 64 with the gateway xxx: b301: xxx: xxx: xxx

The only thing i did in mikrotik that worked fine is enter a static ipv6 address like xxx: b302 :: 1/64 on ether2 which is my lan but linked to the mikrotik bridge, and allow advertising.
ether1 is the WAN.

Nothing works anymore, I wonder why it was working well, but I admit that my ISP just deployed IPV6 and that there is something that may have changed in them.
Simply in France the ISPs are not really trained to answer his questions, it is light years away from their skills.

But I would like to know if you have solved the problem to give me a lead and how to investigate.

Clarification to the author of the subject, when I connect directly to the modem, ipv6 works like you! I have the impression that something is not working in DMZ.
 
eduardosilva
just joined
Posts: 17
Joined: Tue Dec 13, 2011 11:33 pm

Re: IPV6: can't ping external hosts from internal network

Tue May 04, 2021 4:41 pm

Hello!!
I just noticed that I have exact the same problem.
Yesterday I made a post about my issue. I will link here just because I already posted my configuration and the full issue there. (I don't want to hijack the thread, I will be monitoring both).
viewtopic.php?f=2&t=174969

Thank you!
 
garis
just joined
Posts: 7
Joined: Sat Apr 10, 2021 3:44 pm

Re: IPV6: can't ping external hosts from internal network

Fri May 07, 2021 10:58 pm

[...]
/ipv6 address
add from-pool=Comcast interface=LAN
/ipv6 dhcp-client
add add-default-route=yes interface=ether6 pool-name=Comcast prefix-hint=::/60 request=prefix use-peer-dns=no
(ether6 is my WAN interface)
[...]
I have the same problem described in this thread (ISP with only a /64, Mikrotik and devices with IPv6, Mikrotik can ping IPv6 internet but internal devices can't).
If I try your setup the dhcp-client in the "request=prefix" doesn't work (stuck in searching), only "request=address" works, so for me it's not clear what you are suggesting since the subnet is only one (the ISP /64).

Am I missing something?
ISP of course is saying that it's my problem, nothing they can do (of course not.....)

Who is online

Users browsing this forum: anav, Bing [Bot], DragonQ and 247 guests