IPv6 issues: v6 only for a few address blocks, v4 otherwise

evergreen · Wed Nov 29, 2023 7:10 am

Hi, trying to get ipv6 working at home with mixed results.

IPv6 access seems to mess up my web browsing and apps, but I need to connect to prefixes on three ASs that are ipv6.

I’m stumped trying to expose three ipv6 prefixes to a local VLAN. My v6 upstream is HE.net/tunnelbroker.net

- I’m getting a SLAAC address and a default ipv6 route on my laptop
- Wireshark shows router advertisements with my IPv6 prefixes (if I mess with on-link, I even see them in my laptop routing table)
- I can ping my router link-local address from a host on the LAN
- I can ping global ipv6 addresses from my router
- BUT….
I can’t seem to ping an internet host from my LAN devices. I used sniffer/quick to view pings seeming to go out off the VLAN interface, then onto the tunnelbroker.net 6to4 interface and seemingly back, but they never seem to make it back to my laptop

So what's wrong?
- Firewall?
- No route back to LAN machine? Or is that a neighbor thing?
- Bad ND settings?

How can I just let devices on one vlan get to v6 hosts without making every consumer device freak out trying to use ipv6?

# 2023-11-28 20:42:42 by RouterOS 7.11.2
# model = RB5009UG+S+
/ipv6 address
add address=2001:DB8:a:1::2 advertise=no interface=sit1
/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes
add advertise-dns=no interface=vlan-lan
/ipv6 nd prefix
# changed addresses here to 2001:db8, they do not conflict with fw rule and are global prefixes
add autonomous=no interface=vlan-lan on-link=no prefix=2001:db8:5::/36
# this one is for tunnelbroker
add interface=vlan-lan on-link=no prefix=2001:DB8:a:1::/64
add autonomous=no interface=vlan-lan on-link=no prefix=2001:db8:9::/36
/ipv6 route
add comment="ATT mobility" disabled=no distance=10 dst-address=2600:300::/24 gateway=sit1 routing-table=main scope=30 target-scope=10
add comment=someredactednet disabled=no distance=10 dst-address=2001:db8:9::/36 gateway=sit1
/ipv6 settings
set accept-router-advertisements=no

/ipv6 firewall address-list
add address=::/128 comment="defconf_router: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf_router: RFC6890 lo" list=bad_ipv6
add address=fec0::/10 comment="defconf_router: RFC3879 deprecated site-local addr" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf_router: RFC6890 ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf_router: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf_router: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf_router: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf_router: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf_router: 6bone" list=bad_ipv6
add address=2001::/23 comment="defconf_mt_adv_fw: RFC6890 IETF Protocol Assignments" list=bad_ipv6
add address=100::/64 comment="defconf_mt_adv_fw: RFC6890 Discard-only" list=not_global_ipv6
add address=2001::/32 comment="defconf_mt_adv_fw: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf_mt_adv_fw: RFC6890 Benchmark" list=not_global_ipv6
add address=fc00::/7 comment="defconf_mt_adv_fw: RFC6890 Unique-Local" list=not_global_ipv6
add address=fe80::/10 comment="defconf_mt_adv_fw: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6
add address=ff00::/8 comment="defconf_mt_adv_fw: multicast" list=no_forward_ipv6
add address=::/128 comment="defconf_mt_adv_fw: unspecified address" list=bad_dst_ipv6
add address=::/128 comment="defconf_mt_adv_fw: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf_mt_adv_fw: multicast" list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf_router: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf_router: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf_router: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf_router: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf_router: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf_router: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf_router: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf_router: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf_router: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf_router: drop everything else not coming from safe-lan-ports" in-interface-list=!safe-lan-ports log-prefix=drop-everything
add action=drop chain=forward comment="defconf_mt_adv_fw: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf_mt_adv_fw: drop bad forward IPs (dst)" dst-address-list=no_forward_ipv6
add action=accept chain=forward comment="defconf_router: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf_router: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf_router: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf_router: drop packets with bad dst ipv6" dst-address-list=bad_ipv6 log-prefix=whats-this
add action=drop chain=forward comment="defconf_router: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf_router: accept ICMPv6" log-prefix=allow-v6-ping protocol=icmpv6
add action=accept chain=forward comment="defconf_router: accept HIP" protocol=139
add action=accept chain=forward comment="defconf_router: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf_router: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf_router: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf_router: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="Drop IOT traffic to WAN interfaces" in-interface=vlan-iot out-interface-list=wan-ports protocol=udp
add action=drop chain=forward comment="Drop IOT traffic to internet addresses" dst-address=2000::/3 in-interface=vlan-iot
add action=drop chain=forward comment="Drop Guest traffic to lan" in-interface=vlan-guest out-interface-list=!wan-ports
add action=drop chain=forward comment="defconf_router: drop everything else not coming from safe-lan-ports" in-interface-list=!safe-lan-ports log-prefix=drop!safelan
/ipv6 firewall mangle
# inactive mangle rule
/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf_mt_adv_fw: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf_mt_adv_fw: RFC4291, section 2.7.1" dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 src-address=::/128
add action=drop chain=prerouting comment="defconf_mt_adv_fw: drop bogon IP's" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf_mt_adv_fw: drop bogon IP's" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf_mt_adv_fw: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf_mt_adv_fw: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf_mt_adv_fw: drop non global from wan-ports" in-interface-list=wan-ports src-address-list=not_global_ipv6
add action=accept chain=prerouting comment="defconf_mt_adv_fw: accept local multicast scope" dst-address=ff02::/16 log-prefix=accept_loc_mcast_scope
add action=drop chain=prerouting comment="defconf_mt_adv_fw: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="JE: accept all icmp since I'm not using the icmp chain in the mt_adv_fw" protocol=icmpv6
add action=accept chain=prerouting comment="defconf_mt_adv_fw: accept everything else from wan-ports" in-interface-list=wan-ports
add action=accept chain=prerouting comment="defconf_mt_adv_fw: accept everything else from safe-lan-ports" in-interface-list=safe-lan-ports
add action=drop chain=prerouting comment="defconf_mt_adv_fw: drop the rest" log=yes log-prefix=v6_DROP_THE_REST

