Community discussions

MikroTik App
 
dazzaling69
Member Candidate
Member Candidate
Topic Author
Posts: 156
Joined: Wed Feb 22, 2017 12:01 pm

Pihole and IPv6 - getting it to work

Fri May 03, 2024 7:14 pm

I have a working pihole container that is flawless on IPv4 traffic. I'm trying to set it up to work with IPv6 DNS traffic as well. I have copied the IPv4 rules and settings (VETH, filter, NAT) to the IPv6 equivalents but it doesn't work. I suspect my newbie understanding of IPv6 is probably to blame - I am unclear how subnets work and whether IP addresses should be static or dynamic, advertised or not (seems to be a different philosophy to IPv4) - so it is quite possibly incorrect IPv6 plumbing that's in the way.

Config attached. Can anyone help with where I've gone wrong?

PS. I set DHCP to advertise the router as the upstream DNS server, then I use a NAT rule to silently redirect the DNS traffic to the pihole proxy. That way I can turn the pihole DNS route on or off by enabling/disabling the NAT rules.
You do not have the required permissions to view the files attached to this post.
 
dazzaling69
Member Candidate
Member Candidate
Topic Author
Posts: 156
Joined: Wed Feb 22, 2017 12:01 pm

Re: Pihole and IPv6 - getting it to work

Tue May 07, 2024 11:12 pm

Any help for this one?
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Dec 21, 2023 6:45 pm

Re: Pihole and IPv6 - getting it to work

Wed May 08, 2024 8:19 am

I think you can do this:

* Go to https://www.unique-local-ipv6.com/ and get a random ULA prefix.
* Create an IPv6 pool with that random prefix.
* Add an IPv6 address entry to the "dockers" bridge interface, using that ULA pool (similar to how you added the address entry to "Local Bridge" using the "IPv6_Pool). This will add the necessary IPv6 routes.
* The IPv6 address of the router on that "dockers" bridge (with the ULA prefix) is now the gateway that you use on veth1, similar to how 172.16.0.1 (which is the IPv4 address of the router on "dockers") is used as IPv4 gateway.
* You assign the IPv6 address to the container (similar to 172.17.0.2) but the address is an ULA address with the first 64bit is the 64bit prefix that you assigned to the "dockers" bridge, the 64bit at the end (the interface ID) you can choose whatever, maybe ::2 to be short, with /64 as prefix length.
 
dazzaling69
Member Candidate
Member Candidate
Topic Author
Posts: 156
Joined: Wed Feb 22, 2017 12:01 pm

Re: Pihole and IPv6 - getting it to work

Wed May 08, 2024 11:49 pm

* Add an IPv6 address entry to the "dockers" bridge interface, using that ULA pool (similar to how you added the address entry to "Local Bridge" using the "IPv6_Pool). This will add the necessary IPv6 routes.

I can't see anywhere I can add an address entry to the dockers bridge interface, either in Bridges or Interfaces. I think I get the rest of it but not that part.
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Dec 21, 2023 6:45 pm

Re: Pihole and IPv6 - getting it to work

Thu May 09, 2024 1:01 am

It's normally done under IPv6 -> Addresses. You previously did that already for your "Local Bridge" interface and the pool "IPv6_Pool" from DHCPv6 client. This was the line from your config export above:
/ipv6 address
add from-pool=IPv6_Pool interface="Local Bridge"
Now you must add one entry like that but for the "dockers" interface, which is also a bridge. And the pool is the ULA pool that you've manually created. The address you added here is the address of the router on the "dockers" bridge, but normally you only enter the suffix (interface ID) part. If you use the dialog in Winbox, you can enter ::1/64 in the address field of that dialog, for instance. And the IPv6 address of the router "dockers" is fdxx:xxxx:xxxx::1, the prefix is from the pool, and the suffix (the 64bit interface ID) is from the dialog box (::1, which translates to the suffix 0000:0000:0000:0001)
 
dazzaling69
Member Candidate
Member Candidate
Topic Author
Posts: 156
Joined: Wed Feb 22, 2017 12:01 pm

Re: Pihole and IPv6 - getting it to work

Thu May 09, 2024 1:53 pm

I think I'm getting there. I followed your instructions but I still have no ping returned from my Windows box to the ULA that I set up. I'm sure it's something simple but I can't figure it out.

