MikroTikFan
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

IPV6 internal configuration

Sat Feb 13, 2016 2:15 pm

I have an HE 6to4 tunnel. My whole LAN is connected to the MikroTik through a TP-Link managed switch.
My switch supports IPv6 and I have the link-local address fe80::fa1a:67ff:fe48:61ab configured.
From the tunnel broker I have a different address, 64 class: 2001.**********
How do I set up my whole network to assign external IPv6 addresses internally to some devices?
 
Trema
newbie
Posts: 37
Joined: Tue May 20, 2014 10:21 am
Location: The Netherlands

Re: IPV6 internal configuration

Sat Feb 13, 2016 6:04 pm

First create an interface for the 6to4-tunnel:
/interface 6to4
add clamp-tcp-mss=no comment="Hurricane Electric IPv6-tunnel" !keepalive \
    local-address=w.x.y.z mtu=1480 name=heipv6 remote-address=\
    a.b.c.d
/ip neighbor discovery
set heipv6 comment="Hurricane Electric IPv6-tunnel" discover=no
Where w.x.y.z is your public IP-address and a.b.c.d is the IP-address of the HE-tunnel endpoint.

Don't forget to accept protocol-41 traffic in your IPv4 firewall. The actual filtering of IPv6 traffic happens in your IPv6 firewall.
/ip firewall filter
add chain=input comment="IPv6 tunnel (protocol 41)" in-interface=\
    ether1-gateway protocol=ipv6 src-address=a.b.c.d
Now set the addresses of your side of the tunnel and the inside of your network.
/ipv6 address
add address=2001:p:q:r::2 advertise=no interface=heipv6
add address=2001:k:l:m::1 interface=bridge-local
That's it. But without a firewall, your router and LAN are open to the world, so you'll want to do some firewalling as well.
 
MikroTikFan
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Sat Feb 13, 2016 9:19 pm

Thanks - that is almost done, but I don't have ipv6 in the protocol list.
When I tried to enter ipv6 it is shown in red, while 41 is accepted, but I don't see any ipv6 comment.
/ip firewall filter
add chain=input comment="IPv6 tunnel (protocol 41)" in-interface=\
    ether1-gateway protocol=ipv6 src-address=a.b.c.d
I'm just wondering how to connect my internal IPv6 address to my external IPv6 address (64-bit class)?

After running the firewall for IPv6, how do I open selected devices from internal IPv6 to the external IPv6 address?
 
Trema
newbie
Posts: 37
Joined: Tue May 20, 2014 10:21 am
Location: The Netherlands

Re: IPV6 internal configuration

Mon Feb 15, 2016 1:06 pm

Thanks - that is almost done, but I don't have in protocol - ipv6.
When I tried to put ipv6 is in red, when 41 is accepted,
In the webinterface you just enter the number 41, that's correct.
but don't see any ipv6 comment.
I don't understand what you mean.
/ip firewall filter
add chain=input comment="IPv6 tunnel (protocol 41)" in-interface=\
    ether1-gateway protocol=ipv6 src-address=a.b.c.d
I just wondering how to connect my ipv6 internal address to my external ipv6 address 64-bit class ?
You don't have to. Hurricane delivers traffic to your /64 at your tunnel endpoint (i.e. 2001:p:q:r::2) and the MikroTik routes it to your LAN. Don't forget: with IPv6 there is no NAT anymore. All your addresses are public.

By the way, in my first reply I forgot to mention that you probably have to add a default route to the endpoint of the tunnel at Hurricane:
/ipv6 route
add disabled=no distance=1 dst-address=::/0 gateway=2001:p:q:r::1
After running firewall for ipv6 how to open selected devices from internal ipv6 to external ipv6 address?
By adding additional rules. Your basic forward chain could look like this:
/ipv6 firewall filter
add action=accept chain=forward comment="icmpv6" protocol=icmpv6
add action=accept chain=forward comment="allow access to this single host on the LAN" \
    dst-address=2001:k:l:m:aa:bb:cc:dd/128 in-interface=heipv6
add action=accept chain=forward comment=established connection-state=established
add action=accept chain=forward comment=related connection-state=related
add action=drop chain=forward comment=invalid connection-state=invalid
add action=reject chain=forward comment="reject other incoming traffic to LAN" \
    in-interface=heipv6 reject-with=icmp-admin-prohibited
 
MikroTikFan
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Mon Feb 15, 2016 9:27 pm

I followed your instruction.
I think that my problem is that despite the enabled DHCP6 server my computer doesn't get ipv6 address.

Binding
 #   ADDRESS                                                      DUID                  SERVER                  STATUS 
 0   2001:XXX:XX:XXX::/64                                         0xffffff              server_dhcpipv6         waiting

DHCP
 #    NAME                       INTERFACE                      ADDRESS-POOL                      PREFERENCE LEASE-TIME
 0    server_dhcpipv6            ether3                         pool_ipv6                                255 3d  
I have only :
Link-local IPV6 Address : fe80::dda3:261a:aaac:4ab4
and
IPV4: address,mask and gateway

I don't know why ... ?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 internal configuration

Mon Feb 15, 2016 9:48 pm

Because so far RouterOS DHCPv6 server does not support handing out addresses, only prefixes. You need to use standard autoconfiguration (you'll find most of it under /ipv6 nd).
 
MikroTikFan
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Wed Feb 17, 2016 8:39 pm

How do I correctly configure DHCP6 in my case for IPv6 from the HE 6to4 tunnel?
Right now I think that something is wrong with my Mikrotik DHCP6 server configuration.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 internal configuration

Wed Feb 17, 2016 9:48 pm

If you want to give addresses to computers in LAN, forget DHCPv6 for now. DHCPv6 server in RouterOS does not support it yet. Use autoconfiguration instead. If you did not change defaults in /ipv6 nd, you need just:
/ipv6 address
add address=2001:x:x:x::1 interface=<lan>
Where 2001:x:x:x:: is your routed prefix from HE. If you did something with defaults, reset them back:
/ipv6 nd prefix default
set autonomous=yes
/ipv6 nd
set [ find default=yes ] managed-address-configuration=no other-configuration=no
Now computers in LAN should get addresses from 2001:x:x:x::/64.
 
MikroTikFan
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Wed Feb 17, 2016 10:51 pm

IPV6 address received :D
6to4 tunnel enabled and running.

...but only one problem is that I don't have connection to IPV6 sites

It is strange that I added only two lines (0,1) to my IPv6 address list, but after reboot I have got additional ones (3,4,5)
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
 #    ADDRESS                                     FROM-POOL INTERFACE   ADVERTISE
 0  G 2001:XXX:XX:XXX::1/64                                 bridge-local yes      
 1  G 2001:XXX:XX:XXX::2/64                                 heipv6      no       
 2 DL fe80::4e5e:cff:fe43:8996/64                           bridge-local no       
 3 DL fe80::4e5e:cff:fe43:8995/64                           ether1-gateway no       
 4 DL fe80::fefd:0/64                                       heipv6      no 


When I delete lines 2,3,4 and reboot, I again get the same list 0-4 ;-(

My PC received from DHCP

Ethernet adapter Ethernet:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : XXXX Realtek PXXXXXXXXXXXXXXXX
   Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:XXX:XX:XXX:dda3:261a:aaac:4ab4(Preferred)
   Temporary IPv6 Address. . . . . . : 2001:XXX:XX:XXX:11c:4ff9:9c4:49e9(Preferred)
   Link-local IPv6 Address . . . . . : fe80::dda3:261a:aaac:4ab4%18(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.XX.XXX(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::4e5e:cff:fe43:8996%18
                                       192.168.XX.XXX
   DHCP Server . . . . . . . . . . . : 192.168.XX.XXX
   DHCPv6 IAID . . . . . . . . . . . : 5XX2XXX5
   DHCPv6 Client DUID. . . . . . . . : 00-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-14
   DNS Servers . . . . . . . . . . . : 8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 internal configuration

Wed Feb 17, 2016 11:48 pm

Once again, forget DHCPv6, it's no use for you now. If you have only /64 routed to you, DHCPv6 server in current RouterOS can't do anything useful for you.

fe80::* are link-local addresses, they should be there, don't mind them.

Why you can't connect anywhere, well, that's a question. You'll have to do some troubleshooting. Try traceroute to some external address and see what happens. First try it from router itself, to see if your tunnel works at all. Then try it from LAN. Start with empty IPv6 firewall at first, to be sure that you don't accidentally block yourself. You get the idea...

Edit: One more thing, just to be sure, if you have your addresses:
 #    ADDRESS                                     FROM-POOL INTERFACE   ADVERTISE
 0  G 2001:XXX:XX:XXX::1/64                                 bridge-local yes
 1  G 2001:XXX:XX:XXX::2/64                                 heipv6      no
The "XXX:XX:XXX" in 2001:XXX:XX:XXX::1 is not exactly the same as "XXX:XX:XXX" in 2001:XXX:XX:XXX::2, right?
 
MikroTikFan
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Thu Feb 18, 2016 12:03 am

(...)
Last edited by MikroTikFan on Thu Feb 18, 2016 12:08 am, edited 1 time in total.
 
MikroTikFan
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Thu Feb 18, 2016 12:03 am

Traceroute checked.

All firewall lines disabled.

I see only one hop to my link-local gateway : fe80::4e5e:cff:fe43:8996%18
/ipv6 route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable 
 #      DST-ADDRESS              GATEWAY                  DISTANCE
 0 A S  ::/0                     2001:XXX:XX:XXX::1              1
 1 ADC  2001:XXX:XX:XXX::/64     heipv6                          0
                                 bridge-local 
 
MikroTikFan
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Thu Feb 18, 2016 12:07 am

The "XXX:XX:XXX" in 2001:XXX:XX:XXX::1 is not exactly the same as "XXX:XX:XXX" in 2001:XXX:XX:XXX::2, right?
This XXX:XX:XXX in "XXX:XX:XXX" in 2001:XXX:XX:XXX::1 is exactly the same as "XXX:XX:XXX" in 2001:XXX:XX:XXX::2
 /ipv6 address> print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
 #    ADDRESS                                     FROM-POOL INTERFACE                                                           ADVERTISE
 0  G 2001:XXX:XX:XXX::1/64                                 bridge-local                                                        yes      
 1  G 2001:XXX:XX:XXX::2/64                                 heipv6                                                              no       
 2 DL fe80::4e5e:cff:fe43:8996/64                           bridge-local                                                        no       
 3 DL fe80::4e5e:cff:fe43:8995/64                           ether1-gateway                                                      no       
 4 DL fe80::fefd:0/64                                       heipv6                                                              no 
Lines 2,3,4 added automatically after router restart.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 internal configuration

Thu Feb 18, 2016 3:09 am

If you have same /64 on both interfaces, then it can't work. I don't use HE tunnel myself, but I assume you must have more than just one /64. There should be something for tunnel itself (probably also /64) and then another /64 routed to you for use on LAN.
 
aboiles
Frequent Visitor
Posts: 56
Joined: Sat Nov 07, 2015 6:52 pm

Re: IPV6 internal configuration

Thu Feb 18, 2016 3:19 am

They should not be the same network-

This XXX:XX:XXX in "XXX:XX:XXX" in 2001:XXX:XX:XXX::1 should be "XXX:XY:XXX" in 2001:XXX:XY:XXX::1

see the manual- http://wiki.mikrotik.com/wiki/Manual:My ... v6_Network
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IPV6 internal configuration

Thu Feb 18, 2016 4:50 am

HE gives you two /64 networks by default - one for the tunnel itself, and one "routed lan" address.
Look at your tunnel settings on the tunnelbroker website - they tell you which /64 is routed to you.

Suppose it is 2001:db8:10:abcd::/64

Then your IPv6 address for bridge-local should be:
2001:db8:10:abcd::1/64

The tunnel address will be a different prefix like:
2001:db8:10:1234::/64 (and your address is 2001:db8:10:1234::2/64 on this link)


The fe80:: addresses are something new in IPv6 - in IPv4, each interface usually has just one IP address, but IPv6 naturally has several.
fe80:: is an address range that is required to exist on every interface, and it is used to talk to other IPv6 speaking hosts that are connected to the same link layer - namely the same LAN - the same ethernet switch - etc...
Notice that your computer's default gateway route (::/0) has the destination of fe80::
Default Gateway . . . . . . . . . : fe80::4e5e:cff:fe43:8996%18
Note that this is one of those mysterious fe80:: addresses that keep "just appearing" on your router even after rebooting.
This is just how IPv6 works. You get used to it eventually. :)

(the %18 specifies which interface's fe80:: in particular - because EVERY interface has an fe80:: address now)
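
The two-prefix rule described above (one /64 for the tunnel link, a separate routed /64 on the LAN) can be checked mechanically. The following Python sketch is an added example, not part of the original thread and not a RouterOS tool: it reads text in the layout of `/ipv6 address print` and flags the addressing mistakes that come up in this thread. The sample tables are constructed with documentation prefixes, and the function and finding names are made up for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# One row of "/ipv6 address print": index, flags, address/len, optional
# FROM-POOL, interface, advertise. The FROM-POOL column is usually empty.
ROW = re.compile(
    r"^\s*\d+\s+(?P<flags>[XIDGL]*)\s+(?P<addr>[0-9A-Fa-f:]+/\d+)\s+"
    r"(?:(?P<pool>\S+)\s+)?(?P<iface>\S+)\s+(?P<adv>yes|no)\s*$"
)

HEADER = " #    ADDRESS                          FROM-POOL INTERFACE      ADVERTISE\n"

# Constructed samples (documentation prefixes), one per situation in the thread.
SAME_PREFIX = HEADER + """\
 0  G 2001:db8:10:1234::1/64                     bridge-local   yes
 1  G 2001:db8:10:1234::2/64                     heipv6         no
 2 DL fe80::4e5e:cff:fe43:8996/64                bridge-local   no
 3 DL fe80::fefd:0/64                            heipv6         no
"""
WRONG_PORT = HEADER + """\
 0  G 2001:db8:10:1234::2/64                     he             no
 1  G 2001:db8:10:abcd::1/64                     ether1-gateway yes
 2 DL fe80::4e5e:cff:fe43:8996/64                bridge-local   no
"""
FIXED = HEADER + """\
 0  G 2001:db8:10:abcd::1/64                     bridge-local   yes
 1  G 2001:db8:10:1234::2/64                     heipv6         no
 2 DL fe80::4e5e:cff:fe43:8996/64                bridge-local   no
"""


def parse_address_print(text):
    """Return (flags, IPv6Interface, interface name, advertise) per table row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m["flags"], ipaddress.IPv6Interface(m["addr"]),
                         m["iface"], m["adv"] == "yes"))
    return rows


def audit(text, lan):
    """Return a sorted list of (finding, detail) tuples; lan is the LAN interface."""
    findings = []
    ifaces_by_prefix = defaultdict(set)
    lan_has_global = False
    for flags, addr, iface, advertise in parse_address_print(text):
        # Disabled/invalid rows and fe80:: addresses are not part of the plan.
        if "X" in flags or "I" in flags or addr.ip.is_link_local:
            continue
        ifaces_by_prefix[addr.network].add(iface)
        if iface == lan:
            lan_has_global = True
        elif advertise:
            # The prefix is announced in Router Advertisements on a non-LAN port.
            findings.append(("advertised-off-lan", f"{addr.network} on {iface}"))
    for prefix, ifaces in ifaces_by_prefix.items():
        if len(ifaces) > 1:
            # Tunnel link and LAN share one /64, so the router cannot route between them.
            findings.append(("prefix-on-two-interfaces",
                             f"{prefix} on {', '.join(sorted(ifaces))}"))
    if not lan_has_global:
        # Without a global address on the LAN there is no prefix for SLAAC clients.
        findings.append(("lan-without-global-address", lan))
    return sorted(findings)


if __name__ == "__main__":
    for name, table in (("same prefix", SAME_PREFIX),
                        ("wrong port", WRONG_PORT),
                        ("fixed", FIXED)):
        print(name, audit(table, lan="bridge-local") or "no findings")
```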
 
MikroTikFan
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Thu Feb 18, 2016 8:45 am

Right! my HE IPV6 data:
IPv6 Tunnel Endpoints

Server IPv6 Address:2001:XXX:X0:XXX::1/64
Client IPv6 Address:2001:XXX:X0:XXX::2/64

Routed IPv6 Prefixes

Routed /64:2001:XXX:X1:XXX::/64
I changed my addresses in IPV6
/ipv6 address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
 #    ADDRESS                                     FROM-POOL INTERFACE   ADVERTISE
 0  G 2001:XXX:X1:XXX::1/64                                 bridge-l... yes      
 1  G 2001:XXX:X0:XXX::2/64                                 heipv6      no       
 2 DL fe80::4e5e:cff:fe43:8996/64                           bridge-l... no       
 3 DL fe80::4e5e:cff:fe43:8995/64                           ether1-g... no       
 4 DL fe80::fefd:0/64                                       heipv6      no  


Checking on my MikroTik router, traceroute works fine.
I can ping Google DNS 2001:4860:4860::8888 from my PC connected to the LAN

..but I still can't ping an external IPv6 domain name from the PC connected to my LAN :(

After adding an IPv6 DNS to my IPv6 network details everything works fine.
Without manual DNS6 I can't resolve my domains .6.

How can I add directly to mikrotik DNS server from tunnelbroker.net - 2001:470:20::2 ???
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IPV6 internal configuration

Fri Feb 19, 2016 3:38 pm

automatic DNS - for Windows - you can't with only a Mikrotik router.

Mikrotik's only way to assign DNS information is in the RA packets - so Mikrotik expects the SLAAC clients to use this information to configure their dns automatically as well. If you have an Apple device, you'll notice that these work. Windows doesn't use the dns information in SLAAC, which is why you're having to assign it manually.

Windows requires a DHCPv6 server in order to learn its dns information automatically.

DHCP servers come in 3 flavors for IPv6:
Prefix Delegation - assigns blocks of networks to clients so that the clients can then assign multiple lan segments inside their network
Stateless - This is what SLAAC clients want to look for after making their address/default GW settings. This is like a bulletin board in the break room at the office. It has all of the informational options, such as ntp server, tftp server, etc... and of course DNS server. This server doesn't assign leases, hence the term 'stateless.'
Stateful - This is what most people think of when they think of DHCP server - it works pretty much like the IPv4 DHCP service - it has a pool of addresses that it uses to assign leases to clients.

Okay - now out of these 3, Mikrotik's DHCP server currently only supports prefix delegation mode.

In other words, you'll either need another device / server to do stateless dhcpv6 to announce to windows clients what DNS server addresses they should use, or else you have to manually configure this in Windows clients.
 
rohaantje
just joined
Posts: 15
Joined: Mon Jun 15, 2015 10:36 pm

Re: IPV6 internal configuration

Fri Feb 19, 2016 3:52 pm

I've also tried to make an ipv6 network.
I've got a lot working but not everything.

All my hosts can get an ipv6 address from my router.
My router has a 6to4 config from where I can ping 'external' addresses.
But it goes wrong on the route from my 'local' network to the 'external' network.
When I ping from the bridge interface to the ipv6 gateway (at tunnelbroker) it says no route to host.

this is my config:
/interface 6to4
add comment="IPv6 WAN" !keepalive local-address=A.B.C.D mtu=1280 name=sit1 remote-address=W.X.Y.Z
/ipv6 address
add address=2001:XXXX:XXXX:XXXX::2 advertise=no interface=sit1
add address=2001:XXXX:XXXY:XXXY:: interface=bridge-****
/ipv6 firewall address-list
add address=2001:XXXX:XXXY:XXXY::/64 list=home
/ipv6 firewall filter
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add chain=input comment="Allow limited ICMP" protocol=icmpv6
add chain=input comment="Allow UDP" protocol=udp
add action=drop chain=input
add chain=forward comment="Allow established connections" connection-state=established
add chain=forward comment="Allow related connections" connection-state=related
add action=drop chain=forward
/ipv6 nd prefix default
set preferred-lifetime=2m valid-lifetime=5m
/ipv6 route
add distance=1 dst-address=2000::/3 gateway=2001:XXXX:XXXX:XXXX::1
Can you guys maybe help me?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 internal configuration

Fri Feb 19, 2016 8:30 pm

If client says there's no route, it probably does not have it. Check the routing table ("netsh interface ipv6 show route" for Windows, "ip -6 route" for Linux). And you also have to enable some forwarding in router's firewall. Now you accept established and related connections, but there won't be any, because you block all new ones in any direction. So you probably want to enable everything from LAN. And also ICMPv6, because IPv6 depends on it a lot.
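
Why the posted forward chain passes nothing, and why the fix should be tied to the LAN interface rather than a blanket accept, shown as an added Python model (not part of the thread and not RouterOS code): a first-match rule list with simplified connection tracking, run over three constructed packets. `bridge-lan` is a placeholder for the masked bridge name, the addresses are documentation prefixes, and only the new/established states are modelled.

```python
from dataclasses import dataclass
from typing import Optional

LAN, WAN = "bridge-lan", "sit1"  # bridge-lan is a placeholder; sit1 is the tunnel


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "drop"
    state: Optional[str] = None      # connection-state match, None = any
    in_if: Optional[str] = None      # in-interface match, None = any
    proto: Optional[str] = None      # protocol match, None = any

    def matches(self, pkt, state):
        return (self.state in (None, state)
                and self.in_if in (None, pkt.in_if)
                and self.proto in (None, pkt.proto))


class ForwardChain:
    """First-match filter with a minimal connection table (new/established only)."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()

    def verdict(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        state = "established" if {flow, reverse} & self.flows else "new"
        for rule in self.rules:
            if rule.matches(pkt, state):
                if rule.action == "accept":
                    self.flows.add(flow)   # only accepted traffic creates state
                return rule.action
        return "accept"  # a RouterOS chain accepts what no rule matched


STATEFUL = [Rule("accept", state="established"), Rule("accept", state="related")]

# Forward chain as posted: state rules followed by an unconditional drop.
AS_POSTED = STATEFUL + [Rule("drop")]
# Accepting every new connection also opens LAN hosts to the tunnel side.
TOO_BROAD = STATEFUL + [Rule("accept", state="new"), Rule("drop")]
# ICMPv6 plus new connections only when they enter from the LAN.
LAN_ONLY = STATEFUL + [Rule("accept", proto="icmpv6"),
                       Rule("accept", in_if=LAN), Rule("drop")]

# Constructed packets: LAN host connects out, the reply, an unsolicited inbound.
PACKETS = [
    Packet(LAN, "2001:db8:1::10", "2001:db8:ffff::80", "tcp", 50000, 443),
    Packet(WAN, "2001:db8:ffff::80", "2001:db8:1::10", "tcp", 443, 50000),
    Packet(WAN, "2001:db8:ffff::99", "2001:db8:1::10", "tcp", 40000, 22),
]


def run(rules):
    """Evaluate the three packets in order against a fresh chain."""
    chain = ForwardChain(rules)
    return [chain.verdict(p) for p in PACKETS]


if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("too broad", TOO_BROAD),
                        ("LAN only", LAN_ONLY)):
        print(f"{name:10s}", run(rules))
```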
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 internal configuration

Fri Feb 19, 2016 8:32 pm

Okay - now out of these 3, Mikrotik's DHCP server currently only supports prefix delegation mode.
It should support stateless mode specifically for DNS, it just doesn't work. It was completely broken in 6.34rc39 and probably long time before that (DHCPv6 server refused info request packets). Then I wrote to support and now the packet is accepted and reply sent... but it does not contain DNS. I have yet to hear from support if it's another bug, or if there's perhaps something wrong with my config (I don't see what it might be, unless there's some hidden option for manual DNS address for DHCPv6 configuration):
/ip dns
set allow-remote-requests=yes servers=2001:db8::2
/ipv6 nd
set [ find default=yes ] other-configuration=yes
/ipv6 address
add address=2001:db8::1 interface=ether3
/ipv6 dhcp-server
add interface=ether3 name=server1
 
MikroTikFan
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Fri Feb 19, 2016 10:51 pm

automatic DNS - for Windows - you can't with only a Mikrotik router.

Mikrotik's only way to assign DNS information is in the RA packets - so Mikrotik expects the SLAAC clients to use this information to configure their dns automatically as well. If you have an Apple device, you'll notice that these work. Windows doesn't use the dns information in SLAAC, which is why you're having to assign it manually.

Windows requires a DHCPv6 server in order to learn its dns information automatically.

DHCP servers come in 3 flavors for IPv6:
Prefix Delegation - assigns blocks of networks to clients so that the clients can then assign multiple lan segments inside their network
Stateless - This is what SLAAC clients want to look for after making their address/default GW settings. This is like a bulletin board in the break room at the office. It has all of the informational options, such as ntp server, tftp server, etc... and of course DNS server. This server doesn't assign leases, hence the term 'stateless.'
Stateful - This is what most people think of when they think of DHCP server - it works pretty much like the IPv4 DHCP service - it has a pool of addresses that it uses to assign leases to clients.

Okay - now out of these 3, Mikrotik's DHCP server currently only supports prefix delegation mode.

In other words, you'll either need another device / server to do stateless dhcpv6 to announce to windows clients what DNS server addresses they should use, or else you have to manually configure this in Windows clients.
I'm surprised that this is not supported by Windows 10.
Looks very strange :shock:

I'm having the same problem with an Android phone. I'm getting an IPV6 address but not DNS, and IPV6 didn't work ??
Only Apple devices are supported by IPV6 by Mikrotik ?
You suggest that iPhone and iPad should work with IPV6 by Mikrotik ?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 internal configuration

Fri Feb 19, 2016 11:13 pm

Windows since Vista work fine with DHCPv6. It's just DNS in RA that Microsoft decided to boycott.

But unless you're building pure IPv6-only network, it should not be a problem, because even DNS server with IPv4 address can answer queries about IPv6 records.
 
Trema
newbie
Posts: 37
Joined: Tue May 20, 2014 10:21 am
Location: The Netherlands

Re: IPV6 internal configuration

Fri Feb 19, 2016 11:21 pm

/ipv6 nd prefix default
set preferred-lifetime=2m valid-lifetime=5m
Setting preferred and valid lifetime to only minutes can be a very interesting exercise. Not all OSes like it. Especially when the difference between preferred and valid is higher.

Consider setting the preferred lifetime to at least an hour.
 
MikroTikFan
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Sat Feb 20, 2016 1:53 am

Windows since Vista work fine with DHCPv6. It's just DNS in RA that Microsoft decided to boycott.

But unless you're building pure IPv6-only network, it should not be a problem, because even DNS server with IPv4 address can answer queries about IPv6 records.

In my case, unfortunately, without setting a fixed ipv6 dns address in my PC's network settings, ipv6 sites didn't work at all.
I have to enter a fixed ipv6 dns.6 address to start browsing ipv6 web sites.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IPV6 internal configuration

Sat Feb 20, 2016 3:49 am

In my case unfortunately without setting fix value to my PC network ipv6 dns address ipv6 sites didn't work at all.
I have to put fix ipv6 dns.6 address to start browsing ipv6 web sites.
That's strange. I was (am) able to surf IPv6 sites just fine with an IPv4 dns server address on my Windows7 laptop.

It's only on my test wlan that only has v6 that I must assign the DNS server manually, and of course THAT has to be a DNS.v6 address for obvious reasons.
 
MikroTikFan
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Sat Feb 20, 2016 3:04 pm

After all those hints and configuration changes, I somehow just lost the ipv6 address on my LAN clients :?
Now I have only ipv4 and link-local, without ipv6 :(

I have checked all and really I don't know what to change again.

I'm trying to find what could cause the Mikrotik to stop sharing ipv6 addresses?
My ipv6.dhcp is running
/ipv6 dhcp-server print
Flags: D - dynamic, X - disabled, I - invalid 
 #    NAME           INTERFACE         ADDRESS-POOL         PREFERENCE LEASE-TIME
 0    DHCP_ipv6_s... bridge-local      my_ipv6_Pool                255 3d   

 /ipv6 pool print       
Flags: D - dynamic 
  #   NAME    PREFIX                                      PRE EXPIRES-AFTER       
 0   my_i... 2001:XXX:X1:XXX::/64                         64
 
 


Can anybody help me with that ?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 internal configuration

Sun Feb 21, 2016 1:34 am

One more time, your LAN clients (those that need to get just address, like Windows) are not using DHCPv6 server on your MikroTik router. You can remove DHCPv6 server, because currently it does not do anything for you.
The thing that's used is called SLAAC (autoconfiguration). The router periodically sends Router Advertisement packets that basically say "hello, I'm router in control of xxxx/64 subnet and you're free to choose an address from it and join the IPv6 fun". And this depends on settings I described in this older post.
 
MikroTikFan
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Sun Feb 21, 2016 12:02 pm

Thanks for clarifying how it works. Before I remove the dhcp.v6 server, please confirm that the rest of my devices, like Android phones and iPads, will not use it either?

As I understand my dhcp.v6 server is not a reason why I'm not getting ipv6 addresses but I'm not sure if this concerns all types of my devices.

According to your hint - "/ipv6 nd" - I found the problem: an additional line in ipv6 nd prefix ;-(
Last edited by MikroTikFan on Sun Feb 21, 2016 6:12 pm, edited 1 time in total.
 
kiaunel
Member Candidate
Posts: 219
Joined: Mon Jul 21, 2014 7:59 pm
Location: Germany

Sun Feb 21, 2016 2:23 pm

None of your devices will use dhcp server so you can remove it.

 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 internal configuration

Sun Feb 21, 2016 8:25 pm

To use DHCPv6 to get addresses, devices need to be told about it first by managed-address-configuration=yes. But do not do that, because currently DHCPv6 server in RouterOS can not provide addresses, this functionality is not implemented yet. Autoconfiguration is all you have available.
According to your hint - "/ipv6 nd" - I found the problem: an additional line in ipv6 nd prefix ;-(
There should be one dynamic entry for bridge-local, it's created from your internal address with advertise=yes.

If you can't find it, you should probably post your whole IPv6 config. Just please, be careful with address masking, different parts must be recognizable.
 
rohaantje
just joined
Posts: 15
Joined: Mon Jun 15, 2015 10:36 pm

Re: IPV6 internal configuration

Mon Feb 22, 2016 1:29 pm

If client says there's no route, it probably does not have it. Check the routing table ("netsh interface ipv6 show route" for Windows, "ip -6 route" for Linux). And you also have to enable some forwarding in router's firewall. Now you accept established and related connections, but there won't be any, because you block all new ones in any direction. So you probably want to enable everything from LAN. And also ICMPv6, because IPv6 depends on it a lot.
It's not the client, but the router itself. I've a local-bridge for my LAN and WLAN. I gave the local-bridge the right ipv6 range. But if I ping from the local bridge interface to an ipv6 address, I get no route to host.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IPV6 internal configuration

Mon Feb 22, 2016 5:17 pm

Make sure this is in IPv6 > routes
dst=::/0 gateway=2001:db8:1234:5678::1
(put the HE.net end of the WAN /64 instead of my example IP)
 
rohaantje
just joined
Posts: 15
Joined: Mon Jun 15, 2015 10:36 pm

Re: IPV6 internal configuration

Mon Feb 22, 2016 9:51 pm

Make sure this is in IPv6 > routes
dst=::/0 gateway=2001:db8:1234:5678::1
(put the HE.net end of the WAN /64 instead of my example IP)

It is. That's why I'm confused. Everything is the way it should be.
I've read 10 or 20 guides and they all say the same. But it won't work for me.
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable 
 #      DST-ADDRESS              GATEWAY                  DISTANCE
 0 A S  ::/0                     2001:470:YYYY:YYYY::1            1
 1 ADC  2001:470:YYYY:YYYY::/64   6to4_1                          0
 2 ADC  2001:470:XXXX:1::/64     bridge-A				0
 3 ADC  2001:470:XXXX:2::/64     bridge-B				0
 4 ADC  2001:470:XXXX:3::/64     bridge-C				0
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IPV6 internal configuration

Mon Feb 22, 2016 11:49 pm

Are you blocking icmpv6 in your input chain of your ipv6 firewall rules?

Allow icmpv6 on the 6to4_1 interface. Probably it's the neighbor discovery that's broken.
icmpv6 does the same thing for v6 that ARP did for IPv4 - and you know you can't filter ARP and expect to be on the Internet......
 
MikroTikFan
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Thu Apr 28, 2016 11:30 am

Please help me to find the reason why I'm not getting ipv6 address from Windows 10 system.
I have IPV6 from HE and everything looks fine but I still do not receive ipv6

My ND configuration:
XX@CoreRouter] /ipv6 nd print
Flags: X - disabled, I - invalid, * - default 
 0  * interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified 
      retransmit-interval=unspecified ra-lifetime=30m hop-limit=unspecified advertise-mac-address=yes 
      advertise-dns=yes managed-address-configuration=yes other-configuration=yes 
XX@CoreRouter] /ipv6 route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable 
 #      DST-ADDRESS              GATEWAY                  DISTANCE
 0 A S  ::/0                     2001:4XX:X0:XXX::1              1
 1 ADC  2001:XXX:X0:XXX::/64     ether1-gateway                  0
                                 he        
XX@CoreRouter] /ipv6 address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
 #    ADDRESS                                     FROM-POOL INTERFACE                                         ADVERTISE
 0  G 2001:XXX:X0:XXX::2/64                                 he                                                no       
 1  G 2001:XXX:X0:XXX::1/64                                 ether1-gateway                                    yes      
 2 DL fe80::AAAA:cff:fe43:8996/64                           bridge-local                                      no       
 3 DL fe80::BBBB:0/64                                       he                                                no       
 4 DL fe80::AAAA:cff:fe43:8995/64                           ether1-gateway                                    no       
[kp@CoreRouter] /ipv6 address> 
 
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IPV6 internal configuration

Thu Apr 28, 2016 3:25 pm

You haven't assigned any IPv6 address to your LAN interface. Your obscuring the IPv6 addresses hides whether the ::1 on ether1-gateway is from the same prefix as the ::2 on the "he" interface. I'm assuming they're from different /64 prefixes. Move the one that's on ether1-gateway onto the LAN bridge.
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Thu Apr 28, 2016 3:52 pm

I have assigned ether1-gateway to ipv6-2001:XXX:X0:XXX::1/64.
 1  G 2001:XXX:X0:XXX::1/64                                 ether1-gateway                                    yes 
You suggest to change it to bridge ?

Can you be so kind and put to update mikrotik code what to update ?

Thanks in advance !
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 internal configuration

Thu Apr 28, 2016 5:00 pm

Just move 2001:XXX:X0:XXX::1/64 from ether1-gateway to bridge-local.
managed-address-configuration=yes other-configuration=yes
Also don't forget that with this config, clients will only try to get IPv6 addresses from DHCPv6 server. And you can't use the one in RouterOS, because so far it can't provide addresses. So you probably want to use "no" for both options.
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Thu Apr 28, 2016 5:38 pm

I have changed that
XX@CoreRouter] /ipv6 nd print                                                     
Flags: X - disabled, I - invalid, * - default 
 0  * interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified 
      retransmit-interval=unspecified ra-lifetime=10m hop-limit=unspecified advertise-mac-address=yes 
      advertise-dns=yes managed-address-configuration=no other-configuration=no 
XX@CoreRouter] /ipv6 address> print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
 #    ADDRESS                                     FROM-POOL INTERFACE                                         ADVERTISE
 0  G 2001:XXX:X0:XXX::2/64                                 he                                                no       
 1  G 2001:XXX:X0:XXX::1/64                                 bridge-local                                      no       
 2 DL fe80::AAAA:cff:fe43:8996//64                           bridge-local                                      no       
 3 DL fe80::fefd:0/64                                       he                                                no       
 4 DL fe80::AAAA:cff:fe43:8995/64                           ether1-gateway                                    no
Still waiting for ipv6 address ...
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 internal configuration

Thu Apr 28, 2016 5:40 pm

The address on bridge-local should have advertise=yes.
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Thu Apr 28, 2016 7:03 pm

That is fine ;-) I have received IPV6 address :D

Now there is next problem - I don't see IPV6 external network thru 6to4 HE tunnel.

I'm trying to ping 2620:0:1cfe:face:b00c::3 but without connection :(

I just wondering if my routing for this IPV6 HE connection is correct ? ...
XX@CoreRouter] /ipv6 route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable 
 #      DST-ADDRESS              GATEWAY                  DISTANCE
 0 A S  2000::/3                 ether1-gateway                  1
 1 ADC  2001:XXX:X0:XXX::/64     he                              0
                                 bridge-local  
 
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IPV6 internal configuration

Thu Apr 28, 2016 7:23 pm

Your 'default route' should use interface = he, not interface = ether1 gateway.

That's the static route:
2000::/3

Me, I just use ::/0 because I want to beat the rush for when all of 2000:: - 3fff:ffff:ffff:ffff:: are used up. ;)
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 internal configuration

Thu Apr 28, 2016 7:48 pm

Also, looking at your routes, is "XXX:X0:XXX" in 2001:XXX:X0:XXX::2 (interface he) exactly the same as "XXX:X0:XXX" in 2001:XXX:X0:XXX::1 (interface bridge-local)? It looks like it is. And that would be wrong. AFAIK you should have two different subnets from HE, one for tunnel and one for your LAN.

I wish people used address masking carefully (all, not just you). Like we all don't know that the first XXX is 470, for example. If you don't want to share your address with everyone, fine. But even if you mask a single digit, it creates 16 different combinations. Why would anyone bother trying all of them, if they can't expect anything interesting to find there? But if it still feels too dangerous, mask two digits and it makes 256 different combinations to test. Or if you really have to, mask everything, but make distinction between different numbers. Don't change 2001:123::1 and 2001:987::1 to same 2001:xxx::1, make it e.g. 2001:x::1 and 2001:y::1. It's not hard!
 
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IPV6 internal configuration

Thu Apr 28, 2016 8:05 pm

I wish people used address masking carefully (all, not just you).
You and me, both. Improper obfuscation can really make it hard to know how to interpret inconsistencies... (switching to IPv4 just 'cause it's shorter)
If someone says x.x.x.21 and then says x.x.x.214 - are they really in the same class C? I've seen many posts where they weren't, but they just put x.x.x over the first three octets. Sometimes it's important to know that the second address is in the same general block as the first - e.g. x.x.y.21 tells me that the first two octets of the second address are the same as the first address - but often even THAT isn't consistent....

Honestly, I follow along with the obfuscated public IP culture here, but I kind of roll my eyes. Having a public IP posted here isn't going to suddenly cause a flood of hits on your device - the worms are scanning your router 24x7 anyway, so unless you did something silly like post a password or private key or something, it shouldn't make any difference to post real addresses here. (many other forums of other OSes/routers don't have a hide-public-IP culture)

I've noticed my public IP leaked in a few things from time to time, but the only thing that bothers me about that is some pedantic self-assumed god of networking out there shaking their head in gleeful scorn at my "foolishness"

I'd say that in general, redacting the third block of nibbles should be sufficient - leaving the 4th block visible for people who know what they're looking at to easily spot things like "you're putting the same prefix on multiple interfaces - whoops" without directly identifying yourself. The first 32 bits are pretty much just going to reveal what ISP you're on... so what?

e.g. my iPhone's IPv6 address at home is currently 2601:4c4:xxxx:6420::EUI-64
(good luck finding it, Internet!)
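
The masking advice in the two posts above, as an added example (not code from any poster in this thread): a Python helper that hides only the third 16-bit block of your own addresses and gives each distinct value its own placeholder, so a reader can still tell whether two interfaces share a prefix. The function names, the `X1`/`X2` placeholders and the 2001:db8::/32 sample prefixes are assumptions made for the illustration.

```python
import ipaddress
import re

# Candidate tokens: hex groups joined by colons, with an optional /prefix-length.
# Every candidate is validated with ipaddress before it is touched.
_CANDIDATE = re.compile(
    r"(?<![\w:.])([0-9A-Fa-f]{0,4}(?::[0-9A-Fa-f]{0,4}){2,7})(/\d{1,3})?(?![\w:])"
)


def _compress(groups):
    """Join 8 groups, replacing the longest run (>= 2) of "0" groups with "::"."""
    best_start, best_len, i = -1, 0, 0
    while i < len(groups):
        j = i
        while j < len(groups) and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = max(j, i + 1)
    if best_len < 2:
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return f"{head}::{tail}"


def redact(text, own_networks):
    """Mask the third block of addresses inside own_networks, consistently.

    Returns (redacted_text, labels) where labels maps each original third
    block to its placeholder. Addresses outside own_networks (link-local,
    ping targets, default routes) are left exactly as written.
    """
    nets = [ipaddress.ip_network(n) for n in own_networks]
    labels = {}

    def _sub(match):
        try:
            addr = ipaddress.IPv6Address(match.group(1))
        except ValueError:
            return match.group(0)          # timestamp, MAC address, etc.
        if not any(addr in net for net in nets):
            return match.group(0)          # not ours: nothing to hide
        groups = [g.lstrip("0") or "0" for g in addr.exploded.split(":")]
        site = groups[2]
        if site not in labels:
            labels[site] = f"X{len(labels) + 1}"   # X is not a hex digit
        groups[2] = labels[site]
        return _compress(groups) + (match.group(2) or "")

    return _CANDIDATE.sub(_sub, text), labels


# Constructed sample in the shape of the RouterOS output posted in this thread.
SAMPLE = """\
 0  G 2001:db8:1f0a:2bc::2/64    he            no
 1  G 2001:db8:1f0b:2bc::1/64    bridge-local  yes
 2 DL fe80::20c:cff:fe43:8996/64 bridge-local  no
 0 A S ::/0   2001:db8:1f0a:2bc::1   1
ping 2620:0:1cfe:face:b00c::3 at 20:49:37
"""

if __name__ == "__main__":
    redacted, mapping = redact(SAMPLE, ["2001:db8::/32"])
    print(redacted)
    print(mapping)
```

Keep the returned mapping private; the redacted text alone shows that the tunnel address and its gateway share `X1` while the LAN prefix is `X2`.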
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Thu Apr 28, 2016 10:02 pm

Your 'default route' should use interface = he, not interface = ether1 gateway.

That's the static route:
2000::/3
Thanks for this advice, I have changed it
XX@CoreRouter] /ipv6 route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable 
 #      DST-ADDRESS              GATEWAY                  DISTANCE
 0 A S  ::/0                     ether1-gateway                  1
 1 ADC  2001:470:XX:XXX::/64     he                              0
                                 bridge-local           
but I don't know how to change this default route ?

when I change
0 A S ::/0 ether1-gateway 1
to
0 A S ::/0 he 1
I'm losing IPV6 in my Windows 10.

When the line is
0 A S ::/0 ether1-gateway 1
>ping 2620:0:1cfe:face:b00c::3
Pinging 2620:0:1cfe:face:b00c::3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.

General failure.
Can you give me more how to fix this route?
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 internal configuration

Thu Apr 28, 2016 11:00 pm

To quote myself:
AFAIK you should have two different subnets from HE, one for tunnel and one for your LAN.
Your config does not appear to be that way.
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Fri Apr 29, 2016 8:25 am

I have changed these two interfaces

0 G 2001:470:X0:YYY::2/64
1 G 2001:470:X1:YYY::1/64
XX@CoreRouter] /ipv6 address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
 #    ADDRESS                                     FROM-POOL INTERFACE                                         ADVERTISE
 0  G 2001:470:X0:YYY::2/64                                 he                                                no       
 1  G 2001:470:X1:YYY::1/64                                 bridge-local                                      yes       
 2 DL fe80::AAAA:cff:fe43:8996//64                           bridge-local                                      no       
 3 DL fe80::fefd:0/64                                       he                                                no       
 4 DL fe80::AAAA:cff:fe43:8995/64                           ether1-gateway                                    no
and then I will get in routing
XX@CoreRouter] /ipv6 route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable 
 #      DST-ADDRESS              GATEWAY                  DISTANCE
 0 A S  ::/0                     ether1-gateway                  1
 1 ADC  2001:470:X0:YYY::/64     he                              0
 2 ADC  2001:470:X1:YYY::/64     bridge-local                    0
[kp@CoreRouter] /ipv6 route> 
After this change I still do not have a connection to the ipv6 network (i.e. ipv6 facebook ip)
>ping 2620:0:1cfe:face:b00c::3

Pinging 2620:0:1cfe:face:b00c::3 with 32 bytes of data:
General failure.
General failure.
General failure.
General failure.

Ping statistics for 2620:0:1cfe:face:b00c::3:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
My HE endpoints

IPv6 Tunnel Endpoints
Server IPv4 Address:A.B.C.D
Server IPv6 Address:2001:470:X0:YYY::1/64
Client IPv4 Address:.E.F.G.H
Client IPv6 Address:2001:470:X0:YYY::2/64


After pinging HE DNS

Available DNS Resolvers
Anycasted IPv6 Caching Nameserver: 2001:470:20::2

I don't have any connection to this.

I see also that with this config (2001:470:X1:YYY::1/64 to bridge-local) I lost IPV6
When I go back to 2001:470:X0:YYY::1/64 I'm getting again IPV6 address.
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 internal configuration

Fri Apr 29, 2016 2:09 pm

For default route, did you set gateway to be interface ether1-gateway? Set it to address 2001:470:X0:YYY::1 instead.
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Fri Apr 29, 2016 2:18 pm

did you set gateway to be interface ether1-gateway?
Yes and now changed to 2001:470:X0:YYY::1
XX@CoreRouter] > ipv6 route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable 
 #      DST-ADDRESS              GATEWAY                  DISTANCE
 0 A S  ::/0                     2001:470:X0:YYY::1              1
 1 ADC  2001:470:X0:YYY::/64     he                              0
 2 ADC  2001:470:X1:YYY::/64     bridge-local                    0
Next milestone achieved - from my WinBox I can ping ;)

HE DNS 2001:470:20::2 - echo reply
Google DNS 2001:4860:4860::8888 - echo reply
Google 2607:f8b0:4003:c00::6a - admin prohibited

Still can't connect to ipv6 network from my PC ;-(

Just wondering if this ipv6_firewall can cause this problem
/ipv6 firewall address-list
add address=2001:470:X0:YYY::/64 list=home
/ipv6 firewall filter
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add chain=input comment="Allow limited ICMP" protocol=icmpv6
add chain=input comment="Allow UDP" protocol=udp
add action=drop chain=input
add chain=forward comment="Allow established connections" connection-state=established
add chain=forward comment="Allow related connections" connection-state=related
add action=drop chain=forward
Update:
IPV6 is working on my PC but strange thing is that mikrotik.com IPV6 site is only one not working.
Even more interesting is that mikrotik site is pinging

>ping forum.mikrotik.com

Pinging forum.mikrotik.com [2a02:610:7501:1000::201] with 32 bytes of data:
Reply from 2a02:610:7501:1000::201: time=21ms
Reply from 2a02:610:7501:1000::201: time=21ms
Last edited by MikroTikFan on Sat Apr 30, 2016 3:52 pm, edited 3 times in total.
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 internal configuration

Fri Apr 29, 2016 3:05 pm

Good, it looks like at least from your router, everything is working (don't worry about that admin prohibited thing, the same address gives the same result to me too, so it's not because of your config).

About your LAN, I don't know, if you have 2001:470:X1:YYY::1/64 on bridge-local with advertise=yes, those settings in /ipv6 nd you posted and you did not change anything else (what do you have in /ipv6 nd prefix default?), you should be getting addresses just fine. I don't see anything obviously wrong.
 
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IPV6 internal configuration

Fri Apr 29, 2016 4:37 pm

Make sure that your IPv6 firewall is not blocking icmpv6 - in IP6, the ND function (this is "arp" for IP6) is part of icmpv6, so you have to be very careful if you want to filter ICMPv6. Router advertisement is also in icmpv6 if I recall correctly...
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Thu May 05, 2016 12:19 pm

May I ask for any recommendation why mikrotik.com ipv6 site is not working ?
Same thing is with the ipv6 site netflix.com

Strange thing is that those sites are pinging ipv6 address properly.
/ipv6 firewall address-list
add address=2001:470:X0:YYY::/64 list=home
/ipv6 firewall filter
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add chain=input comment="Allow limited ICMP" protocol=icmpv6
add chain=input comment="Allow UDP" protocol=udp
add action=drop chain=input
add chain=forward comment="Allow established connections" connection-state=established

Rest of known IPV6 sites which I'm using are working properly ;-)
 
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IPV6 internal configuration

Thu May 05, 2016 5:03 pm

May I ask for any recommendation why mikrotik.com ipv6 site is not working ?
Same thing is with the ipv6 site netflix.com

Strange thing is that those sites are pinging ipv6 address properly.
/ipv6 firewall address-list
add address=2001:470:X0:YYY::/64 list=home
/ipv6 firewall filter
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add chain=input comment="Allow limited ICMP" protocol=icmpv6
add chain=input comment="Allow UDP" protocol=udp
add action=drop chain=input
add chain=forward comment="Allow established connections" connection-state=established

Rest of known IPV6 sites which I'm using are working properly ;-)
You may need to add "related" to the forward chain rule "allow established" (you can check both to YES in the same rule)

Oh, and allow all UDP is probably not the best idea - it's going to allow IPv6-based DNS query access to your router if you've got the DNS proxy enabled. Not that IPv6-based DNS-amp is as common (I guess - I've never had it happen to me anyway) but hey, good practice is good practice, right?

As for Netflix, I hit an interesting thing with them using 6to4 IPv6 in a lab here at my office - even though my IPv4 address is recognized as USA, they didn't properly geo-locate the related 2002:: ipv6 prefix, so they denied access to the content (but the website still worked) from that range. I thought of letting them know, but I think 6to4 is probably shrinking in relevance these days....
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Thu May 05, 2016 9:28 pm

My nd config is below
/ipv6 nd export        
# may/05/2016 20:49:37 by RouterOS 6.35.1
# software id = AEFK-U9CX
#
/ipv6 nd
set [ find default=yes ] advertise-dns=yes other-configuration=yes ra-lifetime=10m
/ipv6 nd prefix
add autonomous=no interface=bridge-local on-link=no preferred-lifetime=5m prefix=::/0 valid-lifetime=infinity
/ipv6 nd prefix default
set preferred-lifetime=2d valid-lifetime=5d
Is that NS correct ? Do you have any suggestions to change that ?

I have changed firewall rules as suggested
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add action=drop chain=input
add chain=forward comment="Allow established connections" connection-state=established,related,new
add chain=forward comment="Allow related connections" connection-state=established,related
...and after disabling ICMP and UDP rules
add chain=input comment="Allow limited ICMP" protocol=icmpv6
add chain=input comment="Allow UDP" disabled=yes protocol=udp
mikrotik.com, netflix.com ipv6 site stopped to ping as ipv6 address ;-(
Now I have only ipv4 pings from these sites ;-((
 
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IPV6 internal configuration

Thu May 05, 2016 11:55 pm

I allow ICMP on my router's input chain - icmpv6 is much more critical to IPv6 than ICMP is to v4. For instance, the "arp" function (now called ND - neighbor discovery) uses icmpv6 to do its job, so you must at the very least accept ND requests or else nobody's going to be able to transmit data to you over an ethernet network. (I think you're using Tunnelbroker, which I think doesn't really require ND to work, but you should probably allow icmpv6 for now)

On the ND configuration, you probably set other-configuration=no unless you have a dhcpv6 server on your network (not the Mikrotik, which doesn't offer stateless dhcpv6 as far as I am aware). This flag tells clients that they should discover a dhcpv6 server for more information such as DNS server(s), domain suffix, time server, tftp server, etc... anything you'd normally add to a dhcp scope would be the type of thing in a stateless dhcpv6 server - except the address assignment and leasing portion.

Also realize that your PC/tablet/device could be preferring IPv4 over IPv6 - just because netflix and mikrotik.com have IPv6 available doesn't mean your computer is going to connect to them using IPv6. Your computer is going to do a DNS resolution on the host names, and get back some combination of A and AAAA records. If it gets only one, then it must use that protocol to connect. If it gets both, then it may decide on its own whether it would rather use v6 or v4.

Maybe your device is following RFC 6555 - "Happy Eyeballs" - and Netflix/Mikrotik happen to respond faster over IPv4.... I used to use http://myipv6address.com/ and often would get my IPv4 address back even when I knew good and well that my IPv6 was working properly. http://ipquail.com/ shows both addresses at once, and would still show my v6 address right after the first site only showed my v4 address. In that case, my computer was preferring IPv4 over IPv6. I could come back later and it would prefer v6, and I've never quite figured out what the difference was.
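
The firewall points raised in the replies above (keep ICMPv6 reachable, do not accept all UDP on input) can be checked mechanically. This is an added example, not code from any poster: a Python linter for a `/ipv6 firewall filter` export. The function names and finding codes are assumptions, both rule sets are constructed samples, and the third check (a forward rule that accepts `new` with no interface match) is this example's own reading of the rule posted earlier.

```python
import shlex

# Keys that do not narrow what a rule matches.
NON_MATCHERS = {"chain", "action", "comment", "disabled", "log", "log-prefix"}

# Constructed sample modelled on the rule set posted in the thread.
POSTED = r'''
/ipv6 firewall filter
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add chain=input comment="Allow UDP" protocol=udp
add action=drop chain=input
add chain=forward comment="Allow established connections" connection-state=\
    established,related,new
'''

# Constructed tightened variant; bridge-local is the LAN bridge named in the thread.
TIGHTENED = r'''
/ipv6 firewall filter
add chain=input connection-state=established,related
add chain=input comment="ND, RA, PMTU" protocol=icmpv6
add action=drop chain=input
add chain=forward connection-state=established,related
add chain=forward comment="LAN out" connection-state=new in-interface=bridge-local
add action=drop chain=forward
'''


def parse_filter_rules(export_text):
    """Return the enabled `/ipv6 firewall filter` rules as dicts, in order."""
    rules, in_section, pending = [], False, ""
    for raw in export_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # RouterOS export line continuation
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            in_section = line == "/ipv6 firewall filter"
        elif in_section and line.startswith("add "):
            rule = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            rule.setdefault("action", "accept")   # export omits the default action
            if rule.get("disabled") != "yes":
                rules.append(rule)
    return rules


def audit(export_text):
    """Return a list of (code, detail) findings for the filter rules."""
    findings = []
    rules = parse_filter_rules(export_text)
    for chain in ("input", "forward"):
        icmpv6_accepted = False
        for rule in (r for r in rules if r.get("chain") == chain):
            matchers = set(rule) - NON_MATCHERS
            accept = rule["action"] == "accept"
            # A rule with no connection-state matches every state, "new" included.
            states = set(rule.get("connection-state", "new").split(","))
            if accept and rule.get("protocol") == "icmpv6":
                icmpv6_accepted = True
            if (chain == "input" and accept and matchers == {"protocol"}
                    and rule["protocol"] == "udp"):
                findings.append(("input-accepts-all-udp",
                                 "any host can reach UDP services on the router, "
                                 "e.g. its DNS proxy"))
            if (chain == "forward" and accept
                    and matchers <= {"connection-state"} and "new" in states):
                findings.append(("forward-accepts-new-from-any-interface",
                                 "new connections arriving over the tunnel reach "
                                 "LAN hosts; match on in-interface"))
            if rule["action"] == "drop" and not matchers:
                if chain == "input" and not icmpv6_accepted:
                    findings.append(("input-drops-icmpv6",
                                     "neighbor discovery and router solicitations "
                                     "sent to the router are dropped"))
                break   # nothing after an unconditional drop is evaluated
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("tightened", TIGHTENED)):
        print(name, audit(text) or "no findings")
```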
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 internal configuration

Fri May 06, 2016 4:20 am

(not the Mikrotik, which doesn't offer stateless dhcpv6 as far as I am aware)
It's there, it can provide DNS resolvers, see my posts in this thread for details. It has some problems and it's not very configurable, but it does something.
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Fri May 06, 2016 8:05 pm

I allow ICMP on my router's input chain - icmpv6 is much more critical to IPv6 than ICMP is to v4. For instance, the "arp" function (now called ND - neighbor discovery) uses icmpv6 to do its job, so you must at the very least accept ND requests or else nobody's going to be able to transmit data to you over an ethernet network. (I think you're using Tunnelbroker, which I think doesn't really require ND to work, but you should probably allow icmpv6 for now)
Fine I have enabled icmpv6 to my firewall
add chain=input comment="Allow limited ICMP" protocol=icmpv6
On the ND configuration, you probably set other-configuration=no unless you have a dhcpv6 server on your network (not the Mikrotik, which doesn't offer stateless dhcpv6 as far as I am aware). This flag tells clients that they should discover a dhcpv6 server for more information such as DNS server(s), domain suffix, time server, tftp server, etc... anything you'd normally add to a dhcp scope would be the type of thing in a stateless dhcpv6 server - except the address assignment and leasing portion.
Other configuration is set Yes.
/ipv6 nd> print
Flags: X - disabled, I - invalid, * - default 
 0  * interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified 
      retransmit-interval=unspecified ra-lifetime=10m hop-limit=unspecified advertise-mac-address=yes 
      advertise-dns=yes managed-address-configuration=no other-configuration=yes
Also realize that your PC/tablet/device could be preferring IPv4 over IPv6 - just because netflix and mikrotik.com have IPv6 available doesn't mean your computer is going to connect to them using IPv6. Your computer is going to do a DNS resolution on the host names, and get back some combination of A and AAAA records. If it gets only one, then it must use that protocol to connect. If it gets both, then it may decide on its own whether it would rather use v6 or v4.
Because I'm having problems with IPV6 I have set to my IPV6 connection fixed DNSv6 - 2001:470:20::2 (HE DNS)
Maybe your device is following RFC 6555 - "Happy Eyeballs" - and Netflix/Mikrotik happen to respond faster over IPv4.... I used to use http://myipv6address.com/ and often would get my IPv4 address back even when I knew good and well that my IPv6 was working properly. http://ipquail.com/ shows both addresses at once, and would still show my v6 address right after the first site only showed my v4 address. In that case, my computer was preferring IPv4 over IPv6. I could come back later and it would prefer v6, and I've never quite figured out what the difference was.
I'm passing all ipv6 tests and I'm getting external IPV6 address.

The result is in that configuration mikrotik site is still pinging but not answering via browser, same netflix.com
Pinging netflix.com [2620:108:700f::36d6:494] with 32 bytes of data:
Reply from 2620:108:700f::36d6:494: time=183ms
Reply from 2620:108:700f::36d6:494: time=184ms

Pinging mikrotik.com [2a02:610:7501:1000::2] with 32 bytes of data:
Reply from 2a02:610:7501:1000::2: time=18ms
Reply from 2a02:610:7501:1000::2: time=18ms
 
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IPV6 internal configuration

Fri May 06, 2016 8:45 pm

If pings work but not HTTP, then you probably have an MTU problem. Try pinging with a full-mtu-sized packet and the DF flag set. If that also fails, then it's MTU.
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Fri May 06, 2016 8:48 pm

If pings work but not HTTP, then you probably have an MTU problem. Try pinging with a full-mtu-sized packet and the DF flag set. If that also fails, then it's MTU.
My PPPoE MTU is 1500 and HE interface MTU is the same 1500.

How to do this check?

BTW: many other web pages are working correct - like
https://ipv6.google.com
 
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IPV6 internal configuration

Fri May 06, 2016 8:53 pm

If pings work but not HTTP, then you probably have an MTU problem. Try pinging with a full-mtu-sized packet and the DF flag set. If that also fails, then it's MTU.
My PPPoE MTU is 1500 and HE interface MTU is the same 1500.

How to do this check?

BTW: many other web pages are working correct - like
https://ipv6.google.com
if PMTU discovery is broken somewhere else on the Internet, then there may not be anything you can do.
You could try to do a mangle rule with clamp-mss to something like 1200 just to see if anything changes.
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 internal configuration

Fri May 06, 2016 9:19 pm

MTU 1500 for HE interface (which is 6to4) is too much. For normal ethernet it needs to go down to 1480. I don't know about PPPoE. Also I think there should be some option to set right MTU on HE side. I don't use HE myself, but I think I've seen some screenshots somewhere.

Testing with ipv6.google.com means nothing, it uses 1280 and does not even try to go higher.
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Fri May 06, 2016 10:09 pm

I have changed MTU for PPPoE and HE same value 1480 and the result is the same as before.

Still most web pages are working properly on IPV6 protocol.
I found just by accident that mikrotik.com, forum.mikrotik.com and netflix.com are not working as a web page and are answering for ping as IPV6 address.
You could try to do a mangle rule with clamp-mss to something like 1200 just to see if anything changes.
Can you give me this code to run mangle rule ?

BTW: I have found in he interface that value of L2 MTU is 65535 and I can't change it. That might be a problem?
L2 MTU value for rest of interfaces is 1480.
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 internal configuration

Sat May 07, 2016 12:27 am

I don't know anything about PPPoE, but Google says it has MTU 1492. So minus 20 bytes for tunnel, try 1472 for 6to4 interface. If that does not help, you can go directly to minimum 1280. It might possibly hurt the performance a little, but it should work with anything.

You might also check if http://test-ipv6.com/ says anything useful, it seems to include some MTU testing.
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: IPV6 internal configuration

Sat May 07, 2016 9:52 pm

All ipv6 tests are showing that all is fine ;-)
I have changed MTU for he 6to4 tunnel for 1280, L2 MTU for this interface has value 65535 and this value I can't change.
Source interface PPPoE has, Max MTU - 1480, Max MRU - 1480, MRRU - 1480. I tried other lower values but this looks not so sensitive for ipv6 mikrotik.com.
All rest interfaces has MTU - 1480 and is the same.
