IPv6 - Verizon Fios - problem

pawlisko · Sat Jul 30, 2022 4:24 am

Hi all,

So Verizon Fios just turned on IPv6 in my location, and is not working. Before that, I used HE.net 6-in-4 tunnel, and it worked without any issues.

Verizon Fios config:

/ipv6 settings set max-neighbor-entries=8192
/ipv6 dhcp-client add add-default-route=no disabled=no interface=WAN pool-name=Home-Main-DHCP-Pool-IPV6 request=prefix pool-prefix-length=56 prefix-hint=::/56 use-peer-dns=no
/ipv6 address add address=::1 from-pool=Home-Main-DHCP-Pool-IPV6 interface=LAN advertise=yes
/ipv6 firewall address-list add address=[SOMETHING] list="IPv6 Block"
/ipv6 firewall filter add action=jump chain=forward comment="jump to kid-control rules" jump-target=kid-control
[Multiple MACs of network devices at time to be blocked from using IPv6]
/ipv6 firewall filter add action=drop chain=forward comment="Drop AppleTV" src-mac-address=[Private]
/ipv6 firewall filter add action=drop chain=forward comment="IPv6 block" dst-address-list="IPv6 Block" out-interface=WAN
/ipv6 firewall filter add action=accept chain=input comment="Allow UDP" protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="Allow TCP" protocol=tcp
/ipv6 firewall filter add action=accept chain=input comment="WireGuard on MikroTik Home Network" dst-address=::1/128 dst-port=52850 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="WireGuard on MikroTik Guest Network" dst-address=::1/128 dst-port=52860 protocol=udp
/ipv6 firewall filter add chain=input action=drop connection-state=invalid comment="Drop (invalid)"
/ipv6 firewall filter add chain=input action=accept connection-state=established,related comment="Accept (established, related)"
/ipv6 firewall filter add chain=input action=accept connection-state=new in-interface=!WAN comment="Accept new"
/ipv6 firewall filter add chain=input action=accept in-interface=WAN protocol=udp src-port=547 limit=10,20:packet comment="Accept DHCP (10/sec) - server"
/ipv6 firewall filter add chain=input action=drop in-interface=WAN protocol=udp src-port=547 comment="Drop DHCP (>10/sec) - server"
/ipv6 firewall filter add chain=input action=accept in-interface=WAN protocol=udp src-port=546 limit=10,20:packet comment="Accept DHCP (10/sec) - client"
/ipv6 firewall filter add chain=input action=drop in-interface=WAN protocol=udp src-port=546 comment="Drop DHCP (>10/sec) - client"
/ipv6 firewall filter add chain=input action=accept in-interface=WAN protocol=icmpv6 limit=10,20:packet comment="Accept external ICMP (10/sec)"
/ipv6 firewall filter add chain=input action=drop in-interface=WAN protocol=icmpv6 comment="Drop external ICMP (>10/sec)"
/ipv6 firewall filter add chain=input action=accept in-interface=!WAN protocol=icmpv6 comment="Accept internal ICMP"
/ipv6 firewall filter add chain=input action=drop in-interface=WAN comment="Drop external"
/ipv6 firewall filter add chain=input action=reject comment="Reject everything else"
/ipv6 firewall filter add chain=output action=accept comment="Accept all"
/ipv6 firewall filter add chain=forward action=drop connection-state=invalid comment="Drop (invalid)"
/ipv6 firewall filter add chain=forward action=accept connection-state=established,related comment="Accept (established, related)"
/ipv6 firewall filter add chain=forward action=accept connection-state=new in-interface=!WAN comment="Accept new"
/ipv6 firewall filter add chain=forward action=accept in-interface=WAN protocol=icmpv6 limit=20,50:packet comment="Accept external ICMP (20/sec)"
/ipv6 firewall filter add chain=forward action=drop in-interface=ether1 protocol=icmpv6 comment="Drop external ICMP (>20/sec)"
/ipv6 firewall filter add chain=forward action=accept in-interface=!WAN comment="Accept internal"
/ipv6 firewall filter add chain=forward action=accept out-interface=WAN comment="Accept outgoing"
/ipv6 firewall filter add chain=forward action=drop in-interface=WAN comment="Drop external"
/ipv6 firewall filter add chain=forward action=reject comment="Reject everything else"
/ipv6 nd set [ find default=yes ] interface=LAN managed-address-configuration=yes

My previous configuration HE.net 6-to-4 was:

/ipv6 settings set max-neighbor-entries=8192
/ipv6 route add disabled=no dst-address=2000::/3 gateway=2001:470:1f06:226::1
/ipv6 address add address=2001:470:1f07:226:: interface=LAN
/ipv6 address add address=2001:470:1f06:226::2 advertise=no interface=sit1
/ipv6 firewall address-list add address=[SOMETHING] list="IPv6 Block"
/ipv6 firewall filter add action=jump chain=forward comment="jump to kid-control rules" jump-target=kid-control
[Multiple MACs of network devices at time to be blocked from using IPv6]
/ipv6 firewall filter add action=drop chain=forward comment="Drop AppleTV" src-mac-address=[Private]
/ipv6 firewall filter add action=drop chain=forward comment="IPv6 block" dst-address-list="IPv6 Block" out-interface=sit1
/ipv6 firewall filter add action=accept chain=input comment="Router Allow IPv6 ICMP" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="Router Allow IPv6 ICMP" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="Allow UDP" protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="Allow TCP" protocol=tcp
/ipv6 firewall filter add action=accept chain=forward comment="Allow any to internet" out-interface=sit1
/ipv6 firewall filter add action=accept chain=input comment="Allow established and related connections" connection-state=established,related
/ipv6 firewall filter add action=accept chain=forward comment="Allow established and related connections" connection-state=established,related
/ipv6 firewall filter add action=accept chain=input comment="WireGuard on MikroTik Home Network" dst-address=2001:470:1f06:226::2/128 dst-port=52850 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="WireGuard on MikroTik Guest Network" dst-address=2001:470:1f06:226::2/128 dst-port=52860 protocol=udp
/ipv6 firewall filter add action=drop chain=input comment="Drop everything else"
/ipv6 firewall filter add action=drop chain=forward comment="Drop everything else"
/ipv6 nd set [ find default=yes ] interface=LAN managed-address-configuration=yes

Any help is appreciated.

DNS works in both cases:

/ip dns set allow-remote-requests=yes cache-max-ttl=5m cache-size=8196KiB max-concurrent-queries=1000 max-concurrent-tcp-sessions=500 use-doh-server=https://security.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static add address=1.1.1.2 name=security.cloudflare-dns.com ttl=5m
/ip dns static add address=1.0.0.2 name=security.cloudflare-dns.com ttl=5m
/ip dns static add address=2606:4700:4700::1112 name=security.cloudflare-dns.com ttl=5m type=AAAA
/ip dns static add address=2606:4700:4700::1002 name=security.cloudflare-dns.com ttl=5m type=AAAA

Devices can get IPv6 addresses and can query DNS.

I am not able to get PING nor Tracert. I am suspecting either route issue or firewall. Probably something small.

Sob · Sat Jul 30, 2022 5:36 am

You're missing default route. This should do the trick:

/ipv6 settings set accept-router-advertisements=yes

If you have v7, it probably (I didn't test the latest one) needs restart.

pawlisko · Sat Jul 30, 2022 6:03 pm

You're missing default route. This should do the trick:
Code: Select all
/ipv6 settings set accept-router-advertisements=yes

Didn't change anything, rebooted multiple times.

Even with your settings on I tried two options

This is when there is no default route added

/ipv6 dhcp-client add add-default-route=no disabled=no interface=WAN pool-name=Home-Main-DHCP-Pool-IPV6 request=prefix pool-prefix-length=56 prefix-hint=::/56 use-peer-dns=no

Result is:

 
[admin@MikroTik] /ipv6/route> print
Flags: D - DYNAMIC; A - ACTIVE; c, d, y - COPY; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
     DST-ADDRESS                     GATEWAY               DISTANCE
DAd  2600:4040:a390:e700::/56                                     1
DAc+ 2600:4040:a390:e700::/64        LAN                          0
DAc+ 2600:4040:a390:e700::/64        LAN                          0
DAc  fe80::%WAN/64                   WAN                          0
DAc  fe80::%LAN/64                   LAN                          0
DAc  fe80::%KeepSolidVPN-Germany/64  KeepSolidVPN-Germany         0
DAc  fe80::%KeepSolidVPN-P2P/64      KeepSolidVPN-P2P             0
DAc  fe80::%KeepSolidVPN-Poland/64   KeepSolidVPN-Poland          0
DAc  fe80::%KeepSolidVPN-UK/64       KeepSolidVPN-UK              0
DAc  fe80::%ProtonVPN-Germany/64     ProtonVPN-Germany            0
DAc  fe80::%ProtonVPN-P2P/64         ProtonVPN-P2P                0
DAc  fe80::%ProtonVPN-Poland/64      ProtonVPN-Poland             0
DAc  fe80::%ProtonVPN-UK/64          ProtonVPN-UK                 0
DAc  fe80::%wg0/64                   wg0                          0
DAc  fe80::%wg1/64                   wg1                          0

This is when the default route is added

/ipv6 dhcp-client add add-default-route=yes disabled=no interface=WAN pool-name=Home-Main-DHCP-Pool-IPV6 request=prefix pool-prefix-length=56 prefix-hint=::/56 use-peer-dns=no

The result is:

[admin@MikroTik] /ipv6/route> print
Flags: D - DYNAMIC; A - ACTIVE; c, d, y - COPY; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
     DST-ADDRESS                     GATEWAY                        DISTANCE
DAd  ::/0                            fe80::2e21:72ff:fe77:5bc1%WAN         1
DAd  2600:4040:a390:e700::/56                                              1
DAc+ 2600:4040:a390:e700::/64        LAN                                   0
DAc+ 2600:4040:a390:e700::/64        LAN                                   0
DAc  fe80::%WAN/64                   WAN                                   0
DAc  fe80::%LAN/64                   LAN                                   0
DAc  fe80::%KeepSolidVPN-Germany/64  KeepSolidVPN-Germany                  0
DAc  fe80::%KeepSolidVPN-P2P/64      KeepSolidVPN-P2P                      0
DAc  fe80::%KeepSolidVPN-Poland/64   KeepSolidVPN-Poland                   0
DAc  fe80::%KeepSolidVPN-UK/64       KeepSolidVPN-UK                       0
DAc  fe80::%ProtonVPN-Germany/64     ProtonVPN-Germany                     0
DAc  fe80::%ProtonVPN-P2P/64         ProtonVPN-P2P                         0
DAc  fe80::%ProtonVPN-Poland/64      ProtonVPN-Poland                      0
DAc  fe80::%ProtonVPN-UK/64          ProtonVPN-UK                          0
DAc  fe80::%wg0/64                   wg0                                   0
DAc  fe80::%wg1/64                   wg1                                   0

Either way, this is not working.

On both occasions, /56 route is considered as "Blackhole"

Any other options I should consider?

Sob · Sat Jul 30, 2022 8:30 pm

You definitely need default route, it can't work without it. The add-default-route=yes in DHCPv6 client is a hack that adds DHCPv6 server as default gateway, which sometimes works and sometimes doesn't, because it isn't always the same machine. Correct way is to get it from RA, but there's a catch, current RouterOS won't show it even when it has it. Start with ping from router and you'll see if there's "no route to host" (= there's no default route) or not. If there isn't, then verify if there are any RAs on WAN interface coming from ISP's router. Either enable logging for "radvd" or use packet sniffer.

pawlisko · Sat Jul 30, 2022 10:54 pm

You definitely need default route, it can't work without it. The add-default-route=yes in DHCPv6 client is a hack that adds DHCPv6 server as default gateway, which sometimes works and sometimes doesn't, because it isn't always the same machine. Correct way is to get it from RA, but there's a catch, current RouterOS won't show it even when it has it. Start with ping from router and you'll see if there's "no route to host" (= there's no default route) or not. If there isn't, then verify if there are any RAs on WAN interface coming from ISP's router. Either enable logging for "radvd" or use packet sniffer.

This is from Windows computer in my network. It has proper IPv6 addressing from RA

ping -6 ipv6.google.com

Pinging ipv6.l.google.com [2607:f8b0:4006:817::200e] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 2607:f8b0:4006:817::200e:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

This is from MT.

[admin@MikroTik] > ping 2607:f8b0:4006:817::200e
  SEQ HOST                                     SIZE TTL TIME       STATUS        
    0 2607:f8b0:4006:817::200e                                     timeout       
    1 2607:f8b0:4006:817::200e                                     timeout       
    2 2607:f8b0:4006:817::200e                                     timeout       
    3 2607:f8b0:4006:817::200e                                     timeout       
    4 2607:f8b0:4006:817::200e                                     timeout       
    5 2607:f8b0:4006:817::200e                                     timeout       
    6 2607:f8b0:4006:817::200e                                     timeout       
    7 2607:f8b0:4006:817::200e                                     timeout       
    8 2607:f8b0:4006:817::200e                                     timeout       
    9 2607:f8b0:4006:817::200e                                     timeout       
   10 2607:f8b0:4006:817::200e                                     timeout       
   11 2607:f8b0:4006:817::200e                                     timeout       
    sent=12 received=0 packet-loss=100%

Advice?

Sob · Sat Jul 30, 2022 11:20 pm

Tools->Torch, check WAN interface and you should see outgoing packets. As for incoming ones, if there are no responses, you can test your address range from internet (you can use some online ping or port tester) and you should see that traffic reaching your router. If not, there could be something wrong at ISP's side. Not the first thing to assume, but not impossible.

Btw, accepting all tcp and udp in input chain is probably not what you want.

pawlisko · Sat Jul 30, 2022 11:28 pm

Tools->Torch, check WAN interface and you should see outgoing packets. As for incoming ones, if there are no responses, you can test your address range from internet (you can use some online ping or port tester) and you should see that traffic reaching your router. If not, there could be something wrong at ISP's side. Not the first thing to assume, but not impossible.

Btw, accepting all tcp and udp in input chain is probably not what you want.

