LuizMeier
Member Candidate
Topic Author
Posts: 104
Joined: Tue Sep 25, 2012 11:57 pm
Location: Curitiba, PR - Brasil

Tunnel Broker IPv6

Mon Jan 25, 2016 8:20 pm

Hello!

I always used the HE tunnel to get IPv6 working at home. But now, since I've changed my ISP for one that only gives me an option to connect with my modem in routed mode, I am having problems connecting.

Below are my configs:
/ipv6 address
add address=2001:470:1f07:a84::1 interface=bridge-local
add address=2001:470:1f06:a84::2 advertise=no interface=sit1

/interface 6to4
add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive local-address=192.168.100.2 mtu=1280 name=sit1 \
    remote-address=209.51.161.14

/ipv6 route
add distance=1 dst-address=2000::/3 gateway=2001:470:1f06:a84::1
IPv6 Tunnel Endpoints
Server IPv4 Address:A.B.C.D
Server IPv6 Address:2001:xxx:1f06:xxx::1/64
Client IPv4 Address:1.2.3.4
Client IPv6 Address:2001:xxx:1f06:xxx::2/64
Routed IPv6 Prefixes
Routed /64: 2001:xxx:1f07:xxx::/64
Just a note: My tunnel is configured with an internal address because it is the address assigned to wan interface of my Mikrotik. That is the only way the interface gets the status running.

The problem is that I can't even ping the HE router on the other side of tunnel.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Tunnel Broker IPv6

Mon Jan 25, 2016 8:58 pm

Per the Hurricane Electric FAQ page:
*Two important notes:
  • Your IPv4 endpoint address must be reachable via ICMP ECHO_REQUEST (Internet Control Message Protocol).
  • If you are using a NAT (Network Address Translation) appliance, please make sure it allows and forwards IP protocol 41.
What is IP Protocol 41?
  • IP Protocol 41 is one of the Internet Protocol numbers. Within the IPv4 header, the IPv4 Protocol field is set to 41 to indicate an encapsulated IPv6 packet.
So make sure your ISP's router answers pings on its public IP.

I'd recommend having them put it in bridge mode and letting you run dhcp-client / pppoe-client on your router directly.
(EDIT - whoops, I just remembered that you already said they won't do that - that sucks. Do they offer native IPv6, though?)
 
LuizMeier

Re: Tunnel Broker IPv6

Mon Jan 25, 2016 9:08 pm

Per the Hurricane Electric FAQ page:
*Two important notes:
  • Your IPv4 endpoint address must be reachable via ICMP ECHO_REQUEST (Internet Control Message Protocol).
  • If you are using a NAT (Network Address Translation) appliance, please make sure it allows and forwards IP protocol 41.
What is IP Protocol 41?
  • IP Protocol 41 is one of the Internet Protocol numbers. Within the IPv4 header, the IPv4 Protocol field is set to 41 to indicate an encapsulated IPv6 packet.
So make sure your ISP's router answers pings on its public IP.

I'd recommend having them put it in bridge mode and letting you run dhcp-client / pppoe-client on your router directly.
(EDIT - whoops, I just remembered that you already said they won't do that - that sucks. Do they offer native IPv6, though?)
ZeroByte,

I have 2 rules on my firewall allowing the 41 protocol as below. The problem with my ISP is that they've changed the modus operandi in the last year, providing the new clients access to the internet through CGNAT (but with native IPv6). So I'm afraid of requesting IPv6 and ending up with CGNAT.

At least until now, I prefer having a valid IPv4 on my modem to having IPv6 with CGNAT. :)
/ip firewall filter
add chain=input comment=HE protocol=ipv6 src-address=A.B.C.D
add chain=output protocol=ipv6
 
ZeroByte

Re: Tunnel Broker IPv6

Mon Jan 25, 2016 9:27 pm

I have 2 rules on my firewall allowing the 41 protocol as below. The problem with my ISP is that they've changed the modus operandi in the last year, providing the new clients access to the internet through CGNAT (but with native IPv6). So I'm afraid of requesting IPv6 and ending up with CGNAT.
Well, that makes sense about the CGNat - sort of - because in a sense, you're already in that boat. You have to put a private IP on your Mikrotik right now - so what's the difference if the box-you-cannot-control happens to be a SOHO router in your own home or else a big-iron router in a data center somewhere?

I've never been behind a CGNat so I'm not sure what the reality of that life is like - I can see the public IP changing randomly all the time on a per-connection basis, and that would be daunting to deal with if you wanted to have NAT pinholes for things....
 
LuizMeier

Re: Tunnel Broker IPv6

Mon Jan 25, 2016 9:46 pm

I have 2 rules on my firewall allowing the 41 protocol as below. The problem with my ISP is that they've changed the modus operandi in the last year, providing the new clients access to the internet through CGNAT (but with native IPv6). So I'm afraid of requesting IPv6 and ending up with CGNAT.
Well, that makes sense about the CGNat - sort of - because in a sense, you're already in that boat. You have to put a private IP on your Mikrotik right now - so what's the difference if the box-you-cannot-control happens to be a SOHO router in your own home or else a big-iron router in a data center somewhere?

I've never been behind a CGNat so I'm not sure what the reality of that life is like - I can see the public IP changing randomly all the time on a per-connection basis, and that would be daunting to deal with if you wanted to have NAT pinholes for things....
That is the thing. I have some services at home that I can easily NAT with a valid IPv4 address assigned. With CGNAT, I'll have a 100.64.x.x address, not routable on the internet.
 
ZeroByte

Re: Tunnel Broker IPv6

Mon Jan 25, 2016 9:57 pm

I have 2 rules on my firewall allowing the 41 protocol as below.
/ip firewall filter
add chain=input comment=HE protocol=ipv6 src-address=A.B.C.D
add chain=output protocol=ipv6
It just dawned on me that I forgot to address this in your earlier reply.

First of all, the notes on HE's page specify that you have to be pingable, too. (there's no allow icmp in your sample code)

However - the "allow ping" and "allow protocol 41" criteria apply to the ISP router with the public IP address on it - not your Mikrotik.
You could allow anything you want in the Mikrotik, but if the router in front of it drops the packets, then you're never going to get the chance to allow them, yaknow?

Can you ping your public IP from somewhere out in the world? Does your ISP modem allow IP protocol 41? I was dealing with an Adtran router one time where I was frustrated to find that it would simply not forward a packet whose protocol number it didn't understand, even if I went into the policy-map and specified the protocol as allowed, even if I specified the protocol number.....
 
LuizMeier

Re: Tunnel Broker IPv6

Tue Jan 26, 2016 12:32 am

I have 2 rules on my firewall allowing the 41 protocol as below.
/ip firewall filter
add chain=input comment=HE protocol=ipv6 src-address=A.B.C.D
add chain=output protocol=ipv6
It just dawned on me that I forgot to address this in your earlier reply.

First of all, the notes on HE's page specify that you have to be pingable, too. (there's no allow icmp in your sample code)

However - the "allow ping" and "allow protocol 41" criteria apply to the ISP router with the public IP address on it - not your Mikrotik.
You could allow anything you want in the Mikrotik, but if the router in front of it drops the packets, then you're never going to get the chance to allow them, yaknow?

Can you ping your public IP from somewhere out in the world? Does your ISP modem allow IP protocol 41? I was dealing with an Adtran router one time where I was frustrated to find that it would simply not forward a packet whose protocol number it didn't understand, even if I went into the policy-map and specified the protocol as allowed, even if I specified the protocol number.....
I configured my ISP modem with the DMZ option, so it is forwarding anything that comes from the internet to my Mikrotik. And yes, I am pingable from the internet and my NATs are working pretty well.

Even so, I'll take a look at the 41 protocol on my modem, and see if that can be some incompatibility problem.
 
LuizMeier

Re: Tunnel Broker IPv6

Tue Jan 26, 2016 1:14 pm

I have 2 rules on my firewall allowing the 41 protocol as below.
/ip firewall filter
add chain=input comment=HE protocol=ipv6 src-address=A.B.C.D
add chain=output protocol=ipv6
It just dawned on me that I forgot to address this in your earlier reply.

First of all, the notes on HE's page specify that you have to be pingable, too. (there's no allow icmp in your sample code)

However - the "allow ping" and "allow protocol 41" criteria apply to the ISP router with the public IP address on it - not your Mikrotik.
You could allow anything you want in the Mikrotik, but if the router in front of it drops the packets, then you're never going to get the chance to allow them, yaknow?

Can you ping your public IP from somewhere out in the world? Does your ISP modem allow IP protocol 41? I was dealing with an Adtran router one time where I was frustrated to find that it would simply not forward a packet whose protocol number it didn't understand, even if I went into the policy-map and specified the protocol as allowed, even if I specified the protocol number.....
I configured my ISP modem with the DMZ option, so it is forwarding anything that comes from the internet to my Mikrotik. And yes, I am pingable from the internet and my NATs are working pretty well.

Even so, I'll take a look at the 41 protocol on my modem, and see if that can be some incompatibility problem.
Just to mention, I didn't find anything about problems with the 41 protocol. Even so, this modem supports IPv6.
 
LuizMeier

Re: Tunnel Broker IPv6

Tue Jan 26, 2016 8:50 pm

Does anybody know if the tunneling protocol validates the local and remote address in both endpoints?

If so, this is the problem, because for HE, my address is the valid IPv4 address, but for my Mikrotik it is the LAN address, because my modem is in router mode.
 
ZeroByte

Re: Tunnel Broker IPv6

Tue Jan 26, 2016 9:09 pm

Well, I went reading a little more on the subject and found this blog entry:
Behind NAT
If you're behind a NAT, the configuration needs to be tweaked a bit. First, you'll want to setup a static IP address behind your router. If your router supports configuration of forwarding more than just TCP/UDP, you'll want to forward protocol 41 (aka IPv6) (NOT PORT 41), which is responsible for IPv6 tunneling over IPv4, to your static address. If you've got a consumer grade router that doesn't support this, you'll just have to put your machine in the DMZ, thus putting your computer "in front" of your router's firewall. Please make sure you are running a local software firewall if you choose this option.
This all makes sense, and I'm sure you know the difference between port 41 and protocol 41... but I'm wondering if the nat router isn't being dumb. It might be only forwarding */tcp, */udp, and */icmp to the "dmz host" - this is not quite the same thing as forwarding IP->dmz-host which is what would be necessary.

If you have another site where you can set up a Mikrotik, try setting up a sit0 interface that points to your public IP and then do a sniff on your home router to see if you see any packets coming in or not. If no packets, then chances are good that the router is only doing PAT and not NAT - i.e. layer4 protocols but not 1:1 at the IP layer.
 
LuizMeier

Re: Tunnel Broker IPv6

Tue Jan 26, 2016 9:30 pm

Well, I went reading a little more on the subject and found this blog entry:
Behind NAT
If you're behind a NAT, the configuration needs to be tweaked a bit. First, you'll want to setup a static IP address behind your router. If your router supports configuration of forwarding more than just TCP/UDP, you'll want to forward protocol 41 (aka IPv6) (NOT PORT 41), which is responsible for IPv6 tunneling over IPv4, to your static address. If you've got a consumer grade router that doesn't support this, you'll just have to put your machine in the DMZ, thus putting your computer "in front" of your router's firewall. Please make sure you are running a local software firewall if you choose this option.
This all makes sense, and I'm sure you know the difference between port 41 and protocol 41... but I'm wondering if the nat router isn't being dumb. It might be only forwarding */tcp, */udp, and */icmp to the "dmz host" - this is not quite the same thing as forwarding IP->dmz-host which is what would be necessary.

If you have another site where you can set up a Mikrotik, try setting up a sit0 interface that points to your public IP and then do a sniff on your home router to see if you see any packets coming in or not. If no packets, then chances are good that the router is only doing PAT and not NAT - i.e. layer4 protocols but not 1:1 at the IP layer.
I can do that, but only in non-production time. I'll let you know the results.
 
LuizMeier

Re: Tunnel Broker IPv6

Tue Jan 26, 2016 10:09 pm

Well, I went reading a little more on the subject and found this blog entry:
Behind NAT
If you're behind a NAT, the configuration needs to be tweaked a bit. First, you'll want to setup a static IP address behind your router. If your router supports configuration of forwarding more than just TCP/UDP, you'll want to forward protocol 41 (aka IPv6) (NOT PORT 41), which is responsible for IPv6 tunneling over IPv4, to your static address. If you've got a consumer grade router that doesn't support this, you'll just have to put your machine in the DMZ, thus putting your computer "in front" of your router's firewall. Please make sure you are running a local software firewall if you choose this option.
This all makes sense, and I'm sure you know the difference between port 41 and protocol 41... but I'm wondering if the nat router isn't being dumb. It might be only forwarding */tcp, */udp, and */icmp to the "dmz host" - this is not quite the same thing as forwarding IP->dmz-host which is what would be necessary.

If you have another site where you can set up a Mikrotik, try setting up a sit0 interface that points to your public IP and then do a sniff on your home router to see if you see any packets coming in or not. If no packets, then chances are good that the router is only doing PAT and not NAT - i.e. layer4 protocols but not 1:1 at the IP layer.
I can do that, but only in non-production time. I'll let you know the results.
Hello!

Thanks to ZeroByte, who configured a tunnel for me for debugging the packets arriving.

The thing is that packets are arriving, at least for now, correctly. The only thing I can think of about the problem is the different local and remote addresses. Might the tunnel broker validate them?

I'm posting a print of my torch.
 
ZeroByte

Re: Tunnel Broker IPv6

Tue Jan 26, 2016 10:17 pm

Well, the only thing left to do is sniff the packets from Tunnelbroker, capture them to a file on the Mikrotik, and open the capture file in Wireshark.

Perhaps you can poke around in that.

As far as I can tell, you should put 192.168.100.2 as the local IP of your tunnel, and it should work.
If you want, you can build the other end of my test tunnel on your router and we can see if it comes live or not.
I'm not routing any prefixes over it or anything, and I have firewall rules in place so you can't go into my LAN through the tunnel or anything, but at least you should be able to ping the link-local address of my end of the tunnel. (check IPv6 neighbors to see it)
 
LuizMeier

Re: Tunnel Broker IPv6

Wed Jan 27, 2016 12:16 pm

Well, the only thing left to do is sniff the packets from Tunnelbroker, capture them to a file on the Mikrotik, and open the capture file in Wireshark.

Perhaps you can poke around in that.

As far as I can tell, you should put 192.168.100.2 as the local IP of your tunnel, and it should work.
If you want, you can build the other end of my test tunnel on your router and we can see if it comes live or not.
I'm not routing any prefixes over it or anything, and I have firewall rules in place so you can't go into my LAN through the tunnel or anything, but at least you should be able to ping the link-local address of my end of the tunnel. (check IPv6 neighbors to see it)
Edit
My local address has been configured as 192.168.100.2 since the beginning. Actually, only by doing this does the interface get the status running. Perhaps it is a validation by Mikrotik to check if the configured local-address field contains any local interface address. It makes some sense, but it is a personal thought. When I had a PPPoE connection, I could put the valid IP address and it worked pretty well.

I've tested as your suggestion and it didn't get your link-local address on my neighbors. Maybe some ND configuration missing in my router?

Also torched the interface looking for the HE address and didn't get any packet coming from them. BTW I don't know the keepalive configured on their side, but I think it would be less than a minute, which is the time I spent looking for it.
 
LuizMeier

Re: Tunnel Broker IPv6

Wed Jan 27, 2016 3:34 pm

Well, the only thing left to do is sniff the packets from Tunnelbroker, capture them to a file on the Mikrotik, and open the capture file in Wireshark.

Perhaps you can poke around in that.

As far as I can tell, you should put 192.168.100.2 as the local IP of your tunnel, and it should work.
If you want, you can build the other end of my test tunnel on your router and we can see if it comes live or not.
I'm not routing any prefixes over it or anything, and I have firewall rules in place so you can't go into my LAN through the tunnel or anything, but at least you should be able to ping the link-local address of my end of the tunnel. (check IPv6 neighbors to see it)
Edit
My local address has been configured as 192.168.100.2 since the beginning. Actually, only by doing this does the interface get the status running. Perhaps it is a validation by Mikrotik to check if the configured local-address field contains any local interface address. It makes some sense, but it is a personal thought. When I had a PPPoE connection, I could put the valid IP address and it worked pretty well.

I've tested as your suggestion and it didn't get your link-local address on my neighbors. Maybe some ND configuration missing in my router?

Also torched the interface looking for the HE address and didn't get any packet coming from them. BTW I don't know the keepalive configured on their side, but I think it would be less than a minute, which is the time I spent looking for it.
Did the sniff and found something strange: my router apparently is not responding to the 41 packets. Below is the print.

And I'm allowing the 41 packets (it shows ipv6 on the CLI, but in the interface it is filled with 41):
/ip firewall filter
add chain=input comment=HE protocol=ipv6
add chain=output protocol=ipv6
 
ZeroByte

Re: Tunnel Broker IPv6

Wed Jan 27, 2016 4:47 pm

Your keepalive setting shouldn't break the tunnel even if it doesn't match the value (if any) set on HE's end, because it's like a ping. Your side pings their side, and if you get replies then it stays up, as far as your router is concerned. PPP is this way - one side can do "no keepalive" and the other side can do "keepalive 15 seconds" and this will work. It's not like OSPF where both sides have to agree on the hello interval and so forth.

I went ahead and added a /64 address of 2001:db8:1:1::10/64 to my side - feel free to static-assign anything else from that /64 for your end - just in case it wants an address to work (but I don't think this is necessary)
 
LuizMeier

Re: Tunnel Broker IPv6

Wed Jan 27, 2016 6:20 pm

Your keepalive setting shouldn't break the tunnel even if it doesn't match the value (if any) set on HE's end, because it's like a ping. Your side pings their side, and if you get replies then it stays up, as far as your router is concerned. PPP is this way - one side can do "no keepalive" and the other side can do "keepalive 15 seconds" and this will work. It's not like OSPF where both sides have to agree on the hello interval and so forth.

I went ahead and added a /64 address of 2001:db8:1:1::10/64 to my side - feel free to static-assign anything else from that /64 for your end - just in case it wants an address to work (but I don't think this is necessary)
Tried to reach your IPv6, but no success. I don't even get your router on my neighbors.

Might it be some configuration error? Should I pay attention to this Wireshark "error"?

Below I'm posting my 6to4 configs:
/interface 6to4
add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive local-address=192.168.100.2 mtu=1280 \
name=sit1 remote-address=your.ip.address.here
Is there any setting that you want to see and I didn't post?
 
ZeroByte

Re: Tunnel Broker IPv6

Wed Jan 27, 2016 7:25 pm

Is there any setting that you want to see and I didn't post?
Go ahead and configure IPv6 address 2001:db8:1:1::1/64 on the tunnel interface.

I notice that when my router sends the keepalives, it's from and to :: and the protocol version is set to 0 like you see in the wireshark analysis.

I'm also receiving replies from your public IP:
ICMP Destination Unreachable (Port Unreachable)
 
LuizMeier

Re: Tunnel Broker IPv6

Wed Jan 27, 2016 7:47 pm

Is there any setting that you want to see and I didn't post?
Go ahead and configure IPv6 address 2001:db8:1:1::1/64 on the tunnel interface.

I notice that when my router sends the keepalives, it's from and to :: and the protocol version is set to 0 like you see in the wireshark analysis.

I'm also receiving replies from your public IP:
ICMP Destination Unreachable (Port Unreachable)
Try to reach me now. I changed the tunnel before to do some tests.

I have the 2001:db8:1:1::1/64 now set on my tunnel interface.
 
ZeroByte

Re: Tunnel Broker IPv6

Wed Jan 27, 2016 8:00 pm

I have the 2001:db8:1:1::1/64 now set on my tunnel interface.
Okay - I disabled keepalives on my end, and I now have a ping running to 2001:db8:1:1::1 from 2001:db8:1:1::10

The packets look like this:
Untitledxxx.png
Make this the first rule in the IPv4 filter chain:
/ip firewall filter add chain=input src-address=x.x.x.95 (my public IP)

Make this the first rule in the IPv6 filter chain:
/ipv6 firewall filter add chain=input in-interface=sit1 (or whatever interface is your tunnel interface)

I assume that you have no output filters - but if you do, whitelist my IP and the sit1 interface there as well.
 
LuizMeier

Re: Tunnel Broker IPv6

Wed Jan 27, 2016 8:13 pm

I have the 2001:db8:1:1::1/64 now set on my tunnel interface.
Okay - I disabled keepalives on my end, and I now have a ping running to 2001:db8:1:1::1 from 2001:db8:1:1::10

The packets look like this:
Untitledxxx.png
Make this the first rule in the IPv4 filter chain:
/ip firewall filter add chain=input src-address=x.x.x.95 (my public IP)

Make this the first rule in the IPv6 filter chain:
/ipv6 firewall filter add chain=input in-interface=sit1 (or whatever interface is your tunnel interface)

I assume that you have no output filters - but if you do, whitelist my IP and the sit1 interface there as well.
I was already seeing your ping packets coming in. Did you get the answers?

Just did the firewall settings you've asked for. Try again, please.
 
ZeroByte

Re: Tunnel Broker IPv6

Wed Jan 27, 2016 8:29 pm

I've left it running non-stop.

Do you see the replies leaving your router? I'm not getting replies from you.
 
LuizMeier

Re: Tunnel Broker IPv6

Wed Jan 27, 2016 8:43 pm

I've left it running non-stop.

Do you see the replies leaving your router? I'm not getting replies from you.
I don't see the packets being replied, only the requests. That must be some firewall problem.

sit2 is your tunnel.
/ipv6 firewall filter
add chain=input comment=ZeroByte in-interface=sit2
add chain=output out-interface=sit2
add chain=input comment=PingV6 protocol=icmpv6
add chain=input protocol=ipv6
add chain=input comment="Established and Related" connection-state=established
add chain=input connection-state=related
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=input comment=Winbox dst-port=8291 protocol=tcp

[admin@MikroTik] > ip firewall filter export
/ip firewall filter
add chain=input comment=ZeroByte src-address=67.177.68.95
add chain=output dst-address=67.177.68.95
add chain=input comment=HE protocol=ipv6
add chain=output protocol=ipv6
add chain=input comment="Permit ICMP" protocol=icmp
add action=fasttrack-connection chain=forward comment="Forward FastTrack" connection-state=established,related
add chain=input comment="Accept related input connections" connection-state=established,related
add chain=forward comment="Accept related forward connections" connection-state=established,related
add chain=input comment=Winbox dst-port=8291 protocol=tcp
add chain=input comment=RemoteAdministration dst-address=192.168.0.254 dst-port=80 in-interface=ether1-gateway protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
 
ZeroByte

Re: Tunnel Broker IPv6

Wed Jan 27, 2016 9:30 pm

After looking in the router itself and doing some packet capture on the ether1-gateway interface, I see the protocol 41 packets being sent to the Internet and they look correct (both for ping replies and for keepalive packets)

I'm not seeing these packets arrive at my router, so obviously they're being dropped by something upstream from your Mikrotik.

It looks like either your Huawei router is blocking the outbound packets, or else the ISP is doing that.

It's possible that the outbound packets aren't getting source-nat done on them, so the private IP of your Mikrotik is being exposed and the ISP (or some backbone on the Internet) is dropping the packets because they have a private source IP.

I think the Mikrotik is completely configured correctly.
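As an added example (not code from the thread or from MikroTik), a small Python decoder that checks captured IPv4 frames for exactly the points raised above and in the HE FAQ quoted earlier: whether a frame is IP protocol 41, whether its outer source is a private or CGNAT address that was never source-NATed, whether the inner header is real IPv6 or the version-0 / :: keepalive ZeroByte noticed in Wireshark, and whether an ICMP Port Unreachable came back instead of a tunnel reply. The sample frames are constructed inline; 203.0.113.14 and 198.51.100.7 are documentation addresses standing in for the tunnel endpoints, and the 2001:db8:1:1::/64 addresses are the ones the thread's test tunnel used.

```python
import ipaddress
import struct

PROTO_ICMP = 1
PROTO_IPV6_ENCAP = 41          # shown as "ipv6" in the RouterOS CLI, 41 on the wire
IPV4_HDR = "!BBHHHBBH4s4s"     # 20-byte IPv4 header without options
IPV6_HDR = "!IHBB16s16s"       # 40-byte fixed IPv6 header
# Outer sources an ISP will not route: RFC 1918 plus the CGNAT 100.64/10 range
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src, dst, next_header=58, version=6):
    """IPv6 header with empty payload; version is a parameter so the keepalive
    oddity from the thread (version 0, :: to ::) can be reproduced."""
    return struct.pack(IPV6_HDR, version << 28, 0, next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def classify(frame):
    """Describe one IPv4 frame from the tunnel's point of view."""
    if len(frame) < 20:
        raise ValueError("truncated IPv4 header")
    f = struct.unpack(IPV4_HDR, frame[:20])
    ver_ihl, proto = f[0], f[6]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 frame")
    src = ipaddress.IPv4Address(f[8])
    payload = frame[(ver_ihl & 0x0F) * 4:]
    info = {
        "proto": proto,
        "outer_src": str(src),
        "outer_dst": str(ipaddress.IPv4Address(f[9])),
        # A private/CGNAT outer source means the NAT box never translated the
        # packet; the ISP (or a backbone) drops it, as the thread concluded.
        "src_unroutable": any(src in net for net in UNROUTABLE),
        "kind": "other",
    }
    if proto == PROTO_IPV6_ENCAP and len(payload) >= 40:
        inner = struct.unpack(IPV6_HDR, payload[:40])
        in_src, in_dst = ipaddress.IPv6Address(inner[4]), ipaddress.IPv6Address(inner[5])
        info.update(inner_src=str(in_src), inner_dst=str(in_dst), inner_next_header=inner[2])
        version = inner[0] >> 28
        if version == 6:
            info["kind"] = "6in4"
        elif version == 0 and int(in_src) == 0 and int(in_dst) == 0:
            info["kind"] = "6in4-keepalive"     # the "version 0" frames Wireshark flagged
        else:
            info["kind"] = "6in4-malformed"
    elif proto == PROTO_ICMP and len(payload) >= 2:
        # type 3 / code 3 is the Destination Unreachable (Port Unreachable) seen in the thread
        info["kind"] = "icmp-port-unreachable" if payload[0] == 3 and payload[1] == 3 else "icmp"
    return info


def diagnose(frame):
    """One-line verdict for a frame, in the order a troubleshooter would check."""
    info = classify(frame)
    if info["kind"].startswith("6in4") and info["src_unroutable"]:
        return "protocol 41 frame with private/CGNAT outer source: not source-NATed, upstream will drop it"
    if info["kind"] == "6in4-keepalive":
        return "6to4 keepalive (inner IPv6 version 0, :: to ::): a liveness probe, not a tunnel fault"
    if info["kind"] == "icmp-port-unreachable":
        return "ICMP Port Unreachable instead of a tunnel reply: the far device refused the protocol 41 packet"
    if info["kind"] == "6in4":
        return "protocol 41 frame carrying IPv6 %s -> %s" % (info["inner_src"], info["inner_dst"])
    return "not tunnel traffic (IP protocol %d)" % info["proto"]


# Constructed sample frames (not captures from the thread). 203.0.113.14 stands in
# for the tunnel server, 198.51.100.7 for the customer's public IP after NAT.
SAMPLES = {
    # Keepalive leaving the MikroTik with its LAN address still on the outside
    # (next header 59 is a constructed value, not one observed in the thread).
    "keepalive_not_natted": build_ipv4("192.168.100.2", "203.0.113.14", PROTO_IPV6_ENCAP,
                                       build_ipv6("::", "::", next_header=59, version=0)),
    # Correctly NATed ICMPv6 echo across the thread's 2001:db8:1:1::/64 test tunnel.
    "echo_request": build_ipv4("198.51.100.7", "203.0.113.14", PROTO_IPV6_ENCAP,
                               build_ipv6("2001:db8:1:1::1", "2001:db8:1:1::10")),
    # What came back from the public IP instead: ICMP type 3, code 3.
    "port_unreachable": build_ipv4("198.51.100.7", "203.0.113.14", PROTO_ICMP,
                                   bytes([3, 3, 0, 0, 0, 0, 0, 0])),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print("%-22s %s" % (name, diagnose(frame)))
```

To run it against a real capture from the Mikrotik's `/tool sniffer`, feed each IPv4 packet's bytes (Ethernet header stripped) to `diagnose`.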
 
LuizMeier

Re: Tunnel Broker IPv6

Wed Jan 27, 2016 9:42 pm

After looking in the router itself and doing some packet capture on the ether1-gateway interface, I see the protocol 41 packets being sent to the Internet and they look correct (both for ping replies and for keepalive packets)

I'm not seeing these packets arrive at my router, so obviously they're being dropped by something upstream from your Mikrotik.

It looks like either your Huawei router is blocking the outbound packets, or else the ISP is doing that.

It's possible that the outbound packets aren't getting source-nat done on them, so the private IP of your Mikrotik is being exposed and the ISP (or some backbone on the Internet) is dropping the packets because they have a private source IP.

I think the Mikrotik is completely configured correctly.
That is really strange. I can't see why the outbound packets would be ignored by the srcnat.
 
ZeroByte

Re: Tunnel Broker IPv6

Wed Jan 27, 2016 9:51 pm

That is really strange. I can't see why the outbound packets would be ignored by the srcnat.
You can confirm by doing a packet capture upstream from the router - but I'm guessing it's a DSL router, so no dice there...

I think this is the end of the line as far as my ability to assist goes anyway. FWIW your settings look good, so if you do the same thing on the HE tunnel interface, you should be able to test ping them just like this - I'm going to remove my end's settings now, so feel free to rip out our test stuff on your router as well.

Sorry this didn't end up in things working, but it's quite obvious that your Mikrotik is set up properly.
 
LuizMeier

Re: Tunnel Broker IPv6

Wed Jan 27, 2016 9:58 pm

That is really strange. I can't see why the outbound packets would be ignored by the srcnat.
You can confirm by doing a packet capture upstream from the router - but I'm guessing it's a DSL router, so no dice there...

I think this is the end of the line as far as my ability to assist goes anyway. FWIW your settings look good, so if you do the same thing on the HE tunnel interface, you should be able to test ping them just like this - I'm going to remove my end's settings now, so feel free to rip out our test stuff on your router as well.

Sorry this didn't end up in things working, but it's quite obvious that your Mikrotik is set up properly.
I really appreciate your help, and as far as I can see, there are no karma recommendations anymore. If so, I would recommend you.

I will do some tests at night with my company's router, which has a link equal to mine, but still with a bridged modem and a Mikrotik dialing the pppoe. At least I can see if the real problem is the private address or some dropping on ISP backbone.

Thank you!
 
LuizMeier

Re: Tunnel Broker IPv6

Thu Jan 28, 2016 4:33 pm

That is really strange. I can't see why the outbound packets would be ignored by the srcnat.
You can confirm by doing a packet capture upstream from the router - but I'm guessing it's a DSL router, so no dice there...

I think this is the end of the line as far as my ability to assist goes anyway. FWIW your settings look good, so if you do the same thing on the HE tunnel interface, you should be able to test ping them just like this - I'm going to remove my end's settings now, so feel free to rip out our test stuff on your router as well.

Sorry this didn't end up in things working, but it's quite obvious that your Mikrotik is set up properly.
I really appreciate your help, and as far as I can see, there are no karma recommendations anymore. If there were, I would recommend you.

I will do some tests at night with my company's router, which has a link equal to mine, but still with a bridged modem and a Mikrotik dialing the pppoe. At least I can see if the real problem is the private address or some dropping on the ISP backbone.

Thank you!
Just to give some feedback, I did the test with another circuit, but with a bridged modem. No success either.

I did another test with another ISP, bridged modem, and the tunnel worked perfectly. I think I can now be sure about my ISP blocking the protocol.
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Tunnel Broker IPv6

Thu Jan 28, 2016 4:47 pm

I think I can now be sure about my ISP blocking the protocol.
Some people use IPv6 to get around administrative blocks for things. (I used to get several teredo peers on Bittorrent, for instance).
Maybe that's why they're blocking it - or else they have a curmudgeonly old chief engineer who wants to follow the same rules of thumb that were done back in the 90s or something.
 
LuizMeier
Member Candidate
Member Candidate
Topic Author
Posts: 104
Joined: Tue Sep 25, 2012 11:57 pm
Location: Curitiba, PR - Brasil

Re: Tunnel Broker IPv6

Thu Jan 28, 2016 6:43 pm

I think I can now be sure about my ISP blocking the protocol.
Some people use IPv6 to get around administrative blocks for things. (I used to get several teredo peers on Bittorrent, for instance).
Maybe that's why they're blocking it - or else they have a curmudgeonly old chief engineer who wants to follow the same rules of thumb that were done back in the 90s or something.
They offer the best connection in my region for domestic users. Starting to shape or block protocols would be a little dumb by now. Or they are running low on bandwidth.
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Tunnel Broker IPv6

Thu Jan 28, 2016 7:04 pm

For giggles, you could test on "other ISP / NAT router modem" mode - and that would remove all doubt if this also works, and the other ISP's router is the same make/model as yours.
 
LuizMeier
Member Candidate
Member Candidate
Topic Author
Posts: 104
Joined: Tue Sep 25, 2012 11:57 pm
Location: Curitiba, PR - Brasil

Re: Tunnel Broker IPv6

Thu Jan 28, 2016 7:32 pm

For giggles, you could test on "other ISP / NAT router modem" mode - and that would remove all doubt if this also works, and the other ISP's router is the same make/model as yours.
Damn!

When I tested with my ISP, but with a bridged modem, I made a mistake. I forgot to create a rule to force the traffic to HE to leave my Mikrotik through the same interface declared in the tunnel.

So, summarizing the tests:
1) My ISP with bridged modem: works;
2) Another ISP, routed: works;
3) Another ISP, bridged: works;
4) My ISP, routed, not mine: WORKS! (Just tested on another circuit identical to mine, and it worked!)

Only mine doesn't work!

:?
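The test matrix above boils down to two questions that a packet capture on the Mikrotik's WAN interface answers directly: does any protocol-41 (6in4) traffic leave towards the tunnel server at all, and does anything come back? The first failing means the problem is on the router itself (wrong egress interface, route or NAT, exactly the mistake described in this post); the second means something between the router and HE is not passing protocol 41 (the NAT modem or the ISP, per the HE FAQ quoted earlier). The following is an added example in Python, not code from this thread, from MikroTik or from Hurricane Electric. It builds constructed 6in4 packets (the IPv4 and IPv6 tunnel endpoints are the ones shown in the thread; the "10.0.0.2" second-WAN address is invented for the wrong-egress case), parses them the way a capture tool would, and returns a verdict for each scenario. Run it against real packets by feeding `diagnose()` the raw IPv4 frames from a capture instead of `sample_capture()`.

```python
"""Classify captured IPv4 packets to separate a local egress problem from
upstream protocol-41 filtering. All packets here are constructed; nothing is
captured or sent on the wire."""
import socket
import struct

PROTO_IPV6_ENCAP = 41     # IPv4 protocol number for 6in4 (IPv6 carried directly in IPv4)
ICMPV6_ECHO_REQUEST = 128
ICMPV6_ECHO_REPLY = 129
NEXT_HEADER_ICMPV6 = 58

# Endpoints from the thread's tunnel configuration; 10.0.0.2 is a constructed
# second-WAN address used only to model traffic leaving the wrong interface.
LOCAL4, SERVER4 = "192.168.100.2", "209.51.161.14"
CLIENT6, SERVER6 = "2001:470:1f06:a84::2", "2001:470:1f06:a84::1"
WRONG_WAN4 = "10.0.0.2"


def checksum16(data: bytes) -> int:
    """One's-complement checksum used by IPv4 and ICMPv6 (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmpv6_echo(src6: str, dst6: str, kind: int, ident: int = 1, seq: int = 1) -> bytes:
    """Return a complete IPv6 packet carrying an ICMPv6 echo request or reply."""
    s = socket.inet_pton(socket.AF_INET6, src6)
    d = socket.inet_pton(socket.AF_INET6, dst6)
    body = struct.pack("!BBHHH", kind, 0, 0, ident, seq)          # type, code, csum, id, seq
    pseudo = s + d + struct.pack("!IxxxB", len(body), NEXT_HEADER_ICMPV6)
    body = body[:2] + struct.pack("!H", checksum16(pseudo + body)) + body[4:]
    hdr = struct.pack("!IHBB", 6 << 28, len(body), NEXT_HEADER_ICMPV6, 64) + s + d
    return hdr + body


def build_6in4(src4: str, dst4: str, inner: bytes) -> bytes:
    """Wrap an IPv6 packet in an IPv4 header with protocol 41, as a 6in4 tunnel does."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0x4000, 64,
                      PROTO_IPV6_ENCAP, 0,
                      socket.inet_aton(src4), socket.inet_aton(dst4))
    hdr = hdr[:10] + struct.pack("!H", checksum16(hdr)) + hdr[12:]
    return hdr + inner


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the outer IPv4 header; for protocol 41 also decode the inner IPv6 header."""
    ihl = (pkt[0] & 0x0F) * 4
    if checksum16(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    info = {"src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9]}
    if info["proto"] == PROTO_IPV6_ENCAP:
        inner = pkt[ihl:]
        body = inner[40:]
        pseudo = inner[8:40] + struct.pack("!IxxxB", len(body), inner[6])
        info["inner_src"] = socket.inet_ntop(socket.AF_INET6, inner[8:24])
        info["inner_dst"] = socket.inet_ntop(socket.AF_INET6, inner[24:40])
        info["inner_next"] = inner[6]
        info["inner_csum_ok"] = checksum16(pseudo + body) == 0
    return info


def diagnose(packets, local4: str, server4: str) -> str:
    """Verdict for a capture taken on the router's WAN interface:
    'no-outbound' -> no 6in4 leaves towards the server: route/egress/NAT on the router itself
    'no-return'   -> 6in4 leaves but nothing comes back: NAT appliance or ISP not passing protocol 41
    'ok'          -> protocol-41 traffic seen in both directions
    """
    outbound = inbound = 0
    for raw in packets:
        p = parse_ipv4(raw)
        if p["proto"] != PROTO_IPV6_ENCAP:
            continue
        if p["src"] == local4 and p["dst"] == server4:
            outbound += 1
        elif p["src"] == server4 and p["dst"] == local4:
            inbound += 1
    if outbound == 0:
        return "no-outbound"
    if inbound == 0:
        return "no-return"
    return "ok"


def sample_capture(with_reply: bool = False, wrong_egress: bool = False):
    """Constructed capture: two echo requests out, optionally one reply back.
    wrong_egress models the requests leaving from another WAN's address."""
    src4 = WRONG_WAN4 if wrong_egress else LOCAL4
    pkts = [build_6in4(src4, SERVER4, build_icmpv6_echo(CLIENT6, SERVER6, ICMPV6_ECHO_REQUEST, seq=n))
            for n in (1, 2)]
    if with_reply:
        pkts.append(build_6in4(SERVER4, LOCAL4,
                               build_icmpv6_echo(SERVER6, CLIENT6, ICMPV6_ECHO_REPLY, seq=1)))
    return pkts


if __name__ == "__main__":
    for label, cap in (("ISP/modem drops 41", sample_capture()),
                       ("tunnel working", sample_capture(with_reply=True)),
                       ("wrong egress interface", sample_capture(wrong_egress=True))):
        print(f"{label:24s} -> {diagnose(cap, LOCAL4, SERVER4)}")
```

The verdict only distinguishes the two failure classes the thread was circling around; it says nothing about why the ISP or modem drops protocol 41. In the NAT-modem case the capture point matters: on the Mikrotik's side of the modem the inbound packets are addressed to the private WAN address, so `local4` must be that private address, as in the thread's configuration.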
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Tunnel Broker IPv6

Thu Jan 28, 2016 8:29 pm

All signs point to your router.
Can you haxx0r into it and set it to bridged mode?
 
LuizMeier
Member Candidate
Member Candidate
Topic Author
Posts: 104
Joined: Tue Sep 25, 2012 11:57 pm
Location: Curitiba, PR - Brasil

Re: Tunnel Broker IPv6

Thu Jan 28, 2016 8:37 pm

All signs point to your router.
Can you haxx0r into it and set it to bridged mode?
This modem has the WAN parts of the configuration disabled for end users. I've been looking at it and it may be possible to edit the code with the browser. I'm a little afraid of losing the equipment, but I think in the end I'll probably try it, ahaha!
