
CHR RouterOS 7.14.3 IPv6 problems

Posted: Tue May 14, 2024 9:08 pm
by antipope
Having IPv6 problems with a CHR RouterOS, 7.14.3 on a virtual host at Hetzner. IPv6 configs (IPIPv6 on top of wireguard tunnels) that work on several physical routers fail on the CHR.

Even pinging lo fails, which works on all physical routers:
[admin@foo-gw] > /ping ::1 count=2
Columns: SEQ, STATUS
SEQ  STATUS
  0  packet rejected
  1  packet rejected

Settings:
[admin@foo-gw] > /ipv6/settings/print
                  disable-ipv6: no
                       forward: yes
              accept-redirects: yes-if-forwarding-disabled
  accept-router-advertisements: yes
          max-neighbor-entries: 16384

Any ideas what exactly is failing if /ping ::1 does not work?

Re: CHR RouterOS 7.14.3 IPv6 problems

Posted: Wed May 15, 2024 3:44 am
by martinclaro
Check your firewall rules, you may be blocking access to the loopback interface (it’s now a separate interface).

Re: CHR RouterOS 7.14.3 IPv6 problems

Posted: Wed May 15, 2024 8:34 am
by antipope
> Check your firewall rules, you may be blocking access to the loopback interface (it’s now a separate interface).

Firewall entries are ok, ICMPv6 input accept is the first entry in IPv6 firewall filter rules. There is also a logging entry for outbound ICMPv6. Interestingly, the only IPv6 firewall counters that increase are for the packets that are arriving from a Wireguard tunnel smuggled inside IPv4 as protocol 41 packets, since the WG tunnel endpoints are IPv4.

Q: Is there such a thing as "interface IPv6 capability" on a virtual machine the CHR becomes aware of and simply refuses to process IPv6 packets?

Re: CHR RouterOS 7.14.3 IPv6 problems

Posted: Wed May 15, 2024 2:33 pm
by martinclaro
Please do the following to make sure:
/ipv6/firewall/filter add action=accept chain=input dst-address=::1 place-before=0
And try again. I had a similar issue and that was how I realized it was the firewall.

Re: CHR RouterOS 7.14.3 IPv6 problems

Posted: Wed May 15, 2024 5:08 pm
by antipope
> Please do the following to make sure:
> /ipv6/firewall/filter add action=accept chain=input dst-address=::1 place-before=0
> And try again. I had a similar issue and that was how I realized it was the firewall.

Tried, not helping. Tried also removing all entries from firewall. Will spawn up another virtual server to see if the problem can be reproduced.

Re: CHR RouterOS 7.14.3 IPv6 problems  [SOLVED]

Posted: Thu May 16, 2024 11:18 pm
by antipope
Solved. Stupid user error as usual. Some forgotten obscure pre-wireguard era IPSec test years ago, not relevant until now when IPv6 was deployed:
/ip/ipsec/policy/print
...
1 android-ikev2-peer yes ::/0 ::/0 all encrypt unique 0

Lesson learned: always check firewall rules and IPSec policies. Thanks to kind souls trying to help.
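
A check for the root cause found in this thread, as an added example that is not part of the original posts: it scans an IPsec policy export for enabled policies whose source and destination selectors are both /0, like the `::/0 ::/0` entry above. The export text is constructed and assumed to have the shape of `/ip/ipsec/policy/export verbose`; the function names are hypothetical.

```python
import ipaddress
import shlex

# Constructed sample, assumed to have the shape of `/ip/ipsec/policy/export verbose`:
# a section header, then `add key=value ...` lines with backslash continuations.
SAMPLE_EXPORT = r"""
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.20.0.0/24 level=require \
    peer=branch-office protocol=all src-address=10.10.0.0/24 tunnel=yes
add action=encrypt disabled=no dst-address=::/0 level=unique \
    peer=android-ikev2-peer protocol=all src-address=::/0 tunnel=yes
add action=none disabled=no dst-address=::/0 protocol=all src-address=::/0
add action=encrypt disabled=yes dst-address=0.0.0.0/0 level=require \
    peer=old-test protocol=all src-address=0.0.0.0/0 tunnel=yes
"""

def parse_policies(export_text):
    """Return one dict of properties per `add` line of the ipsec policy section."""
    policies, in_section = [], False
    for line in export_text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = line == "/ip ipsec policy"
        elif in_section and line.startswith("add "):
            tokens = shlex.split(line[4:])
            policies.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return policies

def is_catch_all(selector):
    """True when the selector is a /0 prefix, i.e. it matches every address."""
    try:
        return ipaddress.ip_network(selector, strict=False).prefixlen == 0
    except ValueError:  # missing or unparsable selector: not flagged
        return False

def find_catch_all_policies(export_text):
    """Enabled, non-template policies that are not action=none and cover a whole family."""
    return [
        p for p in parse_policies(export_text)
        if p.get("disabled") != "yes"
        and p.get("template") != "yes"
        and p.get("action") != "none"
        and is_catch_all(p.get("src-address", ""))
        and is_catch_all(p.get("dst-address", ""))
    ]

if __name__ == "__main__":
    for policy in find_catch_all_policies(SAMPLE_EXPORT):
        print("catch-all IPsec policy:", policy.get("peer"),
              policy["src-address"], "->", policy["dst-address"])
```

Disabled entries and `action=none` entries are skipped, so only policies that would actually capture traffic are reported.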