RouterOS v6.48.1 (stable). The config has been factory reset and a few things have been changed. Typical home setup with cable modem (Sagem Fast 3890V3) in bridge mode. I have a fixed public IPv4 (no NAT44/CGNAT) but no native IPv6.
I have tested with the default MTU of 1480 set on the Hurricane Electric Advanced Tunnel Options page with the same results, but for now it is set to 1280.
$MYLOCALIP4 is my public static IPv4 address (part of AS203953).
$HETRANSPORTNET is the part of the tunnel assigned to me by HE.
The setup is completely standard and a copy-paste of the HE example config:
Code:
/interface 6to4 add comment="Hurricane Electric IPv6 Tunnel Broker" disabled=no local-address=$MYLOCALIP4 mtu=1280 name=sit1 remote-address=216.66.80.90
/ipv6 route add comment="" disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:27:$HETRANSPORTNET::1 scope=30 target-scope=10
/ipv6 address add address=2001:470:27:$HETRANSPORTNET::2/64 advertise=no disabled=no eui-64=no interface=sit1
- On my local router I can ping6 my end of the tunnel (2001:470:27:$HETRANSPORTNET::2)
- From an external site I can ping6 the remote end of the tunnel (2001:470:27:$HETRANSPORTNET::1)
- On my local router I cannot ping6 the remote end of the tunnel (2001:470:27:$HETRANSPORTNET::1)
- From an external site I cannot ping6 my end of the tunnel (2001:470:27:$HETRANSPORTNET::2)
- From an external site I can ping4 $MYLOCALIP4
So the basic test of tunnel connectivity utterly fails.
My first idea was to look at the firewall.
I cleared "/ipv6 firewall address-list" and "/ipv6 firewall filter".
Just to be sure I also tried with:
Code:
/ipv6 firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept log=yes log-prefix=""
1 chain=output action=accept log=yes log-prefix=""
2 chain=forward action=accept log=no log-prefix=""
Code:
/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 X chain=input action=accept protocol=ipv6-encap log=yes log-prefix=""
2 chain=input action=accept protocol=ipv6-encap src-address=216.66.80.90 log=yes log-prefix=""
3 chain=output action=accept protocol=ipv6-encap log=yes log-prefix=""
4 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
5 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""
6 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
7 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
8 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
9 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
10 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
11 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
12 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
13 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
14 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
When I ping from my end I see traffic on rule 3 but no return traffic on rule 2 (or 1).
When I look at sit1 I see Tx bytes and packets but no Rx. There are no Tx/Rx drops or errors.
My next guess was that NAT was playing games. I just have the default masquerade setup:
Code:
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
Code:
/ip firewall mangle
add action=log chain=prerouting in-interface=ether1 log=yes protocol=ipv6-encap
What I see in the log:
Code:
output: in:(unknown 0) out:sit1, proto ICMP (type 128, code 0), 2001:470:27:$HETRANSPORTNET::2->2001:470:27:$HETRANSPORTNET::1, len 10
output: in:(unknown 0) out:ether1, proto 41, $MYLOCALIP4->216.66.80.90, len 70
And the connection status when I ping6 from my end to the far end. The rest of the time I see nothing.
Code:
/ip firewall connection print detail where protocol=ipv6-encap
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
0 C protocol=ipv6-encap src-address=$MYLOCALIP4 dst-address=216.66.80.90 reply-src-address=216.66.80.90 reply-dst-address=$MYLOCALIP4 timeout=9m59s orig-packets=15 orig-bytes=1 050 orig-fasttrack-packets=0
orig-fasttrack-bytes=0 repl-packets=0 repl-bytes=0 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=560bps repl-rate=0bps
The next hypothesis is then that something between me and them does not like to get protocol 41 traffic to me.
I then construct a 6to4 address from my public IPv4 address using:
Code:
ipv4="$MYLOCALIP4"; printf "2002:%02x%02x:%02x%02x::1\n" $(echo "$ipv4" | tr "." " ")
I then try to ping6 this address from an external site to see if I get *any* incoming protocol 41 traffic (enabling rule 1 in the above firewall config). And I see nothing.
All this leads me to the highly unlikely conclusion that my ISP is mangling protocol 41. I do not feel confident enough in my abilities to make such a bold claim.
Occam's razor is usually correct: I am probably doing something stupid.
This should be a rather simple and common setup. What am I doing wrong? Are there other troubleshooting steps I could perform before looking to wireshark?
When I am doing stupid things I can usually find a lot of people with the same problems on the Internet. But in this case I have only been able to find a couple of suggestions related to connection tracking, which I do not think is my problem.
6to4 tunnel & source NAT:
viewtopic.php?t=105348
6in4 tunnel with wrong source address:
viewtopic.php?t=171496
The one I found which looked pretty much like my issue ended up being over LTE, which for sure has a lot of "stuff" in the traffic path.
IPV6 Tunnel (6in4) not receiving any data - transmit works
viewtopic.php?t=110868
Any help would be highly appreciated. I have sunk countless hours into this and got none the wiser.
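A capture-side version of the two checks in the post above, as an added Python example that is not part of the original post or of RouterOS: it decodes raw IPv4 packets, picks out protocol 41 (ipv6-encap) and the inner IPv6/ICMPv6 headers, counts encapsulated packets per direction the way the sit1 Tx/Rx counters do, and derives the 6to4 address with the same mapping as the printf/tr one-liner (generalised to any IPv4 address). The sample packets are constructed inline with checksums left at zero; 198.51.100.7 and 2001:470:27:abcd::/64 are made-up stand-ins for $MYLOCALIP4 and $HETRANSPORTNET, while 216.66.80.90 is the HE endpoint quoted in the post. Real packet bytes exported from a capture on ether1 can be fed to tunnel_health() in place of the samples.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41     # IPv4 protocol number for 6in4/6to4 ("ipv6-encap" in RouterOS)
IPPROTO_ICMPV6 = 58
ECHO_REQUEST, ECHO_REPLY = 128, 129


def sixto4_address(ipv4: str, suffix: str = "::1") -> str:
    """Derive the 2002::/16 6to4 address embedding a public IPv4 address.

    Same mapping as the printf/tr one-liner: each pair of IPv4 octets becomes
    one 16-bit group after the 2002: prefix.
    """
    hi, lo = struct.unpack("!HH", ipaddress.IPv4Address(ipv4).packed)
    return str(ipaddress.IPv6Address(f"2002:{hi:x}:{lo:x}{suffix}"))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Constructed IPv4 packet for the sample capture (header checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                         ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_6in4(src4: str, dst4: str, src6: str, dst6: str, icmp_type: int) -> bytes:
    """Constructed 6in4 packet: IPv4 proto 41 carrying an ICMPv6 echo (checksum left at 0)."""
    icmpv6 = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + b"probe"
    ipv6 = struct.pack("!IHBB16s16s", 6 << 28, len(icmpv6), IPPROTO_ICMPV6, 64,
                       ipaddress.IPv6Address(src6).packed,
                       ipaddress.IPv6Address(dst6).packed) + icmpv6
    return build_ipv4(src4, dst4, IPPROTO_IPV6, ipv6)


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the outer IPv4 header; reject anything that is not well-formed IPv4."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:]}


def decode_6in4(pkt: bytes) -> dict:
    """Outer IPv4 fields plus, for protocol 41, the inner IPv6 header and ICMPv6 type."""
    outer = parse_ipv4(pkt)
    info = {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "proto": outer["proto"], "inner": None}
    body = outer["payload"]
    if outer["proto"] != IPPROTO_IPV6 or len(body) < 40:
        return info
    vtf, plen, nh, hlim, src6, dst6 = struct.unpack("!IHBB16s16s", body[:40])
    if vtf >> 28 != 6:
        return info      # proto 41 whose payload is not IPv6: worth flagging in a real capture
    inner = {"src": str(ipaddress.IPv6Address(src6)), "dst": str(ipaddress.IPv6Address(dst6)),
             "next_header": nh, "hop_limit": hlim, "icmpv6_type": None}
    icmp = body[40:40 + plen]
    if nh == IPPROTO_ICMPV6 and icmp:
        inner["icmpv6_type"] = icmp[0]
    info["inner"] = inner
    return info


def tunnel_health(packets, local_ip4: str, remote_ip4: str) -> dict:
    """Count encapsulated packets per direction: the capture-side view of sit1's Tx/Rx."""
    tx = rx = 0
    for pkt in packets:
        d = decode_6in4(pkt)
        if d["proto"] != IPPROTO_IPV6:
            continue
        if (d["outer_src"], d["outer_dst"]) == (local_ip4, remote_ip4):
            tx += 1
        elif (d["outer_src"], d["outer_dst"]) == (remote_ip4, local_ip4):
            rx += 1
    if tx and not rx:
        verdict = "protocol 41 leaves but nothing comes back (Tx without Rx)"
    elif not tx and not rx:
        verdict = "no protocol 41 traffic at this capture point"
    else:
        verdict = "protocol 41 flows in both directions"
    return {"tx": tx, "rx": rx, "verdict": verdict}


# Constructed sample capture: a TEST-NET-2 address and a made-up /64 stand in for
# $MYLOCALIP4 and $HETRANSPORTNET; 216.66.80.90 is the HE endpoint from the post.
LOCAL_IP4 = "198.51.100.7"
HE_ENDPOINT = "216.66.80.90"
LOCAL_IP6 = "2001:470:27:abcd::2"
REMOTE_IP6 = "2001:470:27:abcd::1"
SAMPLE_TX = build_6in4(LOCAL_IP4, HE_ENDPOINT, LOCAL_IP6, REMOTE_IP6, ECHO_REQUEST)
SAMPLE_RX = build_6in4(HE_ENDPOINT, LOCAL_IP4, REMOTE_IP6, LOCAL_IP6, ECHO_REPLY)
SAMPLE_ICMP4 = build_ipv4("203.0.113.9", LOCAL_IP4, 1, bytes([8, 0, 0, 0]))  # plain ICMPv4, skipped

if __name__ == "__main__":
    print("6to4 address:", sixto4_address(LOCAL_IP4))
    print("tx only:", tunnel_health([SAMPLE_TX, SAMPLE_ICMP4], LOCAL_IP4, HE_ENDPOINT))
    print("both ways:", tunnel_health([SAMPLE_TX, SAMPLE_RX], LOCAL_IP4, HE_ENDPOINT))
```

The first tunnel_health() call reproduces the symptom in the post (encapsulated packets leave, none return); the second is what a healthy tunnel looks like at the same capture point. Because the outer and inner headers are decoded separately, a returning protocol 41 packet that carries the wrong inner addresses would still show up in the rx count, which is the distinction between "the ISP never delivers protocol 41" and "the tunnel endpoint sends to the wrong place".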