Community discussions

MikroTik App
  4. RouterOS
  5. RouterOS beta

IPv6 forwarding not working in 7.1beta6

Post Reply
 
robertpenz
Member Candidate
Member Candidate
Topic Author
Posts: 104
Joined: Mon Oct 10, 2011 8:41 am

IPv6 forwarding not working in 7.1beta6

Sun May 23, 2021 1:41 pm

Hi!

UPDATE: IPv6 forwarding is not working at all - does not matter if I add 2 vlans and I try to ping between them or the below setup. The counters of the ipv6 firewall rules are not incremented (also the invalid drop rules. I've also disabled all queues - so that can't also be the problem.

I was running following on 6.x without problems
Code: Select all
/interface pppoe-client add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=60 name=pppoeDslInternet
/ipv6 dhcp-client add interface=pppoeDslInternet pool-name=poolIPv6ppp request=prefix use-peer-dns=no
/ipv6 address add address=::1 from-pool=poolIPv6ppp interface=vlanInternal
With 7.1beta6 I've the problem that the IPv6 traffic from the clients are not forwarded into pppoeDslInternet - I see the traffic in the sniffer on the vlanInternal going to the router but no going out on pppoeDslInternet. The routing table looks like this:
Code: Select all
> /ipv6/route/print 
Flags: D - DYNAMIC; I - INACTIVE, A - ACTIVE; c - CONNECT, d - DHCP, v - VPN, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
        DST-ADDRESS                         GATEWAY                   D
  DAv   ::/0                                pppoeDslInternet          1
  DAd   xxxx:xxxx:xxxx:5f60::/60                                      1
  DAc   xxxx:xxxx:xxxx:5f61::/64            vlanInternal              0
Forwarding is enabled:
Code: Select all
/ipv6 settings set accept-router-advertisements=no max-neighbor-entries=1024
I've no bridge configured on the router (/interface/bridge/export is empty), the vlan is directly attached to the interface
Code: Select all
/interface vlan add interface=ether2 name=vlanInternal vlan-id=1
Also I can ping the ::1 on vlanInternal from the Internet, so IPv6 itself works. Also the firewall allows all packages origin from the internal network into the internet.
Code: Select all
/ipv6 firewall filter
add action=log chain=forward log=yes
add action=accept chain=forward comment="just the answer packets --> pass" connection-state=established
add action=accept chain=forward comment="just the answer packets --> pass" connection-state=related
add action=accept chain=forward comment="from our secure internal network --> pass" in-interface=vlanInternal
ps: I've tried disabling/enabling ipv6 as a workaround, but it did not help.

Any help is welcome!



Regard,
Robert
Last edited by robertpenz on Sun May 23, 2021 8:27 pm, edited 1 time in total.
Top
 
robertpenz
Member Candidate
Member Candidate
Topic Author
Posts: 104
Joined: Mon Oct 10, 2011 8:41 am

Re: IPv6 forwarding not working in 7.1beta6

Sun May 23, 2021 8:24 pm

Downgrade to 7.1beta4 makes ping working, but TCP traffic is still not forwarded.
Last edited by robertpenz on Thu May 27, 2021 8:10 pm, edited 1 time in total.
Top
 
aliclubb
newbie
Posts: 26
Joined: Tue Mar 07, 2017 12:29 pm
Location: Cambridge, UK

Re: IPv6 forwarding not working in 7.1beta6

Tue May 25, 2021 4:32 pm

From my testing, the issue is with IPv6 connection tracking being broken for the forward chain. Input chain appears to be fine with connection tracking.
Top
 
noradtux
newbie
Posts: 39
Joined: Mon May 24, 2021 6:33 pm

Re: IPv6 forwarding not working in 7.1beta6

Tue May 25, 2021 8:34 pm

Strange, works fine for me.
Top
 
User avatar
StubArea51
Trainer
Trainer
Posts: 1742
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net
Contact:
Contact StubArea51

Re: IPv6 forwarding not working in 7.1beta6

Tue May 25, 2021 8:41 pm

Strange, works fine for me.
What hw platform are you using or is it CHR?
Top
 
robertpenz
Member Candidate
Member Candidate
Topic Author
Posts: 104
Joined: Mon Oct 10, 2011 8:41 am

Re: IPv6 forwarding not working in 7.1beta6

Wed May 26, 2021 8:37 am

I'm running a hEX (model: RB750Gr3) - I don't believe it's a connection tracking issue as I don't see matches on the "invalid" rule also. And yes input is working, just forward not.
Top
 
noradtux
newbie
Posts: 39
Joined: Mon May 24, 2021 6:33 pm

Re: IPv6 forwarding not working in 7.1beta6

Thu Jun 03, 2021 10:45 am

Strange, works fine for me.
What hw platform are you using or is it CHR?
I use an RB4011. I have found an issue with v6 on my system, though. After reboot it seems I cannot get data forwarded through my wireguard interfaces. Doing an export of /ipv6/firewall/filter, removing all entries and then reapplying the export seems to help, though. Didn't have time to investigate any further.
Top
 
robertpenz
Member Candidate
Member Candidate
Topic Author
Posts: 104
Joined: Mon Oct 10, 2011 8:41 am

Re: IPv6 forwarding not working in 7.1beta6

Tue Jun 08, 2021 9:07 pm

Thx for the tip - at least for beta4 that also worked for me ... deleted all ipv6 firewall rules and it started working and kept working after appling them again - at least for the last few minutes.
Top
 
volkirik
Member Candidate
Member Candidate
Posts: 212
Joined: Sat Jul 23, 2016 2:03 pm

Re: IPv6 forwarding not working in 7.1beta6

Mon Jul 12, 2021 8:47 pm

bug exists on my rb4011 with 7.1beta6...

