 
ccanto
just joined
Topic Author
Posts: 4
Joined: Mon Apr 22, 2019 11:36 am

IPv6 conntrack issue

Thu May 21, 2020 6:27 pm

Hello everybody,

Today I took a closer look into an intermittent problem that I'm experiencing with IPv6 connections.
I'm using v6.46.6 with a CCR1009

Using permanent IPv6 TCP connections (ssh,rdp), sometimes sporadic connection drops kept occurring.
I then tried to discover where the problem was, by sniffing traffic at the LAN interface and at the WAN interface. I then discovered that when the problem happens, packets from the pc (LAN side) were not being routed to the WAN side and as such the client pc kept re-transmitting until it gave up and started a new connection (SYN). From there everything was back working again until the next time. During this, packets from the WAN to LAN were being normally routed from the server to the client PC (also with re-transmissions because the server was not receiving from the pc, but being routed as normal).

That made me look closer at the conntrack. There I saw something strange: the connection timeout stayed most of the time with "23:59:59", but then from one moment to the next, "00:04:59" appeared, and then back to "23:59:59". Same connection, not a new one. Coincidentally or not, in one of those glitches, that problem occurred.

This seems to be an issue with the IPv6 conntrack, or am I looking at this wrong?

I also added a forward allow all rule from LAN to WAN, and lan_interface to wan_interface, both to no avail. Packets still did not route from LAN to WAN when the problem occurs.
Can someone take also a look at this?

Thanks and best regards,
Carlos
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPv6 conntrack issue

Thu May 21, 2020 7:32 pm

If you look at the same in IPv4 conntrack, you'll see the same short timeouts appearing now and then, as they appear whenever a packet has not been acknowledged yet:
[me@MyTik] > ip firewall connection tracking print
...
tcp-established-timeout: 1d
...
tcp-max-retrans-timeout: 5m
tcp-unacked-timeout: 5m
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
ccanto
just joined
Topic Author
Posts: 4
Joined: Mon Apr 22, 2019 11:36 am

Re: IPv6 conntrack issue

Thu May 21, 2020 7:52 pm

If you look at the same in IPv4 conntrack, you'll see the same short timeouts appearing now and then, as they appear whenever a packet has not been acknowledged yet:
[me@MyTik] > ip firewall connection tracking print
...
tcp-established-timeout: 1d
...
tcp-max-retrans-timeout: 5m
tcp-unacked-timeout: 5m
Hi, I never had those problems with IPv4, so frankly no, I haven't paid that much attention to IPv4 conntrack, but you are right.

So whenever an established tcp connection, for some reason, retransmits, the timeout jumps to 5m, and then if it normalizes, it switches back to 1d, is that it? Note: the "TCP State" for the connection keeps at "established".

In any case, I'm still to figure out why the router sporadically refuses to forward the established/retrans state tcp connection from LAN to WAN... If it isn't the ipv6 conntrack, anyone with a better insight of RouterOS has an idea of what it could be?

Thanks
 
ccanto
just joined
Topic Author
Posts: 4
Joined: Mon Apr 22, 2019 11:36 am

Re: IPv6 conntrack issue  [SOLVED]

Fri May 29, 2020 2:59 pm

Hello,

Just to update my post and say that I have found the issue. And it was no fault of Mikrotik

There was another Mikrotik router in the network that was misconfigured and was sending router advertisements with a default route.
During an established connection, the client received the advertisement icmpv6 packet and started sending the next traffic to this new router which could not forward, beginning a sequence of TCP retransmissions and the inevitable connection RST.
That is why I was seeing traffic arriving at the LAN bridge (promiscuous sniffing) but not being forwarded to the WAN interface of the real router. The MAC was different, but very similar (another Mikrotik).

Sorry for the mislead.

On a side note, is there any protection that could be placed, probably at switch/bridge level (filter) that could prevent a rogue router from causing this?

Thanks
 
idlemind
Forum Guru
Posts: 1147
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: IPv6 conntrack issue

Sat May 30, 2020 5:07 am

Yes, in Cisco land it's ND inspection, RA guard along with DHCPv6 snooping. It's similar to the purpose and goals of ARP and DHCP snooping in v4.

That said here in Mikrotik land I do not think we have any equivalent yet. You could implement firewall rules that only allow trusted ports to emit RAs. I'd have to look at the addresses and codes again but I know I have an ACL for doing it in Cisco switches that don't support the above-mentioned features.
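The rogue-RA failure described in the [SOLVED] post and the "only trusted ports may emit RAs" idea above, as an added detection example that is not from this thread, from MikroTik or from Cisco: a pure-Python parser that takes raw Ethernet frames (for instance from a promiscuous capture on the LAN bridge, as Carlos did), picks out ICMPv6 Router Advertisements, and flags any whose sender is outside a trusted-MAC allowlist. A non-zero router lifetime is what tells hosts "use me as a default router", which is exactly how the second MikroTik hijacked the established connection, so that case is reported separately; the RFC 4861 validity checks (link-local source, hop limit 255) are applied as well. All MACs, link-local addresses and frames below are constructed sample data, and `TRUSTED` is an assumption standing in for the real router's MAC.

```python
"""Rogue IPv6 Router Advertisement detector over raw Ethernet frames (stdlib only)."""
import struct

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERT = 134   # RA type per RFC 4861
ND_OPT_SOURCE_LLADDR = 1     # "source link-layer address" ND option


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ra(frame):
    """Return the RA fields of an Ethernet frame as a dict, or None if it is not an RA.
    Only the plain Ethernet/IPv6/ICMPv6 case is handled (RAs carry no extension headers)."""
    if len(frame) < 14 + 40 + 16:
        return None
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV6:
        return None
    ver_tc_fl, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", frame[14:22])
    if (ver_tc_fl >> 28) != 6 or next_hdr != IPPROTO_ICMPV6:
        return None
    src_ip = frame[22:38]
    icmp = frame[54:54 + payload_len]
    if len(icmp) < 16:
        return None
    icmp_type, code, _csum, _cur_hl, _flags, router_lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", icmp[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERT or code != 0:
        return None
    # Walk the TLV options; length is in units of 8 bytes, zero length is malformed.
    opt_lladdr = None
    off = 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:
            break
        if opt_type == ND_OPT_SOURCE_LLADDR and opt_len == 1 and off + 8 <= len(icmp):
            opt_lladdr = icmp[off + 2:off + 8]
        off += opt_len * 8
    return {
        "src_mac": mac_str(src_mac),
        "src_ip_link_local": src_ip[0] == 0xFE and (src_ip[1] & 0xC0) == 0x80,
        "hop_limit": hop_limit,
        "router_lifetime": router_lifetime,
        "opt_lladdr": mac_str(opt_lladdr) if opt_lladdr else None,
    }


def classify_ra(ra, trusted_macs):
    """Return the findings for one parsed RA; an empty list means it looks legitimate."""
    findings = []
    if ra["src_mac"] not in trusted_macs:
        if ra["router_lifetime"] > 0:
            findings.append("untrusted sender advertising itself as default router")
        else:
            findings.append("untrusted sender emitting RA")
    if not ra["src_ip_link_local"] or ra["hop_limit"] != 255:
        findings.append("RA violates RFC 4861 validation (link-local source, hop limit 255)")
    if ra["opt_lladdr"] and ra["opt_lladdr"] != ra["src_mac"]:
        findings.append("source link-layer option does not match Ethernet source")
    return findings


def scan(frames, trusted_macs):
    """Return {frame_index: findings} for every RA with at least one finding."""
    alerts = {}
    for i, frame in enumerate(frames):
        ra = parse_ra(frame)
        if ra is not None:
            findings = classify_ra(ra, trusted_macs)
            if findings:
                alerts[i] = findings
    return alerts


def build_ra(src_mac, src_ip, router_lifetime, hop_limit=255):
    """Construct a sample RA frame to the all-nodes multicast group (checksum left zero;
    this is test data for the parser, nothing is transmitted)."""
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)
    icmp += bytes([ND_OPT_SOURCE_LLADDR, 1]) + src_mac
    all_nodes = bytes.fromhex("ff020000000000000000000000000001")
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), IPPROTO_ICMPV6, hop_limit) + src_ip + all_nodes
    eth = bytes.fromhex("333300000001") + src_mac + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ip6 + icmp


# Constructed sample data: the real router and a second, similar-looking MikroTik MAC.
LEGIT_MAC = bytes.fromhex("4c5e0c000001")
ROGUE_MAC = bytes.fromhex("4c5e0c000002")
LL_LEGIT = bytes.fromhex("fe80" + "0" * 24 + "0001")
LL_ROGUE = bytes.fromhex("fe80" + "0" * 24 + "0002")
TRUSTED = {mac_str(LEGIT_MAC)}   # assumption: allowlist of the real router's MAC

SAMPLE_FRAMES = [
    build_ra(LEGIT_MAC, LL_LEGIT, 1800),             # 0: legitimate default router
    build_ra(ROGUE_MAC, LL_ROGUE, 1800),             # 1: the thread's rogue default route
    build_ra(ROGUE_MAC, LL_ROGUE, 0),                # 2: untrusted, but not claiming default
    build_ra(ROGUE_MAC, LL_ROGUE, 1800, hop_limit=64),  # 3: rogue and not link-scoped
    bytes.fromhex("ffffffffffff") + LEGIT_MAC + b"\x08\x06" + b"\x00" * 28,  # 4: ARP, ignored
]


def demo():
    return scan(SAMPLE_FRAMES, TRUSTED)


if __name__ == "__main__":
    for idx, findings in demo().items():
        print(f"frame {idx}: {'; '.join(findings)}")
```

Frame 1 is the situation from the thread: a valid-looking RA from an unexpected MAC with a non-zero router lifetime, which every host on the segment will accept as a new default router. On RouterOS the nearest equivalent of the allowlist is filtering RAs by ingress port, as idlemind suggests; this script is the capture-side check you can run to confirm which MAC is actually advertising.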
 
pe1chl
Forum Guru
Posts: 6520
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPv6 conntrack issue

Sat May 30, 2020 12:38 pm

This is the difference between inexpensive equipment like MikroTik and more expensive (or from a manufacturer with longer experience) like Cisco.
Snooping features and other enterprise-level switching features are lacking from MikroTik switches. But of course they are a lot cheaper too.