netravnen · Tue Dec 05, 2023 6:13 pm

For tunnelbroker, there is an example available on the old mikrotik wiki. I recommend using this as a starting reference point for your configuration.

evergreen · Wed Dec 06, 2023 2:14 am

For tunnelbroker, there is an example available on the old mikrotik wiki. I recommend using this as a starting reference point for your configuration.

Thank you! I did go through this, which helped me back out my config, I ended up re-doing it with the HE examples on their site. In the end I had typo/copy-pasted the outside address to hand out internally and it was just borking all the routing. As soon as I changed one character, it all started working as expected. Specifically: `add interface=vlan-lan on-link=no prefix=2001:DB8:a:1::/64` should have been `prefix=2001:DB8:b:1::/64`

I am still not sure how to convince the routing tables on laptops etc. to only route to those three ipv6 address blocks and perfer-v4 otherwise. Perhaps I need to just live with the default route and use firewall to achieve what I want? Maybe I send back an ICMP unreachable for all but the blocks I want to speed up the happy-eyeballs v4 fallback process?

netravnen · Wed Dec 06, 2023 8:28 am

I am still not sure how to convince the routing tables on laptops etc. to only route to those three ipv6 address blocks and perfer-v4 otherwise. Perhaps I need to just live with the default route and use firewall to achieve what I want? Maybe I send back an ICMP unreachable for all but the blocks I want to speed up the happy-eyeballs v4 fallback process?

Look into Manual:IPv6/ND#Stateless_address_autoconfiguration in the old wiki.

For the above question. You might wish to looking into controlling which "on link" prefixes your router announces as part of the SLAAC process (~RA packets). The router sends out on the locally connected "inside" network segments.

evergreen · Wed Dec 06, 2023 7:22 pm

...
For the above question. You might wish to looking into controlling which "on link" prefixes your router announces as part of the SLAAC process (~RA packets). The router sends out on the locally connected "inside" network segments.

Ah yes I'd forgotten about on-link!

Previously, when I set the on-link settings I saw prefixed in the RA packet via Wireshark. I also saw routes for those prefixes appear in the routing table of my laptop. I realized the MT docs require you to understand what on-link applies—I went to Wikipedia and RFC-type docs—but ultimately it seems like since these prefixes aren't on my LAN the packets must be sent to the router anyway. This didn't seem to change the fact that I had a default route for ipv6, so I just remove on-link=yes

That was before I fixed the overall routing, so maybe I should try again. Still, because they're global prefixes on someone else's network, I think it'll be the same.