Can you see where I've gone wrong?
# 2024-05-09 11:50:37 by RouterOS 7.14.2
# software id = 4SAD-K293
#
# model = RB5009UG+S+
# serial number = HE408Z9RT61
/interface bridge
add name="Local Bridge" port-cost-mode=short
add name=dockers port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name="Port 1 - Study"
set [ find default-name=ether2 ] name="Port 2 - Girl's Room"
set [ find default-name=ether3 ] name="Port 3 - Living Room"
set [ find default-name=ether4 ] name="Port 4 - Snug"
set [ find default-name=ether5 ] name="Port 5 - Bonded"
set [ find default-name=ether6 ] name="Port 6 - Bonded"
set [ find default-name=ether7 ] name="Port 7 - Kitchen"
set [ find default-name=ether8 ] mtu=1508 name="Port 8 - WAN"
set [ find default-name=sfp-sfpplus1 ] name="Port 9 - SFP+"
/interface pppoe-client
add add-default-route=yes disabled=no interface="Port 8 - WAN" max-mru=1500 \
    max-mtu=1500 name=Vodafone service-name="Vodafone PPPOE" use-peer-dns=yes \
    user=dsl002066683@broadband.vodafone.co.uk
/interface veth
add address=172.17.0.2/24,fd6c:b6e2:f488::2/64 gateway=172.17.0.1 gateway6=\
    fd6c:b6e2:f488:: name=veth1
/interface wireguard
add comment=back-to-home-vpn listen-port=12713 mtu=1420 name=back-to-home-vpn
add listen-port=13231 mtu=1420 name=wireguard1
/interface bonding
add mode=802.3ad name="Bonded NAS" slaves="Port 5 - Bonded,Port 6 - Bonded" \
    transmit-hash-policy=layer-3-and-4
/container mounts
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=\
    /usb1-part1/pihole/etc-dnsmasq.d
add dst=/etc/pihole name=etc_pihole src=/usb1-part1/pihole/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole2 src=\
    /usb1-part1/pihole2/etc-dnsmasq.d
add dst=/etc/pihole name=etc_pihole2 src=/usb1-part1/pihole2/etc
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    "128 035 675 648" type=partition
/interface list
add name=listBridge
add name=WAN
add comment=defconf include=listBridge name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add comment="Selects for YouTube traffic" name="YouTube L7" regexp=\
    "^..+\\.(youtube.com|googlevideo.com|akamaihd.net).*\$"
/ip ipsec mode-config
add connection-mark=ipsec name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=uk2093.nordvpn.com exchange-mode=ike2 name=NordVPN profile=\
    NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=10.160.100.20-10.160.100.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface="Local Bridge" lease-time=10m name=\
    dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
add name=Darren
/ipv6 pool
add name=IPv6_dockers prefix=fd6c:b6e2:f488::/48 prefix-length=64
/caps-man manager
set enabled=yes
/container
add envlist=pihole_envs interface=veth1 logging=yes mounts=\
    dnsmasq_pihole2,etc_pihole2 root-dir=/usb1-part1/pihole2 start-on-boot=\
    yes
/container config
set registry-url=https://registry-1.docker.io tmpdir="usb1-part1/pull "
/container envs
add key=TZ name=pihole_envs value=Europe/London
add key=WEBPASSWORD name=pihole_envs value=Ham1sh01
add key=DNSMASQ_USER name=pihole_envs value=root
/ip smb
set domain=WORKGROUP enabled=yes interfaces="Local Bridge"
/interface bridge port
add bridge="Local Bridge" interface="Port 2 - Girl's Room" \
    internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 1 - Study" internal-path-cost=10 \
    path-cost=10
add bridge="Local Bridge" interface="Port 7 - Kitchen" internal-path-cost=10 \
    path-cost=10
add bridge="Local Bridge" interface="Port 9 - SFP+" internal-path-cost=10 \
    path-cost=10
add bridge="Local Bridge" interface="Bonded NAS" internal-path-cost=10 \
    path-cost=10
add bridge="Local Bridge" interface="Port 3 - Living Room" \
    internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 4 - Snug" internal-path-cost=10 \
    path-cost=10
add bridge=dockers interface=veth1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface="Local Bridge" list=listBridge
add interface=Vodafone list=WAN
add interface="Port 8 - WAN" list=WAN
/ip address
add address=10.160.100.1/24 interface="Local Bridge" network=10.160.100.0
add address=192.168.10.1/24 comment=WireGuard1 interface=wireguard1 network=\
    192.168.10.0
add address=172.17.0.1/24 comment="Docker container address range" interface=\
    dockers network=172.17.0.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-server lease
add address=10.160.100.30 client-id=1:0:11:32:b7:b2:15 mac-address=\
    00:11:32:B7:B2:15 server=dhcp1
add address=10.160.100.68 client-id=1:ec:71:db:2e:8c:e0 mac-address=\
    EC:71:DB:2E:8C:E0 server=dhcp1
add address=10.160.100.85 client-id=1:6c:3b:6b:7e:ad:ee mac-address=\
    6C:3B:6B:7E:AD:EE server=dhcp1
/ip dhcp-server network
add address=10.160.100.0/24 dns-server=10.160.100.1 gateway=10.160.100.1
/ip dns
set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=1000 \
    max-concurrent-tcp-sessions=2000 servers=\
    1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003 use-doh-server=\
    https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.249.249 name=cloudflare-dns.com
add address=104.16.248.249 name=cloudflare-dns.com
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=10.160.100.30 list=VPN
/ip firewall filter
add action=accept chain=input comment=\
    "accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept LAN traffic" in-interface=\
    "Local Bridge"
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Allow Everything in Wireguard" \
    in-interface=wireguard1
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
    dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
    dst-port=53 in-interface=dockers protocol=tcp
add action=drop chain=input comment="block everything else"
add action=fasttrack-connection chain=forward comment=\
    "Fasttrack, but not ipsec" connection-mark=!ipsec connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "Forward established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=accept chain=forward comment="Forward all outbound traffic" \
    in-interface="Local Bridge" out-interface=Vodafone packet-mark=""
add action=accept chain=forward comment="Allow Wireguard to Subnets" \
    dst-address=10.160.100.0/24 in-interface=wireguard1
add action=accept chain=forward comment="WG to internet" in-interface=\
    wireguard1 out-interface=Vodafone
add action=accept chain=forward comment="Accept dst-nat" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
    in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
    "Local Bridge" out-interface=dockers
add action=drop chain=forward comment="Drop all Else"
/ip firewall mangle
add action=passthrough chain=prerouting comment=\
    "special dummy rule to show fasttrack counters" disabled=yes
add action=mark-connection chain=prerouting comment="Newgroup Traffic ipsec" \
    connection-state=new dst-port=563 in-interface="Local Bridge" \
    new-connection-mark=ipsec passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=\
    "BitTorrent Ipsec (doesn't filter p2p traffic)" connection-state=new \
    dst-port=16881 in-interface="Local Bridge" new-connection-mark=ipsec \
    passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=\
    "BitTorrent DHT traffic UDP" connection-state=new dst-port=6881 \
    in-interface="Local Bridge" new-connection-mark=ipsec passthrough=yes \
    protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none log=yes log-prefix=\
    masq out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Plex TCP" dst-port=32400 \
    in-interface=Vodafone log=yes log-prefix=PlexNAT protocol=tcp \
    to-addresses=10.160.100.30 to-ports=32400
add action=dst-nat chain=dstnat comment=PiHole dst-address=10.160.100.1 \
    dst-port=888 in-interface="Local Bridge" in-interface-list=all protocol=\
    tcp to-addresses=172.17.0.2 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "Force any UDP DNS queries that aren't to pihole to go to pihole" \
    dst-address=!172.17.0.2 dst-port=53 in-interface="Local Bridge" protocol=\
    udp src-address=!172.17.0.2 to-addresses=172.17.0.2
add action=dst-nat chain=dstnat comment=\
    "Force any TCP DNS queries that aren't to pihole to go to pihole" \
    dst-address=!172.17.0.2 dst-port=53 in-interface="Local Bridge" protocol=\
    tcp src-address=!172.17.0.2 to-addresses=172.17.0.2
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
    NordVPN username=WNGqUUBXZkfY5c3q3SKMYDrY
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
    0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set www-ssl certificate=Webfig disabled=no
set api disabled=yes
set winbox address=10.160.100.0/24
/ip smb shares
set [ find default=yes ] directory=/pub disabled=no
add directory=/usb1-part1 name=Container
/ip ssh
set strong-crypto=yes
/ipv6 address
add from-pool=IPv6_Pool interface="Local Bridge"
add from-pool=IPv6_dockers interface=dockers
/ipv6 dhcp-client
add add-default-route=yes interface=Vodafone pool-name=IPv6_Pool prefix-hint=\
    ::/56 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
    dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
    dst-port=53 in-interface=dockers protocol=tcp
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !listBridge
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
    in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
    "Local Bridge" out-interface=dockers
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !listBridge
/ipv6 firewall nat
add action=dst-nat chain=dstnat comment=Pihole disabled=yes dst-address=\
    fe80::4aa9:8aff:fe57:4601/128 dst-port=888 in-interface="Local Bridge" \
    in-interface-list=all protocol=tcp to-address=fd6c:b6e2:f488::2/128 \
    to-ports=80
add action=dst-nat chain=dstnat comment="Force all UDP DNS queries to pihole" \
    disabled=yes dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface=\
    "Local Bridge" log=yes protocol=udp src-address=!fd6c:b6e2:f488::2/128 \
    to-address=fd6c:b6e2:f488::2/128
add action=dst-nat chain=dstnat comment="Force all TCP DNS queries to pihole" \
    disabled=yes dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface=\
    "Local Bridge" protocol=tcp src-address=!fd6c:b6e2:f488::2/128 \
    to-address=fd6c:b6e2:f488::2/128
/ipv6 nd
add interface="Local Bridge" managed-address-configuration=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=Gateway
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes use-local-clock=yes
/system ntp client servers
add address=time.cloudflare.com
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=Vodafone
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
/tool romon
set enabled=yes
/tool traffic-monitor
add interface="Port 8 - WAN" name=tmon1
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Dec 21, 2023 6:45 pm

Re: Pihole and IPv6 - getting it to work

Thu May 09, 2024 10:16 pm

First, to be sure that the addresses are configured correctly, can you open a Terminal in WinBox and run

:ping fd6c:b6e2:f488::2 count=4

Does it work? Run this command to see if there is a correct "DAc" route to dst-address fd6c:b6e2:f488::/64 with "dockers" as gateway and distance 0:

/ipv6 route print

Then to make sure that the addresses and gateway are correct inside the docker container, run this in WinBox's Terminal:

/container print

See what id number does the container, have for instance, if it's 0, run

/container shell number=0

(replace 0 with the appropriate number). You'll be inside the linux shell, run the Linux commands

ip addr

Is the fd6c:b6e2:f488::2/64 listed there? Then run, still in the Linux shell:

ip -f inet6 route

Is there a line for the "default" route via fd6c:b6e2:f488::?

If some of those are not OK, try first to stop and restart the container. If all of these work, something in your IPv6 firewall might not allows forwarding traffic to - from that container. Maybe at first you can temporary add the "dockers" interface to the interface list "listBridge"?

Also, please note that with an ULA address the container cannot go directly to the internet (WAN) with IPv6. Like with IPv4 private address range, you'll need a srcnat masquerade rule (out-interface-list=WAN src-address=fd6c:b6e2:f488::/64) if you want to give the container access to the internet. But this is unrelated to the current ping issue.
 
dazzaling69
Member Candidate
Member Candidate
Topic Author
Posts: 156
Joined: Wed Feb 22, 2017 12:01 pm

Re: Pihole and IPv6 - getting it to work

Thu May 09, 2024 11:15 pm

Pinging that address doesn't work in Terminal. However, pinging the address fd6c:b6e2:f488:0:24ba:81ff:fe62:3179, discovered in a later step, works - it seems I can actually ping the container.

DAc route is correctly there

The container has the address is fd6c:b6e2:f488:0:24ba:81ff:fe62:3179 (not the fd6c:b6e2:f488::2 I thought I'd given it) - this pings, as already mentioned

fd6c:b6e2:f488::2/64 is not listed in the shell.

Restarting the container and it now has the address fd6c:b6e2:f488::2, (no longer the .....3179 address, although there is now an fe80::24ba:81ff:fe62:3179/64 scope link address also defined. If I try to ping this as per the first line of this reply it again says the destination host is unreachable. Same with fe80::24ba:81ff:fe62:3179

This feels quite odd!

I can :ping fd6c:b6e2:f488::2 from Winbox and that works. :ping fd6c:b6e2:f488::1 fails 3 out of 4 times in a regular cycle as it repeatedly pings it.

Does that help narrow it down?
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Dec 21, 2023 6:45 pm

Re: Pihole and IPv6 - getting it to work

Thu May 09, 2024 11:42 pm

The addresses with ff:fe in the middle of the interface ID are dynamic addresses the container picked with SLAAC. The bridge "dockers" does router advertisement with the "Advertise" checkbox checked in the address entry that you previously added under IPv6 -> Addresses. This is normal. If you look at the output of the "ip addr" command in the Linux shell of the container, you'll see these addresses listed as "dynamic". Those SLAAC addresses changes with restarts like you saw.

That's why we needed to explicitly add the fd6c:b6e2:f488::2 address to veth1, that address is fixed and will be used to access the container. You said that the address is now there after you restart the container. So that is OK. And it looks like you can now ping fd6c:b6e2:f488::2 from WinBox, so that is also good.

