vladoboss
just joined
Topic Author
Posts: 23
Joined: Mon Feb 01, 2010 12:05 am

ipv6 routing now working

Sun Feb 17, 2013 4:06 pm

I have native ipv6 addressing from my ISP, but I cannot route any traffic from the LAN network.
Here is my address setup:
/ipv6 address
add address=2a01:5b9:a1:56::1/56 advertise=no disabled=no eui-64=no interface=ether1
add address=2a01:5b9:a1:56:1::1/64 advertise=yes disabled=no eui-64=no interface=bridge1
My routing table:
ipv6 route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable 
 #      DST-ADDRESS              GATEWAY                  DISTANCE
 0 A S  ::/0                     2a01:5b8:a1::1                  1
 1 ADC  2a01:5b9:a1::/56         ether1                          0
 2 ADC  2a01:5b9:a1:56::/64      bridge1                         0
I can ping Google from my router, but not from the LAN network:
> ping 2a00:1450:4001:c02::64
HOST                                     SIZE TTL TIME  STATUS                                                       
2a00:1450:4001:c02::64                     56  54 58ms  echo reply                                                   
2a00:1450:4001:c02::64                     56  54 45ms  echo reply                                                   
2a00:1450:4001:c02::64                     56  54 45ms  echo reply                                                   
    sent=3 received=3 packet-loss=0% min-rtt=45ms avg-rtt=49ms max-rtt=58ms 
ping 2a00:1450:4001:c02::64 src-address=2a01:5b9:a1:56:1::1
HOST                                     SIZE TTL TIME  STATUS                                                       
2a00:1450:4001:c02::64                                  timeout                                                      
2a00:1450:4001:c02::64                                  timeout                                                      
2a00:1450:4001:c02::64                                  timeout                                                      
2a00:1450:4001:c02::64                                  timeout                                                      
    sent=4 received=0 packet-loss=100% 
I'm using RB493 with version 5.22

What am I doing wrong here?
 
docmarius
Forum Guru
Posts: 1224
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: ipv6 routing now working

Sun Feb 17, 2013 5:02 pm

There is probably nothing wrong...
Try to ping from your LAN using a computer on LAN, and not from the router using the LAN IP/port - that will probably work (if you have no filters preventing it).
Packets are forwarded from LAN to WAN, which is not possible if you send them out on the LAN port, since they are not received on the LAN port to be forwarded.

Although I would expect a "No route to host" response instead of "Timeout"...
 
vladoboss

Re: ipv6 routing now working

Sun Feb 17, 2013 7:10 pm

No, I have tried ping from my laptop first. I'm pinging from the LAN IP address for an easier test. If it works from my computer, it will ping from the LAN IP address too.
 
vladoboss

Re: ipv6 routing now working

Sun Feb 17, 2013 7:15 pm

Here are my autoconfigured IP addresses on my laptop:
wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:1f:3a:14:0c:f3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.101/24 brd 192.168.2.255 scope global wlan0
    inet6 2a01:5b9:a1:56:441:10fe:3e4d:ff54/64 scope global temporary dynamic 
       valid_lft 604799sec preferred_lft 85799sec
    inet6 2a01:5b9:a1:56:21f:3aff:fe14:cf3/64 scope global tentative dynamic 
       valid_lft 2591999sec preferred_lft 604799sec
    inet6 fe80::21f:3aff:fe14:cf3/64 scope link 
       valid_lft forever preferred_lft forever
When I ping Google, nothing happens: no timeout, no "no route to host".
ping6 google.com
PING google.com(fa-in-x64.1e100.net) 56 data bytes
^C
--- google.com ping statistics ---
29 packets transmitted, 0 received, 100% packet loss, time 27999ms
And traceroute from the laptop:
traceroute6 google.com
traceroute to google.com (2a00:1450:4001:c02::64) from 2a01:5b8:a1:56:441:10fe:3e4d:ff54, 30 hops max, 16 byte packets
1 2a01:5b9:a1:56:1::1 (2a01:5b8:a1:56:1::1) 74.022 ms 1.17 ms 0.986 ms
2 * * *
3 * * *
^C
 
docmarius

Re: ipv6 routing now working

Sun Feb 17, 2013 9:20 pm

Your provider may use link local addresses for forwarding, so I would set the interface as gateway...
And check that the firewall rules are ok for ipv6.

Here are my rules, which work... Connection is via PPPoE, network on ether3.
/ipv6 route
add gateway=IF-PPPoE

/ipv6 firewall filter
add chain=input comment=ICMPv6 protocol=icmpv6
add chain=input comment="DHCPv6 client" dst-port=546 in-interface=IF-PPPoE protocol=udp
add action=drop chain=input comment="Drop the rest"
add chain=forward comment="Accept forward" in-interface=ether3
add chain=forward comment="Accept forward" out-interface=ether3
add action=drop chain=forward comment="Drop forward"
add chain=output comment="Accept output"
 
vladoboss

Re: ipv6 routing now working

Sun Feb 17, 2013 9:50 pm

No, that way I can't ping anything from the router. I suspect that my ISP router doesn't know where network 2a01:5b9:a1:56:1::1/64 is. 2a01:5b9:a1:56::1/56 is directly connected, and that is why it returns the ping. I see the packets from 2a01:5b9:a1:56:1::1/64 exiting the router via ether1 with torch, but I see no reply.
 
docmarius

Re: ipv6 routing now working

Sun Feb 17, 2013 10:02 pm

But this makes no sense... 2a01:5b9:a1:56:1::1/64 is part of the 2a01:5b9:a1:56::1/56 allocation.
Unless the ISP actually allocated a /64.
Could you try to set your external interface e.g. to 2a01:5b9:a1:56:2::1/56 and see if ping still works?
At least confirm that you got the whole /56 address space...
In the worst case, set the external IP to 2a01:5b9:a1:56:1::1 or drop the external IP (which is not really needed) and just forward 2a01:5b9:a1:56::1/64 to/from your LAN.
 
vladoboss

Re: ipv6 routing now working

Sun Feb 17, 2013 11:43 pm

I changed the address to 2a01:5b9:a1:56:2::1/56 and it still pings. In the meantime I changed the external address to 2a01:5b9:a1:85::/56 and the internal one to 2a01:5b9:a1:85::1/64, and for a short period of time I was able to ping and traceroute from 2a01:5b9:a1:85::1. Then I noticed that I could not ping from my laptop (auto-configured address), so I turned off the advertising and manually set up the address 2a01:5b9:a1:85::2/64 on the laptop. And what a surprise, now I can't even ping 2a01:5b9:a1:85::1. I rebooted the router, and now I can't ping Google from 2a01:5b9:a1:85::1/64 but I can ping 2a01:5b9:a1:85::1 from 2a01:5b9:a1:85::2 :-) What a nightmare! I suspect this can be some bug in RouterOS.
Can you send me your addressing on the router and on local computer (change some numbers/letters for security)? Maybe I can figure out what I'm doing wrong.
 
vladoboss

Re: ipv6 routing now working

Fri Feb 22, 2013 8:59 pm

I managed to solve the problem. I made a bridge between the WAN and LAN interfaces and now I have ipv6 internet from my laptop. I'm a network engineer, and it makes no sense to me why I must create a bridge to get ipv6 routing. Nevertheless, I hope this will help some other martyr in the ipv6 world :-) This is definitely a bug in RouterOS, and if anyone from the Mikrotik development team reads this, I hope it will be solved. docmarius, thanks for your help.
 
docmarius

Re: ipv6 routing now working

Fri Feb 22, 2013 11:37 pm

Vlado, let's try to solve this... It is probably not a bug, but you need to change the way you look at routing because there is no NAT on IPv6.

First, I understand that your WAN interface is ether1, and you need to get 2a01:5b9:a1::/56 from your provider, with GW being 2a01:5b8:a1::1.
Second, you want to assign 2a01:5b9:a1:56::/64 to bridge1 and also use ND/RA to autoconfigure that subnet.

Please confirm this to do a first step.
And also please state how you get the IP assignment from your ISP: DHCPv6, static?
 
vladoboss

Re: ipv6 routing now working

Sat Feb 23, 2013 1:54 am

I'm clearly aware that there is no NAT in IPv6.
And yes, everything is correct what you said about my needs for ipv6 network.
I have a static ip assignment.
 
docmarius

Re: ipv6 routing now working

Sat Feb 23, 2013 2:21 am

Ok.
First, do NOT assign any IP/mask to ether1 since this would make the router understand that the machines with that prefix are on that interface. All will be done on bridge1.

First, create an IPv6 pool that will hold your addresses to be assigned by RA (this is probably optional):
/ipv6 pool add name=pool1 prefix=2a01:5b9:a1:56::/64 prefix-length=64 
Next assign the INTERNAL IPv6 address to the router (if you don't use the pool, use address 2a01:5b9:a1:56::1/64 and omit the from-pool part):
/ipv6 address add address=::1/64 advertise=yes interface=bridge1 from-pool=pool1
and add the default route:
/ipv6 route add  dst-address=::/0 gateway=fe80::1%ether1
and the neighbor discovery part:
/ipv6 nd add advertise-dns=yes hop-limit=64 interface=bridge1 ra-interval=20s-1m
Now add the proper forward rules to the firewall:
/ipv6 firewall filter add chain=forward in-interface=bridge1
/ipv6 firewall filter add chain=forward out-interface=bridge1
Now, if you have no other firewall restriction and your dns server resolves AAAA addresses, your machines on the LAN should acquire their address automatically and be able to connect to the internet via IPv6.
 
vladoboss

Re: ipv6 routing now working

Sat Feb 23, 2013 1:37 pm

No, it does not work this way. I can't even ping the previous default gw (ping6 2a01:5b9:a1::1) from the router.
I didn't use ::1/64 as the internal ip address because it didn't advertise anything to LAN devices. Here are my settings:
/ipv6 address
add address=2a01:5b9:a1:85::1/64 advertise=yes disabled=no eui-64=no interface=bridge1
/ipv6 route
add disabled=no distance=1 dst-address=::/0 gateway=fe80::1%ether1 scope=30 target-scope=10
ipv6 pool print 
Flags: D - dynamic 
 #   NAME                                                   PREFIX                                      PREFIX-LENGTH
 0   pool1                                                  2a01:5b9:a1:85::/64                                    64
ipv6 nd print 
Flags: X - disabled, I - invalid, * - default 
 0  * interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified 
      retransmit-interval=unspecified ra-lifetime=30m hop-limit=unspecified advertise-mac-address=yes 
      advertise-dns=no managed-address-configuration=no other-configuration=no 

 1    interface=bridge1 ra-interval=20s-1m ra-delay=3s mtu=unspecified reachable-time=unspecified 
      retransmit-interval=unspecified ra-lifetime=30m hop-limit=64 advertise-mac-address=yes advertise-dns=yes 
      managed-address-configuration=no other-configuration=no
ipv6 firewall filter export        
# feb/23/2013 12:13:59 by RouterOS 5.22
# software id = 10UK-CTNR
#
/ipv6 firewall filter
add action=accept chain=forward disabled=no out-interface=ether1
add action=accept chain=forward disabled=no in-interface=bridge1
I guess you made a typo error in firewall because both in and out interface is bridge1

So now when I ping previous default GW 2a01:5b9:a1::1
ping 2a01:5b9:a1::1         
HOST                                     SIZE TTL TIME  STATUS                                                       
2a01:5b9:a1::1                                          timeout                                                      
2a01:5b9:a1::1                                          timeout
[admin@boss] > ping 2a01:5b9:a1::1 src-address=2a01:5b9:a1:85::1
HOST                                     SIZE TTL TIME  STATUS                                                       
2a01:5b9:a1::1                                          timeout                                                      
2a01:5b9:a1::1                                          timeout 
tool traceroute 2a01:5b9:a1::1
 # ADDRESS                                 RT1   RT2   RT3   STATUS                                                  
 1 ::                                      0ms   0ms   0ms                                                           
 2 
Same with google
tool traceroute 2a00:1450:4001:c02::8a                              
 # ADDRESS                                 RT1   RT2   RT3   STATUS                                                  
 1 ::                                      0ms   0ms   0ms                                                           
 2 ::                                      0ms   0ms   0ms                                                           
 3 ::                                      0ms   0ms   0ms                                                           
 4 ::                                      0ms   0ms   0ms
With torch I can't see any ipv6 packet exiting the ether1 interface while I'm pinging. So I guess the router doesn't know where to send the packets.
 
docmarius

Re: ipv6 routing now working

Sat Feb 23, 2013 10:50 pm

"I guess you made a typo error in firewall because both in and out interface is bridge1"
It is not a typo... You must allow packet forwarding FROM your bridge and TO your bridge.

But I think in the default route it should be gateway=2a01:5b8:a1::1%ether1

By the way, is your gw 2a01:5b8:a1::1 as in the first post or is it 2a01:5b9:a1::1 as you try to ping it? One of those addresses is wrong...

If you want to ping from the router, you also have to add a firewall rule on the input chain to allow incoming icmp6.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: ipv6 routing now working

Sun Feb 24, 2013 4:56 am

The correct one should be 5b8 (whois says 2a01:5b8::/32 is allocated to ISP, while for 2a01:5b9:anything there's only record for whole 2a00::/12 belonging to RIPE). Is it perhaps an attempt to hide the real addresses? Otherwise I see no way how you could ping Google from 2a01:5b9:a1:56::1.

So the fundamental question is: what exactly did you really get from the ISP?

Because besides 5b8/5b9 problem, the whole numbering looks somehow strange.
 
vladoboss

Re: ipv6 routing now working

Sun Feb 24, 2013 1:53 pm

You got me, I was hiding the real ip :-) The pool I got from my ISP is 2a01:5b8:a1:85::/56
In any case, it doesn't work this way. First, when I added ::1/64 on the bridge interface it didn't advertise anything from the pool. The default gw defined as gateway=fe80::1%ether1 is accepted, but I can't ping anything outside the router this way. I even put the correct link local address from my ISP discovered with ND. When I try to put 2a01:5b8:a1::1 as gateway on ether1 it gives me an error:
ipv6 route add dst-address=::/0 gateway=2a01:5b8:a1::1%ether1 
failure: Invalid route configuration: Invalid gateway configration
So as I said I managed to work it out by adding ether1 to bridge1. It works, but this way I can see on my LAN machines all the ipv4 L2 traffic from my ISP, and I suspect that I'm advertising /64 pool towards my ISP.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: ipv6 routing now working

Sun Feb 24, 2013 6:41 pm

How is the ISP presenting the allocation 2A01:5B8:A1::/56 to you? If it is simply being sent to your interface then you should be able to allocate an IPv6 address on a /64 to the WAN interface and an IP address on another /64 to the LAN interface and routing should ensue.

I suggest that you go back to the routed method and allocate an IPv6 address on a /64 on a LAN interface and check if that address can be pinged from the outside.

Note that an address such as 2A01:5B8:A1:85::1/56 is interpreted as 2A01:5B8:A1::/56 so some of the routing entries above look wrong.

Your router can currently be pinged at 2A01:5B8:A1:85::1. Perhaps try adding an address such as 2A01:5B8:A1:99::1/64 on another interface and see if that can also be pinged from the outside and work from there.
 
Sob

Re: ipv6 routing now working

Sun Feb 24, 2013 7:41 pm

Right, "85" at the end is not part of first 56 bits, so it makes me wonder why it's there at all (in perhaps a little more clear expanded form it's 2a01:05b8:00a1:0085::/56 and "85" is at bits 57-64). But if it's right, you should own everything from 2a01:05b8:00a1:0000 to 2a01:05b8:00a1:00ff. And any of those /64s can be used on LAN (except 2a01:5b8:a1:85:: which is already on WAN).

And you don't need to add "%ether1" for default gateway, it should get the interface automatically.
 
vladoboss

Re: ipv6 routing now working

Sun Feb 24, 2013 11:07 pm

OK, I contacted my ISP and the situation is the following. They suggested that I use network 2a01:5b8:a1:8500::/56, but with no success. They told me that the GW address is on my local vlan and their network is 2a01:5b8:a1::1/48. I put first 2a01:5b8:a1:8500::11/56, then 2a01:5b8:a1:8500::11/64 on the WAN interface, and the situation is the same. I can ping from the WAN interface but not from LAN (on LAN the address is 2a01:5b8:a1:8500::1/64). They sent me the tcpdump from their router and the ipv6 neighbour table, and from it I can see that their router cannot establish ND with my LAN network. So here is the tcpdump while I ping from my LAN address:
21:53:53.741123 2a01:5b8:a1:8500::1 > 2a01:5b8:a1::1: icmp6: echo request seq 7
21:53:53.742793 2a01:5b8:a1::1 > ff02::1:ff00:1: icmp6: neighbor sol: who has 2a01:5b8:a1:8500::1
21:53:53.873433 2a01:5b8:a1:8500:69f4:7902:b39f:e10a.55030 > 2a00:1450:400d:805::1008.80: S 1698073582:1698073582(0) win 8192 <mss 1440,nop,nop,sackOK>
21:53:54.742832 2a01:5b8:a1::1 > ff02::1:ff00:1: icmp6: neighbor sol: who has 2a01:5b8:a1:8500::1
21:53:54.746046 2a01:5b8:a1:8500::1 > 2a01:5b8:a1::1: icmp6: echo request seq 8
21:53:55.592809 fe80::211:95ff:fec9:e704 > ff02::1:ff9f:e10a: icmp6: neighbor sol: who has 2a01:5b8:a1:8500:69f4:7902:b39f:e10a
21:53:55.751168 2a01:5b8:a1:8500::1 > 2a01:5b8:a1::1: icmp6: echo request seq 9
and output from ip -6 ne sh:
ip -6 ne show
2a01:5b8:a1:8500::1 dev eth0.500  FAILED
2a01:5b8:a1:8500::11 dev eth0.500 lladdr 00:0c:42:34:75:ea router REACHABLE
So that is the root of the problem. Their router cannot make neighbor sol. from my LAN. But when I put ether1 in bridge1 everything is working. I want to mention that I tried without an ipv6 addr on the WAN interface; the situation was the same. Also I want to mention that my ISP is in an experimental stage, so maybe they are doing something wrong with the address assignment.
 
vladoboss

Re: ipv6 routing now working

Mon Feb 25, 2013 12:37 am

OK, problem solved. I asked my ISP to add a static ipv6 route towards my WAN interface, "ipv6 route 2a01:5b8:a1:8500::/64 2a01:5b8:a1:8500::11 eth0.500", and now everything is working :-) The problem was that my LAN wasn't in the same vlan as their ipv6 interface, so neighbor solicit wasn't able to reach my LAN interface.
@docmarius in your case your ISP is allocating the ipv6 network via a point-to-point link (pppoe I guess), so their router knows exactly on which interface the allocated ipv6 network is. Thank you both for your help.
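
Added example (not part of the original posts): a small Python model of the ISP router's forwarding decision for the LAN address, before and after the static route quoted above. The route table is constructed from the /48 and the static route mentioned in the thread; `Route`, `decide` and `solicited_node` are hypothetical names.

```python
import ipaddress


class Route:
    """One routing-table entry; via=None means a connected (on-link) prefix."""

    def __init__(self, prefix, dev, via=None):
        self.net = ipaddress.ip_network(prefix)
        self.dev = dev
        self.via = ipaddress.ip_address(via) if via else None


def solicited_node(addr):
    """Solicited-node multicast group: ff02::1:ff00:0/104 plus the low 24 bits."""
    low24 = int(ipaddress.ip_address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def decide(routes, dst):
    """Longest-prefix match, then report which neighbor must answer ND."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r.net]
    if not matches:
        return None
    best = max(matches, key=lambda r: r.net.prefixlen)
    # Connected route: resolve the destination itself on the link.
    # Static route: resolve the next hop and hand the packet to it.
    target = best.via if best.via is not None else dst
    return {
        "route": str(best.net),
        "dev": best.dev,
        "on_link": best.via is None,
        "resolve": str(target),
        "ns_group": str(solicited_node(target)),
    }


LAN_ADDR = "2a01:5b8:a1:8500::1"    # bridge1, behind the RouterBOARD
WAN_ADDR = "2a01:5b8:a1:8500::11"   # ether1, on the ISP VLAN

# Before: only the connected /48 the ISP described on eth0.500 (constructed).
before = [Route("2a01:5b8:a1::/48", "eth0.500")]
# After: the static route quoted in the post is added.
after = before + [Route("2a01:5b8:a1:8500::/64", "eth0.500", via=WAN_ADDR)]

if __name__ == "__main__":
    for label, table in (("before", before), ("after", after)):
        print(label, decide(table, LAN_ADDR))
```

In the "before" case the router treats the LAN address as on-link and solicits ff02::1:ff00:1, which is the unanswered neighbor solicitation in the tcpdump; in the "after" case it resolves the WAN address instead, which the neighbor table already shows as REACHABLE.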
 
CelticComms

Re: ipv6 routing now working

Mon Feb 25, 2013 1:15 am

It looks as if the ISP has used part/all of your /56 as the link network. If they believe that the link network is 2A01:5B8:A1::/56 and that their router address on that is 2A01:5B8:A1::1 then it is not surprising that the subsequent routing to /64s on the routerboard is not working.

Instead, ask them to allocate a separate /64 to the link network between you and them and then route your entire /56 to you via your address on the /64 link net. That would make life far easier all around! They should have no issue allocating a /64 to the link network.
Last edited by CelticComms on Mon Feb 25, 2013 4:18 am, edited 2 times in total.
 
Sob

Re: ipv6 routing now working

Mon Feb 25, 2013 2:00 am

About current setup, is there still 2a01:5b8:a1:8500::11/56 on WAN? If so, what is used for default gateway then? Because 2a01:5b8:a1::1 can't be reached from 2a01:5b8:a1:8500::11 with /56 netmask, it's on different subnet.
 
vladoboss

Re: ipv6 routing now working

Mon Feb 25, 2013 9:46 am

For default GW I use: gateway=fe80::1%ether1
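
Added example (not part of the thread): the prefix arithmetic behind the last few replies, checked with Python's `ipaddress` module. It shows how an address with a /56 length collapses to its connected prefix, which /64s a /56 contains, and whether a gateway is on-link for a given WAN address. `audit` and `lan_subnets` are hypothetical helper names; the /48 case is a constructed variant based on the network the ISP described.

```python
import ipaddress


def audit(wan_cidr, lan_cidr, gateway):
    """Report what a router derives from address/prefix-length pairs."""
    wan = ipaddress.ip_interface(wan_cidr)
    lan = ipaddress.ip_interface(lan_cidr)
    gw = ipaddress.ip_address(gateway)
    return {
        # Host bits are masked off: this is the connected route that appears.
        "wan_connected": str(wan.network),
        "lan_connected": str(lan.network),
        # True when the WAN prefix also covers the LAN prefix.
        "overlap": wan.network.overlaps(lan.network),
        # A global gateway must sit inside the WAN prefix; a link-local one
        # (fe80::/10) is on-link by definition but needs the interface scope.
        "gateway_on_link": gw.is_link_local or gw in wan.network,
    }


def lan_subnets(delegation):
    """All /64 networks contained in a delegated prefix."""
    return list(ipaddress.ip_network(delegation).subnets(new_prefix=64))


CASES = {
    # Addresses as written in the first post (obfuscated by the poster).
    "first post": ("2a01:5b9:a1:56::1/56", "2a01:5b9:a1:56:1::1/64", "2a01:5b8:a1::1"),
    # The /56 on WAN with the ISP's global gateway address.
    "wan /56": ("2a01:5b8:a1:8500::11/56", "2a01:5b8:a1:8500::1/64", "2a01:5b8:a1::1"),
    # Constructed variant: same address with the ISP's /48 length.
    "wan /48": ("2a01:5b8:a1:8500::11/48", "2a01:5b8:a1:8500::1/64", "2a01:5b8:a1::1"),
    # Link-local gateway, as in the final post.
    "link-local gw": ("2a01:5b8:a1:8500::11/56", "2a01:5b8:a1:8500::1/64", "fe80::1"),
}

if __name__ == "__main__":
    for name, args in CASES.items():
        print(name, audit(*args))
    subs = lan_subnets("2a01:5b8:a1::/56")
    print(len(subs), subs[0], subs[-1])
```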