This is from Log (DHCP and RADVD) - IPv6 DHCP ON to OFF

Jul/30/2022 16:17:48 dhcp,debug using recorded advertise
Jul/30/2022 16:17:48 dhcp,debug,packet send WAN -> ff02::1:2%15
Jul/30/2022 16:17:48 dhcp,debug,packet type: request
Jul/30/2022 16:17:48 dhcp,debug,packet transaction-id: 29c3f0
Jul/30/2022 16:17:48 dhcp,debug,packet  -> clientid:   00030001 dc2c6e47 207b
Jul/30/2022 16:17:48 dhcp,debug,packet  -> serverid:   00020000 05833263 3a32313a 37323a37 373a3562 3a633000 0000
Jul/30/2022 16:17:48 dhcp,debug,packet  -> elapsed_time: 0
Jul/30/2022 16:17:48 dhcp,debug,packet  -> ia_pd: 
Jul/30/2022 16:17:48 dhcp,debug,packet    t1: 3600
Jul/30/2022 16:17:48 dhcp,debug,packet    t2: 5760
Jul/30/2022 16:17:48 dhcp,debug,packet    id: 0x9
Jul/30/2022 16:17:48 dhcp,debug,packet   -> ia_prefix: 
Jul/30/2022 16:17:48 dhcp,debug,packet     prefix: 2600:4040:a392:8300::/56
Jul/30/2022 16:17:48 dhcp,debug,packet     valid time: 7200
Jul/30/2022 16:17:48 dhcp,debug,packet     pref. time: 7200
Jul/30/2022 16:17:48 dhcp,debug,packet recv client: WAN fe80::2e21:72ff:fe77:5bc1 -> fe80::de2c:6eff:fe47:2083
Jul/30/2022 16:17:48 dhcp,debug,packet type: reply
Jul/30/2022 16:17:48 dhcp,debug,packet transaction-id: 29c3f0
Jul/30/2022 16:17:48 dhcp,debug,packet  -> clientid:   00030001 dc2c6e47 207b
Jul/30/2022 16:17:48 dhcp,debug,packet  -> serverid:   00020000 05833263 3a32313a 37323a37 373a3562 3a633000 0000
Jul/30/2022 16:17:48 dhcp,debug,packet  -> ia_pd: 
Jul/30/2022 16:17:48 dhcp,debug,packet    t1: 3600
Jul/30/2022 16:17:48 dhcp,debug,packet    t2: 5760
Jul/30/2022 16:17:48 dhcp,debug,packet    id: 0x9
Jul/30/2022 16:17:48 dhcp,debug,packet   -> ia_prefix: 
Jul/30/2022 16:17:48 dhcp,debug,packet     prefix: 2600:4040:a392:8300::/56
Jul/30/2022 16:17:48 dhcp,debug,packet     valid time: 7200
Jul/30/2022 16:17:48 dhcp,debug,packet     pref. time: 7200
Jul/30/2022 16:17:48 dhcp,debug handle reply
Jul/30/2022 16:17:48 dhcp,debug ia_pd 2600:4040:a392:8300:: updating lifetime
Jul/30/2022 16:17:49 radvd,debug sending Router Advertisement on LAN
Jul/30/2022 16:17:49 radvd,debug adding link-layer address option, mac-address=DC:2C:6E:47:20:7F
Jul/30/2022 16:17:49 radvd,debug adding prefix=2600:4040:a392:8300::/64
Jul/30/2022 16:18:16 radvd,debug sending Router Advertisement on LAN
Jul/30/2022 16:18:16 radvd,debug adding link-layer address option, mac-address=DC:2C:6E:47:20:7F
Jul/30/2022 16:18:16 radvd,debug adding prefix=2600:4040:a392:8300::/64
Jul/30/2022 16:18:54 radvd,debug sending Router Advertisement on LAN
Jul/30/2022 16:18:54 radvd,debug adding link-layer address option, mac-address=DC:2C:6E:47:20:7F
Jul/30/2022 16:18:54 radvd,debug adding prefix=2600:4040:a392:8300::/64
Jul/30/2022 16:19:23 radvd,debug sending Router Advertisement on LAN
Jul/30/2022 16:19:23 radvd,debug adding link-layer address option, mac-address=DC:2C:6E:47:20:7F
Jul/30/2022 16:19:23 radvd,debug adding prefix=2600:4040:a392:8300::/64
Jul/30/2022 16:19:40 radvd,debug received Router Advertisement on unconfigured interface=WAN
Jul/30/2022 16:20:14 radvd,debug sending Router Advertisement on LAN
Jul/30/2022 16:20:14 radvd,debug adding link-layer address option, mac-address=DC:2C:6E:47:20:7F
Jul/30/2022 16:20:14 radvd,debug adding prefix=2600:4040:a392:8300::/64
Jul/30/2022 16:20:38 radvd,debug sending Router Advertisement on LAN
Jul/30/2022 16:20:38 radvd,debug adding link-layer address option, mac-address=DC:2C:6E:47:20:7F
Jul/30/2022 16:20:38 radvd,debug adding prefix=2600:4040:a392:8300::/64
Jul/30/2022 16:21:05 radvd,debug sending Router Advertisement on LAN
Jul/30/2022 16:21:05 radvd,debug adding link-layer address option, mac-address=DC:2C:6E:47:20:7F
Jul/30/2022 16:21:05 radvd,debug adding prefix=2600:4040:a392:8300::/64
Jul/30/2022 16:21:38 radvd,debug sending Router Advertisement on LAN
Jul/30/2022 16:21:38 radvd,debug adding link-layer address option, mac-address=DC:2C:6E:47:20:7F
Jul/30/2022 16:21:38 radvd,debug adding prefix=2600:4040:a392:8300::/64
Jul/30/2022 16:22:21 radvd,debug sending Router Advertisement on LAN
Jul/30/2022 16:22:21 radvd,debug adding link-layer address option, mac-address=DC:2C:6E:47:20:7F
Jul/30/2022 16:22:21 radvd,debug adding prefix=2600:4040:a392:8300::/64
Jul/30/2022 16:23:12 radvd,debug sending Router Advertisement on LAN
Jul/30/2022 16:23:12 radvd,debug adding link-layer address option, mac-address=DC:2C:6E:47:20:7F
Jul/30/2022 16:23:12 radvd,debug adding prefix=2600:4040:a392:8300::/64
Jul/30/2022 16:23:27 dhcp,debug releasing...
Jul/30/2022 16:23:27 dhcp,debug,packet send WAN -> ff02::1:2%15
Jul/30/2022 16:23:27 dhcp,debug,packet type: release
Jul/30/2022 16:23:27 dhcp,debug,packet transaction-id: 1c18b1
Jul/30/2022 16:23:27 dhcp,debug,packet  -> clientid:   00030001 dc2c6e47 207b
Jul/30/2022 16:23:27 dhcp,debug,packet  -> serverid:   00020000 05833263 3a32313a 37323a37 373a3562 3a633000 0000
Jul/30/2022 16:23:27 dhcp,debug,packet  -> elapsed_time: 0
Jul/30/2022 16:23:27 dhcp,debug,packet  -> ia_pd: 
Jul/30/2022 16:23:27 dhcp,debug,packet    t1: 1800
Jul/30/2022 16:23:27 dhcp,debug,packet    t2: 2880
Jul/30/2022 16:23:27 dhcp,debug,packet    id: 0x9
Jul/30/2022 16:23:27 dhcp,debug,packet   -> ia_prefix: 
Jul/30/2022 16:23:27 dhcp,debug,packet     prefix: 2600:4040:a392:8300::/56
Jul/30/2022 16:23:27 dhcp,debug,packet     valid time: 3600
Jul/30/2022 16:23:27 dhcp,debug,packet     pref. time: 2880

