
Strange behavior - Secure connection failed

Posted: Sun Mar 05, 2017 11:48 pm
by k.untner
Hi Folks!

Anyone using IPv6 with Mikrotik?
My provider gave me a /56 Subnet through a 6to4 Tunnel 5 years ago, but now I've got the strange thing:
I cannot access and other Sites which are secured by
The Firefox Browser hangs a long time - then telling me "Secure Connection failed".
If I am using a PPTP Tunnel to my Mikrotik RB751G-2HnD (mipsbe) it starts working.
When I disable IPv6 or set the Prefixpolicy on my Windows Client to use IPv4 before IPv6 it's working too on Windows.
I tried resetting the configuration to a Home-AP already and no IPv6 Firewall Rules and downgrading to RouterOS 5.24 - Nothing helped.
When I bypass the MT using the PC with the official IP behind the Modem and build up an IPv6 Tunnel with "netsh int ipv6 add v6v4tunnel myIPv4SourceAddr ProvidersIPv4GwAddr", add an IP and route for 2000::/3 it's working too.
IPv4 MTU= 1460
IPv6 MTU= 1420
Any IPv6 & SSL experienced people here, who can help me to find what I am missing?

Best regards, Klemens ... -zu-hause/

Re: Strange behavior - Secure connection failed

Posted: Wed Mar 15, 2017 9:45 pm
by k.untner
It all looks like a PMTU detection problem between and my provider's IPv6 tunnel GW.
Solution: Drop all new IPv6 connections to 2a02:e980::/29 from my networks on the firewall

Server: localhost
Address: ::1

Nicht autorisierende Antwort:
Addresses: 2a02:e980:46::13

Ask RIPE for the address:
inet6num: 2a02:e980::/29

netname: IL-INCAPSULA-20121126
country: US
org: ORG-II66-RIPE

IPv6 Rule:
add action=reject chain=forward comment="TCPreset new TCP to 2a02:e980::/29 = to force IPv4" connection-state=new \
dst-address=2a02:e980::/29 protocol=tcp reject-with=tcp-reset src-address-list=Internal_IPv6_IPs tcp-flags=""

Now all falls back to IPv4 and we can work - Phew :-)

Have Fun with IPv6, Kletool

Re: Strange behavior - Secure connection failed

Posted: Thu Mar 16, 2017 11:55 pm
by Ape

Thank you for letting us know!

Just one objection: Wouldn't it be nicer to use a mangle rule to change outgoing MSS for these connections?


Re: Strange behavior - Secure connection failed

Posted: Sat Mar 18, 2017 4:52 pm
by k.untner
Hello Ape!
Thanks for your suggestion. It is working too on IPv6 with reduced MSS.
Here is the rule:
add action=change-mss chain=forward comment="Change IPv6 MSS to 1360 for Incapsula Protected Sites" connection-state=new dst-address=2a02:e980::/29 \
new-mss=1360 passthrough=yes protocol=tcp src-address-list=Internal_IPv6_IPs tcp-flags=syn tcp-mss=1360-65535
Have a nice weekend, Kletool
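
Added example, not part of the thread or of any poster's configuration: a small Python model of the PMTU black hole suspected above, and of why rewriting the SYN's MSS to 1360 (the 1420-byte IPv6 MTU minus 40 bytes of IPv6 header and 20 bytes of TCP header) avoids it. The 1500-byte LAN and server MTUs, the 4000-byte server flight and all function names are assumptions made for illustration.

```python
IPV6_HEADER = 40   # fixed IPv6 header, bytes
TCP_HEADER = 20    # TCP header without options, bytes

def mss_for_mtu(mtu):
    """Largest TCP payload that fits one IPv6 packet of size `mtu`."""
    return mtu - IPV6_HEADER - TCP_HEADER

def change_mss(syn_mss, new_mss=1360, match=(1360, 65535)):
    """Model of the thread's mangle rule: rewrite the MSS option of a SYN
    only when it falls inside the tcp-mss match range."""
    return new_mss if match[0] <= syn_mss <= match[1] else syn_mss

def send_flight(payload_len, client_mss, server_mtu, tunnel_mtu, ptb_delivered):
    """Server sends payload_len bytes towards the client through the tunnel.
    IPv6 routers never fragment: an oversized packet is dropped and an
    ICMPv6 Packet Too Big is returned. If that message never reaches the
    server, it keeps retransmitting the same size and the flow stalls."""
    seg = min(client_mss, mss_for_mtu(server_mtu))
    sent = 0
    while sent < payload_len:
        chunk = min(seg, payload_len - sent)
        if chunk + IPV6_HEADER + TCP_HEADER > tunnel_mtu:
            if not ptb_delivered:
                return ("stalled", sent)
            seg = mss_for_mtu(tunnel_mtu)   # PMTUD worked: shrink and retry
            continue
        sent += chunk
    return ("delivered", sent)

TUNNEL_MTU = 1420               # IPv6 MTU quoted in the first post
LAN_MTU = SERVER_MTU = 1500     # assumption: plain Ethernet at both ends
syn_mss = mss_for_mtu(LAN_MTU)  # 1440, what the client advertises
FLIGHT = 4000                   # constructed size of a TLS certificate flight

if __name__ == "__main__":
    for label, mss, ptb in [
        ("no clamp, PTB lost", syn_mss, False),
        ("no clamp, PTB delivered", syn_mss, True),
        ("change-mss 1360, PTB lost", change_mss(syn_mss), False),
    ]:
        print(label, send_flight(FLIGHT, mss, SERVER_MTU, TUNNEL_MTU, ptb))
    # Small packets pass even in the black hole, so the TCP handshake works.
    print("300-byte reply", send_flight(300, syn_mss, SERVER_MTU, TUNNEL_MTU, False))
```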