/interface 6to4
add clamp-tcp-mss=no comment="Hurricane Electric IPv6-tunnel" !keepalive \
local-address=w.x.y.z mtu=1480 name=heipv6 remote-address=\
a.b.c.d
/ip neighbor discovery
set heipv6 comment="Hurricane Electric IPv6-tunnel" discover=no
/ip firewall filter
add chain=input comment="IPv6 tunnel (protocol 41)" in-interface=\
ether1-gateway protocol=ipv6 src-address=a.b.c.d
/ipv6 address
add address=2001:p:q:r::2 advertise=no interface=heipv6
add address=2001:k:l:m::1 interface=bridge-local
/ip firewall filter
add chain=input comment="IPv6 tunnel (protocol 41)" in-interface=\
ether1-gateway protocol=ipv6 src-address=a.b.c.d
> Thanks - that is almost done, but I don't have in protocol - ipv6.
> When I tried to put ipv6 it is in red, while 41 is accepted,
In the web interface you just enter the number 41, that's correct.

> but don't see any ipv6 comment.
I don't understand what you mean.
/ip firewall filter
add chain=input comment="IPv6 tunnel (protocol 41)" in-interface=\
ether1-gateway protocol=ipv6 src-address=a.b.c.d
> I'm just wondering how to connect my IPv6 internal address to my external IPv6 address (64-bit class)?
You don't have to. Hurricane delivers traffic to your /64 at your tunnel endpoint (i.e. 2001:p:q:r::2) and the MikroTik routes it to your LAN. Don't forget: with IPv6 there is no NAT anymore. All your addresses are public.
/ipv6 route
add disabled=no distance=1 dst-address=::/0 gateway=2001:p:q:r::1
> After running the firewall for IPv6, how do I open selected devices from an internal IPv6 to an external IPv6 address?
By adding additional rules. Your basic forward chain could look like this:
/ipv6 firewall filter
add action=accept chain=forward comment="icmpv6" protocol=icmpv6
add action=accept chain=forward comment="allow access to this single host on the LAN"\
dst-address=2001:k:l:m:aa:bb:cc:dd/128 in-interface=heipv6
add action=accept chain=forward comment=established connection-state=established
add action=accept chain=forward comment=related connection-state=related
add action=drop chain=forward comment=invalid connection-state=invalid
add action=reject chain=forward comment="reject other incoming traffic to LAN"\
in-interface=heipv6 reject-with=icmp-admin-prohibited
# ADDRESS DUID SERVER STATUS
0 2001:XXX:XX:XXX::/64 0xffffff server_dhcpipv6 waiting
# NAME INTERFACE ADDRESS-POOL PREFERENCE LEASE-TIME
0 server_dhcpipv6 ether3 pool_ipv6 255 3d
/ipv6 address
add address=2001:x:x:x::1 interface=<lan>
/ipv6 nd prefix default
set autonomous=yes
/ipv6 nd
set [ find default=yes ] managed-address-configuration=no other-configuration=no
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
# ADDRESS FROM-POOL INTERFACE ADVERTISE
0 G 2001:XXX:XX:XXX::1/64 bridge-local yes
1 G 2001:XXX:XX:XXX::2/64 heipv6 no
2 DL fe80::4e5e:cff:fe43:8996/64 bridge-local no
3 DL fe80::4e5e:cff:fe43:8995/64 ether1-gateway no
4 DL fe80::fefd:0/64 heipv6 no
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : XXXX Realtek PXXXXXXXXXXXXXXXX
Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:XXX:XX:XXX:dda3:261a:aaac:4ab4(Preferred)
Temporary IPv6 Address. . . . . . : 2001:XXX:XX:XXX:11c:4ff9:9c4:49e9(Preferred)
Link-local IPv6 Address . . . . . : fe80::dda3:261a:aaac:4ab4%18(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.XX.XXX(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::4e5e:cff:fe43:8996%18
192.168.XX.XXX
DHCP Server . . . . . . . . . . . : 192.168.XX.XXX
DHCPv6 IAID . . . . . . . . . . . : 5XX2XXX5
DHCPv6 Client DUID. . . . . . . . : 00-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-14
DNS Servers . . . . . . . . . . . : 8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled
# ADDRESS FROM-POOL INTERFACE ADVERTISE
0 G 2001:XXX:XX:XXX::1/64 bridge-local yes
1 G 2001:XXX:XX:XXX::2/64 heipv6 no
/ipv6 route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
# DST-ADDRESS GATEWAY DISTANCE
0 A S ::/0 2001:XXX:XX:XXX::1 1
1 ADC 2001:XXX:XX:XXX::/64 heipv6 0
bridge-local
> The "XXX:XX:XXX" in 2001:XXX:XX:XXX::1 is not exactly the same as "XXX:XX:XXX" in 2001:XXX:XX:XXX::2, right?
The "XXX:XX:XXX" in 2001:XXX:XX:XXX::1 is exactly the same as the "XXX:XX:XXX" in 2001:XXX:XX:XXX::2.
/ipv6 address> print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
# ADDRESS FROM-POOL INTERFACE ADVERTISE
0 G 2001:XXX:XX:XXX::1/64 bridge-local yes
1 G 2001:XXX:XX:XXX::2/64 heipv6 no
2 DL fe80::4e5e:cff:fe43:8996/64 bridge-local no
3 DL fe80::4e5e:cff:fe43:8995/64 ether1-gateway no
4 DL fe80::fefd:0/64 heipv6 no
> Default Gateway . . . . . . . . . : fe80::4e5e:cff:fe43:8996%18
Note that this is one of those mysterious fe80:: addresses that keep "just appearing" on your router even after rebooting.
IPv6 Tunnel Endpoints
Server IPv6 Address:2001:XXX:X0:XXX::1/64
Client IPv6 Address:2001:XXX:X0:XXX::2/64
Routed IPv6 Prefixes
Routed /64:2001:XXX:X1:XXX::/64
/ipv6 address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
# ADDRESS FROM-POOL INTERFACE ADVERTISE
0 G 2001:XXX:X1:XXX::1/64 bridge-l... yes
1 G 2001:XXX:X0:XXX::2/64 heipv6 no
2 DL fe80::4e5e:cff:fe43:8996/64 bridge-l... no
3 DL fe80::4e5e:cff:fe43:8995/64 ether1-g... no
4 DL fe80::fefd:0/64 heipv6 no
/interface 6to4
add comment="IPv6 WAN" !keepalive local-address=A.B.C.D mtu=1280 name=sit1 remote-address=W.X.Y.Z
/ipv6 address
add address=2001:XXXX:XXXX:XXXX::2 advertise=no interface=sit1
add address=2001:XXXX:XXXY:XXXY:: interface=bridge-****
/ipv6 firewall address-list
add address=2001:XXXX:XXXY:XXXY::/64 list=home
/ipv6 firewall filter
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add chain=input comment="Allow limited ICMP" protocol=icmpv6
add chain=input comment="Allow UDP" protocol=udp
add action=drop chain=input
add chain=forward comment="Allow established connections" connection-state=established
add chain=forward comment="Allow related connections" connection-state=related
add action=drop chain=forward
/ipv6 nd prefix default
set preferred-lifetime=2m valid-lifetime=5m
/ipv6 route
add distance=1 dst-address=2000::/3 gateway=2001:XXXX:XXXX:XXXX::1
> Okay - now out of these 3, Mikrotik's DHCP server currently only supports prefix delegation mode.
It should support stateless mode specifically for DNS, it just doesn't work. It was completely broken in 6.34rc39 and probably for a long time before that (the DHCPv6 server refused information-request packets). Then I wrote to support and now the packet is accepted and a reply sent... but it does not contain DNS. I have yet to hear from support whether it's another bug, or if there's perhaps something wrong with my config (I don't see what it might be, unless there's some hidden option for a manual DNS address in the DHCPv6 configuration):
/ip dns
set allow-remote-requests=yes servers=2001:db8::2
/ipv6 nd
set [ find default=yes ] other-configuration=yes
/ipv6 address
add address=2001:db8::1 interface=ether3
/ipv6 dhcp-server
add interface=ether3 name=server1
> automatic DNS - for Windows - you can't with only a Mikrotik router.
I'm surprised that this is not supported by Windows 10.
Mikrotik's only way to assign DNS information is in the RA packets - so Mikrotik expects the SLAAC clients to use this information to configure their dns automatically as well. If you have an Apple device, you'll notice that these work. Windows doesn't use the dns information in SLAAC, which is why you're having to assign it manually.
Windows requires a DHCPv6 server in order to learn its dns information automatically.
DHCP servers come in 3 flavors for IPv6:
Prefix Delegation - assigns blocks of networks to clients so that the clients can then assign multiple LAN segments inside their network
Stateless - This is what SLAAC clients want to look for after making their address/default GW settings. This is like a bulletin board in the break room at the office. It has all of the informational options, such as ntp server, tftp server, etc... and of course DNS server. This server doesn't assign leases, hence the term 'stateless.'
Stateful - This is what most people think of when they think of DHCP server - it works pretty much like the IPv4 DHCP service - it has a pool of addresses that it uses to assign leases to clients.
Okay - now out of these 3, Mikrotik's DHCP server currently only supports prefix delegation mode.
In other words, you'll either need another device / server to do stateless DHCPv6 to announce to Windows clients what DNS server addresses they should use, or else you have to manually configure this in the Windows clients.
> /ipv6 nd prefix default
> set preferred-lifetime=2m valid-lifetime=5m
Setting preferred and valid lifetime to only minutes can be a very interesting exercise. Not all OSes like it. Especially when the difference between preferred and valid is higher.
Windows since Vista works fine with DHCPv6. It's just DNS in RA that Microsoft decided to boycott.
But unless you're building a pure IPv6-only network, it should not be a problem, because even a DNS server with an IPv4 address can answer queries about IPv6 records.
> In my case, unfortunately, without setting a fixed value for my PC's IPv6 DNS address, IPv6 sites didn't work at all.
> I have to put a fixed IPv6 DNS address to start browsing IPv6 web sites.
That's strange. I was (am) able to surf IPv6 sites just fine with an IPv4 DNS server address on my Windows 7 laptop.
/ipv6 dhcp-server print
Flags: D - dynamic, X - disabled, I - invalid
# NAME INTERFACE ADDRESS-POOL PREFERENCE LEASE-TIME
0 DHCP_ipv6_s... bridge-local my_ipv6_Pool 255 3d
/ipv6 pool print
Flags: D - dynamic
# NAME PREFIX PRE EXPIRES-AFTER
0 my_i... 2001:XXX:X1:XXX::/64 64
> According to your hint - "/ipv6 nd" - I found the problem, an additional line in ipv6 nd prefix ;-(
There should be one dynamic entry for bridge-local, it's created from your internal address with advertise=yes.
> If the client says there's no route, it probably does not have it. Check the routing table ("netsh interface ipv6 show route" for Windows, "ip -6 route" for Linux). And you also have to enable some forwarding in the router's firewall. Now you accept established and related connections, but there won't be any, because you block all new ones in any direction. So you probably want to enable everything from the LAN. And also ICMPv6, because IPv6 depends on it a lot.
It's not the client, but the router itself. I have a local-bridge for my LAN and WLAN. I gave the local-bridge the right IPv6 range. But if I ping from the local bridge interface to an IPv6 address, I get no route to host.
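To make the forward-chain problem in the quoted advice concrete, here is an added example, not code from the thread or from MikroTik: a small Python linter that parses RouterOS `/ipv6 firewall filter` rules and reports the two gaps in the rule set posted above (no ICMPv6 accepted in the forward chain, and no rule that lets new connections out of the LAN), as well as rules left unreachable behind an unconditional drop. It assumes `bridge-local` is the LAN interface; both sample rule sets are constructed, the first copied from the rules posted in this thread, the second the same intent with the missing rules added before the final drop.

```python
"""Lint a RouterOS "/ipv6 firewall filter" rule set for the mistakes discussed above.

Added example, not code from the thread or from MikroTik.  The sample rule sets
are constructed; "bridge-local" is assumed to be the LAN interface.
"""
import shlex

# Constructed sample 1: the rule set posted above.  The forward chain accepts
# only established/related and then drops everything, so no LAN flow ever starts.
POSTED_RULES = """
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add chain=input comment="Allow limited ICMP" protocol=icmpv6
add chain=input comment="Allow UDP" protocol=udp
add action=drop chain=input
add chain=forward comment="Allow established connections" connection-state=established
add chain=forward comment="Allow related connections" connection-state=related
add action=drop chain=forward
"""

# Constructed sample 2: same intent, with ICMPv6 and new-from-LAN accepted
# before the final drop.
FIXED_RULES = """
add chain=input comment="Allow established/related" connection-state=established,related
add chain=input comment="Allow ICMPv6 (ND, PMTUD)" protocol=icmpv6
add action=drop chain=input
add chain=forward comment="Allow established/related" connection-state=established,related
add chain=forward comment="Allow ICMPv6" protocol=icmpv6
add chain=forward comment="Allow new connections from LAN" connection-state=new in-interface=bridge-local
add action=drop chain=forward comment="Drop everything else"
"""

# Keys that do not narrow what a rule matches.
NON_MATCH_KEYS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}


def parse_rules(text):
    """Parse 'add key=value ...' lines into dicts (RouterOS defaults to action=accept)."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {"action": "accept"}
        for token in shlex.split(line[len("add "):]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def is_catch_all(rule):
    """True when the rule has no match conditions at all (it matches every packet)."""
    return not (set(rule) - NON_MATCH_KEYS)


def accepts_new_from_lan(rule, lan_interface):
    """Accept rule that lets a brand-new connection in from the LAN interface."""
    states = rule.get("connection-state")
    matches_new = states is None or "new" in states.split(",")
    from_lan = rule.get("in-interface") in (None, lan_interface)
    return rule["action"] == "accept" and matches_new and from_lan and "protocol" not in rule


def lint(rules, lan_interface):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    chains = {}
    for r in rules:
        if r.get("disabled") != "yes":
            chains.setdefault(r.get("chain"), []).append(r)

    # Rules placed after an unconditional drop/reject never run.
    reachable = {}
    for chain, chain_rules in chains.items():
        blocked_by = None
        reachable[chain] = []
        for r in chain_rules:
            if blocked_by is not None:
                findings.append(f"{chain}: rule {r.get('comment', r)!r} is unreachable, "
                                f"it follows an unconditional {blocked_by}")
                continue
            reachable[chain].append(r)
            if is_catch_all(r) and r["action"] in ("drop", "reject"):
                blocked_by = r["action"]

    for chain in ("input", "forward"):
        if not any(r["action"] == "accept" and r.get("protocol") == "icmpv6"
                   for r in reachable.get(chain, [])):
            findings.append(f"{chain}: no accept rule for icmpv6 (neighbor discovery and "
                            "Packet Too Big messages will be dropped)")
    forward = reachable.get("forward", [])
    if not any(accepts_new_from_lan(r, lan_interface) for r in forward):
        findings.append("forward: nothing accepts new connections from the LAN, so the "
                        "established/related rules can never match")
    if not any(is_catch_all(r) and r["action"] in ("drop", "reject") for r in forward):
        findings.append("forward: no final drop/reject, unmatched traffic is accepted")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        print(name, lint(parse_rules(text), "bridge-local") or ["ok"])
```

Run against the posted rules the linter reports exactly the two forward-chain gaps; against the fixed set it reports nothing. The parser treats a rule with no `connection-state` as matching every state, which is also how RouterOS evaluates it, so an accept rule without that key counts as allowing new connections.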
Make sure this is in IPv6 > routes:
dst=::/0 gateway=2001:db85678::1
(put the HE.net end of the WAN /64 instead of my example IP)
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
# DST-ADDRESS GATEWAY DISTANCE
0 A S ::/0 2001:470:YYYY:YYYY::1 1
1 ADC 2001:470:YYYY:YYYY::/64 6to4_1 0
2 ADC 2001:470:XXXX:1::/64 bridge-A 0
3 ADC 2001:470:XXXX:2::/64 bridge-B 0
4 ADC 2001:470:XXXX:3::/64 bridge-C 0
[XX@CoreRouter] /ipv6 nd print
Flags: X - disabled, I - invalid, * - default
0 * interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified
retransmit-interval=unspecified ra-lifetime=30m hop-limit=unspecified advertise-mac-address=yes
advertise-dns=yes managed-address-configuration=yes other-configuration=yes
[XX@CoreRouter] /ipv6 route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
# DST-ADDRESS GATEWAY DISTANCE
0 A S ::/0 2001:4XX:X0:XXX::1 1
1 ADC 2001:XXX:X0:XXX::/64 ether1-gateway 0
he
[XX@CoreRouter] /ipv6 address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
# ADDRESS FROM-POOL INTERFACE ADVERTISE
0 G 2001:XXX:X0:XXX::2/64 he no
1 G 2001:XXX:X0:XXX::1/64 ether1-gateway yes
2 DL fe80::AAAA:cff:fe43:8996/64 bridge-local no
3 DL fe80::BBBB:0/64 he no
4 DL fe80::AAAA:cff:fe43:8995/64 ether1-gateway no
[kp@CoreRouter] /ipv6 address>
> 1 G 2001:XXX:X0:XXX::1/64 ether1-gateway yes
> managed-address-configuration=yes other-configuration=yes
Also don't forget that with this config, clients will only try to get IPv6 addresses from a DHCPv6 server. And you can't use the one in RouterOS, because so far it can't provide addresses. So you probably want to use "no" for both options.
[XX@CoreRouter] /ipv6 nd print
Flags: X - disabled, I - invalid, * - default
0 * interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified
retransmit-interval=unspecified ra-lifetime=10m hop-limit=unspecified advertise-mac-address=yes
advertise-dns=yes managed-address-configuration=no other-configuration=no
[XX@CoreRouter] /ipv6 address> print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
# ADDRESS FROM-POOL INTERFACE ADVERTISE
0 G 2001:XXX:X0:XXX::2/64 he no
1 G 2001:XXX:X0:XXX::1/64 bridge-local no
2 DL fe80::AAAA:cff:fe43:8996/64 bridge-local no
3 DL fe80::fefd:0/64 he no
4 DL fe80::AAAA:cff:fe43:8995/64 ether1-gateway no
[XX@CoreRouter] /ipv6 route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
# DST-ADDRESS GATEWAY DISTANCE
0 A S 2000::/3 ether1-gateway 1
1 ADC 2001:XXX:X0:XXX::/64 he 0
bridge-local
> I wish people used address masking carefully (all, not just you).
You and me, both. Improper obfuscation can really make it hard to know how to interpret inconsistencies... (switching to IPv4 just 'cause it's shorter)
> Your 'default route' should use interface = he, not interface = ether1-gateway.
Thanks for this advice, I have changed it.
That's the static route:
2000::/3
[XX@CoreRouter] /ipv6 route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
# DST-ADDRESS GATEWAY DISTANCE
0 A S ::/0 ether1-gateway 1
1 ADC 2001:470:XX:XXX::/64 he 0
bridge-local
>ping 2620:0:1cfe:face:b00c::3
Pinging 2620:0:1cfe:face:b00c::3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
General failure.
> AFAIK you should have two different subnets from HE, one for the tunnel and one for your LAN.
Your config does not appear to be that way.
[XX@CoreRouter] /ipv6 address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
# ADDRESS FROM-POOL INTERFACE ADVERTISE
0 G 2001:470:X0:YYY::2/64 he no
1 G 2001:470:X1:YYY::1/64 bridge-local yes
2 DL fe80::AAAA:cff:fe43:8996/64 bridge-local no
3 DL fe80::fefd:0/64 he no
4 DL fe80::AAAA:cff:fe43:8995/64 ether1-gateway no
[XX@CoreRouter] /ipv6 route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
# DST-ADDRESS GATEWAY DISTANCE
0 A S ::/0 ether1-gateway 1
1 ADC 2001:470:X0:YYY::/64 he 0
2 ADC 2001:470:X1:YYY::/64 bridge-local 0
[kp@CoreRouter] /ipv6 route>
>ping 2620:0:1cfe:face:b00c::3
Pinging 2620:0:1cfe:face:b00c::3 with 32 bytes of data:
General failure.
General failure.
General failure.
General failure.
Ping statistics for 2620:0:1cfe:face:b00c::3:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
> Did you set the gateway to be interface ether1-gateway?
Yes, and now changed to 2001:470:X0:YYY::1
[XX@CoreRouter] > ipv6 route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
# DST-ADDRESS GATEWAY DISTANCE
0 A S ::/0 2001:470:X0:YYY::1 1
1 ADC 2001:470:X0:YYY::/64 he 0
2 ADC 2001:470:X1:YYY::/64 bridge-local 0
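The address-plan mistakes chased through the last several posts (LAN numbered out of the tunnel /64 instead of the routed /64, a LAN address that collides with the HE side of the tunnel, and a ::/0 route whose gateway is ether1-gateway instead of the HE address) can be checked mechanically before anything is pinged. The following is an added example, not code from the thread or from MikroTik. Its inputs are the two /64s shown on the tunnelbroker details page plus the router's own `/ipv6 address` and `/ipv6 route` values; the sample plans are constructed from the 2001:db8::/32 documentation prefix.

```python
"""Consistency check for a Hurricane Electric tunnel address plan on RouterOS.

Added example, not from the thread.  Sample values are constructed from the
documentation prefix 2001:db8::/32.
"""
import ipaddress


def check_he_tunnel(tunnel_local, tunnel_remote, routed_prefix, lan_address, default_gateway):
    """Return a list of findings for the plan; an empty list means it is consistent.

    tunnel_local    - router side of the tunnel /64 ("/ipv6 address" on the tunnel), e.g. 2001:db8:0:10::2/64
    tunnel_remote   - HE side of that same /64, e.g. 2001:db8:0:10::1
    routed_prefix   - the separate "Routed /64" HE allocates, e.g. 2001:db8:1:10::/64
    lan_address     - router address on the LAN bridge, e.g. 2001:db8:1:10::1/64
    default_gateway - gateway= of the ::/0 route: an address, or an interface name by mistake
    """
    findings = []
    local = ipaddress.IPv6Interface(tunnel_local)
    remote = ipaddress.IPv6Address(tunnel_remote)
    routed = ipaddress.IPv6Network(routed_prefix)
    lan = ipaddress.IPv6Interface(lan_address)

    if remote not in local.network:
        findings.append(f"tunnel: HE side {remote} is not inside the tunnel network {local.network}")
    if local.network.overlaps(routed):
        findings.append(f"prefixes: routed {routed} overlaps the tunnel {local.network}; "
                        "HE hands out two different /64s, one for the tunnel and one for the LAN")
    if lan.network != routed:
        findings.append(f"lan: {lan} is not taken from the routed prefix {routed}")
    if lan.ip == lan.network.network_address:
        findings.append(f"lan: {lan.ip} is the subnet-router anycast address; give the router "
                        "a host address such as ::1")
    if lan.ip == remote:
        findings.append(f"lan: router address {lan.ip} collides with the HE side of the tunnel")
    try:
        gateway = ipaddress.IPv6Address(default_gateway)
    except ValueError:
        # An interface name lands here: the ::/0 route must point at the HE address.
        findings.append(f"route: gateway {default_gateway!r} is an interface name; the ::/0 "
                        f"route needs the HE address {remote} as gateway")
    else:
        if gateway != remote:
            findings.append(f"route: ::/0 gateway {gateway} should be the HE side {remote}")
    return findings


# Constructed sample: tunnel /64 and routed /64 kept apart, gateway is the HE address.
GOOD_PLAN = dict(tunnel_local="2001:db8:0:10::2/64", tunnel_remote="2001:db8:0:10::1",
                 routed_prefix="2001:db8:1:10::/64", lan_address="2001:db8:1:10::1/64",
                 default_gateway="2001:db8:0:10::1")

# Constructed sample in the shape of the config debugged above: the LAN is numbered
# out of the tunnel /64 and the default route points at an interface.
BAD_PLAN = dict(tunnel_local="2001:db8:0:10::2/64", tunnel_remote="2001:db8:0:10::1",
                routed_prefix="2001:db8:0:10::/64", lan_address="2001:db8:0:10::1/64",
                default_gateway="ether1-gateway")

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_he_tunnel(**plan) or ["consistent"])
```

The bad plan produces three findings (prefix overlap, LAN address equal to the HE gateway, interface name as gateway). A LAN address written with an empty host part, as in one config earlier in the thread, is flagged separately as the subnet-router anycast address.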
/ipv6 firewall address-list
add address=2001:470:X0:YYY::/64 list=home
/ipv6 firewall filter
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add chain=input comment="Allow limited ICMP" protocol=icmpv6
add chain=input comment="Allow UDP" protocol=udp
add action=drop chain=input
add chain=forward comment="Allow established connections" connection-state=established
add chain=forward comment="Allow related connections" connection-state=related
add action=drop chain=forward
/ipv6 firewall address-list
add address=2001:470:X0:YYY::/64 list=home
/ipv6 firewall filter
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add chain=input comment="Allow limited ICMP" protocol=icmpv6
add chain=input comment="Allow UDP" protocol=udp
add action=drop chain=input
add chain=forward comment="Allow established connections" connection-state=established
> May I ask for any recommendation why the mikrotik.com IPv6 site is not working?
> Same thing with the IPv6 site netflix.com.
> The strange thing is that those sites are pinging on their IPv6 address properly.
> Rest of the known IPv6 sites which I'm using are working properly.
You may need to add "related" to the forward chain rule "allow established" (you can check both to YES in the same rule).
/ipv6 nd export
# may/05/2016 20:49:37 by RouterOS 6.35.1
# software id = AEFK-U9CX
#
/ipv6 nd
set [ find default=yes ] advertise-dns=yes other-configuration=yes ra-lifetime=10m
/ipv6 nd prefix
add autonomous=no interface=bridge-local on-link=no preferred-lifetime=5m prefix=::/0 valid-lifetime=infinity
/ipv6 nd prefix default
set preferred-lifetime=2d valid-lifetime=5d
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add action=drop chain=input
add chain=forward comment="Allow established connections" connection-state=established,related,new
add chain=forward comment="Allow related connections" connection-state=established,related
add chain=input comment="Allow limited ICMP" protocol=icmpv6
add chain=input comment="Allow UDP" disabled=yes protocol=udp
> (not the Mikrotik, which doesn't offer stateless dhcpv6 as far as I am aware)
It's there, it can provide DNS resolvers, see my posts in this thread for details. It has some problems and it's not very configurable, but it does something.
> I allow ICMP on my router's input chain - ICMPv6 is much more critical to IPv6 than ICMP is to v4. For instance, the "arp" function (now called ND - neighbor discovery) uses ICMPv6 to do its job, so you must at the very least accept ND requests or else nobody's going to be able to transmit data to you over an ethernet network. (I think you're using Tunnelbroker, which I think doesn't really require ND to work, but you should probably allow ICMPv6 for now.)
Fine, I have enabled icmpv6 in my firewall:
add chain=input comment="Allow limited ICMP" protocol=icmpv6
> On the ND configuration, you probably set other-configuration=no unless you have a DHCPv6 server on your network (not the Mikrotik, which doesn't offer stateless DHCPv6 as far as I am aware). This flag tells clients that they should discover a DHCPv6 server for more information such as DNS server(s), domain suffix, time server, TFTP server, etc... anything you'd normally add to a DHCP scope would be the type of thing in a stateless DHCPv6 server - except the address assignment and leasing portion.
Other configuration is set to Yes.
/ipv6 nd> print
Flags: X - disabled, I - invalid, * - default
0 * interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified
retransmit-interval=unspecified ra-lifetime=10m hop-limit=unspecified advertise-mac-address=yes
advertise-dns=yes managed-address-configuration=no other-configuration=yes
> Also realize that your PC/tablet/device could be preferring IPv4 over IPv6 - just because netflix and mikrotik.com have IPv6 available doesn't mean your computer is going to connect to them using IPv6. Your computer is going to do a DNS resolution on the host names, and get back some combination of A and AAAA records. If it gets only one, then it must use that protocol to connect. If it gets both, then it may decide on its own whether it would rather use v6 or v4.
Because I'm having problems with IPv6, I have set a fixed DNSv6 on my IPv6 connection - 2001:470:20::2 (HE DNS).
> Maybe your device is following RFC 6555 - "Happy Eyeballs" - and Netflix/Mikrotik happen to respond faster over IPv4.... I used to use http://myipv6address.com/ and often would get my IPv4 address back even when I knew good and well that my IPv6 was working properly. http://ipquail.com/ shows both addresses at once, and would still show my v6 address right after the first site only showed my v4 address. In that case, my computer was preferring IPv4 over IPv6. I could come back later and it would prefer v6, and I've never quite figured out what the difference was.
I'm passing all IPv6 tests and I'm getting an external IPv6 address.
Pinging netflix.com [2620:108:700f::36d6:494] with 32 bytes of data:
Reply from 2620:108:700f::36d6:494: time=183ms
Reply from 2620:108:700f::36d6:494: time=184ms
Pinging mikrotik.com [2a02:610:7501:1000::2] with 32 bytes of data:
Reply from 2a02:610:7501:1000::2: time=18ms
Reply from 2a02:610:7501:1000::2: time=18ms
> If pings work but not HTTP, then you probably have an MTU problem. Try pinging with a full-MTU-sized packet and the DF flag set. If that also fails, then it's MTU.
My PPPoE MTU is 1500 and the HE interface MTU is the same, 1500.
> > If pings work but not HTTP, then you probably have an MTU problem. Try pinging with a full-MTU-sized packet and the DF flag set. If that also fails, then it's MTU.
> My PPPoE MTU is 1500 and the HE interface MTU is the same, 1500.
If PMTU discovery is broken somewhere else on the Internet, then there may not be anything you can do.
How to do this check?
BTW: many other web pages are working correctly - like
https://ipv6.google.com
> You could try to do a mangle rule with clamp-mss to something like 1200 just to see if anything changes.
Can you give me the code to run this mangle rule?
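The check asked about above (a full-MTU ping that must not be fragmented) and the MSS value a clamp rule should carry, as an added example that is not code from the thread or from MikroTik. It assumes iputils ping on Linux (`ping -6 -M do -s`) and the built-in ping on Windows (`ping -6 -l`), takes the 1480-byte tunnel MTU from the first post as its default, uses 2001:db8::1 as a placeholder target, and the RouterOS mangle line it prints assumes the `/ipv6 firewall mangle ... action=change-mss new-mss=` syntax, which should be checked against the running RouterOS version.

```python
"""Path-MTU probe for an IPv6 tunnel, plus the matching MSS clamp value.

Added example, not from the thread.  Assumes iputils ping on Linux and the
built-in ping on Windows; ping is only invoked from run_probe().
"""
import subprocess
import sys

IPV6_HEADER = 40   # fixed IPv6 header
ICMPV6_HEADER = 8  # echo request/reply header
TCP_HEADER = 20    # TCP header without options


def icmpv6_payload_for(mtu):
    """Largest echo payload that still fits one IPv6 packet of `mtu` bytes."""
    return mtu - IPV6_HEADER - ICMPV6_HEADER


def tcp_mss_for(mtu):
    """MSS that keeps a full TCP segment within `mtu` (what a clamp rule should set)."""
    return mtu - IPV6_HEADER - TCP_HEADER


def probe_command(host, mtu, platform=sys.platform):
    """Build a ping that sends full-MTU-sized packets without fragmenting them."""
    size = str(icmpv6_payload_for(mtu))
    if platform.startswith("win"):
        # Windows ping: -6 forces IPv6, -l sets the payload size.  IPv6 has no DF bit;
        # only the sender may fragment, and Windows reports "needs to be fragmented"
        # when a Packet Too Big comes back (assumption: Windows' -f is IPv4-only).
        return ["ping", "-6", "-n", "3", "-l", size, host]
    # iputils ping: -M do prohibits fragmentation, even locally.
    return ["ping", "-6", "-c", "3", "-M", "do", "-s", size, host]


def classify(returncode, output):
    """Interpret ping's result: ok, path-mtu-too-small, or no-reply."""
    text = output.lower()
    # "message too long" = local MTU smaller than the probe; "packet too big" =
    # a router on the path sent ICMPv6 Packet Too Big.
    if "too big" in text or "too long" in text or "fragmented" in text:
        return "path-mtu-too-small"
    return "ok" if returncode == 0 else "no-reply"


def run_probe(host, mtu):
    """Send the probe and classify the outcome (needs network access)."""
    proc = subprocess.run(probe_command(host, mtu), capture_output=True, text=True)
    return classify(proc.returncode, proc.stdout + proc.stderr)


def mangle_rule(mtu, out_interface):
    """RouterOS mangle rule that clamps the MSS of SYNs leaving the tunnel.

    Syntax assumed from "/ipv6 firewall mangle action=change-mss"; verify it on
    your RouterOS version before pasting.
    """
    return ("/ipv6 firewall mangle add chain=forward protocol=tcp tcp-flags=syn "
            f"out-interface={out_interface} action=change-mss new-mss={tcp_mss_for(mtu)}")


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "2001:db8::1"  # placeholder target
    mtu = int(sys.argv[2]) if len(sys.argv) > 2 else 1480         # tunnel MTU from the first post
    print("probe:", " ".join(probe_command(host, mtu)))
    print("result:", run_probe(host, mtu))
    print(mangle_rule(mtu, "heipv6"))
```

For the 1480-byte tunnel in the first post the probe payload is 1432 bytes and the clamp value 1420; for a 1280-byte tunnel they are 1232 and 1240. A probe that comes back "path-mtu-too-small" while plain pings succeed is the signature of the HTTP-but-not-ping failure discussed above. Note that the tunnel interface in the first post is created with clamp-tcp-mss=no; switching that option to yes is the interface-level equivalent of the mangle rule and is worth trying before adding mangle entries.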