k.untner
just joined
Topic Author
Posts: 7
Joined: Sat Feb 18, 2006 9:42 pm
Location: vienna /austria / europe

Strange behavior - Secure connection failed

Sun Mar 05, 2017 11:48 pm

Hi Folks!

Anyone using IPv6 with Mikrotik?
My provider gave me a /56 subnet through a 6to4 tunnel 5 years ago, but now I've got this strange thing:
I cannot access https://my.vmware.com and other sites which are secured by incapsula.com.
The Firefox browser hangs a long time, then tells me "Secure Connection failed".
If I am using a PPTP tunnel to my MikroTik RB751G-2HnD (mipsbe) it starts working.
When I disable IPv6 or set the prefix policy on my Windows client to use IPv4 before IPv6, it's working too on Windows.
I tried resetting the configuration to a Home-AP already, with no IPv6 firewall rules, and downgrading to RouterOS 5.24. Nothing helped.
When I bypass the MT, using the PC with the official IP behind the modem, and build up an IPv6 tunnel with "netsh int ipv6 add v6v4tunnel myIPv4SourceAddr ProvidersIPv4GwAddr", add an IP and a route for 2000::/3, it's working too.
IPv4 MTU= 1460
IPv6 MTU= 1420
Any IPv6 & SSL experienced people here who can help me find what I am missing?

Best regards, Klemens
https://kletool.wordpress.com/2012/08/0 ... -zu-hause/
 
k.untner
just joined
Topic Author
Posts: 7
Joined: Sat Feb 18, 2006 9:42 pm
Location: vienna /austria / europe

Re: Strange behavior - Secure connection failed

Wed Mar 15, 2017 9:45 pm

It all looks like a PMTU detection problem between Incapsula.com and my provider's IPv6 tunnel GW.
Solution: drop all new IPv6 connections to 2a02:e980::/29 from my networks on the firewall.

C:\Windows\system32>nslookup my.vmware.com
Server: localhost
Address: ::1

Nicht autorisierende Antwort:
Name: 5alxq.x.incapdns.net
Addresses: 2a02:e980:46::13
107.154.119.19
Aliases: my.vmware.com

Ask RIPE for the address:
inet6num: 2a02:e980::/29

netname: IL-INCAPSULA-20121126
country: US
org: ORG-II66-RIPE

IPv6 Rule:
add action=reject chain=forward comment="TCPreset new TCP to 2a02:e980::/29 = incapdns.net to force IPv4" connection-state=new \
dst-address=2a02:e980::/29 protocol=tcp reject-with=tcp-reset src-address-list=Internal_IPv6_IPs tcp-flags=""


Now all incapdns.net falls back to IPv4 and we can work - Phew :-)

Have Fun with IPv6, Kletool

https://kletool.wordpress.com/
 
Ape
Member Candidate
Posts: 177
Joined: Sun Oct 06, 2013 3:32 pm
Location: Freiburg, Germany

Re: Strange behavior - Secure connection failed

Thu Mar 16, 2017 11:55 pm

Hi,

thank you for letting us know!

Just one objection: Wouldn't it be nicer to use a mangle rule to change outgoing MSS for these connections?

Regards,
Ape
 
k.untner
just joined
Topic Author
Posts: 7
Joined: Sat Feb 18, 2006 9:42 pm
Location: vienna /austria / europe

Re: Strange behavior - Secure connection failed

Sat Mar 18, 2017 4:52 pm

Hello Ape!
Thanks for your suggestion. It is working too on IPv6 with reduced MSS.
Here is the rule:
add action=change-mss chain=forward comment="Change IPv6 MSS to 1360 for Incapsula Protected Sites" connection-state=new dst-address=2a02:e980::/29 \
new-mss=1360 passthrough=yes protocol=tcp src-address-list=Internal_IPv6_IPs tcp-flags=syn tcp-mss=1360-65535
Have a nice weekend, Kletool
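As an added illustration (not code from the thread or from MikroTik), a small Python model of the failure discussed above: the TCP handshake and the ClientHello are small enough to cross the 1420-byte tunnel, but the multi-kilobyte ServerHello plus certificate chain is not, and if the ICMPv6 Packet Too Big never reaches the server the connection stalls, which is what the browser reports as "Secure Connection failed". It also shows why the change-mss rule uses 1360 (1420 minus the 40-byte IPv6 and 20-byte TCP headers). The client MSS of 1440 and the 4000-byte ServerHello size are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

IPV6_HDR = 40        # fixed IPv6 header
TCP_HDR = 20         # TCP header without options
CLIENT_MSS = 1440    # assumed: what a host on a 1500-byte LAN advertises

def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits in one packet on a link with this MTU."""
    return mtu - IPV6_HDR - TCP_HDR      # 1420 -> 1360, the value in the rule

@dataclass
class Path:
    path_mtu: int                        # smallest MTU on the path (tunnel: 1420)
    ptb_delivered: bool                  # does ICMPv6 Packet Too Big reach the server?
    mss_clamp: Optional[int] = None      # MSS the router writes into the SYN, if any

def negotiated_mss(path: Path) -> int:
    """MSS the server sees after an optional change-mss rule on the router."""
    if path.mss_clamp is None:
        return CLIENT_MSS
    return min(CLIENT_MSS, path.mss_clamp)

def tls_handshake_completes(path: Path, server_hello_bytes: int = 4000) -> bool:
    """SYN, SYN-ACK and ClientHello are small and always get through; the
    ServerHello + certificate chain is sent in full-MSS segments, and that is
    where the tunnel MTU matters."""
    mss = negotiated_mss(path)
    if server_hello_bytes <= mss:
        return True                      # fits in one small segment
    packet = mss + IPV6_HDR + TCP_HDR
    if packet <= path.path_mtu:
        return True                      # every segment fits the tunnel
    # Segment is too big for the tunnel: the tunnel endpoint drops it and
    # sends ICMPv6 Packet Too Big back towards the server ...
    if path.ptb_delivered:
        return True                      # server retransmits at path_mtu
    # ... but if that ICMP is filtered or lost, the server keeps resending
    # the same oversized segment until it gives up: the browser hangs.
    return False
```

With the page's numbers, `Path(1420, False)` fails, while `Path(1420, False, mss_clamp=1360)` succeeds without relying on ICMP at all, which is why the MSS clamp is the more robust fix than forcing a fallback to IPv4.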
