I've got issues I'm unable to pinpoint and diagnose with my RB3011 running latest stable (7.6 routerOS), together with tunnelbroker HE tunnel
Machines on my LAN can't ping some IPv6 sites with "no route to host" or dropping connection to them, list of "working ones" is changing pretty randomly, but routerOS itself can ping all of them fine. various ipv6 tests online works or yells about "allowing big packets ICMPv6" ( which is allowed if I'm not mistaking ).
Second weirdness is, my LAN machines recieves IPv6 adresses I wouldn't expect ( mikrotik LAN interface got "2001:470:xxx:yy:/64 for example, and all of my LAN machines recieves 2001:470:xxx:yyy:6ed::/64 ).Danger! IPv6 sorta works - however, large packets appear to fail, giving the appearance of a broken website. If a publisher publishes to IPv6, you will believe their web site to be broken. Ask your ISP about MTU issues; possibly with your tunnel. Check your firewall to make sure that ICMPv6 messages are allowed (in particular, Type 2 or Packet Too Big).
It's my first week with Mikrotik and one month with IPv6, so I'm still learning, but I think, all my issues are related with ND service. ( but IPv6 tunnel worked well when I was using OPNsense VM, so I guess it's not ISP fault )
I've tried to add ipv6 firewall mangle rule for solving issues with MTU, but didn't helped.
While I'm writing this essay, 2001:7b8:3:32:213:13622 is pingable from routerOS, but my LAN machine gives me no route to host.
If there's someone willing to kick my butt to making me solve it, I'll be very glad.Attaching configs
Here goes my MT /ipv6/ export
Code: Select all
# nov/16/2022 21:25:57 by RouterOS 7.6
# software id = QW##-JT1H
#
# model = RB3011UiAS
# serial number = HD70###GBAQ
/ipv6 address
add address=2001:470:6e:da::2 advertise=no interface=sit1
add address=2001:470:58e4:a:: interface=bridge
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::/128 comment="Wrong IPv6: unspecified address" list="Bad IPv6"
add address=::1/128 comment="Wrong IPv6: lo" list="Bad IPv6"
add address=fec0::/10 comment="Wrong IPv6: site-local" list="Bad IPv6"
add address=::ffff:0.0.0.0/96 comment="Wrong IPv6: ipv4-mapped" list=\
"Bad IPv6"
add address=::/96 comment="Wrong IPv6: ipv4 compat" list="Bad IPv6"
add address=100::/64 comment="Wrong IPv6: discard only " list="Bad IPv6"
add address=2001:db8::/32 comment="Wrong IPv6: documentation" list="Bad IPv6"
add address=2001:10::/28 comment="Wrong IPv6: ORCHID" list="Bad IPv6"
add address=3ffe::/16 comment="Wrong IPv6: 6bone" list="Bad IPv6"
add address=::224.0.0.0/100 comment="Wrong IPv6: other" list="Bad IPv6"
add address=::127.0.0.0/104 comment="Wrong IPv6: other" list="Bad IPv6"
add address=::/104 comment="Wrong IPv6: other" list="Bad IPv6"
add address=::255.0.0.0/104 comment="Wrong IPv6: other" list="Bad IPv6"
/ipv6 firewall filter
add action=accept chain=output comment="Accept all out of MikroTik"
add action=jump chain=forward comment="jump to kid-control rules" \
jump-target=kid-control
add action=drop chain=forward comment="IPv6 block of bad IPs - destination" \
dst-address-list="Bad IPv6" out-interface=sit1
add action=drop chain=forward comment="IPv6 block of bad IPs - source" \
out-interface=sit1 src-address-list="Bad IPv6"
add action=drop chain=forward comment="IPv6 block of streaming sites" \
dst-address-list="IPv6 Block" out-interface=sit1
add action=drop chain=forward comment="RFC4890 drop hop-limit=1" hop-limit=\
equal:1 protocol=icmpv6
add action=drop chain=forward comment="Drop (invalid)" connection-state=\
invalid
add action=accept chain=forward comment=\
"Accept (established, related, untracked)" connection-state=\
established,related,untracked
add action=accept chain=forward comment="Accept new" connection-state=new \
in-interface=!sit1
add action=accept chain=forward comment="Accept internal" in-interface=!sit1
add action=accept chain=forward comment="Accept outgoing" out-interface=sit1
