RouterOS v6.48.1 (stable). The config has been factory reset and a few things have been changed. Typical home setup with a cable modem (Sagem Fast 3890V3) in bridge mode. I have a fixed public IPv4 (no NAT44/CGNAT) but no native IPv6.
I have tested with the default MTU of 1480 set on the Hurricane Electric Advanced Tunnel Options page with the same results, but for now it is set to 1280.
$MYLOCALIP4 is my public static IPv4 address (part of AS203953)
$HETRANSPORTNET is the part of the tunnel prefix assigned to me by HE
The setup is completely standard and a copy-paste of the HE example config:

/interface 6to4 add comment="Hurricane Electric IPv6 Tunnel Broker" disabled=no local-address=$MYLOCALIP4 mtu=1280 name=sit1 remote-address=18.104.22.168
/ipv6 route add comment="" disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:27:$HETRANSPORTNET::1 scope=30 target-scope=10
/ipv6 address add address=2001:470:27:$HETRANSPORTNET::2/64 advertise=no disabled=no eui-64=no interface=sit1
- On my local router I can ping6 my end of the tunnel (2001:470:27:$HETRANSPORTNET::2)
- From an external site I can ping6 the remote end of the tunnel (2001:470:27:$HETRANSPORTNET::1)
- On my local router I cannot ping6 the remote end of the tunnel (2001:470:27:$HETRANSPORTNET::1)
- From an external site I cannot ping6 my end of the tunnel (2001:470:27:$HETRANSPORTNET::2)
- From an external site I can ping4 $MYLOCALIP4
So the basic test of tunnel connectivity utterly fails.
My first idea was to look at the firewall.
I cleared "/ipv6 firewall address-list" and "/ipv6 firewall filter".
Just to be sure I also tried with:

/ipv6 firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=input action=accept log=yes log-prefix=""
 1   chain=output action=accept log=yes log-prefix=""
 2   chain=forward action=accept log=no log-prefix=""

Obviously I need to take care of the IPv4 firewall as well. I do not feel comfortable completely wiping the IPv4 filter rules, so I have kept the default rules. To allow tunnel traffic I have added rules 1-3 to handle protocol 41. Rule 1 was for testing, and rules 2 & 3 were what I thought should be enough to allow tunnel traffic.

/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0 D ;;; special dummy rule to show fasttrack counters
     chain=forward action=passthrough
 1 X chain=input action=accept protocol=ipv6-encap log=yes log-prefix=""
 2   chain=input action=accept protocol=ipv6-encap src-address=22.214.171.124 log=yes log-prefix=""
 3   chain=output action=accept protocol=ipv6-encap log=yes log-prefix=""
 4   ;;; defconf: accept established,related,untracked
     chain=input action=accept connection-state=established,related,untracked
 5   ;;; defconf: drop invalid
     chain=input action=drop connection-state=invalid log=no log-prefix=""
 6   ;;; defconf: accept ICMP
     chain=input action=accept protocol=icmp log=no log-prefix=""
 7   ;;; defconf: accept to local loopback (for CAPsMAN)
     chain=input action=accept dst-address=127.0.0.1
 8   ;;; defconf: drop all not coming from LAN
     chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
 9   ;;; defconf: accept in ipsec policy
     chain=forward action=accept ipsec-policy=in,ipsec
10   ;;; defconf: accept out ipsec policy
     chain=forward action=accept ipsec-policy=out,ipsec
11   ;;; defconf: fasttrack
     chain=forward action=fasttrack-connection connection-state=established,related
12   ;;; defconf: accept established,related, untracked
     chain=forward action=accept connection-state=established,related,untracked
13   ;;; defconf: drop invalid
     chain=forward action=drop connection-state=invalid log=no log-prefix=""
14   ;;; defconf: drop all from WAN not DSTNATed
     chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
When I ping from my end I see traffic on rule 3 but no return traffic on rule 2 (or 1).
When I look at sit1 I see Tx bytes and packets but no Rx. There are no Tx/Rx drops or errors.
My next guess was that NAT was playing games. I just have the default masquerade setup:

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; defconf: masquerade
     chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

I tried to set up a rule to monitor this:

/ip firewall mangle add action=log chain=prerouting in-interface=ether1 log=yes protocol=ipv6-encap

I am a bit unsure whether this is correct, as I see no traffic (bytes/packets) on this rule.
What I see in the log:

output: in:(unknown 0) out:sit1, proto ICMP (type 128, code 0), 2001:470:27:$HETRANSPORTNET::2->2001:470:27:$HETRANSPORTNET::1, len 10
output: in:(unknown 0) out:ether1, proto 41, $MYLOCALIP4->126.96.36.199, len 70

I have tried logging on the drop rules just to be sure, but I see nothing dropped on proto 41.
And the connection status when I ping6 from my end to the far end (the rest of the time I see nothing):

/ip firewall connection print detail where protocol=ipv6-encap
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
 0 C protocol=ipv6-encap src-address=$MYLOCALIP4 dst-address=188.8.131.52 reply-src-address=184.108.40.206 reply-dst-address=$MYLOCALIP4
     timeout=9m59s orig-packets=15 orig-bytes=1 050 orig-fasttrack-packets=0 orig-fasttrack-bytes=0
     repl-packets=0 repl-bytes=0 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=560bps repl-rate=0bps

To me it looks like my traffic goes out and looks correct, but nothing comes back. Hurricane Electric claims their site is up, and from an external location I am able to ping6 the remote end of the tunnel (2001:470:27:$HETRANSPORTNET::1). The hypothesis is then that the tunnel broker is working.
The next hypothesis is then that something between me and them does not like to deliver protocol 41 traffic to me.
I then construct a 6to4 address from my public IPv4 address using:

ipv4="$MYLOCALIP4"; printf "2002:%02x%02x:%02x%02x::1\n" `echo $ipv4 | tr "." " "`

The constructed IPv6 address resolves to the same location as my IPv4 on https://www.ip2location.com/demo/
I then try to ping6 this address from an external site to see if I get *any* incoming protocol 41 traffic (enabling rule 1 in the above firewall config). And I see nothing.
All this leads me to the highly unlikely conclusion that my ISP is mangling protocol 41. I do not feel confident enough in my abilities to make such a bold claim.
Occam's razor is usually correct: I am probably doing something stupid.
This should be a rather simple and common setup. What am I doing wrong? Are there other troubleshooting steps I could perform before turning to Wireshark?
When I am doing stupid things I can usually find a lot of people with the same problems on the Internet. But in this case I have only been able to find a couple of suggestions related to connection tracking, which I do not think is my problem.
6to4 tunnel & source NAT:
6in4 tunnel with wrong source address:
The one I found which looked pretty much like my issue ended up being over LTE, which for sure has a lot of "stuff" in the traffic path.
IPV6 Tunnel (6in4) not receiving any data - transmit works
Any help would be highly appreciated. I have sunk countless hours into this and got none the wiser.
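As an added example (not part of the post above, and not MikroTik or Hurricane Electric code), the two checks the post performs by hand can be scripted so that they are repeatable: deriving the 6to4 address that a public IPv4 maps to (the same computation as the printf one-liner, generalized to reject the CGNAT range 100.64.0.0/10, where neither 6to4 nor a 6in4 tunnel can receive protocol 41), and scanning the output of `/ip firewall connection print detail` for protocol-41 flows that have originating packets but zero reply packets, which is exactly the one-way symptom shown in the post. The connection-tracking sample below is constructed text in RouterOS's output format with documentation addresses (203.0.113.x, 198.51.100.x); the parser assumes entries begin with an index number and that wrapped continuation lines are indented, and it copes with RouterOS printing byte counts with thousands separators ("1 050").

```python
"""Helpers for the 6in4 diagnosis described above (added example, not from the post)."""
import ipaddress
import re

CGNAT = ipaddress.ip_network("100.64.0.0/10")


def to_6to4_address(ipv4: str, suffix: str = "::1") -> str:
    """Return the 6to4 (2002::/16) address embedding a public IPv4, e.g. 192.0.2.1 -> 2002:c000:201::1.

    Raises ValueError for a CGNAT address: a 6to4/6in4 endpoint behind NAT444 never
    receives protocol 41, so the test would be meaningless there.
    """
    addr = ipaddress.IPv4Address(ipv4)
    if addr in CGNAT:
        raise ValueError(f"{ipv4} is in the CGNAT range {CGNAT}; no public endpoint")
    b = addr.packed  # the four octets, hex-packed into the 2002: prefix
    return str(ipaddress.IPv6Address(f"2002:{b[0]:02x}{b[1]:02x}:{b[2]:02x}{b[3]:02x}{suffix}"))


# Values are either a run of digit groups separated by single spaces ("1 050") or any
# non-space token; the lookahead stops a grouped number from swallowing the next key.
_KV = re.compile(r"([\w-]+)=(\d{1,3}(?: \d{3})+(?=\s|$)|\S+)")


def _coerce(value: str):
    compact = value.replace(" ", "")
    return int(compact) if compact.isdigit() else value


def parse_connections(text: str) -> list[dict]:
    """Parse `/ip firewall connection print detail` output into one dict per entry."""
    entries: list[str] = []
    for line in text.splitlines():
        if re.match(r"^\s*\d+\s", line):          # "N [flags] key=value ..." starts an entry
            entries.append(line.strip())
        elif entries and line.startswith(" "):     # indented continuation of the previous entry
            entries[-1] += " " + line.strip()
    result = []
    for entry in entries:
        index, rest = re.match(r"^(\d+)\s+(.*)$", entry).groups()
        head = rest.split("=", 1)[0].split()       # tokens before the first '=': flags + first key
        conn = {"index": int(index), "flags": "".join(head[:-1])}
        conn.update({k: _coerce(v) for k, v in _KV.findall(rest)})
        result.append(conn)
    return result


def one_way_tunnels(conns: list[dict], protocol: str = "ipv6-encap") -> list[dict]:
    """Flows of the given protocol that sent packets but never saw a reply (the post's symptom)."""
    return [c for c in conns
            if c.get("protocol") == protocol
            and c.get("orig-packets", 0) > 0
            and c.get("repl-packets", 0) == 0]


# Constructed sample in RouterOS's print-detail layout; addresses are documentation ranges.
SAMPLE = """\
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
 0 C protocol=ipv6-encap src-address=203.0.113.10 dst-address=198.51.100.1 reply-src-address=198.51.100.1
     reply-dst-address=203.0.113.10 timeout=9m59s orig-packets=15 orig-bytes=1 050 orig-fasttrack-packets=0
     orig-fasttrack-bytes=0 repl-packets=0 repl-bytes=0 repl-fasttrack-packets=0 repl-fasttrack-bytes=0
     orig-rate=560bps repl-rate=0bps
 1 SAC protocol=udp src-address=192.168.88.10:53211 dst-address=198.51.100.53:53 reply-src-address=198.51.100.53:53
     reply-dst-address=203.0.113.10:53211 timeout=9s orig-packets=1 orig-bytes=60 repl-packets=1 repl-bytes=120
"""

if __name__ == "__main__":
    print("6to4 address for 192.0.2.1:", to_6to4_address("192.0.2.1"))
    for c in one_way_tunnels(parse_connections(SAMPLE)):
        print(f"one-way {c['protocol']} flow #{c['index']}: {c['src-address']} -> {c['dst-address']}, "
              f"{c['orig-packets']} sent, {c['repl-packets']} received")
```

On a real router, paste the output of `/ip firewall connection print detail where protocol=ipv6-encap` in place of `SAMPLE`; a flow reported by `one_way_tunnels` while the mangle log rule on ether1 stays at zero says the encapsulated packets leave but nothing with protocol 41 arrives, which narrows the fault to the path upstream of the router rather than to the IPv6 filter or NAT.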