Also, all the addresses beginning with fe80 are link-local addresses, they are accessible to the hosts on the same "dockers" bridge only, so you don't have to worry about them. Only the fd6c:b6e2:f488::2 is important.

And according to your previous export, you have no host configured at fd6c:b6e2:f488::1, so it's normal that you can't ping it (the router is at fd6c:b6e2:f488:: and the container is at fd6c:b6e2:f488::2).

Can your PC ping fd6c:b6e2:f488::2 now? If not, we have to look at the IPv6 firewall configuration. Try to add "dockers" to the interface list "listBridge" to see if your PC can ping fd6c:b6e2:f488::2?
 
dazzaling69
Member Candidate
Member Candidate
Topic Author
Posts: 156
Joined: Wed Feb 22, 2017 12:01 pm

Re: Pihole and IPv6 - getting it to work

Fri May 10, 2024 1:10 am

Thanks for your answer.

I added dockers to listBridge, but it didn't alter the behaviour - host still unreachable.
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Dec 21, 2023 6:45 pm

Re: Pihole and IPv6 - getting it to work

Fri May 10, 2024 7:51 am

Looking at your IPv6 firewall filter rules, I can't see anything that would cause that behavior :(. On your PC, can you try to do a trace route (tracert, tracepath, traceroute command, depending on the OS) to fd6c:b6e2:f488::2? Normally, if things work, there should be two hops, the first one is the IPv6 address of the router on "Local Bridge", and the 2nd hop is fd6c:b6e2:f488::2, the destination.

I just set up an AdGuard Home container from scratch, with exactly the same steps as above to confirm and it worked as intended. My IPv6 firewall is mostly the defconf rules like yours.

agh-docker-ipv6.png
You do not have the required permissions to view the files attached to this post.
 
dazzaling69
Member Candidate
Member Candidate
Topic Author
Posts: 156
Joined: Wed Feb 22, 2017 12:01 pm

Re: Pihole and IPv6 - getting it to work

Fri May 10, 2024 3:59 pm

Fails immediately. Tried a few other addresses. The last one is weird because the system obviously knows that it is a pi hole container from the IPv6 address but it won't reach it.

Tracing route to fd6c:b6e2:f488::1 over a maximum of 30 hops

1 Destination host unreachable.

Trace complete.

Couple of other attempts:

Tracing route to 2a0a:ef40:47e:aa00:: over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 2a0a:ef40:47e:aa00::

Trace complete.

Tracing route to fd6c:b6e2:f488:: over a maximum of 30 hops

1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.

Tracing route to pi.hole [fd6c:b6e2:f488:0:24ba:81ff:fe62:3179]
over a maximum of 30 hops:

1 Destination host unreachable.

Trace complete.
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Dec 21, 2023 6:45 pm

Re: Pihole and IPv6 - getting it to work

Fri May 10, 2024 8:07 pm

From your trace routes, it doesn't appear that your PC has the correct gateway configuration. Can you do a trace route to 2001:4860:4860::8888 (that's dns.google)? When you do that, is the 1st hop the address of your router on "Local Bridge" (which is 2a0a:ef40:47e:aa00::, I think)?

If you use Windows can you run the command on your computer:

route print -6

And produce the output here? If you use Linux, it's the previously known command

ip -f inet6 route
 
dazzaling69
Member Candidate
Member Candidate
Topic Author
Posts: 156
Joined: Wed Feb 22, 2017 12:01 pm

Re: Pihole and IPv6 - getting it to work

Sat May 11, 2024 12:15 pm

A bit weird. Hop 2 timed out after a few seconds, which seems significant. Output below.

tracert 2001:4860:4860::8888

Tracing route to dns.google [2001:4860:4860::8888]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 2a0a:ef40:47e:aa00::
2 * * * Request timed out.
3 9 ms 9 ms 8 ms 2a0a:ef40:ffff:f00::1
4 8 ms 8 ms 9 ms ae15-100-xcr1.slo.cw.net [2001:5000:1300:6::1]
5 11 ms 10 ms 10 ms ae21-xcr1.hex.cw.net [2001:5000:0:b7::1]
6 10 ms 10 ms 10 ms ae9-xcr1.lnt.cw.net [2001:5000:0:242::1]
7 18 ms 30 ms 10 ms 2001:5000:100:9::2
8 11 ms 10 ms 11 ms 2001:4860:0:1::7e39
9 11 ms 11 ms 10 ms 2001:4860:0:1::5379
10 45 ms 48 ms 52 ms dns.google [2001:4860:4860::8888]

route print -6
===========================================================================
Interface List
33...00 15 5d 33 70 01 ......Hyper-V Virtual Ethernet Adapter
3...d8 5e d3 a6 37 14 ......Intel(R) Ethernet Controller (3) I225-V
15...28 d0 ea 3a 0c b9 ......Intel(R) Wi-Fi 6 AX201 160MHz
10...28 d0 ea 3a 0c ba ......Microsoft Wi-Fi Direct Virtual Adapter
18...2a d0 ea 3a 0c b9 ......Microsoft Wi-Fi Direct Virtual Adapter #2
20...28 d0 ea 3a 0c bd ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
3 276 ::/0 fe80::4aa9:8aff:fe57:4601
1 331 ::1/128 On-link
3 276 2a0a:ef40:453:9c00::/64 On-link
3 276 2a0a:ef40:453:9c00:aa2a:dcc5:f711:599c/128
On-link
3 276 2a0a:ef40:47e:aa00::/64 On-link
3 276 2a0a:ef40:47e:aa00:54a5:4b86:2bcd:d5c4/128
On-link
3 276 2a0a:ef40:47e:aa00:e632:e926:2434:b02f/128
On-link
3 276 fd6c:b6e2:f488::/64 On-link
3 276 fd6c:b6e2:f488:0:6c08:18e:56a7:3cc2/128
On-link
3 276 fd79:c73c:79ad:1::/64 fe80::2e71:ffff:fe58:fda9
3 276 fdfe:1e6:13b5:1::/64 fe80::88f:6995:1d4a:7b2a
3 276 fdfe:1e6:13b5:1::/64 fe80::2a6d:97ff:fe7f:7328
3 276 fe80::/64 On-link
33 271 fe80::/64 On-link
33 271 fe80::46d7:2d99:1a1f:d021/128
On-link
3 276 fe80::7544:f62c:dd02:a8ed/128
On-link
1 331 ff00::/8 On-link
3 276 ff00::/8 On-link
33 271 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Dec 21, 2023 6:45 pm

Re: Pihole and IPv6 - getting it to work

Sat May 11, 2024 12:56 pm

Yes, here lies the problem:

3 276 fd6c:b6e2:f488::/64 On-link
3 276 fd6c:b6e2:f488:0:6c08:18e:56a7:3cc2/128 On-link

This route should not be in your PC's route table at all. Those two lines say that currently, when your PC tries to reach any addresses in the range fd6c:b6e2:f488::/64 (or that particular address fd6c:b6e2:f488:0:6c08:18e:56a7:3cc2, which is also within that range), your PC won't use any gateway, but will try to connect to them directly on the same ethernet layer instead (On-link). Which means completely bypassing the router.

That route might be there if you accidentally added an address entry from the pool "IPv6_dockers" to the interface "Local Bridge", which is now no longer the case of your current config.

Try to run these commands on your PC in a command line windows with administrative right (right click on the start button and choose "Terminal (Admin)") to remove those wrong routes:

route delete fd6c:b6e2:f488::/64
route delete fd6c:b6e2:f488:0:6c08:18e:56a7:3cc2/128

Your PC's IPv6 table still has too many entries that might be from deprecated assigned addresses. Normally for you wired interface (the Intel(R) Ethernet Controller (3) I225-V interface), which has the number "3" on the "If" column (Interface) in the route table, there should

* One default route destination ::/0, gateway is the link local address fe80:xxxx of the router on it's "Local Bridge" interface. This line is there, and is the default route. It tells your PC to use the router's link local address as gateway for any address ranges not in the route table.

* One entry for each host on the same ethernet link. In this case they all should have addresses beginning with 2xxx:xxxx, because that's the subnet configured for "Local Bridge" on the router. with global address (starting with 2). You might see addresses with the current prefix currently assigned on "Local Bridge", but also OLD addresses and prefixes, those are for addresses still marked as deprecated, previously used on the ethernet link, but now not anymore. You can see those deprecated addresses when running ipconfig /all. In this case it looks like the "2a0a:ef40:453:9c00::/64" prefix is the deprecated one, and "2a0a:ef40:47e:aa00::/64" is the current active valid prefix.

* fe80:xxx link local route, all On-Link.

Those 2 entries with fdxx: for interface #3 marked as "on-link" should not be there. Unless you also assigned that fdxx prefix to your "Local Bridge"!

