My hap ac3 (7.1rc3) receives an IPv6 prefix from the ISP router using DHCPv6 and advertises a /64 prefix to multiple interfaces. IPv6 forwarding is enabled.
I now have the issue that firewalling using connection state is not working, because response traffic from WAN (ISP router) always has state new,invalid instead of established. With firewall log enabled I can see the outgoing traffic and the response traffic with matching interfaces and addresses.
I feel like I'm missing some detail, maybe one of you has an idea what causes this behavoiur.
Re: IPv6 response connection state new,invalid
It's hard to understand what's going on without you providing some more detailed information, such as relevant pieces of configuration (/interface - both configuration and running values - and /ipv6 subtrees) and contents of log (to see what exactly is logged).
Re: IPv6 response connection state new,invalid
Here is a modified excempt from the configuration:
The prefix is received from the wan VLAN and distributed to the lab and office VLAN.
Here is a firewall log output generated by calling curl -6 http://google.com on a host in lab:
Code: Select all
/interface bridge
add ingress-filtering=no name=bridgeLocal vlan-filtering=yes
/interface bridge port
add bridge=bridgeLocal interface=ether3
add bridge=bridgeLocal interface=ether4
add bridge=bridgeLocal interface=ether5
add bridge=bridgeLocal interface=ether2
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=1000
/interface bridge vlan
add bridge=bridgeLocal comment="VLAN Lab" tagged=ether2,ether3,ether4,ether5,bridgeLocal vlan-ids=10
add bridge=bridgeLocal comment="VLAN Office" tagged=ether2,ether3,ether4,ether5,bridgeLocal vlan-ids=20
add bridge=bridgeLocal comment="VLAN Internet" tagged=bridgeLocal untagged=ether1 vlan-ids=1000
/interface vlan
add interface=bridgeLocal name=office vlan-id=20
add interface=bridgeLocal name=lab vlan-id=10
add interface=bridgeLocal name=wan vlan-id=1000
/interface list
add comment="Interfaces with Internet Access, also includes VPNs" name=wan-access
add name=discovery
add comment="Placeholder for main internet connection" name=wan-main
add name=hotspot
add comment="Prohibit all IPv6 via Firewall" include=hotspot name=prohibit-ipv6
/interface list member
add interface=wan list=wan-access
add interface=bridgeLocal list=discovery
add interface=wan list=wan-main
/ipv6 address
add eui-64=yes from-pool=ipv6-prefix interface=lab
add eui-64=yes from-pool=ipv6-prefix interface=office
/ipv6 dhcp-client
add add-default-route=yes interface=wan pool-name=ipv6-prefix prefix-hint=::/60 request=address,prefix use-peer-dns=no
/ipv6 firewall filter
add action=drop chain=input comment="Input Drop all IPv6 traffic from prohibited interfaces" in-interface-list=prohibit-ipv6 log-prefix=prohibit_ipv6
add action=drop chain=forward comment="Forward Drop all IPv6 traffic from prohibited interfaces" in-interface-list=prohibit-ipv6 log-prefix=prohibit_ipv6
add action=drop chain=output comment="Output Drop all IPv6 traffic to prohibited interfaces" log=yes log-prefix=prohibit_ipv6 out-interface-list=prohibit-ipv6
add action=accept chain=output comment="Output Accept All" log-prefix=ipv6
add action=accept chain=input comment="Input Accept established and related" connection-state=established,related
add action=accept chain=input comment="Input Accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="Input Accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="Input Accept DHCPv6-Client prefix delegation" dst-port=546 protocol=udp src-address=fe80::/16
add action=drop chain=input comment="Input: Drop all other traffic" log=yes log-prefix=ipv6
add action=accept chain=forward comment="Forward Accept requested traffic from WAN" connection-state=established,related in-interface-list=wan-main
add action=accept chain=forward comment="Forward: Accept ICMPv6 except WAN" in-interface-list=!wan-access protocol=icmpv6
add action=accept chain=forward comment="Forward Accept All Local Traffic To WAN" in-interface-list=!wan-access log=yes log-prefix=ipv6 out-interface-list=wan-main
add action=drop chain=forward comment="Forward Drop Invalid" connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=drop chain=forward comment="Forward Drop all other traffic" log=yes log-prefix=ipv6
/ipv6 firewall mangle
add action=mark-connection chain=postrouting comment="Mark new outgoing connections as wan-connection" connection-state=new new-connection-mark=wan-connection out-interface-list=wan-main passthrough=yes
add action=mark-connection chain=prerouting comment="Mark new incoming connection as wan-connection" connection-state=new in-interface-list=wan-main new-connection-mark=wan-connection passthrough=yes
add action=mark-packet chain=postrouting comment="Mark outgoing packets as wan-upload" connection-mark=wan-connection new-packet-mark=wan-upload out-interface-list=wan-main passthrough=yes
add action=mark-packet chain=prerouting comment="Mark incoming packets as wan-download" connection-mark=wan-connection in-interface-list=wan-main new-packet-mark=wan-download passthrough=yes
/ipv6 settings
set accept-redirects=no
Here is a firewall log output generated by calling curl -6 http://google.com on a host in lab:
Code: Select all
ipv6 forward: in:lab out:wan, src-mac 04:xx:xx:xx:xx:xx, proto TCP (SYN), [2a02:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]:46468->[2a00:xxxx:xxxx:xxxx::xxxx]:80, len 40
ipv6,invalid forward: in:wan out:lab, src-mac 5c:xx:xx:xx:xx:xx, proto TCP (SYN,ACK), [2a00:xxxx:xxxx:xxxx::xxxx]:80->[2a02:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]:46468, len 40Re: IPv6 response connection state new,invalid
Your IPv6 firewall config is IMO a mess. Not sure what you want to do with all of those mangle rules. But they might interfere with connection tracking machinery state ... if you can, disable all of them to check if your (simplified) setup still doesn't work right.