pawlisko · Sat Jul 30, 2022 11:48 pm

Tools->Torch, check WAN interface and you should see outgoing packets. As for incoming ones, if there are no responses, you can test your address range from internet (you can use some online ping or port tester) and you should see that traffic reaching your router. If not, there could be something wrong at ISP's side. Not the first thing to assume, but not impossible.

Btw, accepting all tcp and udp in input chain is probably not what you want.

Attached

pawlisko · Sun Jul 31, 2022 4:44 am

Tools->Torch, check WAN interface and you should see outgoing packets. As for incoming ones, if there are no responses, you can test your address range from internet (you can use some online ping or port tester) and you should see that traffic reaching your router. If not, there could be something wrong at ISP's side. Not the first thing to assume, but not impossible.

Btw, accepting all tcp and udp in input chain is probably not what you want.

These are connections when I tried to send ping from Router to ipv6.google.com

pawlisko · Wed Aug 03, 2022 2:07 am

OK, it seems to be Verizon's issue with routing. Several people also have issues using non-Verizon routers. Some claim that it started working with Intel NIC after turning off hardware off-load. I am using S+RJ10 SFP+ connector on RB5009 router.

I am able from time to time to go outside with IPv6, and at times, I can get my to WG server (on MT) from outside using IPv6. IPv4 works like a rock.

My current code looks like this:

/ipv6 settings set max-neighbor-entries=8192
/ipv6 settings set accept-router-advertisements=yes
/ipv6 dhcp-client add add-default-route=yes disabled=no interface=WAN pool-name=Home-Main-DHCP-Pool-IPV6 request=prefix prefix-hint=::/56 use-peer-dns=no use-interface-duid=yes
/ipv6 address add address=::1 from-pool=Home-Main-DHCP-Pool-IPV6 interface=WAN advertise=no
/ipv6 address add from-pool=Home-Main-DHCP-Pool-IPV6 interface=LAN advertise=yes
/ipv6 nd set [ find default=yes ] interface=LAN managed-address-configuration=yes
/ipv6 firewall address-list add address=::/128 comment="Wrong IPv6: unspecified address" list="Bad IPv6"
/ipv6 firewall address-list add address=::1/128 comment="Wrong IPv6: lo" list="Bad IPv6"
/ipv6 firewall address-list add address=fec0::/10 comment="Wrong IPv6: site-local" list="Bad IPv6"
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="Wrong IPv6: ipv4-mapped" list="Bad IPv6"
/ipv6 firewall address-list add address=::/96 comment="Wrong IPv6: ipv4 compat" list="Bad IPv6"
/ipv6 firewall address-list add address=100::/64 comment="Wrong IPv6: discard only " list="Bad IPv6"
/ipv6 firewall address-list add address=2001:db8::/32 comment="Wrong IPv6: documentation" list="Bad IPv6"
/ipv6 firewall address-list add address=2001:10::/28 comment="Wrong IPv6: ORCHID" list="Bad IPv6"
/ipv6 firewall address-list add address=3ffe::/16 comment="Wrong IPv6: 6bone" list="Bad IPv6"
/ipv6 firewall address-list add address=::224.0.0.0/100 comment="Wrong IPv6: other" list="Bad IPv6"
/ipv6 firewall address-list add address=::127.0.0.0/104 comment="Wrong IPv6: other" list="Bad IPv6"
/ipv6 firewall address-list add address=::/104 comment="Wrong IPv6: other" list="Bad IPv6"
/ipv6 firewall address-list add address=::255.0.0.0/104 comment="Wrong IPv6: other" list="Bad IPv6"
##Multiple IP addresses I am blocking (below is an example of the code)
/ipv6 firewall address-list add address=asshole.com comment="To block PRIVATE site" list="IPv6 Block"
/ipv6 firewall filter add chain=output action=accept comment="Accept all out of MikroTik"
/ipv6 firewall filter add chain=forward action=jump comment="jump to kid-control rules" jump-target=kid-control
##Multiple MAC addresses from inside my network I am blocking or not using IPv6 outside my network (below example of code)
/ipv6 firewall filter add chain=forward action=drop comment="Drop AppleTV" src-mac-address=PRIVATE
/ipv6 firewall filter add chain=forward action=drop comment="IPv6 block of bad IPs - destination" dst-address-list="Bad IPv6" out-interface=WAN
/ipv6 firewall filter add chain=forward action=drop comment="IPv6 block of bad IPs - source" src-address-list="Bad IPv6" out-interface=WAN
/ipv6 firewall filter add chain=forward action=drop comment="IPv6 block of streaming sites" dst-address-list="IPv6 Block" out-interface=WANthe 
/ipv6 firewall filter add chain=forward action=drop comment="RFC4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add chain=forward action=drop comment="Drop (invalid)" connection-state=invalid
/ipv6 firewall filter add chain=forward action=accept comment="Accept (established, related, untracked)" connection-state=established,related,untracked
/ipv6 firewall filter add chain=forward action=accept comment="Accept new" connection-state=new in-interface=!WAN
/ipv6 firewall filter add chain=forward action=accept comment="Accept internal" in-interface=!WAN
/ipv6 firewall filter add chain=forward action=accept comment="Accept outgoing" out-interface=WAN
/ipv6 firewall filter add chain=forward action=accept comment="Accept external ICMP (20/sec) to LAN" in-interface=WAN protocol=icmpv6 limit=20,50:packet
/ipv6 firewall filter add chain=forward action=drop comment="Drop external ICMP (>20/sec) to LAN" in-interface=WAN protocol=icmpv6
/ipv6 firewall filter add chain=forward action=accept comment="Accept HIP" protocol=139
/ipv6 firewall filter add chain=forward action=accept comment="Accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add chain=forward action=accept comment="Accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add chain=forward action=accept comment="Accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add chain=forward action=accept comment="Accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add chain=forward action=drop comment="Drop external" in-interface=WAN 
/ipv6 firewall filter add chain=forward action=drop comment="Drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add chain=forward action=reject comment="Reject everything else"
/ipv6 firewall filter add chain=input action=drop comment="Drop (invalid)" connection-state=invalid
/ipv6 firewall filter add chain=input action=accept comment="Accept (established, related, untracked)"connection-state=established,related,untracked
/ipv6 firewall filter add chain=input action=accept comment="Accept new" connection-state=new in-interface=!WAN
/ipv6 firewall filter add chain=input action=accept comment="Accept DHCP (10/sec) to MikroTik" in-interface=WAN protocol=udp src-port=547 dst-port=546 limit=10,20:packet src-address=fe80::/10
/ipv6 firewall filter add chain=input action=drop comment="Drop DHCP (>10/sec) to MikroTik" in-interface=WAN protocol=udp src-port=547 dst-port=546
/ipv6 firewall filter add chain=input action=accept comment="Accept internal ICMP" in-interface=!WAN protocol=icmpv6
/ipv6 firewall filter add chain=input action=accept comment="Accept external ICMP (10/sec) to Mikrotik" in-interface=WAN protocol=icmpv6 limit=10,20:packet
/ipv6 firewall filter add chain=input action=drop comment="Drop external ICMP (>10/sec) to MikroTik" in-interface=WAN protocol=icmpv6
/ipv6 firewall filter add chain=input action=accept comment="WireGuard on MikroTik Home Network" dst-port=52850 protocol=udp in-interface=WAN
/ipv6 firewall filter add chain=input action=accept comment="WireGuard on MikroTik Guest Network" dst-port=52860 protocol=udp in-interface=WAN
/ipv6 firewall filter add chain=input action=accept comment="Accept UDP traceroute" port=33434-33534 protocol=udp
/ipv6 firewall filter add chain=input action=accept comment="Accept IKE" dst-port=500,4500 protocol=udp disabled=yes
/ipv6 firewall filter add chain=input action=accept comment="Accept ipsec AH" protocol=ipsec-ah disabled=yes
/ipv6 firewall filter add chain=input action=accept comment="Accept ipsec ESP" protocol=ipsec-esp disabled=yes
/ipv6 firewall filter add chain=input action=accept comment="Accept all that matches ipsec policy" ipsec-policy=in,ipsec disabled=yes
/ipv6 firewall filter add chain=input action=drop comment="Drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add chain=input action=drop comment="Drop external" in-interface=WAN
/ipv6 firewall filter add chain=input action=reject comment="Reject everything else"

