Community discussions

MikroTik App
 
zandor
just joined
Topic Author
Posts: 11
Joined: Sat Feb 05, 2022 8:37 am

ipv6 only works when pinging from the router

Thu May 12, 2022 9:26 am

At some point in the last few weeks ipv6 quit working properly. I have an RB5009UG+S+IN running 7.2.3, though I tried downgrading to 7.1.3 since the last time I'm sure it was working was before upgrading. I'm back on 7.2.3 now. I have Comcast residential cable Internet service (in Chicago) and a pretty simple setup. It's basically reset config, quickset as a router, turn ether8 into a management port, then configure ipv6. I plan to add VLANs & multiple subnets, but figure they'll just get in the way while debugging this. On the ipv6 side, the DHCP client successfully gets an address and a prefix, machines on the LAN side get their addresses through SLAAC, etc.

I can't access anything on the WAN side using ipv6 unless I ping the target IP address from the RB5009. If I have a ping going from the RB5009 I can ping from hosts on the WAN and even score 18 out of 20 on ipv6-test.com. ipv6 keeps working for whatever I was pining for a short time after stopping the ping, maybe 20s or so.

When the ping isn't running on the router I get Address Unreachable errors from the router. I checked with the packet sniffer and nothing goes out on the WAN side. The only icmpv6 traffic is link local stuff, mostly multicast. I've also noticed that I never see any "reachable" routers in the neighbor list. I could swear there use to be one back when ipv6 was working.

Anyone have a guess as to what could cause this?
# may/11/2022 21:47:56 by RouterOS 7.2.3
# software id = ZQ4G-PCTF
#
# model = RB5009UG+S+
# serial number = ************
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:9A auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=computers ranges=192.168.101.10-192.168.101.254
/ip dhcp-server
add address-pool=computers interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether8 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.101.1/24 comment=defconf interface=bridge network=\
    192.168.101.0
add address=192.168.88.1/24 interface=ether8 network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.101.0/24 comment=defconf dns-server=192.168.101.1 \
    gateway=192.168.101.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.101.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 route
add disabled=no dst-address=::/0 gateway=ether1
/ipv6 address
add address=::xxxx:xxxx:xxxx:9a eui-64=yes from-pool=ipv6pool interface=\
    bridge
/ipv6 dhcp-client
add interface=ether1 pool-name=ipv6pool prefix-hint=::/61 request=\
    address,prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] ra-interval=5s-30s
/system clock
set time-zone-name=America/Chicago
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
zandor
just joined
Topic Author
Posts: 11
Joined: Sat Feb 05, 2022 8:37 am

Re: ipv6 only works when pinging from the router

Sat May 14, 2022 5:21 am

I set up the RouterOS packet sniffer to stream to Wireshark running on a Windows machine. It looks like traffic originating from the RB5009 to an Internet address is sent to a router but any traffic from one of the machines on my network results in the RB5009 sending a neighbor solicitation. It doesn't seem to matter what address I ping. It acts like everything is local unless the router is sending the ping. Comcast DNS server (2001:558:feed::1), MikroTik.com (2a02:610:7501:1000::2), ipv6.google.com (2607:f8b0:4009:805::200e), whatever. My RB5009 sends a neighbor solicitation.

Idle:
8 routers with fe80::dead:beef:X:1 link local addresses send router advertisements. Occasionally the Comcast routers will send out a neighbor solicitation. Once in a while I also see the RB5009 sending out a neighbor solicitation to some other address. Reverse DNS says the ones I checked were Google addresses, so perhaps my Android phone is trying to talk to Google.

Pinging an Internet host from a Linux or Windows host on my network:
My RB5009 starts sending neighbor solicitations looking for the DNS server every time the host sends a ping. It gets no replies. The neighbor solicitations are sent to ff02::1:ff00:1, a solicited multicast address.

Pinging an Internet host from the RB5009:
Ping works. My RB5009 sends an ICMPv6 echo request to the MAC address of one of the fe80::dead:beef routers bound for 2001:558:feed::1 and gets a reply from the DNS server through a different MAC address, which Wireshark thinks is some sort of Juniper device.