The other fdxx: entries for interface #3 but NOT "on-link" might be ok, because they specify an address as gateway, not On-Link.

It might be advisable to reboot both the router and the PC, to clear the deprecated routes, if you previously added from the pool "IPv6_dockers" to the interface "Local Bridge" (which is wrong),
 
dazzaling69
Member Candidate
Member Candidate
Topic Author
Posts: 156
Joined: Wed Feb 22, 2017 12:01 pm

Re: Pihole and IPv6 - getting it to work

Sat May 11, 2024 1:34 pm

Rebooted PC and router. The address entries you suggested to remove are no longer listed, so I didn't attempt the forced delete from the table. Still not working though...

tracert 2001:4860:4860::8888

Tracing route to dns.google [2001:4860:4860::8888]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 2a0a:ef40:471:9500::
2 * * * Request timed out.
3 9 ms 9 ms 8 ms 2a0a:ef40:ffff:f00::1
4 8 ms 9 ms 9 ms ae15-100-xcr1.slo.cw.net [2001:5000:1300:6::1]
5 10 ms 10 ms 10 ms ae21-xcr1.hex.cw.net [2001:5000:0:b7::1]
6 10 ms 22 ms 31 ms ae9-xcr1.lnt.cw.net [2001:5000:0:242::1]
7 11 ms 11 ms 10 ms 2001:5000:100:9::2
8 10 ms 9 ms 9 ms 2001:4860:0:1::7e01
9 * * * Request timed out.
10 9 ms 9 ms 9 ms dns.google [2001:4860:4860::8888]

Trace complete.

>route print -6
===========================================================================
Interface List
3...d8 5e d3 a6 37 14 ......Intel(R) Ethernet Controller (3) I225-V
16...28 d0 ea 3a 0c b9 ......Intel(R) Wi-Fi 6 AX201 160MHz
11...28 d0 ea 3a 0c ba ......Microsoft Wi-Fi Direct Virtual Adapter
18...2a d0 ea 3a 0c b9 ......Microsoft Wi-Fi Direct Virtual Adapter #2
20...28 d0 ea 3a 0c bd ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
33...00 15 5d 33 70 01 ......Hyper-V Virtual Ethernet Adapter
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
3 276 ::/0 fe80::4aa9:8aff:fe57:4601
1 331 ::1/128 On-link
3 276 2a0a:ef40:471:9500::/64 On-link
3 276 2a0a:ef40:471:9500:756e:3ab7:7af0:f5f0/128
On-link
3 276 2a0a:ef40:471:9500:c90e:d3b1:b177:a1ab/128
On-link
3 276 fd79:c73c:79ad:1::/64 fe80::2e71:ffff:fe58:fda9
3 276 fdfe:1e6:13b5:1::/64 fe80::88f:6995:1d4a:7b2a
3 276 fdfe:1e6:13b5:1::/64 fe80::2a6d:97ff:fe7f:7328
3 276 fe80::/64 On-link
33 5256 fe80::/64 On-link
3 276 fe80::7544:f62c:dd02:a8ed/128
On-link
33 5256 fe80::ff43:70a9:d4e5:9cb7/128
On-link
1 331 ff00::/8 On-link
3 276 ff00::/8 On-link
33 5256 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Dec 21, 2023 6:45 pm

Re: Pihole and IPv6 - getting it to work

Sat May 11, 2024 1:45 pm

Do you mean you can still not ping fd6c:b6e2:f488::2?

Does tracert fd6c:b6e2:f488::2 now show that it try to go to the router 2a0a:ef40:471:9500:: first, instead of "Destination host unreachable" like before?

(Also, make sure that the container is running, in case "Start On Boot" was not checked).
 
dazzaling69
Member Candidate
Member Candidate
Topic Author
Posts: 156
Joined: Wed Feb 22, 2017 12:01 pm

Re: Pihole and IPv6 - getting it to work

Sat May 11, 2024 4:19 pm

Actually, I didn't try that, but it works! Both ping and traceroute behave as expected now. Thank you for sorting that out. Is there anything else I could/should check?

Why did I get request timed out as the second hop to the Google DNS server?

I'm now wondering whether the IPv6 DNS traffic really is going through the pi-hole, or even working at all in my network.

The way I do it is I to advertise the router as the DNS server and then use NAT rules on the IPv4 and IPv4 firewalls to send Port 53 traffic to the pihole.

However, there is no IPv6 DNS server info on my Windows box - only the IPv4 address. Is this normal?

Thanks again for fixing my network so far.
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Dec 21, 2023 6:45 pm

Re: Pihole and IPv6 - getting it to work

Sat May 11, 2024 5:28 pm

That some of the hops on a traceroute to some host on the internet "timed out" is not unusual. Trace route works by sending ping packets to the destination, but first only set the TTL (time to live) field of the packet to 1. At the next hop TTL will be reduced to 0 and normally the router at that hop should send back a Time Exceeded ICMPv6 Message. The trace route tool uses the source of this message as the address of hop 1. Then it increases TTL to 2 and sends the ping packet again, this time the 2nd hop will receive the packet and decrease TTL down to 0, and would send Time Exceeded. This repeats, the trace route tool increases TTL each time and resend the packet, until the destination is reached, or until, for instance, TTL is 30 (maximum 30 hops like the tool wrote).

But not all nodes on the way to the destination react correctly to a TTL dropping to 0, and not all of them send back the Time Exceeded ICMPv6 packet. In those case, nothing is returned, and after the timeout limit has been reached, the trace route tool gives up, increases TTL and tries the next hop.

So, in your case the 2nd hop doesn't send back Time Exceeded messages. That 2nd hop is actually the other end of the pppoe-out1 connection (PPPoE is point-to-point, one point is your router, the other is the access concentrator of your ISP).

As for telling the devices on the IPv6 network to use you pi hole as DNS server, you can edit the Neighbor Discovery (IPv6 -> ND) entry that you created for "Local Bridge", add fd6c:b6e2:f488::2 to the DNS Servers text box, and turn on the "Advertise DNS" checkbox.

On your pi hole you can, maybe, temporarily "block" www.google.com or some other well-known domain, and see if your devices can still resolve that address.

Another way to test whether pi-hole is reachable by IPv6 on your PC is to run the nslookup command with fd6c:b6e2:f488::2 specified as DNS server, like this:
nslookup example.com fd6c:b6e2:f488::2
 
dazzaling69
Member Candidate
Member Candidate
Topic Author
Posts: 156
Joined: Wed Feb 22, 2017 12:01 pm

Re: Pihole and IPv6 - getting it to work

Sat May 11, 2024 6:50 pm

OK. Thanks so much for helping me sort this out.

If I do nslookup example.com fd6c:b6e2:f488::2 it returns an IP address, so I guess that proves that the pihole DNS works. However, this doesn't work if I try any other IPv6 address as the DNS resolver - this is not the behaviour I was expecting given the IPv6 NAT rules I've set.

In IPv4, I NAT any lookup to port 53 to redirect to the pihole, so it doesn't matter which DNS server you try to use it will replace it with the IP address for the pihole; however DHCP advertises the router's address and Pihole uses the router as its upstream DNS. That way, I can quickly turn on/off the pihole DNS service by disabling the NAT rules for port 53.

If I try to do this with the IPv6 address, using the Local-Bridge IP address as the advertised/NATed DNS service (is this the router's IP address???) and the upstream DNS server from pihole then nslookup using the Local-bridge IPv6 address (i.e., not pihole address) doesn't work. This is the last piece of my puzzle - do you know what's not working? The NAT rules should surely redirect ANY DNS lookup that isn't directly to the pihole.

In the config I posted the rules may have been disabled but they're enabled now.

Still struggling a bit to understand IPv6 - not had that light bulb moment yet.
 
dazzaling69
Member Candidate
Member Candidate
Topic Author
Posts: 156
Joined: Wed Feb 22, 2017 12:01 pm

Re: Pihole and IPv6 - getting it to work

Sat May 11, 2024 7:45 pm

Rather bizarrely, I now seem to have no IPv6 public address! The DHCP v6 client says it's bound and has acquired and IPv6 address, but any public tests (https://test-ipv6.com/, https://ipv6-test.com/, https://ipv6test.google.com/, etc.) claims I don't have an IPv6 address.

The whole IPv6 stack is perplexing!!
 
dazzaling69
Member Candidate
Member Candidate
Topic Author
Posts: 156
Joined: Wed Feb 22, 2017 12:01 pm

Re: Pihole and IPv6 - getting it to work

Sun May 12, 2024 9:08 pm

Is there a way I can find out what's happening with my IPv6 WAN connectivity? I can ping Google's DNS server on 2001:4860:4860::8888. How can the public tests fail, saying I don't have any IPv6 access?
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Dec 21, 2023 6:45 pm

Re: Pihole and IPv6 - getting it to work

Mon May 13, 2024 9:40 am

OK. Thanks so much for helping me sort this out.

