pod32
just joined
Topic Author
Posts: 1
Joined: Tue Nov 29, 2022 2:05 pm

IPv6 ok, but no v4 link

Tue Nov 29, 2022 2:10 pm

Hi Forum,

I have managed to get an IPv6 connection with a /56 prefix. The connection is working fine. However, with legacy v4 using srcnat masquerading, I cannot reach v4-only sites on the WAN.
I have a Vigor 167 in front of my MT and the Vigor is doing VLAN7 tagging to be able to do pppoe via MT (Deutsche Telekom).
Please find below my current (minimal) config:

[admin@MikroTik] /ip/firewall/filter> /export hide-sensitive 
# nov/29/2022 13:03:06 by RouterOS 7.7beta8
# software id = FTRU-GQLV
#
# model = CRS328-24P-4S+
# serial number = XXXXXXXX
/interface bridge
add admin-mac=18:FD:74:98:E9:2D auto-mac=no comment=defconf name=bridge
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool1 ranges=192.168.42.20-192.168.42.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge name=dhcp1
/port
set 0 name=serial0
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=ether1 name=pppoe-out1 profile=\
    default-encryption use-peer-dns=yes user=0021772367855511360109900001@t-online.de
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
/interface bridge settings
set use-ip-firewall-for-pppoe=yes
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.42.1/24 interface=bridge network=192.168.42.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.42.0/24 gateway=192.168.42.1 netmask=24
/ip firewall filter
add chain=input comment="Accept established and related packets" connection-state=established,related
add action=accept chain=input comment="Accept all connections from local network" in-interface-list=LAN
add action=accept chain=forward connection-nat-state=dstnat connection-state=established,related \
    in-interface-list=WAN
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=Invalid-
add action=drop chain=output comment="drop invalid" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat dst-address=!192.168.42.0/24 out-interface-list=WAN src-address=\
    192.168.42.0/24 to-addresses=0.0.0.0/0
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ipv6 address
add from-pool=telekom-pool interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=telekom-pool pool-prefix-length=56 request=prefix
/system clock
set time-zone-name=Europe/Berlin
/system routerboard settings
set boot-os=router-os

I suspect the firewall filters for v4 are the issue, but I am not entirely sure...

Thanks and BR
Patrick
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPv6 ok, but no v4 link

Tue Nov 29, 2022 6:48 pm

Nothing in firewall for chain=forward (which would protect your LAN). Just saying.

As to IPv4 NAT: the correct SRC-NAT configuration would be:

add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN

Don't overload it with meaningless properties or with properties that are not necessary.

And get rid of that "use-ip-firewall-for-pppoe" setting; PPPoE traffic is not passing the bridge in your setup. And the firewall will do its job because your device is doing routing between PPPoE and LAN.

BTW, CRS is a switch that can route. It can offload some routing to hardware, but AFAIK it can't do PPPoE in hardware. So don't expect it to go supersonic; its CPU is relatively slow.
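Below is a minimal IPv4 firewall that follows mkx's advice, written here as an added example; it is not something posted in the thread. It disables the bridge setting, replaces the posted srcnat rule with the one mkx quotes, and gives the forward chain the RouterOS default-configuration (defconf) rules that drop new connections arriving from WAN unless a dst-nat rule created them. The input chain in the posted export also ends without a drop rule, and RouterOS accepts any packet that no rule matches, so the defconf input rules are included as well. The interface list names WAN and LAN come from the export; the rule set is the stock defconf one and assumes no dst-nat (port-forwarding) rules exist yet.

```routeros
# Added example: IPv4 firewall for the posted setup (not from the thread).
# Assumes interface lists WAN (pppoe-out1) and LAN (bridge) as in the export.

# pppoe-out1 is routed, not bridged, so this setting does nothing useful here
/interface bridge settings
set use-ip-firewall-for-pppoe=no

/ip firewall filter
# --- input: traffic addressed to the router itself ---
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# everything else to the router must originate on the LAN side
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN

# --- forward: traffic routed between LAN and WAN ---
add action=accept chain=forward comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# new connections from WAN are allowed only when a dstnat rule created them
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

# --- srcnat: the rule mkx quotes; no dst-address, src-address or to-addresses ---
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
```

Filter rules are evaluated in order, so these are meant to replace the posted /ip firewall filter and /ip firewall nat rules rather than be appended after them; apply them from a LAN-side session, since the final input rule drops management traffic arriving on WAN. The export also contains no /ipv6 firewall filter section at all; the same accept-established-then-drop pattern applies there and is outside this example.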