I am allowing IKEv2 from inside of my network just in case mobile phones will move from IPv4 to IPv6 for WiFi calling.

Can someone check if my firewall rules make sense? Did I forget about something? Have I not added something important?
Thanks in advance

pawlisko · Fri Aug 05, 2022 7:20 pm

It is working.

Verion FiOS issues with routing.

Thanks

superpaul · Thu Sep 15, 2022 4:30 am

Hi @pawlisko,

I'm in central NJ and have been wrestling with this for a few days now. Are you able to ping6 from clients within your LAN with your configuration? I (think I'm) getting the ipv6 address. I've followed your settings for the most part. I can ping v6 from the router, but not from within my LAN (web based ipv6 tests fail as well), and I'm not sure what (if anything) I'm doing differently. I've tried everything I can think of. Disabling all the firewall rules. Reboots. You can find my config below with the firewall rules removed for brevity.

/ipv6 address
add from-pool=FIOS-ipv6-pool interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=ether1-WAN pool-name=FIOS-ipv6-pool prefix-hint=::/56 request=prefix use-interface-duid=yes use-peer-dns=no
/ipv6 nd
set [ find default=yes ] hop-limit=64 interface=bridge
/ipv6 settings
set accept-router-advertisements=yes max-neighbor-entries=8192

Hoping you can point me in the right direction. Thanks!

DudeBeFishing · Sat Aug 05, 2023 10:09 am

Old thread, but I think I'm having the same issue. I can ping one of Verizon's routers, but can't ping beyond that. I restarted the router a few times. Prefix stays the same.
I'm guessing this is a routing issue on Verizon's end. Just want to confirm before contacting them. I'm also from central NJ.

I have tested Hurricane Electric IPv6 Tunnel and it works, so I don't think it's a firewall config issue.
I can list it if needed. It's basically the Advanced Firewall in the Mikrotik documentation, except all ICMP is currently allowed.

Current Config.

/ipv6 dhcp-server
add address-pool=ipv6-pool interface=bridge1 name=server1
/ipv6 settings
set accept-router-advertisements=yes max-neighbor-entries=4096
/ipv6 address
add address=::1 from-pool=ipv6-pool interface=bridge1
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=ipv6-pool request=prefix
/ipv6 nd
set [ find default=yes ] hop-limit=64 interface=bridge1 managed-address-configuration=yes other-configuration=yes

Trace to ipv6.google.com. Edited out prefix.

1    <1 ms    <1 ms    <1 ms  2600:4040:e138:xxxx::1
2     *        *        *     Request timed out.
3     4 ms     *        *     2600:4000:1:222::e2
4     *        *        *     Request timed out.
5     *        *        *     Request timed out.
6     *        *        *     Request timed out.
7     *        *        *     Request timed out.

Kentzo · Sat Aug 05, 2023 10:49 pm

What's your IPv6 routing table looks like? Try `add-default-route=no` and `/ipv6/nd add advertise-dns=no interface=ether1 ra-lifetime=none ra-preference=low reachable-time=5m`

IIRC, RouterOS's DHCPv6 Server cannot allocate non-temporary addresses and does prefix delegation only. Your configuration of the dhcp-server and managed-address-configuration=yes on bridge might not do what you expect.