Pinging an Internet host from the RB5009 and a host at the same time:
Both pings work. It looks the same as just pinging from the router, except of course half the pings and replies are from & to the host.
 
tangent
Member
Member
Posts: 465
Joined: Thu Jul 01, 2021 3:15 pm

Re: ipv6 only works when pinging from the router

Sat May 14, 2022 8:31 am

machines on the LAN side get their addresses through SLAAC, etc.

Can I correctly infer that Comcast is giving you a /64 and you're wanting to distribute that internally, so each internal host has a public IPv6 address? I see no IPv6 NAT configured. Is that intended?

When the ping isn't running on the router I get Address Unreachable errors from the router.

Does adding a rule like this up near the matching one on the "input" chain help?

/ipv6 firewall filter
add action=accept chain=forward protocol=icmpv6

Without that, I don't see how ping is supposed to work at all, unless it falls into the "connection-state=untracked" bucket.

And if that's the case, then why is there a "chain=input protocol=icmpv6" defconf rule? Surely that tells us we need one in the forward chain as well.

The only icmpv6 traffic is link local stuff, mostly multicast.

That's expected. Where IPv4 did stuff with broadcast, IPv6 tends to achieve the same function with multicast instead.

…back when ipv6 was working

Do you have a configuration backup from that time? Can you diff it and ensure that nothing relevant has changed? Simply upgrading RouterOS can cause this sort of regression, especially in v7 where things are still stabilizing. Downgrading without restoring from a backup will perpetuate that regression.

If you have no version-tracked backups, may I suggest Yet Another Backup Script?

/interface wireless security-profiles

You might want to nix junk like this, to keep your configuration minimal. An RB5009 has no wireless, so you don't need a supplicant identity. You also don't need the CAPsMAN defconf firewall rule.

Also nix the OpenVPN and IPsec stuff you aren't using. Once you have version-tracked backups working, you can easily put these rules back in if you later become a masochist and decide to use these VPN technologies instead of taking the sane path and setting up WireGuard instead. 😉

prefix-hint=::/61

That seems unlikely. The most common IPv6 prefix for residential customers is /64. Why would they be giving you 8× more than 2⁶⁴ addresses inside a single residence, being stupendously in excess to requirements already?

add address=fec0::/10 list=bad_ipv6

Check your client IPs to make sure you aren't falling into this rule.

And if it were me, I'd rename that address list to something like "unroutable6". Those IPs aren't "bad," just incorrect to route to the Internet. Some are fine on the LAN, and others you just aren't likely to be participating in, such as the obsolete 6bone.

/tool mac-server set allowed-interface-list=LAN

Since you speak of a "management port", shouldn't you restrict that service to that port alone?

Counterargument: You may not be ready for the possibility that you may yourself out of the management interface. Until then, leaving things open adds a measure of comfort, at the expense of safety.

/tool mac-server mac-winbox set allowed-interface-list=LAN

This is partially-redundant with respect to the prior item.

8 routers with fe80::dead:beef:X:1 link local addresses send router advertisements.

First, 8 "routers" in a residence?

Second, without NAT, those won't route out to the Internet. Shouldn't those routers be getting addresses from the public address pool Comcast gave you?
 
zandor
just joined
Topic Author
Posts: 11
Joined: Sat Feb 05, 2022 8:37 am

Re: ipv6 only works when pinging from the router

Sat May 14, 2022 10:30 am

Can I correctly infer that Comcast is giving you a /64 and you're wanting to distribute that internally, so each internal host has a public IPv6 address? I see no IPv6 NAT configured. Is that intended?
I can get a /64. I tried that. It didn't help. Exact same behavior. They'll also give me a /61, /62 or /63 if I hint for it. No change. I might be able to get a /60, but haven't tried. With just one subnet configured while requesting and getting a /61 the RB5009 assigns the single subnet a /64 as you would expect and the other 7 /64s sit unused.
Does adding a rule like this up near the matching one on the "input" chain help?
/ipv6 firewall filter
add action=accept chain=forward protocol=icmpv6
It's already there, included in the default firewall.
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
The only change I've made to the default firewall was to allow DHCPv6 from any address instead of only link local addresses. My Comcast DHCPv6 server sends from 2001:558:4040:4e::10, which isn't even on the same /64 as my router. And yes, there is some stuff I don't need in the default firewall config, mostly related to VPNs.
…back when ipv6 was working
Do you have a configuration backup from that time? Can you diff it and ensure that nothing relevant has changed? Simply upgrading RouterOS can cause this sort of regression, especially in v7 where things are still stabilizing. Downgrading without restoring from a backup will perpetuate that regression.
Yes. I saved a backup from 7.1.3 before upgrading to 7.2.3 and restored it on 7.1.3 when I tried the downgrade. Same behavior.
add address=fec0::/10 list=bad_ipv6
Check your client IPs to make sure you aren't falling into this rule.
Client IPs start with 2601: except for link local addresses of course.
Since you speak of a "management port", shouldn't you restrict that service to that port alone?