If I do nslookup example.com fd6c:b6e2:f488::2 it returns an IP address, so I guess that proves that the pihole DNS works. However, this doesn't work if I try any other IPv6 address as the DNS resolver - this is not the behaviour I was expecting given the IPv6 NAT rules I've set.

In IPv4, I NAT any lookup to port 53 to redirect to the pihole, so it doesn't matter which DNS server you try to use it will replace it with the IP address for the pihole; however DHCP advertises the router's address and Pihole uses the router as its upstream DNS. That way, I can quickly turn on/off the pihole DNS service by disabling the NAT rules for port 53.

If I try to do this with the IPv6 address, using the Local-Bridge IP address as the advertised/NATed DNS service (is this the router's IP address???) and the upstream DNS server from pihole then nslookup using the Local-bridge IPv6 address (i.e., not pihole address) doesn't work. This is the last piece of my puzzle - do you know what's not working? The NAT rules should surely redirect ANY DNS lookup that isn't directly to the pihole.

In the config I posted the rules may have been disabled but they're enabled now.

Still struggling a bit to understand IPv6 - not had that light bulb moment yet.

About the 3 dst-nat rules at the bottom of your config file above (which were disabled but are now are you said, enabled):

* The first rule won't do what you expect. addresses in the fe80::/10 ranges are link-local addresses, and only valid between devices on the same Layer 2 network and communications between them will not go through the router (unless fe80::4aa9:8aff:fe57:4601/128 is the router).

* The two rules for redirecting all UDP and TCP port 53 traffic: you'll probably run into hairpin NAT issues when the replies are sent back to the sender. I need these 4 rules if I want to "redirect" IPv6 DNS 53 queries (tested on my setup):

/ipv6 firewall nat
add action=masquerade chain=srcnat dst-address=xxxx::yyyy/128 dst-port=53 protocol=tcp
add action=masquerade chain=srcnat dst-address=xxxx::yyyy/128 dst-port=53 protocol=udp
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=LAN protocol=tcp \
    src-address=!xxxx::yyyy/128 to-address=xxxx::yyyy/128
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=LAN protocol=udp \
    src-address=!xxxx::yyyy/128 to-address=xxxx::yyyy/128

The two masquerade rules are workarounds for the hairpin-NAT issue. My interface list "LAN" is your "listBridge". "xxxx::yyyy" is the DNS server running on a device in my network.

Also, if your client devices have both IPv4 and IPv6 DNS configured, they might still only use the IPv4 server for DNS queries (even for AAAA queries). So you might not see the counter on the dst-nat rule in the firewall table increasing. If the client has an IPv4 DNS server address and an ULA (fd00::/8) IPv6 DNS server address, it will always prefer the IPv4 DNS server. The IPv6 DNS server will only be used when you turn off IPv4 support on the device, or specify the address of the server explicitly.
Last edited by CGGXANNX on Mon May 13, 2024 9:57 am, edited 1 time in total.
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Dec 21, 2023 6:45 pm

Re: Pihole and IPv6 - getting it to work

Mon May 13, 2024 9:55 am

Rather bizarrely, I now seem to have no IPv6 public address! The DHCP v6 client says it's bound and has acquired and IPv6 address, but any public tests (https://test-ipv6.com/, https://ipv6-test.com/, https://ipv6test.google.com/, etc.) claims I don't have an IPv6 address.

The whole IPv6 stack is perplexing!!

Do the problems occur with or without the dst-nat rules enabled? If you can ping Google IPv6 server but the test site fail, it can be either a DNS issue or a firewall issue. The firewall has explicit rules for allowing ICMPv6, so ping would still work even if you accidently had other block rules below that rule.

Does
ping -6 google.com
work?

If possible, can you make another export of your most recent configuration?
 
dazzaling69
Member Candidate
Member Candidate
Topic Author
Posts: 156
Joined: Wed Feb 22, 2017 12:01 pm

Re: Pihole and IPv6 - getting it to work

Mon May 13, 2024 11:15 am

The ping works fine. It could be my ISP - Vodafone...?

