antipope
just joined
Topic Author
Posts: 4
Joined: Tue May 14, 2024 8:29 pm

CHR RouterOS 7.14.3 IPv6 problems

Tue May 14, 2024 9:08 pm

Having IPv6 problems with a CHR RouterOS, 7.14.3 on a virtual host at Hetzner. IPv6 configs (IPIPv6 on top of wireguard tunnels) that work on several physical routers fail on the CHR.

Even pinging lo fails, which works on all physical routers:
[admin@foo-gw] > /ping ::1 count=2
Columns: SEQ, STATUS
SEQ  STATUS
  0  packet rejected
  1  packet rejected

Settings:
[admin@foo-gw] > /ipv6/settings/print
                  disable-ipv6: no
                       forward: yes
              accept-redirects: yes-if-forwarding-disabled
  accept-router-advertisements: yes
          max-neighbor-entries: 16384

Any ideas what exactly is failing if /ping ::1 does not work?
 
martinclaro
Frequent Visitor
Posts: 99
Joined: Sat Sep 28, 2013 6:08 am
Location: Buenos Aires, Argentina

Re: CHR RouterOS 7.14.3 IPv6 problems

Wed May 15, 2024 3:44 am

Check your firewall rules, you may be blocking access to loopback interface (it’s now a separate interface)
 
antipope
just joined
Topic Author
Posts: 4
Joined: Tue May 14, 2024 8:29 pm

Re: CHR RouterOS 7.14.3 IPv6 problems

Wed May 15, 2024 8:34 am

> Check your firewall rules, you may be blocking access to loopback interface (it’s now a separate interface)

Firewall entries are ok, ICMPv6 input accept is the first entry in IPv6 firewall filter rules. There is also a logging entry for outbound ICMPv6. Interestingly, the only IPv6 firewall counters that increase are for the packets that are arriving from a Wireguard tunnel smuggled inside IPv4 as protocol 41 packets, since the WG tunnel endpoints are IPv4.

Q: Is there such a thing as "interface IPv6 capability" on a virtual machine that the CHR becomes aware of and simply refuses to process IPv6 packets?
 
martinclaro
Frequent Visitor
Posts: 99
Joined: Sat Sep 28, 2013 6:08 am
Location: Buenos Aires, Argentina

Re: CHR RouterOS 7.14.3 IPv6 problems

Wed May 15, 2024 2:33 pm

Please do the following to make sure:
/ipv6/firewall/filter add action=accept chain=input dst-address=::1 place-before=0
And try again. I had a similar issue and that was how I realized it was the firewall.
 
antipope
just joined
Topic Author
Posts: 4
Joined: Tue May 14, 2024 8:29 pm

Re: CHR RouterOS 7.14.3 IPv6 problems

Wed May 15, 2024 5:08 pm

> Please do the following to make sure:
> /ipv6/firewall/filter add action=accept chain=input dst-address=::1 place-before=0
> And try again. I had a similar issue and that was how I realized it was the firewall.

Tried, not helping. Tried also removing all entries from firewall. Will spawn up another virtual server to see if the problem can be reproduced.
 
antipope
just joined
Topic Author
Posts: 4
Joined: Tue May 14, 2024 8:29 pm

Re: CHR RouterOS 7.14.3 IPv6 problems  [SOLVED]

Thu May 16, 2024 11:18 pm

Solved. Stupid user error as usual. Some forgotten obscure pre-wireguard era IPSec test years ago, not relevant until now when IPv6 was deployed:
/ip/ipsec/policy/print
...
1 android-ikev2-peer yes ::/0 ::/0 all encrypt unique 0

Lesson learned: always check firewall rules and IPSec policies. Thanks to kind souls trying to help.
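
Added example, not part of the thread and not MikroTik code: a small offline check that parses policy rows in the layout shown in the last post and reports which policies have selectors covering a given flow, such as ::1 -> ::1, and which are catch-all. The column order, the first sample row and the function names are assumptions made for this illustration.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample. Assumed column order: #, PEER, TUNNEL, SRC-ADDRESS,
# DST-ADDRESS, PROTOCOL, ACTION, LEVEL, PH2-COUNT. Row 0 is invented for contrast.
SAMPLE = """\
0 site-b-peer yes 10.10.0.0/24 10.20.0.0/24 all encrypt unique 1
1 android-ikev2-peer yes ::/0 ::/0 all encrypt unique 0
"""

class Policy(NamedTuple):
    index: int
    peer: str
    src: object   # ipaddress network object for the source selector
    dst: object   # ipaddress network object for the destination selector
    action: str

def parse_policies(text):
    """Parse policy rows; lines not in the assumed 9-column layout are skipped."""
    policies = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 9 or not fields[0].isdigit():
            continue
        try:
            src = ipaddress.ip_network(fields[3], strict=False)
            dst = ipaddress.ip_network(fields[4], strict=False)
        except ValueError:
            continue
        policies.append(Policy(int(fields[0]), fields[1], src, dst, fields[6]))
    return policies

def policies_matching(policies, src, dst):
    """Return policies whose selectors cover the flow src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [p for p in policies
            if s.version == p.src.version and d.version == p.dst.version
            and s in p.src and d in p.dst]

def catch_all(policies):
    """Return policies with prefix length 0 on both selectors."""
    return [p for p in policies if p.src.prefixlen == 0 and p.dst.prefixlen == 0]

if __name__ == "__main__":
    pols = parse_policies(SAMPLE)
    print("covers ::1 -> ::1:", [p.peer for p in policies_matching(pols, "::1", "::1")])
    print("catch-all:", [p.peer for p in catch_all(pols)])
```
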
