m00dawg
just joined
Topic Author
Posts: 24
Joined: Wed Dec 03, 2014 3:40 pm

IPv6 Routes No Worky on LAN

Mon May 18, 2015 7:39 pm

I had IPv6 working ok, but noticed that my provider (ATT, U-Verse) changed my IPv6 delegation. This was probably causing weird IPv6 issues I was running into. So I went to go fix that and now I can't seem to get Internet access over IPv6 from the LAN. The router can ping the wide and open IPv6 Internet just fine and can ping the LAN. So something seems to be up right default routes? Here are my routes:
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
 #    ADDRESS                                     FROM-POOL INTERFACE                                  ADVERTISE
 0 DL fe80::4e5e:cff:fe9e:9912/64                           Port 1 - WAN                               no       
 1  G <redacted>:bcc8:1e0::2/64                               Port 1 - WAN                               yes      
 2  G <redacted>:bcc8:1e1::1/64                               LAN Bridge                                 yes      
 3 DL fe80::4e5e:cff:fe9e:991b/64                           LAN Bridge                                 no    
IPv6 firewall rules are empty for now. I tried setting up various forward rules but no-go. A traceroute from a LAN host reveals that it hits the router but:
$ traceroute6 www.google.com
traceroute6 to www.google.com (2607:f8b0:4002:c03::68) from <redacted>:bcc8:1e1:34ff:6913:427a:8440, 64 hops max, 12 byte packets
 1  <redacted>:bcc8:1e1::1  0.369 ms  0.308 ms  0.363 ms
 2  * * *
I gotta be missing something small but not sure what it is?
 
m00dawg
just joined
Topic Author
Posts: 24
Joined: Wed Dec 03, 2014 3:40 pm

Re: IPv6 Routes No Worky on LAN

Fri May 22, 2015 2:14 am

Hmm..how about - is anyone using RouterBoard with an AT&T U-Verse connection on their native IPv6 and could share their config (such as how you setup your IP-space based on the delegations provided)? Maybe I'm doing something wrong there.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: IPv6 Routes No Worky on LAN

Fri May 22, 2015 2:38 am

Perhaps the new delegated prefix is a /64 instead of a /60 (or whatever size prefix you previously had)
You could try to set the default gateway statically to AT&T's link-local address, and then put the <redacted> bcc8:1e0::/64 on your LAN. (that works with Comcast whenever you're getting a /64 from them, by the way)

Also make sure you're not blocking ICMPv6 on the wan interface in the input chain - ICMPv6 also includes ND (which is like ARP - and you really can't block ARP in most situations)

It seems like the prefix in use on your LAN is not routed back to you. (or is being blocked by firewall rules, but you said you disabled all firewall rules while testing)

In my case, the default GW is the link-local address of Comcast's router.
(I'm getting the distinct impression that this is the preferable next hop address type in IPv6 routing - OSPF uses it, for instance)
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
m00dawg
just joined
Topic Author
Posts: 24
Joined: Wed Dec 03, 2014 3:40 pm

Re: IPv6 Routes No Worky on LAN

Fri May 22, 2015 4:52 am

Hmm that gave me some things to try, thanks! I tried using the ::1e0:: which is the same range as my "Global IPV6 Address" and ::1e8:: on the LAN side (one of the delegated prefixes). You are right, they used to provide a /60 but now it's a bit difficult to tell what they are providing, such as if it's a range from 1e0-1e8 or distinct. I tried it multiple ways.

The odd part is that it looks like the Routerboard isn't, well, routing. I can ping its LAN interface, but if I try to ping its WAN from the LAN I get nothing back, though my IPv6 firewall rules are empty. I don't recall having to setup fancy routing stuff like BGP for it, I thought RA generally handled this? (Though, as an aside, I'd rather use DHCPv6 though OS X is making that difficult - never have been able to make that work).
 
m00dawg
just joined
Topic Author
Posts: 24
Joined: Wed Dec 03, 2014 3:40 pm

Re: IPv6 Routes No Worky on LAN

Fri May 22, 2015 10:04 pm

Whelp got it working. Rediscovered this helpful link which mentioned needing to setup a DHCP Client. The weird part is that my ATT router interface shows the address ranges I put in my previous posts, but my DHCP lease is:

[redacted]:bcc8:1ef::/64

This is the range I was using before but it doesn't make any sense. I haven't been able to figure out how to use the delegated prefixes - my LAN must be set to 1ef::/64 for things to work. It /looks/ like my RouterBoard is trying to route things over to my ATT router when using the delegated networks on my LAN (such as 1e8::/64) but ATT router may be the one dropping the connections.

I dunno if there are RA settings to configure to make that happy or what but at least I have connectivity back. It's annoying though because having multiple IPv6 subnets would be quite useful, though if I can't get OS X to work with DHCPv6 my hands are tied due to RA/SLAAC aligning with EUI64 addresses.

Oh well, it works for now. I may try to post on the ATT forums but I don't expect much help there.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: IPv6 Routes No Worky on LAN

Fri May 22, 2015 11:51 pm

> Whelp got it working. Rediscovered this helpful link which mentioned needing to setup a DHCP Client. The weird part is that my ATT router interface shows the address ranges I put in my previous posts, but my DHCP lease is:
>
> [redacted]:bcc8:1ef::/64
>
> This is the range I was using before but it doesn't make any sense. I haven't been able to figure out how to use the delegated prefixes - my LAN must be set to 1ef::/64 for things to work. It /looks/ like my RouterBoard is trying to route things over to my ATT router when using the delegated networks on my LAN (such as 1e8::/64) but ATT router may be the one dropping the connections.

You don't need to put any "public" address on the wan interface. It's just there to forward traffic. If the only global scope address is on the LAN interface, then that's what the Mikrotik will use whenever it tries to ping, ssh, ftp, generate ICMP messages, etc. The default GW and your wan interface will both just be fe80:: addresses.

I got a /60 from Comcast by adding a parameter to dhcpv6-pd client -
prefix-hint=::/60

This option is only available by command line (not winbox or webfig)

Comcast was annoying about it because when I first issued this, they would assign a /64 AND a /60 - but the Mikrotik would only put the /64 into the pool. (it would just sort of ignore the /60) I had to let the /64 age out of the server before Comcast would only send the /60. (basically, I had to disable IPv6 for a week)

But to finish the thought - here's my config:
/ipv6 dhcp-client
add add-default-route=yes interface=ether6 pool-name=Comcast prefix-hint=::/60 \
    use-peer-dns=no
/ipv6 address
add address=::1/64 from-pool=Comcast interface=LAN
add address=::1/64 from-pool=Comcast interface=wlan-V6
/ipv6 firewall address-list
add address=2001:db8::/32 list=Whitelist comment="not really - this is just an example for the forum"
/ipv6 firewall filter
add chain=forward comment="Allow existing connections" connection-state=\
    established,related
add chain=forward protocol=icmpv6
add chain=forward comment="Allow whitelisted hosts and networks" \
    src-address-list=Whitelist
add action=drop chain=forward comment=\
    "Block Internet from new inbound connections." in-interface=ether6
add action=drop chain=forward comment=\
    "Block Internet from new inbound connections." in-interface=6to4-tunnel1
add action=reject chain=forward comment=\
    "Block v6-only wlan from anything but Internet" in-interface=wlan-V6 \
    out-interface=!ether6 reject-with=icmp-admin-prohibited
add chain=input comment="Allow Existing Connections" connection-state=\
    established,related
add chain=input comment="Permit ICMP" protocol=icmpv6
add chain=input comment="Trust Whitelisted Hosts" src-address-list=Whitelist
add chain=input comment=\
    "Allow DHCPv6 replies on WAN from link-local  (2074b/16pkts on 3/23/2015)" \
    dst-address=fe80::/16 dst-port=546 in-interface=ether6 protocol=udp \
    src-address=fe80::/16
add action=drop chain=input comment="Block New Connections from Internet" \
    in-interface=ether6
add action=drop chain=input comment="Block New Connections from Internet" \
    in-interface=6to4-tunnel1
add chain=input dst-port=53 in-interface=wlan-V6 protocol=udp
add chain=input in-interface=wlan-V6 src-mac-address=my-pc-mac-address
add action=drop chain=input comment="Block New Connections from v6-only wifi" \
    in-interface=wlan-V6
wlan-V6 is just a little experiment to see if anyone attaches to it and actually uses it. I have a rate limit on it so it can't hog my bandwidth... so far, no takers. :)
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
m00dawg
just joined
Topic Author
Posts: 24
Joined: Wed Dec 03, 2014 3:40 pm

Re: IPv6 Routes No Worky on LAN

Sat May 23, 2015 7:22 pm

Hmm well I gave that a shot but I think the ATT Router (an NVG589) only hands off a single /64 from the /60 range (the last one in my case) to the LAN and refuses to let you route anything else. That's even with the /60 hint, though I was hopeful that might have worked. That's what other folks were running into anyway and mine seems similar. I wonder if the whole 'wait for a week' thing may work though.

I actually had better luck on the ATT forums than I thought - I found this post which explains how to setup a 6in4 using ATTs 6rd tunnel directly rather than depending on the ATT router to do it. So far, I haven't had luck with that either though, but it shows promise.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: IPv6 Routes No Worky on LAN

Tue May 26, 2015 6:22 pm

It's a shame they don't just bridge the connection back to a CO somewhere and avoid the need for this tunnel crap.

This is just another example of why I haven't ever gone to AT&T U-Verse.
They just can't match my hated cable company's price/performance point, and I would NEVER have sat still for the installation they foisted upon my parents. EVER. (But hey, they're more interested in the video services than the data services, so it's okay for them, but if they came in and told me I had to put a USB wifi dongle on my desktop PC to get Internet, I'd tell them to get the hell out of my house)

As for the /60 issue - I used the sniffer on my Mikrotik to capture the DHCPv6-PD packets and opened the file in Wireshark. I easily spotted that I was getting a /64 AND a /60, but the Mikrotik was just slapping the /64 into the pool and ignoring the /60. If you can use even one of the /60 prefixes, you should be able to use them all. (I was able to statically assign them to my LAN interface and they would work, but I had to have a packet capture to know WHAT it was!)

I wish that Mikrotik would get their IPv6 support up to date - this is a fast-moving area now that the protocol is finally getting some real mainstream adoption.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
m00dawg
just joined
Topic Author
Posts: 24
Joined: Wed Dec 03, 2014 3:40 pm

Re: IPv6 Routes No Worky on LAN

Tue May 26, 2015 6:38 pm

Yep I think I'm at the point where I need to start looking at packet captures after exhausting all the combinations I can think of to make it work using ATT's tunnel via RouterBoard.

For us, we didn't have much of a choice with our ISP (thanks America) but at least we did get FTTP. The installer knew not to mess with me I think when he saw my existing network/server setup :P So the install was pretty painless. Trying to get IPv6 setup reliably has been a trainwreck. It was all fine until ATT decided to do their own 6rd instead of, as you point out, doing it the proper way. I was quite happy with my Tunnelbroker setup.
 
m00dawg
just joined
Topic Author
Posts: 24
Joined: Wed Dec 03, 2014 3:40 pm

Re: IPv6 Routes No Worky on LAN

Wed May 27, 2015 9:08 pm

Whelp, I tried to configure a tunnel directly to ATT's 6rd setup, but didn't have any success. I also tried Tunnelbroker again and, yup, ATT is still blocking protocol 41. I think the issue I'm having now is that ATT is using 6rd, whereas RouterBoard only currently supports 6to4. I read that, if it's configured correctly, it should work, but I didn't have any luck.

So I just went back to setting up my router as a DHCPv6 client of the ATT router and back down to one lowly subnet.

However, I did at least configure a local IPv6 network for local traffic which is something I should have done a long time ago. At least I won't disrupt my local network when trying to make futile Internet IPv6 changes.
 
m00dawg
just joined
Topic Author
Posts: 24
Joined: Wed Dec 03, 2014 3:40 pm

Re: IPv6 Routes No Worky on LAN [FIXED]

Wed Jun 10, 2015 9:50 pm

As it turns out, the instructions for configuring a 6to4 tunnel were not correct (see: http://wiki.mikrotik.com/wiki/Setting_u ... l_via_6to4), at least for a 6rd tunnel. Specifically configuring the default route. The wiki doc has this:
ipv6 route add dst-address=2000::/3 gateway=::192.88.99.1%ipng-tunnel
But it should be this:
ipv6 route add dst-address=2000::/3 gateway=ipng-tunnel
This made things fire right up using AT&T's own 6rd solution using one of my static IPv4 addresses as the basis for the 6rd address. More info pertaining more to the AT&T specifics can be found here: https://forums.att.com/t5/Features-and- ... lse#M44040.

Hopefully that gets folks going. Note this was on OS 6 and, thus, to be clear, 6rd most certainly does work using a 6to4 tunnel.
 
mdpeterman
just joined
Posts: 7
Joined: Sat Nov 17, 2012 7:53 pm

Re: IPv6 Routes No Worky on LAN

Mon Jan 16, 2017 2:37 am

m00dawg,
Would you be able to post your config that you are using (masking any details you wish) that you were able to use to get 6rd running on your router board? I am trying to use my static IP addresses as the source for the 6rd tunnel and have had no luck yet. Do you have one of your static IPs on your WAN interface or are you using a cascaded router?
 
m00dawg
just joined
Topic Author
Posts: 24
Joined: Wed Dec 03, 2014 3:40 pm

Re: IPv6 Routes No Worky on LAN

Mon Jan 16, 2017 5:09 am

I am using a cascaded router I believe - the static IPv4's are directly assigned on my routerboard. Here's my config:

@host] /interface 6to4> print
Flags: X - disabled, R - running
# MTU ACTUAL-MTU LOCAL-ADDRESS REMOTE-ADDRESS
0 R 1280 1280 <one of my statics> 12.83.49.81

12.83.49.81 was a magic IP that is the ATT 6rd gateway thing, at least for my region.

You have to use a converter to figure out how the IPv6 range maps to your static IP. In the case of AT&T, each static IP is a /60 (or was when I set it up) so you can sub-net if you like. On the IPv6 Addresses side, you'd then make a new address using the translated IPv4 to IPv6 6rd address and assign it to the 6rd interface. Then you can attach the 64's to one (or more) of your networks you want to establish IPv6 on:

@host] /ipv6 address> print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
# ADDRESS FROM-... INTERFACE ADV
0 G <your-derived-network>::1/60 6rd no
1 G <one-of-your-derived-networks>::1/64 Inside1 yes

Hope that helps!
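
The "converter" step described in the post above, as an added example that is not part of the original thread: it applies the RFC 5969 mapping (ISP 6rd prefix followed by the customer's IPv4 bits) and lists the /64s available for LAN interfaces. It goes slightly beyond the post by also handling a non-zero IPv4 mask length. The function names, the 6rd prefix 2001:db0::/28 and the address 192.0.2.1 are constructed for illustration; the real 6rd prefix and mask length have to come from the ISP.

```python
import ipaddress


def sixrd_delegated_prefix(sixrd_prefix, ce_ipv4, ipv4_mask_len=0):
    """Return the 6rd delegated prefix for one customer IPv4 address (RFC 5969).

    The delegated prefix is the ISP's 6rd prefix followed by the low
    (32 - ipv4_mask_len) bits of the customer's IPv4 address.
    """
    isp = ipaddress.IPv6Network(sixrd_prefix)
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("ipv4_mask_len must be between 0 and 32")
    v4_bits = 32 - ipv4_mask_len
    plen = isp.prefixlen + v4_bits
    if plen > 64:
        # Longer than /64 cannot carry a SLAAC-capable LAN subnet.
        raise ValueError("delegated prefix /%d leaves no room for a /64" % plen)
    # Keep only the IPv4 bits the ISP does not treat as a common prefix.
    embedded = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << v4_bits) - 1)
    # Place those bits directly after the 6rd prefix bits.
    base = int(isp.network_address) | (embedded << (128 - plen))
    return ipaddress.IPv6Network((base, plen))


def lan_subnets(delegated):
    """Split a delegated prefix into the /64s that can go on LAN interfaces."""
    return list(delegated.subnets(new_prefix=64))


if __name__ == "__main__":
    # Constructed inputs: a /28 6rd prefix plus a full 32-bit IPv4 gives a /60,
    # the size the post describes for each static IP.
    delegated = sixrd_delegated_prefix("2001:db0::/28", "192.0.2.1")
    print("delegated prefix:", delegated)
    for net in lan_subnets(delegated):
        print("  LAN candidate:", net)
```

The delegated prefix is what goes on the tunnel interface, and each listed /64 can be assigned to one inside network, matching the two address entries shown in the post.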
 
mdpeterman
just joined
Posts: 7
Joined: Sat Nov 17, 2012 7:53 pm

Re: IPv6 Routes No Worky on LAN

Wed Jan 18, 2017 1:18 am

Thank you for that info. Finally got 6rd working from my RouterBoard!