I can see pihole is receiving requests from both IPv4 and IPv6 addresses. It all seems to be working (barring the NAT redirects), but the public-facing tools suggest otherwise. I have previously checked these and they used to work.
# 2024-05-13 09:09:27 by RouterOS 7.14.3
# software id = 4SAD-K293
#
# model = RB5009UG+S+
# serial number = HE408Z9RT61
/interface bridge
add name="Local Bridge" port-cost-mode=short
add name=dockers port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name="Port 1 - Study"
set [ find default-name=ether2 ] name="Port 2 - Girl's Room"
set [ find default-name=ether3 ] name="Port 3 - Living Room"
set [ find default-name=ether4 ] name="Port 4 - Snug"
set [ find default-name=ether5 ] name="Port 5 - Bonded"
set [ find default-name=ether6 ] name="Port 6 - Bonded"
set [ find default-name=ether7 ] name="Port 7 - Kitchen"
set [ find default-name=ether8 ] mtu=1508 name="Port 8 - WAN"
set [ find default-name=sfp-sfpplus1 ] name="Port 9 - SFP+"
/interface pppoe-client
add add-default-route=yes disabled=no interface="Port 8 - WAN" max-mru=1500 \
    max-mtu=1500 name=Vodafone service-name="Vodafone PPPOE" use-peer-dns=yes \
    user=dsl002066683@broadband.vodafone.co.uk
/interface veth
add address=172.17.0.2/24,fd6c:b6e2:f488::2/64 gateway=172.17.0.1 gateway6=\
    fd6c:b6e2:f488:: name=veth1
/interface wireguard
add comment=back-to-home-vpn listen-port=12713 mtu=1420 name=back-to-home-vpn
add listen-port=13231 mtu=1420 name=wireguard1
/interface bonding
add mode=802.3ad name="Bonded NAS" slaves="Port 5 - Bonded,Port 6 - Bonded" \
    transmit-hash-policy=layer-3-and-4
/container mounts
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=\
    /usb1-part1/pihole/etc-dnsmasq.d
add dst=/etc/pihole name=etc_pihole src=/usb1-part1/pihole/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole2 src=\
    /usb1-part1/pihole2/etc-dnsmasq.d
add dst=/etc/pihole name=etc_pihole2 src=/usb1-part1/pihole2/etc
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    "128 035 675 648" type=partition
/interface list
add name=listBridge
add name=WAN
add comment=defconf include=listBridge name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add comment="Selects for YouTube traffic" name="YouTube L7" regexp=\
    "^..+\\.(youtube.com|googlevideo.com|akamaihd.net).*\$"
/ip ipsec mode-config
add connection-mark=ipsec name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=uk2093.nordvpn.com exchange-mode=ike2 name=NordVPN profile=\
    NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=10.160.100.20-10.160.100.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface="Local Bridge" lease-time=10m name=\
    dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
add name=Darren
/ipv6 pool
add name=IPv6_dockers prefix=fd6c:b6e2:f488::/48 prefix-length=64
/caps-man manager
set enabled=yes
/container
add envlist=pihole_envs interface=veth1 logging=yes mounts=\
    dnsmasq_pihole2,etc_pihole2 root-dir=/usb1-part1/pihole2 start-on-boot=\
    yes
/container config
set registry-url=https://registry-1.docker.io tmpdir="usb1-part1/pull "
/container envs
add key=TZ name=pihole_envs value=Europe/London
add key=WEBPASSWORD name=pihole_envs value=Ham1sh01
add key=DNSMASQ_USER name=pihole_envs value=root
/ip smb
set domain=WORKGROUP enabled=yes interfaces="Local Bridge"
/interface bridge port
add bridge="Local Bridge" interface="Port 2 - Girl's Room" \
    internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 1 - Study" internal-path-cost=10 \
    path-cost=10
add bridge="Local Bridge" interface="Port 7 - Kitchen" internal-path-cost=10 \
    path-cost=10
add bridge="Local Bridge" interface="Port 9 - SFP+" internal-path-cost=10 \
    path-cost=10
add bridge="Local Bridge" interface="Bonded NAS" internal-path-cost=10 \
    path-cost=10
add bridge="Local Bridge" interface="Port 3 - Living Room" \
    internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 4 - Snug" internal-path-cost=10 \
    path-cost=10
add bridge=dockers interface=veth1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface="Local Bridge" list=listBridge
add interface=Vodafone list=WAN
add interface="Port 8 - WAN" list=WAN
add interface=dockers list=listBridge
/interface wireguard peers
add allowed-address=192.168.10.2/32 comment="2 iPhone" interface=wireguard1 \
    public-key="lkjndfoghwihfojwhofuhwouebgojwrbgw="
/ip address
add address=10.160.100.1/24 interface="Local Bridge" network=10.160.100.0
add address=192.168.10.1/24 comment=WireGuard1 interface=wireguard1 network=\
    192.168.10.0
add address=172.17.0.1/24 comment="Docker container address range" interface=\
    dockers network=172.17.0.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-server lease
add address=10.160.100.30 client-id=1:0:11:32:b7:b2:15 mac-address=\
    00:11:32:B7:B2:15 server=dhcp1
add address=10.160.100.68 client-id=1:ec:71:db:2e:8c:e0 mac-address=\
    EC:71:DB:2E:8C:E0 server=dhcp1
add address=10.160.100.85 client-id=1:6c:3b:6b:7e:ad:ee mac-address=\
    6C:3B:6B:7E:AD:EE server=dhcp1
/ip dhcp-server network
add address=10.160.100.0/24 dns-server=10.160.100.1 gateway=10.160.100.1
/ip dns
set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=1000 \
    max-concurrent-tcp-sessions=2000 servers=\
    1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003 use-doh-server=\
    https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.249.249 name=cloudflare-dns.com
add address=104.16.248.249 name=cloudflare-dns.com
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=10.160.100.30 list=VPN
/ip firewall filter
add action=accept chain=input comment=\
    "accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept LAN traffic" in-interface=\
    "Local Bridge"
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Allow Everything in Wireguard" \
    in-interface=wireguard1
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
    dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
    dst-port=53 in-interface=dockers protocol=tcp
add action=drop chain=input comment="block everything else"
add action=fasttrack-connection chain=forward comment=\
    "Fasttrack, but not ipsec" connection-mark=!ipsec connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "Forward established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=accept chain=forward comment="Forward all outbound traffic" \
    in-interface="Local Bridge" out-interface=Vodafone packet-mark=""
add action=accept chain=forward comment="Allow Wireguard to Subnets" \
    dst-address=10.160.100.0/24 in-interface=wireguard1
add action=accept chain=forward comment="WG to internet" in-interface=\
    wireguard1 out-interface=Vodafone
add action=accept chain=forward comment="Accept dst-nat" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
    in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
    "Local Bridge" out-interface=dockers
add action=drop chain=forward comment="Drop all Else"
/ip firewall mangle
add action=passthrough chain=prerouting comment=\
    "special dummy rule to show fasttrack counters" disabled=yes
add action=mark-connection chain=prerouting comment="Newsgroup Traffic ipsec" \
    connection-state=new dst-port=563 in-interface="Local Bridge" \
    new-connection-mark=ipsec passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=\
    "BitTorrent Ipsec (doesn't filter p2p traffic)" connection-state=new \
    dst-port=16881 in-interface="Local Bridge" new-connection-mark=ipsec \
    passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=\
    "BitTorrent DHT traffic UDP" connection-state=new dst-port=6881 \
    in-interface="Local Bridge" new-connection-mark=ipsec passthrough=yes \
    protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none log=yes log-prefix=\
    masq out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Plex TCP" dst-port=32400 \
    in-interface=Vodafone log=yes log-prefix=PlexNAT protocol=tcp \
    to-addresses=10.160.100.30 to-ports=32400
add action=dst-nat chain=dstnat comment=PiHole dst-address=10.160.100.1 \
    dst-port=888 in-interface="Local Bridge" in-interface-list=all protocol=\
    tcp to-addresses=172.17.0.2 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "Force any UDP DNS queries that aren't to pihole to go to pihole" \
    dst-address=!172.17.0.2 dst-port=53 in-interface="Local Bridge" protocol=\
    udp src-address=!172.17.0.2 to-addresses=172.17.0.2
add action=dst-nat chain=dstnat comment=\
    "Force any TCP DNS queries that aren't to pihole to go to pihole" \
    dst-address=!172.17.0.2 dst-port=53 in-interface="Local Bridge" protocol=\
    tcp src-address=!172.17.0.2 to-addresses=172.17.0.2
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
    NordVPN username=WNGqUUBXZkfY5c3q3SKMYDrY
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
    0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set www-ssl certificate=Webfig disabled=no
set api disabled=yes
set winbox address=10.160.100.0/24
/ip smb shares
set [ find default=yes ] directory=/pub disabled=no
add directory=/usb1-part1 name=Container
/ip ssh
set strong-crypto=yes
/ipv6 address
add from-pool=IPv6_Pool interface="Local Bridge"
add comment="Docker container address range" from-pool=IPv6_dockers \
    interface=dockers
/ipv6 dhcp-client
add add-default-route=yes interface=Vodafone pool-name=IPv6_Pool prefix-hint=\
    ::/56 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
    dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
    dst-port=53 in-interface=dockers protocol=tcp
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !listBridge
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
    in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
    "Local Bridge" out-interface=dockers
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !listBridge
/ipv6 firewall nat
add action=dst-nat chain=dstnat comment=Pihole disabled=yes dst-address=\
    fe80::4aa9:8aff:fe57:4601/128 dst-port=888 in-interface="Local Bridge" \
    in-interface-list=all protocol=tcp to-address=fd6c:b6e2:f488::2/128 \
    to-ports=80
add action=dst-nat chain=dstnat comment="Force all UDP DNS queries to pihole" \
    disabled=yes dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface=\
    "Local Bridge" log=yes protocol=udp src-address=!fd6c:b6e2:f488::2/128 \
    to-address=fd6c:b6e2:f488::2/128
add action=dst-nat chain=dstnat comment="Force all TCP DNS queries to pihole" \
    disabled=yes dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface=\
    "Local Bridge" protocol=tcp src-address=!fd6c:b6e2:f488::2/128 \
    to-address=fd6c:b6e2:f488::2/128
/ipv6 nd
add dns=fd6c:b6e2:f488::2 interface="Local Bridge" \
    managed-address-configuration=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=Gateway
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes use-local-clock=yes
/system ntp client servers
add address=time.cloudflare.com
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=Vodafone
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
/tool romon
set enabled=yes
/tool traffic-monitor
add interface="Port 8 - WAN" name=tmon1
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Dec 21, 2023 6:45 pm

Re: Pihole and IPv6 - getting it to work

Mon May 13, 2024 8:18 pm

I did a Diff between your two configs and the only IPv6-related thing that changed was the DNS in the IPv6 -> ND entry. Is the problem still there if you clear that box (although I don't think that it's the cause).

We know that ping works, but it only assures that ICMPv6 is correctly routed and allowed through. Maybe other protocols and ports were blocked. Can you run these commands in PowerShell to test TCP connections to port 443 of several google.com's IP addresses across the world?

Test-NetConnection -ComputerName 2607:f8b0:4006:809::200e -Port 443
Test-NetConnection -ComputerName 2a00:1450:4009:81f::200e -Port 443
Test-NetConnection -ComputerName 2404:6800:4005:81c::200e -Port 443
Test-NetConnection -ComputerName google.com -Port 443

They should all say "TcpTestSucceeded : True". The last command tests using the domain name, does that command tests with google's IPv6 address? or IPv4?
 
dazzaling69
Member Candidate
Member Candidate
Topic Author
Posts: 156
Joined: Wed Feb 22, 2017 12:01 pm

Re: Pihole and IPv6 - getting it to work

Mon May 13, 2024 8:49 pm

All of the tests passed successfully. The DNS setting made no difference. There is a chance it could be the ISP. It's odd though...
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Dec 21, 2023 6:45 pm

Re: Pihole and IPv6 - getting it to work

Mon May 13, 2024 8:53 pm

Hm, then it might be due to something on your PC / your web browser. What was the concrete error listed on https://www.test-ipv6.com/ ?
 
dazzaling69
Member Candidate
Member Candidate
Topic Author
Posts: 156
Joined: Wed Feb 22, 2017 12:01 pm

Re: Pihole and IPv6 - getting it to work

Mon May 13, 2024 9:13 pm

Err. Whoops. Apologies for the rabbit hole, but I had forgotten I was running a VPN on one of my browsers. The other one worked fine. Sorry for that and thanks for the helpful suggestions.
 
dazzaling69
Member Candidate
Member Candidate
Topic Author
Posts: 156
Joined: Wed Feb 22, 2017 12:01 pm

Re: Pihole and IPv6 - getting it to work

Mon May 13, 2024 11:53 pm

I have one last question, if it's not too much of an imposition. I'm trying with the NAT rules to force all DNS traffic to go through the pihole. I think that should work with my current IPv6 rules - certainly it has registered a bit of UDP traffic on that NAT rule. However, I don't want to advertise the pihole IPv6 DNS - I want to advertise the router as the DNS - so I can turn the pihole route off easily by disabling the NAT rules if it stops working.

Do I need to set a ULA advertising the DNS, linked to the LocalBridge, to make my router act as an IPv6 DNS server (which I then use from the pihole as the upstream DNS server)? I am confused about how you give anything an IP address in the SLAAC world.
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Dec 21, 2023 6:45 pm

Re: Pihole and IPv6 - getting it to work

Tue May 14, 2024 3:44 am

In the ND entry, you can advertise the link local address of the router on the "Local Bridge". That's the dynamic address starting with "fe80:" that you see under IPv6 -> Addresses associated with the interface "Local Bridge", with the DL flag (dynamic link-local).