Counterargument: You may not be ready for the possibility that you may yourself out of the management interface. Until then, leaving things open adds a measure of comfort, at the expense of safety.
The latter is what it's for. It's more of an emergency management port. My intention is to allow management from a VLAN that only a couple desktops and my file server can access (so no access from WiFi, phones, etc.) and leave ether8 as an "oops, I messed up" backup port, but I ripped out the VLANs while debugging.. partly to avoid people on here wasting time looking at, thinking about and commenting on my VLAN & subnet config. Normally nothing will be plugged into ether8.
8 routers with fe80::dead:beef:X:1 link local addresses send router advertisements.
First, 8 "routers" in a residence?
The 8 dead:beef routers belong to Comcast. Sorry if that wasn't clear. I hope you didn't write the rest of your post thinking I had 8 routers running and pointed at one cable modem! I only have one, the aforementioned RB5009.
 
tangent
Member
Member
Posts: 465
Joined: Thu Jul 01, 2021 3:15 pm

Re: ipv6 only works when pinging from the router

Sat May 14, 2022 10:34 am

I thought you might’ve had some kind of home lab thing going on there.

As for the rest, I got nothin.
 
tdw
Forum Guru
Forum Guru
Posts: 1346
Joined: Sat May 05, 2018 11:55 am

Re: ipv6 only works when pinging from the router  [SOLVED]

Sat May 14, 2022 11:37 pm

What are you expecting
/ipv6 route
add disabled=no dst-address=::/0 gateway=ether1
to do? Using gateway=someinterface is only valid for point-to-point media, so not ethernet.

The gateway will be learnt from the upstream RAs due to accept-router-advertisements=yes, although this was broken in 7.1.x, and annoyingly is not displayed anywhere in RouterOS.
 
zandor
just joined
Topic Author
Posts: 11
Joined: Sat Feb 05, 2022 8:37 am

Re: ipv6 only works when pinging from the router

Tue May 17, 2022 3:44 am

Removing the default route did it! IPv6 is working now. Thank you for helping yet another newbie with their first RouterOS device. :)

7.1.x is bugged and doesn't learn the gateway from RAs? Now I'm wondering how on earth I had IPv6 working on 7.1.3, though I do have a theory. I went through a "Comcast adventure" between the last time I know IPv6 was working and reading your post and getting it working again. Service outage, cable modem/router replacement, billing got all messed up and my service plan got reverted to sometime in 2017 when I replaced the old WiFi router with a new modem. I suspect it was changing my old Arris WiFi router for a new Netgear CM2050V modem that did it. Some Googling around did not turn up anything specific to the Arris cable WiFi router that worked in bridge mode with that setup, but you can find plenty of other examples of broken and non-standard behavior from cable modems and routers. The closest one I've seen was a Comcast business user with a Cisco WiFi router that demanded neighbor solicitation replies from any address on the LAN before routing packets downstream. https://forums.businesshelp.comcast.com ... 08cd9aba6d It's not the same thing (kind of the reverse actually), but I'm thinking the reason that setup worked on 7.1.3 is maybe my previous Arris router responded to neighbor solicitations for anything on the Internet and just blindly forwarded the packets. The new Netgear CM2050V modem doesn't. I could plug the Arris back in, downgrade to 7.1.3, and test it, but I'm a little afraid to do so as swapping in my old modem and then swapping back might result in another "Comcast adventure".

As far as what I thought setting the gateway to ::/0 to ether1 would do, I figured maybe it would tell the router to go listen for RAs on ether1 but honestly I was just stabbing around in the dark when I tried that. And then it started working on 7.1.3.

Who is online

Users browsing this forum: Baidu [Spider], Bing [Bot], Semrush [Bot] and 11 guests