phobeus
just joined
Topic Author
Posts: 3
Joined: Mon Nov 14, 2022 11:35 pm

[SOLVED] Mikrotik + IPv6 tunnel weird behaviour

Wed Nov 16, 2022 11:46 pm

Greetings everyone.

I've got issues I'm unable to pinpoint and diagnose with my RB3011 running the latest stable (RouterOS 7.6), together with a tunnelbroker HE tunnel.

Machines on my LAN can't ping some IPv6 sites ("no route to host") or drop the connection to them; the list of "working ones" changes pretty randomly, but RouterOS itself can ping all of them fine. Various online IPv6 tests work or complain about "allowing big packets ICMPv6" (which is allowed, if I'm not mistaken):
Danger! IPv6 sorta works - however, large packets appear to fail, giving the appearance of a broken website. If a publisher publishes to IPv6, you will believe their web site to be broken. Ask your ISP about MTU issues; possibly with your tunnel. Check your firewall to make sure that ICMPv6 messages are allowed (in particular, Type 2 or Packet Too Big).
The second weirdness is that my LAN machines receive IPv6 addresses I wouldn't expect (the MikroTik LAN interface got 2001:470:xxx:yy:a::/64, for example, and all of my LAN machines receive 2001:470:xxx:yyy:6e:a:d::/64).

It's my first week with MikroTik and one month with IPv6, so I'm still learning, but I think all my issues are related to the ND service (but the IPv6 tunnel worked well when I was using an OPNsense VM, so I guess it's not the ISP's fault).

I've tried to add an IPv6 firewall mangle rule to solve the MTU issues, but it didn't help.

While I'm writing this essay, 2001:7b8:3:32:213:136:1280:22 is pingable from RouterOS, but my LAN machine gives me "no route to host".

If there's someone willing to kick my butt into making me solve it, I'll be very glad. Attaching configs.

Here goes my MT /ipv6/ export:
# nov/16/2022 21:25:57 by RouterOS 7.6
# software id = QW##-JT1H
#
# model = RB3011UiAS
# serial number = HD70###GBAQ
/ipv6 address
add address=2001:470:6e:da::2 advertise=no interface=sit1
add address=2001:470:58e4:a:: interface=bridge
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::/128 comment="Wrong IPv6: unspecified address" list="Bad IPv6"
add address=::1/128 comment="Wrong IPv6: lo" list="Bad IPv6"
add address=fec0::/10 comment="Wrong IPv6: site-local" list="Bad IPv6"
add address=::ffff:0.0.0.0/96 comment="Wrong IPv6: ipv4-mapped" list=\
    "Bad IPv6"
add address=::/96 comment="Wrong IPv6: ipv4 compat" list="Bad IPv6"
add address=100::/64 comment="Wrong IPv6: discard only " list="Bad IPv6"
add address=2001:db8::/32 comment="Wrong IPv6: documentation" list="Bad IPv6"
add address=2001:10::/28 comment="Wrong IPv6: ORCHID" list="Bad IPv6"
add address=3ffe::/16 comment="Wrong IPv6: 6bone" list="Bad IPv6"
add address=::224.0.0.0/100 comment="Wrong IPv6: other" list="Bad IPv6"
add address=::127.0.0.0/104 comment="Wrong IPv6: other" list="Bad IPv6"
add address=::/104 comment="Wrong IPv6: other" list="Bad IPv6"
add address=::255.0.0.0/104 comment="Wrong IPv6: other" list="Bad IPv6"
/ipv6 firewall filter
add action=accept chain=output comment="Accept all out of MikroTik"
add action=jump chain=forward comment="jump to kid-control rules" \
    jump-target=kid-control
add action=drop chain=forward comment="IPv6 block of bad IPs - destination" \
    dst-address-list="Bad IPv6" out-interface=sit1
add action=drop chain=forward comment="IPv6 block of bad IPs - source" \
    out-interface=sit1 src-address-list="Bad IPv6"
add action=drop chain=forward comment="IPv6 block of streaming sites" \
    dst-address-list="IPv6 Block" out-interface=sit1
add action=drop chain=forward comment="RFC4890 drop hop-limit=1" hop-limit=\
    equal:1 protocol=icmpv6
add action=drop chain=forward comment="Drop (invalid)" connection-state=\
    invalid
add action=accept chain=forward comment=\
    "Accept (established, related, untracked)" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Accept new" connection-state=new \
    in-interface=!sit1
add action=accept chain=forward comment="Accept internal" in-interface=!sit1
add action=accept chain=forward comment="Accept outgoing" out-interface=sit1
add action=accept chain=forward comment=\
    "Accept external ICMP (20/sec) to LAN" in-interface=sit1 limit=\
    20,50:packet protocol=icmpv6
add action=drop chain=forward comment="Drop external ICMP (>20/sec) to LAN" \
    in-interface=sit1 protocol=icmpv6
add action=accept chain=forward comment="Accept HIP" protocol=139
add action=accept chain=forward comment="Accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="Accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="Accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment=\
    "Accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "Drop everything else not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="Drop external" in-interface=sit1
add action=reject chain=forward comment="Reject everything else" reject-with=\
    icmp-no-route
add action=drop chain=input comment="Drop (invalid)" connection-state=invalid
add action=accept chain=input comment="Accept new" connection-state=new \
    in-interface=!sit1
add action=accept chain=input comment="Accept internal ICMP" in-interface=\
    !sit1 protocol=icmpv6
add action=accept chain=input comment=\
    "Accept external ICMP (10/sec) to Mikrotik" in-interface=sit1 limit=\
    10,20:packet protocol=icmpv6
add action=drop chain=input comment=\
    "Drop external ICMP (>10/sec) to MikroTik" in-interface=sit1 protocol=\
    icmpv6
add action=accept chain=input comment="Accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment="Accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="Accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="Accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="Accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "Drop everything else not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="Drop external" in-interface=sit1
add action=reject chain=input comment="Reject everything else" reject-with=\
    icmp-no-route
/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
/ipv6 nd
set [ find default=yes ] hop-limit=64 interface=bridge mtu=1280 \
    other-configuration=yes
/ipv6 nd prefix default
set preferred-lifetime=1h valid-lifetime=1h
/ipv6 route
add disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:6e:da::1 \
    routing-table=main scope=30 target-scope=10
/ipv6 settings
set accept-router-advertisements=yes max-neighbor-entries=8192
ip a l output:
7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 04:d3:b0:2e:b3:e1 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.174/23 brd 10.0.1.255 scope global dynamic noprefixroute wlan0
       valid_lft 5282sec preferred_lft 5282sec
    inet 10.0.0.24/23 metric 1024 brd 10.0.1.255 scope global secondary dynamic wlan0
       valid_lft 5283sec preferred_lft 5283sec
    inet6 2001:470:58e4:a:d:8828:58f1:3ccf/128 scope global dynamic noprefixroute 
       valid_lft 5284sec preferred_lft 2584sec
    inet6 2001:470:58e4:a:d26a:c503:c0cc:31a1/64 scope global dynamic noprefixroute 
       valid_lft 7112sec preferred_lft 3512sec
    inet6 2001:470:58e4:a:6d3:b0ff:fe2e:b3e1/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 3511sec preferred_lft 3511sec
    inet6 fe80::5822:d23b:64f2:c7a6/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
ip -6 route output:
::1 dev lo proto kernel metric 256 pref medium
2001:470:58e4:a:d:8828:58f1:3ccf dev wlan0 proto kernel metric 600 pref medium
2001:470:58e4:a::/64 dev wlan0 proto ra metric 600 pref medium
2001:470:58e4:a::/64 dev wlan0 proto ra metric 1024 expires 3452sec pref medium
fe80::/64 dev vmnet1 proto kernel metric 256 pref medium
fe80::/64 dev vmnet8 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 1024 pref medium
default proto ra metric 600 pref medium
        nexthop via fe80::70e7:d5ff:fe63:73a6 dev wlan0 weight 1 
        nexthop via fe80::1afd:74ff:febf:1048 dev wlan0 weight 1 
default proto ra metric 1024 expires 1568sec mtu 1500 pref medium
        nexthop via fe80::70e7:d5ff:fe63:73a6 dev wlan0 weight 1 
        nexthop via fe80::1afd:74ff:febf:1048 dev wlan0 weight 1
 
phobeus
just joined
Topic Author
Posts: 3
Joined: Mon Nov 14, 2022 11:35 pm

Re: [SOLVED] Mikrotik + IPv6 tunnel weird behaviour

Thu Nov 17, 2022 12:23 am

I'd like to announce that it's solved, and it was all my fault. There was an autostarted OPNsense running on one of my VM hosts, having conflicting IP addresses, but it didn't have a WAN attached to it.
Steps which helped me diagnose it:
linux@box$ rdisc6 wlan0
showed me two RA services on my network, and with the help of the troublemaker's MAC address and Winbox I was able to pinpoint it.
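As an added example (not code from the thread), the check below parses rdisc6 output the way the diagnosis above did and flags a second advertising router, a prefix other than the expected LAN /64, and an RA MTU that differs from the 1280 configured under /ipv6/nd. The sample output, its link-local addresses and MACs are constructed.

```python
import ipaddress

# Constructed sample in rdisc6's layout (addresses and MACs are made up). First RA: the
# intended MikroTik (MTU 1280 as under /ipv6/nd); second: a forgotten router VM, MTU 1500.
SAMPLE_RDISC6 = """\
Soliciting ff02::2 (ff02::2) on wlan0...

 Prefix                   : 2001:470:58e4:a::/64
 MTU                      :         1280 bytes (valid)
 Source link-layer address: 18:FD:74:BF:10:48
 from fe80::1afd:74ff:febf:1048

 Prefix                   : 2001:470:58e4:6e::/64
 MTU                      :         1500 bytes (valid)
 Source link-layer address: 72:E7:D5:63:73:A6
 from fe80::70e7:d5ff:fe63:73a6
"""

def parse_rdisc6(text):
    """Split rdisc6 output into one dict per router advertisement."""
    ras, cur = [], {"prefixes": []}
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Prefix"):
            cur["prefixes"].append(ipaddress.ip_network(s.split(":", 1)[1].strip()))
        elif s.startswith("MTU"):
            cur["mtu"] = int(s.split(":", 1)[1].split()[0])
        elif s.startswith("Source link-layer address"):
            cur["mac"] = s.split(":", 1)[1].strip().lower()
        elif s.startswith("from "):  # rdisc6 ends each RA block with its sender
            cur["router"] = ipaddress.ip_address(s.split()[1])
            ras.append(cur)
            cur = {"prefixes": []}
    return ras

def audit_ras(ras, expected_prefix, expected_mtu, trusted_mac):
    """Flag extra routers, untrusted senders, foreign prefixes and MTU mismatches."""
    expected, findings = ipaddress.ip_network(expected_prefix), []
    if len({ra["router"] for ra in ras}) > 1:
        findings.append("multiple routers advertising on this link")
    for ra in ras:
        if ra.get("mac") != trusted_mac.lower():
            findings.append(f"RA from untrusted router {ra['router']} ({ra.get('mac')})")
        for p in ra["prefixes"]:
            if p != expected:
                findings.append(f"unexpected prefix {p} from {ra['router']}")
        if ra.get("mtu") not in (None, expected_mtu):
            findings.append(f"MTU {ra['mtu']} from {ra['router']} differs from expected {expected_mtu}")
    return findings
```

On a real LAN, feed the output of `rdisc6 wlan0` (from the ndisc6 package) to parse_rdisc6 instead of the sample, with the MikroTik bridge's MAC as trusted_mac.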
 
accarda
Member Candidate
Posts: 208
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: [SOLVED] Mikrotik + IPv6 tunnel weird behaviour

Thu Nov 17, 2022 1:58 pm

Hi,
I would check the prefix that you have assigned to your LAN, though.
From your config there is 2001:470:58e4:a::, but then in your post you mentioned that 2001:7b8:3:32:213:136:1280:22 is pingable, but that /64 does not match the address on your bridge.
Actually I'm using HE too, but you have to assign IPs to your LAN; I don't see them provided by them, and as long as the first 64 bits are based on your assignment then you should be ok.

Armando
 
phobeus
just joined
Topic Author
Posts: 3
Joined: Mon Nov 14, 2022 11:35 pm

Re: [SOLVED] Mikrotik + IPv6 tunnel weird behaviour

Thu Nov 17, 2022 5:25 pm

Thanks for replying, but it was solved yesterday already; the cause of the problems and how I diagnosed it was posted over here, but because I'm new in this forum it's waiting for mod approval. The root cause was a running OPNsense VM, which I forgot about. It had the same IPs defined, making a conflict in the network. Everything is running butter-smooth right now.
I'd like to announce that it's solved, and it was all my fault. There was an autostarted OPNsense running on one of my VM hosts, having conflicting IP addresses, but it didn't have a WAN attached to it.
Steps which helped me diagnose it:
linux@box$ rdisc6 wlan0
showed me two RA services on my network, and with the help of the troublemaker's MAC address and Winbox I was able to pinpoint it.
 
accarda
Member Candidate
Posts: 208
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: [SOLVED] Mikrotik + IPv6 tunnel weird behaviour

Thu Nov 17, 2022 6:52 pm

OK, good to hear that.
Enjoy the IPv6 stuff, I also started mine recently.