You might need the masquerade rules like I wrote in post #23 above too (those 4 rules worked for redirecting IPv6 DNS53 traffic on my router). And also like I wrote, the dual stack clients might prefer the IPv4 DNS server and not use the DNS server's IPv6 address.

And of course, if the clients (like mobile phones, or modern browsers) have secured DNS configured, they will make DoT or DoH queries to some other remote server and won't use the old protocol using port 53 UDP/TCP. In that case you won't be able to intercept the queries.
 
dazzaling69
Member Candidate
Member Candidate
Topic Author
Posts: 156
Joined: Wed Feb 22, 2017 12:01 pm

Re: Pihole and IPv6 - getting it to work

Tue May 14, 2024 11:02 am

Thanks. I applied the masquerade rules and changed the advertised DNS server in ND. I think it's working - certainly, an NSlookup still provides a result, but I'm not sure that's a sign of anything in particular with IPv6 DNS... The UDP masq rule has seen some traffic since I added it and if I do nslookup the redirect NAT rule also sees traffic. I think I'm chalking that up as working!

Thanks again for all your work setting me right on this. I learn by doing when it comes to ROS/networking. Some days I marvel at the power of it and some days I wonder whether I should really be so contemptible of plain old consumer-grade routers :-) - they're not flash but they get the job done without all this effort.
 
dazzaling69
Member Candidate
Member Candidate
Topic Author
Posts: 156
Joined: Wed Feb 22, 2017 12:01 pm

Re: Pihole and IPv6 - getting it to work

Thu May 16, 2024 11:01 pm

I thought I had this, but it seems not.

The DNS lookups work if I specify the pihole's true IPv6 address - fd6c:b6e2:f488::2 - but not if I use the advertised address, the local bridge address fe80::4aa9:8aff:fe57:4601. I think this means the NAT rules are not working. This is maddeningly close to doing what I want!

The test I am using is nslookup google.com [ipv6 dns server address]. Using the fd6c:b6e2:f488::2 address works like a charm. The other address mostly (but not completely) times out.

I'm sure I've just mucked up the NAT and masq config but can't get my head around it.
# 2024-05-16 20:57:10 by RouterOS 7.14.3
# software id = 4SAD-K293
#
# model = RB5009UG+S+
# serial number = HE408Z9RT61
/interface bridge
add name="Local Bridge" port-cost-mode=short
add name=dockers port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name="Port 1 - Study"
set [ find default-name=ether2 ] name="Port 2 - Girl's Room"
set [ find default-name=ether3 ] name="Port 3 - Living Room"
set [ find default-name=ether4 ] name="Port 4 - Snug"
set [ find default-name=ether5 ] name="Port 5 - Bonded"
set [ find default-name=ether6 ] name="Port 6 - Bonded"
set [ find default-name=ether7 ] name="Port 7 - Kitchen"
set [ find default-name=ether8 ] mtu=1508 name="Port 8 - WAN"
set [ find default-name=sfp-sfpplus1 ] name="Port 9 - SFP+"
/interface pppoe-client
add add-default-route=yes disabled=no interface="Port 8 - WAN" max-mru=1500 \
    max-mtu=1500 name=Vodafone service-name="Vodafone PPPOE" use-peer-dns=yes \
    user=dsl002066683@broadband.vodafone.co.uk
/interface veth
add address=172.17.0.2/24,fd6c:b6e2:f488::2/64 gateway=172.17.0.1 gateway6=\
    fd6c:b6e2:f488:: name=veth1
/interface wireguard
add comment=back-to-home-vpn listen-port=12713 mtu=1420 name=back-to-home-vpn
add listen-port=13231 mtu=1420 name=wireguard1
/interface bonding
add mode=802.3ad name="Bonded NAS" slaves="Port 5 - Bonded,Port 6 - Bonded" \
    transmit-hash-policy=layer-3-and-4
/container mounts
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=\
    /usb1-part1/pihole/etc-dnsmasq.d
add dst=/etc/pihole name=etc_pihole src=/usb1-part1/pihole/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole2 src=\
    /usb1-part1/pihole2/etc-dnsmasq.d
add dst=/etc/pihole name=etc_pihole2 src=/usb1-part1/pihole2/etc
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    "128 035 675 648" type=partition
/interface list
add name=listBridge
add name=WAN
add comment=defconf include=listBridge name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add comment="Selects for YouTube traffic" name="YouTube L7" regexp=\
    "^..+\\.(youtube.com|googlevideo.com|akamaihd.net).*\$"
/ip ipsec mode-config
add connection-mark=ipsec name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=uk2093.nordvpn.com exchange-mode=ike2 name=NordVPN profile=\
    NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=10.160.100.20-10.160.100.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface="Local Bridge" lease-time=10m name=\
    dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
add name=Darren
/ipv6 pool
add name=IPv6_dockers prefix=fd6c:b6e2:f488::/48 prefix-length=64
/caps-man manager
set enabled=yes
/container
add envlist=pihole_envs interface=veth1 logging=yes mounts=\
    dnsmasq_pihole2,etc_pihole2 root-dir=/usb1-part1/pihole2 start-on-boot=\
    yes
/container config
set registry-url=https://registry-1.docker.io tmpdir="usb1-part1/pull "
/container envs
add key=TZ name=pihole_envs value=Europe/London
add key=WEBPASSWORD name=pihole_envs value=
add key=DNSMASQ_USER name=pihole_envs value=root
/ip smb
set domain=WORKGROUP enabled=yes interfaces="Local Bridge"
/interface bridge port
add bridge="Local Bridge" interface="Port 2 - Girl's Room" \
    internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 1 - Study" internal-path-cost=10 \
    path-cost=10
add bridge="Local Bridge" interface="Port 7 - Kitchen" internal-path-cost=10 \
    path-cost=10
add bridge="Local Bridge" interface="Port 9 - SFP+" internal-path-cost=10 \
    path-cost=10
add bridge="Local Bridge" interface="Bonded NAS" internal-path-cost=10 \
    path-cost=10
add bridge="Local Bridge" interface="Port 3 - Living Room" \
    internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 4 - Snug" internal-path-cost=10 \
    path-cost=10
add bridge=dockers interface=veth1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface="Local Bridge" list=listBridge
add interface=Vodafone list=WAN
add interface="Port 8 - WAN" list=WAN
add interface=dockers list=listBridge
/ip address
add address=10.160.100.1/24 interface="Local Bridge" network=10.160.100.0
add address=192.168.10.1/24 comment=WireGuard1 interface=wireguard1 network=\
    192.168.10.0
add address=172.17.0.1/24 comment="Docker container address range" interface=\
    dockers network=172.17.0.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-server lease
add address=10.160.100.30 client-id=1:0:11:32:b7:b2:15 mac-address=\
    00:11:32:B7:B2:15 server=dhcp1
add address=10.160.100.68 client-id=1:ec:71:db:2e:8c:e0 mac-address=\
    EC:71:DB:2E:8C:E0 server=dhcp1
add address=10.160.100.85 client-id=1:6c:3b:6b:7e:ad:ee mac-address=\
    6C:3B:6B:7E:AD:EE server=dhcp1
/ip dhcp-server network
add address=10.160.100.0/24 dns-server=10.160.100.1 gateway=10.160.100.1
/ip dns
set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=1000 \
    max-concurrent-tcp-sessions=2000 servers=\
    1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003 use-doh-server=\
    https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.249.249 name=cloudflare-dns.com
add address=104.16.248.249 name=cloudflare-dns.com
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=10.160.100.30 list=VPN
/ip firewall filter
add action=accept chain=input comment=\
    "accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept LAN traffic" in-interface=\
    "Local Bridge"
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Allow Everything in Wireguard" \
    in-interface=wireguard1
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
    dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
    dst-port=53 in-interface=dockers protocol=tcp
add action=drop chain=input comment="block everything else"
add action=fasttrack-connection chain=forward comment=\
    "Fasttrack, but not ipsec" connection-mark=!ipsec connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "Forward established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=accept chain=forward comment="Forward all outbound traffic" \
    in-interface="Local Bridge" out-interface=Vodafone packet-mark=""
add action=accept chain=forward comment="Allow Wireguard to Subnets" \
    dst-address=10.160.100.0/24 in-interface=wireguard1
add action=accept chain=forward comment="WG to internet" in-interface=\
    wireguard1 out-interface=Vodafone
add action=accept chain=forward comment="Accept dst-nat" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
    in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
    "Local Bridge" out-interface=dockers
add action=drop chain=forward comment="Drop all Else"
/ip firewall mangle
add action=passthrough chain=prerouting comment=\
    "special dummy rule to show fasttrack counters" disabled=yes
add action=mark-connection chain=prerouting comment="Newsgroup Traffic ipsec" \
    connection-state=new dst-port=563 in-interface="Local Bridge" \
    new-connection-mark=ipsec passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=\
    "BitTorrent Ipsec (doesn't filter p2p traffic)" connection-state=new \
    dst-port=16881 in-interface="Local Bridge" new-connection-mark=ipsec \
    passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=\
    "BitTorrent DHT traffic UDP" connection-state=new dst-port=6881 \
    in-interface="Local Bridge" new-connection-mark=ipsec passthrough=yes \
    protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none log=yes log-prefix=\
    masq out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Plex TCP" dst-port=32400 \
    in-interface=Vodafone log=yes log-prefix=PlexNAT protocol=tcp \
    to-addresses=10.160.100.30 to-ports=32400
add action=dst-nat chain=dstnat comment=PiHole dst-address=10.160.100.1 \
    dst-port=888 in-interface="Local Bridge" in-interface-list=all protocol=\
    tcp to-addresses=172.17.0.2 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "Force any UDP DNS queries that aren't to pihole to go to pihole" \
    dst-address=!172.17.0.2 dst-port=53 in-interface="Local Bridge" protocol=\
    udp src-address=!172.17.0.2 to-addresses=172.17.0.2
add action=dst-nat chain=dstnat comment=\
    "Force any TCP DNS queries that aren't to pihole to go to pihole" \
    dst-address=!172.17.0.2 dst-port=53 in-interface="Local Bridge" protocol=\
    tcp src-address=!172.17.0.2 to-addresses=172.17.0.2
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
    NordVPN username=WNGqUUBXZkfY5c3q3SKMYDrY
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
    0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set www-ssl certificate=Webfig disabled=no
set api disabled=yes
set winbox address=10.160.100.0/24
/ip smb shares
set [ find default=yes ] directory=/pub disabled=no
add directory=/usb1-part1 name=Container
/ip ssh
set strong-crypto=yes
/ipv6 address
add from-pool=IPv6_Pool interface="Local Bridge"
add comment="Docker container address range" from-pool=IPv6_dockers \
    interface=dockers
/ipv6 dhcp-client
add add-default-route=yes interface=Vodafone pool-name=IPv6_Pool prefix-hint=\
    ::/56 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
    dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
    dst-port=53 in-interface=dockers protocol=tcp
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !listBridge
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
    in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
    "Local Bridge" out-interface=dockers
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !listBridge
/ipv6 firewall nat
add action=masquerade chain=srcnat comment="Masquerade DNS traffic TCP" \
    dst-address=fd6c:b6e2:f488::2/128 dst-port=53 protocol=tcp \
    src-address-list=""
add action=masquerade chain=srcnat comment="Masquerade DNS traffic UDP" \
    dst-address=fd6c:b6e2:f488::2/128 dst-port=53 protocol=udp
add action=dst-nat chain=dstnat comment="Force all UDP DNS queries to pihole" \
    dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface-list=LAN log=\
    yes protocol=udp src-address=!fd6c:b6e2:f488::2/128 to-address=\
    fd6c:b6e2:f488::2/128
add action=dst-nat chain=dstnat comment="Force all TCP DNS queries to pihole" \
    dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface-list=LAN \
    protocol=tcp src-address=!fd6c:b6e2:f488::2/128 to-address=\
    fd6c:b6e2:f488::2/128
add action=masquerade chain=srcnat comment="Masquerade for the Pihole" \
    disabled=yes out-interface-list=WAN src-address=fd6c:b6e2:f488::/64
add action=dst-nat chain=dstnat comment=Pihole disabled=yes dst-address=\
    fd94:4dc1:86fb::2/128 dst-port=888 in-interface="Local Bridge" \
    in-interface-list=all protocol=tcp to-address=fd6c:b6e2:f488::2/128 \
    to-ports=80
/ipv6 nd
add dns=fe80::4aa9:8aff:fe57:4601 interface="Local Bridge" \
    managed-address-configuration=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=Gateway
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes use-local-clock=yes
/system ntp client servers
add address=time.cloudflare.com
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=Vodafone
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
/tool romon
set enabled=yes
/tool traffic-monitor
add interface="Port 8 - WAN" name=tmon1
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Dec 21, 2023 6:45 pm