add action=accept chain=forward comment=\
"Accept external ICMP (20/sec) to LAN" in-interface=sit1 limit=\
20,50:packet protocol=icmpv6
add action=drop chain=forward comment="Drop external ICMP (>20/sec) to LAN" \
in-interface=sit1 protocol=icmpv6
add action=accept chain=forward comment="Accept HIP" protocol=139
add action=accept chain=forward comment="Accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=forward comment="Accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="Accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment=\
"Accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"Drop everything else not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="Drop external" in-interface=sit1
add action=reject chain=forward comment="Reject everything else" reject-with=\
icmp-no-route
add action=drop chain=input comment="Drop (invalid)" connection-state=invalid
add action=accept chain=input comment="Accept new" connection-state=new \
in-interface=!sit1
add action=accept chain=input comment="Accept internal ICMP" in-interface=\
!sit1 protocol=icmpv6
add action=accept chain=input comment=\
"Accept external ICMP (10/sec) to Mikrotik" in-interface=sit1 limit=\
10,20:packet protocol=icmpv6
add action=drop chain=input comment=\
"Drop external ICMP (>10/sec) to MikroTik" in-interface=sit1 protocol=\
icmpv6
add action=accept chain=input comment="Accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment="Accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="Accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="Accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="Accept all that matches ipsec policy" \
ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"Drop everything else not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="Drop external" in-interface=sit1
add action=reject chain=input comment="Reject everything else" reject-with=\
icmp-no-route
/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
protocol=tcp tcp-flags=syn
/ipv6 nd
set [ find default=yes ] hop-limit=64 interface=bridge mtu=1280 \
other-configuration=yes
/ipv6 nd prefix default
set preferred-lifetime=1h valid-lifetime=1h
/ipv6 route
add disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:6e:da::1 \
routing-table=main scope=30 target-scope=10
/ipv6 settings
set accept-router-advertisements=yes max-neighbor-entries=8192
Code: Select all
7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 04:d3:b0:2e:b3:e1 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.174/23 brd 10.0.1.255 scope global dynamic noprefixroute wlan0
valid_lft 5282sec preferred_lft 5282sec
inet 10.0.0.24/23 metric 1024 brd 10.0.1.255 scope global secondary dynamic wlan0
valid_lft 5283sec preferred_lft 5283sec
inet6 2001:470:58e4:a:d:8828:58f1:3ccf/128 scope global dynamic noprefixroute
valid_lft 5284sec preferred_lft 2584sec
inet6 2001:470:58e4:a:d26a:c503:c0cc:31a1/64 scope global dynamic noprefixroute
valid_lft 7112sec preferred_lft 3512sec
inet6 2001:470:58e4:a:6d3:b0ff:fe2e:b3e1/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 3511sec preferred_lft 3511sec
inet6 fe80::5822:d23b:64f2:c7a6/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Code: Select all
::1 dev lo proto kernel metric 256 pref medium
2001:470:58e4:a:d:8828:58f1:3ccf dev wlan0 proto kernel metric 600 pref medium
2001:470:58e4:a::/64 dev wlan0 proto ra metric 600 pref medium
2001:470:58e4:a::/64 dev wlan0 proto ra metric 1024 expires 3452sec pref medium
fe80::/64 dev vmnet1 proto kernel metric 256 pref medium
fe80::/64 dev vmnet8 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 1024 pref medium
default proto ra metric 600 pref medium
nexthop via fe80::70e7:d5ff:fe63:73a6 dev wlan0 weight 1
nexthop via fe80::1afd:74ff:febf:1048 dev wlan0 weight 1
default proto ra metric 1024 expires 1568sec mtu 1500 pref medium
nexthop via fe80::70e7:d5ff:fe63:73a6 dev wlan0 weight 1
nexthop via fe80::1afd:74ff:febf:1048 dev wlan0 weight 1