DudeBeFishing · Tue Aug 08, 2023 4:41 am

You're right, the DHCv6 server does not do I what I expect. I disabled it since it's not needed. I'm still learning IPv6.

Here's the routes with my original configuration, with DHCPv6 Server Disabled.

And here's the routes with your suggested changes.

With 'add-default-route=yes', I can ping the first verizon hop, but it does not go further. With 'add-default-route=no', I cannot ping outside the router. Windows and the router itself have the same trace route.

Btw, this is a CCR2004-16G-2S+, RouterOS 7.10, Firmware 7.10.

Kentzo · Tue Aug 08, 2023 5:04 am

There is one caveat that after you follow my advice you might need to reboot the router. There is a time delay before new settings kick in since, AFAIK, RouterOS passively waits for upstream router to advertise itself (happens periodically, known as Router Advertisement). Reboot seems to trigger RouterOS to actively request upstream router (known as Router Solicitation).

tl;dr; please retry my settings and reboot.

DudeBeFishing · Tue Aug 08, 2023 8:39 am

Rebooted. Waited 20 minutes just in case. Same issue as having default route checked in. The ::/0 route came back. I still cannot ping beyond the second hop, 2600:4000:1:222::e2.

Kentzo · Tue Aug 08, 2023 6:42 pm

Rebooted. Waited 20 minutes just in case. Same issue as having default route checked in. The ::/0 route came back. I still cannot ping beyond the second hop, 2600:4000:1:222::e2.

Just to confirm, does the current list of routes on the screenshot correspond to my advice?

Overall it seems like IPv6 is functioning on your side, at least on your router.
Have you tried contacting Verizon support? You can tell them that per traceroute packets are being dropped inside their network and then give them IPv6 of these 2 devices you can reach.

DudeBeFishing · Thu Aug 10, 2023 12:28 am

I'll contact them. I just wanted to be sure it wasn't on my end since I'm using my own router. ISPs can be a pain when you don't use their equipment.

Kentzo · Thu Aug 10, 2023 1:07 am

Before you do, can you post /ipv6/address? Need to make sure your router got non link-local address which is necessary for routing when making requests that originate from the router. You can hide last half of the addresses.

Did your hosts configure addresses on themselves within the delegated prefix?

DudeBeFishing · Thu Aug 10, 2023 11:07 pm

Here's the Routes and IPs. My hosts do assign an address with the delegated prefix.

The sit1 is from testing Hurricane Electric's tunnel. That seems to work fine using their example config.

Kentzo · Thu Aug 10, 2023 11:20 pm

I see only a link-local address on ether1. Packets that originate from Router itself won't reach WAN, the 2 hops you see via traceroute are on the same link as ether1.

Looks like you need to modify dhcp-client config: "request=prefix" -> "request=address,prefix". Note that once you ensure that Router itself can reach WAN, I suggest to change it back.

DudeBeFishing · Fri Aug 11, 2023 8:13 am

Checking in Address causes the DHCP client to get stuck at "Searching..." status.

Kentzo · Fri Aug 11, 2023 8:35 am

Perhaps they expect you to allocate an IPv6 address on ether1 from the delegated prefix? But I'm not sure if RouterOS supports this configuration (DHCPv6 client need to send OPTION_PD_EXCLUDE to the upstream DHCPv6 server).

But before we explore this option, with current configuration, where hosts obtain IPv6 addresses within the delegated prefix via SLAAC, what is the traceroute, where does it break? Please attach full traceroute output, including what address it uses as source and destination (you can hide most of the source address, only need to see the first field). Please also disable IPv6 firewall for the test, to make sure it's not affecting ICMPv6 from hosts to WAN.

DudeBeFishing · Fri Aug 11, 2023 9:24 am

The ipv6 addresses assigned to my desktop and laptop match the prefix. Both have the same traceroute output. The first hop is the address assigned to the bridge. The next two hops appear to be out on the wan.

The 3rd hop changes randomly. Sometimes it ends in ::e0, sometimes in ::e2.

Tracing route to ipv6.l.google.com [2607:f8b0:4006:81f::200e]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  2600:4040:e1XX:XXXX::1
  2     7 ms     8 ms     4 ms  2600:4040:e130::1
  3     7 ms     7 ms     7 ms  2600:4000:1:222::e2
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.  
  
Tracing route to ipv6.l.google.com [2607:f8b0:4006:823::200e]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  2600:4040:e1XX:XXXX::1
  2     6 ms    10 ms     8 ms  2600:4040:e130::1
  3    11 ms    15 ms    16 ms  2600:4000:1:222::e0
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.

Kentzo · Fri Aug 11, 2023 9:48 am

Then I'd say something is wrong on FiOS side. Perhaps it's related to why GUA is not being allocated for your ether1 interface by neither DHCPv6 server nor RA.

IPv6 - Verizon Fios - problem [SOLVED]

IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem [SOLVED]

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem

Re: IPv6 - Verizon Fios - problem