Re: Pihole and IPv6 - getting it to work

Sun May 19, 2024 3:47 pm

Sorry for the long delay, I was away from home for the past days. The 4 rules look fine to me (except for maybe the src-address-list="" part on the first rule that can be removed, but that's not important). I've also replicated them on my network and tested them for the past few hours. DNS53 queries to any IPv6 host (including bogus one like 20::1) are correctly intercepted. Please note that if you test using the command line with nslookup and you specify the fe80:xxxx address als custom DNS server, you should include the id of the interface to that address. If you type

ipconfig /all

you'll see for instance that the default gateway is listed as fe80:xxx%id. With id being the number of the adapter interface. When testing with nslookup and fe80::/10 addresses, you should include that %id to the end of the IP address on the command line. This is not needed in the IPv6 -> ND -> DNS text box. And this fe80::/10 address must exist and is the address of the router on "Local Bridge". Any other address schemes (not starting with fe80) don't require the address to be correct and to exist. That means a bogus DNS server address like 2024:05:19:: will be intercepted, but a bogus fe80::abcd not. The fe80::/10 address in your test must be the address of the router on "Local Bridge".

In my tests Android and Linux devices are correctly redirected to the DNS server that I set up on my LAN (you can add bogus domain like bo.gus.do.main with A record 1.2.3.4 to your pi-hole DNS and see if the record is resolved on the clients). But Windows normally prefer the IPv4 DNS server if both are specified, so maybe that's why you don't see the queries in the log. But Windows will use the IPv6 DNS server if you explicitly tell tools like nslookup to do it, or if you temporarily disable IPv4 on the machine.
 
dazzaling69
Member Candidate
Member Candidate
Topic Author
Posts: 156
Joined: Wed Feb 22, 2017 12:01 pm

Re: Pihole and IPv6 - getting it to work

Thu May 23, 2024 11:19 pm

Thanks for those debug tests. It all seems to work, except, if I specify the default gateway from ipconfig, which is fe80::4aa9:8aff:fe57:4601%3, it doesn't work.

I think that's a detail though. Thank you.
 
User avatar
Strykar
just joined
Posts: 13
Joined: Fri Jan 12, 2024 4:27 am

Re: Pihole and IPv6 - getting it to work

Wed May 29, 2024 2:20 am

In my tests Android and Linux devices are correctly redirected to the DNS server that I set up on my LAN (you can add bogus domain like bo.gus.do.main with A record 1.2.3.4 to your pi-hole DNS and see if the record is resolved on the clients). But Windows normally prefer the IPv4 DNS server if both are specified, so maybe that's why you don't see the queries in the log. But Windows will use the IPv6 DNS server if you explicitly tell tools like nslookup to do it, or if you temporarily disable IPv4 on the machine.

I don't mean to hijack this thread but I have the exact same issue except my ISP provides a /64 prefix that I announce to the LAN via bridge0.

How can I assign a GUA IPv6 from this prefix to Pihole running on veth1 attached to the docker bridge? Can this be achieved without ULA?
In my situation, this would make things easy to manage as default routes are already setup and only firewall rules would be needed.
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Dec 21, 2023 6:45 pm

Re: Pihole and IPv6 - getting it to work

Wed May 29, 2024 10:27 am

I don't mean to hijack this thread but I have the exact same issue except my ISP provides a /64 prefix that I announce to the LAN via bridge0.

How can I assign a GUA IPv6 from this prefix to Pihole running on veth1 attached to the docker bridge? Can this be achieved without ULA?
In my situation, this would make things easy to manage as default routes are already setup and only firewall rules would be needed.

You can try to put ::/56 into the "Prefix Hint" field of the DHCPv6 Client entry, maybe your ISP does provide something bigger than /64. That would be the ideal case.

If it doesn't work and they only provide you with a /64 then unfortunately you cannot use it with SLAAC on bridge0 while at the same time cherry pick some addresses under that prefix to be used with your containers. If you manually pick some addresses and then manually add some /96 or /128 destination route to your router route table, the devices on bridge0 won't use those routes, because to them, all addresses under the same /64 prefix are "on-link" and they'll do this https://en.wikipedia.org/wiki/Neighbor_ ... ol#Example when trying to connect to those addresses, bypassing the router. If you want to share the same /64 between bridge0 and the docker bridge, you'll have to abandon SLAAC, and assign/configure addresses and routes manually on each device.

With only a single available /64 GUA, the best solution is still to use ULA for your docker bridge. And for the hosts with ULA address to be able to connect to the internet, you'll need a NAT (masquerade) rule, like with IPv4. Something like

/ipv6 firewall nat 
add action=masquerade chain=srcnat out-interface-list=WAN src-address=ula_prefix/64

Of course, on the devices IPv4 will be prefered to the ULA addresses, due to https://datatracker.ietf.org/doc/html/r ... ection-2.1.

Who is online

Users browsing this forum: sindy and 28 guests