So maybe I'm misunderstanding on-link?

netravnen · Wed Dec 06, 2023 8:37 pm

Looking into it a layer deeper.

The on-link flag /ipv6 nd prefix does make sense in your scenario UNLESS all subnets are located on the same broadcast domain (which I assume is not the case).

DHCPv4 support defining classless routes as a DHCP option. The draft for DHCPv6 seems to have not made it past draft v5. https://datatracker.ietf.org/doc/html/d ... -option-05

Summary: There is no possibility for communicating classless routes to IPv6 clients. (Apart from the usual default route, of course)

tdw · Wed Dec 06, 2023 9:21 pm

I am still not sure how to convince the routing tables on laptops etc. to only route to those three ipv6 address blocks and perfer-v4 otherwise. Perhaps I need to just live with the default route and use firewall to achieve what I want? Maybe I send back an ICMP unreachable for all but the blocks I want to speed up the happy-eyeballs v4 fallback process?

Attempting to control IPv4 vs. IPv6 precidence by advertising prefixes on the local LAN is not the way to achieve this, off-link prefix information options are not route information options. To advertise some routes with no default the regular RA lifetime would be zero and there would be RIO options for each route per RFC4191, I don't believe Mikrotik have implemented this.

Set up your IPv6 properly to advertise just the local LAN subnet and gateway to clients. Then prevent clients resolving IPv6 addresses so they only use IPv4 (this would require a better DNS proxy than the inbuilt Mikrotik one), or change their prefix policy lists (for Windows netsh interface ipv6, then show/set prefixpolicies). Having an unreachable default route plus the routes to your desired target on the Mikrotik may work, it depends on how the clients network stack handles the ICMP unreachable responses.

tdw · Wed Dec 06, 2023 9:24 pm

There is no possibility for communicating classless routes to IPv6 clients. (Apart from the usual default route, of course)

That may be the case for DHCPv6, but that does not acquire the default route in any case. The default route is acquired from RA messages with non-zero RA lifietimes, other routes can be distributed with additional RA routing information options although this has not been implemented by Mikrotik.

evergreen · Wed Dec 13, 2023 7:33 am

I am still not sure how to convince the routing tables on laptops etc. to only route to those three ipv6 address blocks and perfer-v4 otherwise. Perhaps I need to just live with the default route and use firewall to achieve what I want? Maybe I send back an ICMP unreachable for all but the blocks I want to speed up the happy-eyeballs v4 fallback process?
Attempting to control IPv4 vs. IPv6 precidence by advertising prefixes on the local LAN is not the way to achieve this, off-link prefix information options are not route information options. To advertise some routes with no default the regular RA lifetime would be zero and there would be RIO options for each route per RFC4191, I don't believe Mikrotik have implemented this.

Set up your IPv6 properly to advertise just the local LAN subnet and gateway to clients. Then prevent clients resolving IPv6 addresses so they only use IPv4 (this would require a better DNS proxy than the inbuilt Mikrotik one), or change their prefix policy lists (for Windows netsh interface ipv6, then show/set prefixpolicies). Having an unreachable default route plus the routes to your desired target on the Mikrotik may work, it depends on how the clients network stack handles the ICMP unreachable responses.

Thanks for your reply! This seems like the best approach. I'm going ahead with this.

IPv6 issues: v6 only for a few address blocks, v4 otherwise [SOLVED]

IPv6 issues: v6 only for a few address blocks, v4 otherwise

Re: IPv6 issues: Want to advertise three v6 pfx w/ SLAAC

Re: IPv6 issues: Want to advertise three v6 pfx w/ SLAAC

Re: IPv6 issues: Want to advertise three v6 pfx w/ SLAAC

Re: IPv6 issues: Want to advertise three v6 pfx w/ SLAAC

Re: IPv6 issues: v6 only for a few address blocks, v4 otherwise

Re: IPv6 issues: Want to advertise three v6 pfx w/ SLAAC [SOLVED]

Re: IPv6 issues: v6 only for a few address blocks, v4 otherwise

Re: IPv6 issues: Want to advertise three v6 pfx w/ SLAAC