BTW, does your ISP require your WAN interface to have routable IPv6 address? Often that's not the case, link-local address is enough. The prefix-hint property is for expressing your wish, doesn't make ISP's DHCPv6 server to obey it. So you it's possible you can remove it as well (and you'll get the same prefix length regardless). Which means you could change DHCPv6 client setup to
BTW, does your ISP require your WAN interface to have routable IPv6 address? Often that's not the case, link-local address is enough. The prefix-hint property is for expressing your wish, doesn't make ISP's DHCPv6 server to obey it. So you it's possible you can remove it as well (and you'll get the same prefix length regardless). Which means you could change DHCPv6 client setup to
Code: Select all
add add-default-route=yes interface=wan pool-name=ipv6-prefix request=prefix use-peer-dns=no
Re: IPv6 response connection state new,invalid
Thank you for you answer.
The ISP router gets a /56 prefix from the ISP and gladly obeys the prefix wish as long as it's possible.
The mangle rules are for queue tree. I really haven't found a better way to mark the packets for queuing.
But you are right, disabling the mangle rules fixes the issue. As does disabling the queue tree, with the mangle rules still active. Now I'm even more confused.
My queue config looks like this:
The ISP router gets a /56 prefix from the ISP and gladly obeys the prefix wish as long as it's possible.
The mangle rules are for queue tree. I really haven't found a better way to mark the packets for queuing.
But you are right, disabling the mangle rules fixes the issue. As does disabling the queue tree, with the mangle rules still active. Now I'm even more confused.
My queue config looks like this:
Code: Select all
/queue type
add cake-bandwidth=10.0Mbps kind=cake name=cake-upload
add cake-bandwidth=70.0Mbps kind=cake name=cake-download
add kind=pcq name=pcq-download pcq-classifier=dst-address pcq-limit=8KiB pcq-rate=70M pcq-total-limit=320KiB
/queue tree
add name=upload packet-mark=wan-upload parent=global queue=cake-upload
add name=download packet-mark=wan-download parent=global queue=cake-downloadRe: IPv6 response connection state new,invalid
I've no idea about queues, so perhaps somebody else will chime in.
Re: IPv6 response connection state new,invalid
This issue also arises when I disable the mangle rules and the queue tree and use simple queue instead, which leads me to believe that this might be a bug.
Can anyone else confirm this?
Can anyone else confirm this?
Re: IPv6 response connection state new,invalid
Ive reported IPV6 connection tracking being broken with queues for a long time now.
They repeatedly told me they can't recreate the issue, buy a TP-Link instead.
They repeatedly told me they can't recreate the issue, buy a TP-Link instead.
Re: IPv6 response connection state new,invalid
I'm also having a similar issue. Maybe I'm doing something wrong, I'm a noob when it comes to ipv6.
I have a hap ac3, running 7.1.1, connection to ISP via PPPoE, running a DHCPv6 client on the pppoe interface assigns a /56 prefix. I've got multiple vlans in my LAN which work properly with ipv4. I assigned an IPv6 address from the address pool received from the ISP to the `vlan-wifi-ap` interface and configured DHCPv6 server for my wireless clients. They get an ipv6 address and all is ok. Until I add a forwarding rule in the firewall which is supposed to drop invalid packets (connection-state=invalid), but it seems it thinks a lot of traffic is invalid!
Working IPv6 config, ping from my wifi station to google works:
The firewall was more complex, but i've trimmed most rules to reproduce the issue.
And with the rule enabled:
In this case, this happens:
Is this a bug or am I doing something wrong?
I have a hap ac3, running 7.1.1, connection to ISP via PPPoE, running a DHCPv6 client on the pppoe interface assigns a /56 prefix. I've got multiple vlans in my LAN which work properly with ipv4. I assigned an IPv6 address from the address pool received from the ISP to the `vlan-wifi-ap` interface and configured DHCPv6 server for my wireless clients. They get an ipv6 address and all is ok. Until I add a forwarding rule in the firewall which is supposed to drop invalid packets (connection-state=invalid), but it seems it thinks a lot of traffic is invalid!
Working IPv6 config, ping from my wifi station to google works:
Code: Select all
# jan/09/2022 17:27:51 by RouterOS 7.1.1
# software id = TANH-DJAS
#
# model = RBD53iG-5HacD2HnD
# serial number = D96xxxxxxx
/ipv6 dhcp-server
add address-pool=rds-ipv6 interface=vlan-wifi-ap lease-time=1h name=server-wifi
/ipv6 address
add from-pool=rds-ipv6 interface=vlan-wifi-ap
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-rds pool-name=rds-ipv6 rapid-commit=no request=address,prefix
/ipv6 firewall filter
add action=accept chain=input comment="Accept related/established/untracked packets" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid packets" connection-state=invalid log=yes log-prefix="(D/invalid)"
add action=accept chain=input comment="allow DHCPv6 client" dst-port=546,547 protocol=udp
add action=accept chain=input
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid disabled=yes log=yes log-prefix="(D/fw_inval)" <---- THIS CAUSES TROUBLE AND IS DISABLED HERE
add action=accept chain=forward
/ipv6 nd
set [ find default=yes ] advertise-dns=no
add interface=vlan-lan
add interface=vlan-mgmt
add interface=vlan-wifi-ap
/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes max-neighbor-entries=8192
And with the rule enabled:
Code: Select all
# jan/09/2022 17:26:29 by RouterOS 7.1.1
# software id = TANH-DJAS
#
# model = RBD53iG-5HacD2HnD
# serial number = D96C0C077B23
/ipv6 dhcp-server
add address-pool=rds-ipv6 interface=vlan-wifi-ap lease-time=1h name=server-wifi
/ipv6 address
add from-pool=rds-ipv6 interface=vlan-wifi-ap
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-rds pool-name=rds-ipv6 rapid-commit=no request=address,prefix
/ipv6 firewall filter
add action=accept chain=input comment="Accept related/established/untracked packets" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid packets" connection-state=invalid log=yes log-prefix="(D/invalid)"
add action=accept chain=input comment="allow DHCPv6 client" dst-port=546,547 protocol=udp
add action=accept chain=input
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix="(D/fw_inval)"
add action=accept chain=forward
/ipv6 nd
set [ find default=yes ] advertise-dns=no
add interface=vlan-lan
add interface=vlan-mgmt
add interface=vlan-wifi-ap
/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes max-neighbor-entries=8192
Code: Select all
(D/fw_inval) forward: in:pppoe-rds out:vlan-wifi-ap, src-mac 40:a6:b7:xx:xx:xx, proto ICMP (type 129, code 0), 2001:4860:4860::8844->2a02:2f00:3214:f600:xxxx:xxxx:xxxx:xxxx, len 40
Re: IPv6 response connection state new,invalid
I experienced problems with IPv6 and connection tracking when using VLAN sub interfaces. When I removed the subinterface and placed the IPv6 address directly on ether3 connection tracking worked as expected.
Are you using any special interfaces like VLANs or EoIP?
Are you using any special interfaces like VLANs or EoIP?
Re: IPv6 response connection state new,invalid
Yes, I have multiple vlan interfaces defined over a bridge.I experienced problems with IPv6 and connection tracking when using VLAN sub interfaces. When I removed the subinterface and placed the IPv6 address directly on ether3 connection tracking worked as expected.
Are you using any special interfaces like VLANs or EoIP?
Re: IPv6 response connection state new,invalid
I can confirm that IPv6 Connection State tracking stops working as soon as I enable Simple Queues. It does not matter if Mangle rules are enabled or not.
Re: IPv6 response connection state new,invalid
It is a known bug in RouterOS v7. You need to downgrade e.g. to 6.49.2 to solve it for now.
Re: IPv6 response connection state new,invalid
We have reported it several times but the support continues not to take charge of the problem.
I don't know how we should do to get mikrotik support interested in the issue
I don't know how we should do to get mikrotik support interested in the issue
Re: IPv6 response connection state new,invalid
I have submitted another bug report to them. Will see...
Re: IPv6 response connection state new,invalid
"nobody ever asks for IPv6"
Re: IPv6 response connection state new,invalid
Can confirm that enabled queue (fq_codel) on interface with IPv6 address break connection tracker completely.
ROS 7.1.1 (stable), hAP ac^2
ROS 7.1.1 (stable), hAP ac^2
Who is online
Users browsing this forum: No registered users and 8 guests