I rolled-back to 6.49beta54 until v7.1 ipv6 bugfix becomes available.

cleaning firewall rules and then re-importing didnt help. all TCP connections become untracked and invalid on 7.1beta6
Top
 
Cablenut9
Long time Member
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: IPv6 forwarding not working in 7.1beta6

Mon Jul 12, 2021 9:23 pm

7.1beta6 is super buggy on the RB4011, so good thing you made that downgrade.
Top
 
volkirik
Member Candidate
Member Candidate
Posts: 212
Joined: Sat Jul 23, 2016 2:03 pm

Re: IPv6 forwarding not working in 7.1beta6

Mon Jul 12, 2021 9:55 pm

Thank you for your response. Yes lots of bugs to fix, it seems.
7.1beta6 is super buggy on the RB4011, so good thing you made that downgrade.
Top
 
mducharme
Trainer
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IPv6 forwarding not working in 7.1beta6

Tue Jul 13, 2021 6:42 am

The issues that I have with the RB4011 and IPv6 are to do with missing link-local addresses. When the router first boots, I get link-local IPv6 addresses for some interfaces, but not the bridge. Without this, the hosts on the bridge cannot get connectivity to the Internet. Disabling IPv6 through IPv6->Settings, and immediately re-enabling it, causes the missing link-local to be applied to "bridge" and the other interfaces that are missing the link-local.
Top
 
robertpenz
Member Candidate
Member Candidate
Topic Author
Posts: 104
Joined: Mon Oct 10, 2011 8:41 am

Re: IPv6 forwarding not working in 7.1beta6

Tue Jul 13, 2021 8:32 am

I don't have a bridge on my setup, everything is routed. So these seem to be separated problems.
Top
 
Foxeh
just joined
Posts: 10
Joined: Mon Oct 05, 2015 12:42 pm

Re: IPv6 forwarding not working in 7.1beta6

Fri Jul 16, 2021 8:49 am

agreed.
951G-2HnD 7.1 beta6 after reboot doesn't have IPv6 in the bridge. Re enabling IPv6 in settings resolve that.
Top
 
hacky
just joined
Posts: 3
Joined: Thu Nov 25, 2021 4:25 pm

Re: IPv6 forwarding not working in 7.1beta6

Thu Nov 25, 2021 4:36 pm

Having issues with IPv6 in 7.1beta6+ as well.

7.1 beta4 works fine. Tested on 750G r3.

I'm using the following configuration which works fine with 7.1 beta4, but RA seems not to be working with 7.1 beta6 and later. Clients do not get any IPv6 assigned from the pool.
Strange thing is I had this problem before on RouterOS 6.48 or 6.49 stable as well and I had to switch to long-term branch in order to have it functional. So I suspect it may be regression ("ported features and fixes introduced in v6.49" in the beta6 changelog).

Is there something wrong or unusual in my configuration? I receive /56 IPv6 pool from my DSL provider and use Mikrotik's RA to distribute IPv6 to the devices on the network...
I'm happy to provide more info if you find it useful.
Code: Select all
[admin@MikroTik] /ipv6> export 
# nov/25/2021 15:30:03 by RouterOS 7.1beta4
#
# model = RouterBOARD 750G r3
/ipv6 dhcp-server
add disabled=yes interface="VDSL" name=ipv6
/ipv6 address
add from-pool=ppp-ipv6-pool interface=bridge no-dad=yes
/ipv6 dhcp-client
add add-default-route=yes interface="VDSL" pool-name=ppp-ipv6-pool pool-prefix-length=56 prefix-hint=::/56 request=prefix use-peer-dns=no
/ipv6 firewall filter
add chain=input comment="Router - Allow IPv6 ICMP" protocol=icmpv6
add chain=input comment="Router - Accept established connections" connection-state=established
add chain=input comment="Router - Accept related connections" connection-state=related
add action=drop chain=input comment="Router - Drop invalid connections" connection-state=invalid
add chain=input comment="Router- UDP" dst-port=546 protocol=udp src-address=fe80::/64
add action=drop chain=input comment="Router - Drop other traffic"
add action=drop chain=forward comment="LAN - Drop invalid Connections" connection-state=invalid
add chain=forward comment="LAN - Accept ICMPv6 " protocol=icmpv6
add chain=forward comment="LAN - Accept established Connections" connection-state=established
add chain=forward comment="LAN - Accept related connections" connection-state=related
add action=log chain=forward comment="LAN - Log everything else" disabled=yes log-prefix="Log IPv6"
add action=drop chain=forward comment="LAN - Drop everything else" connection-state=new in-interface="VDSL"
/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ipv6 nd
set [ find default=yes ] advertise-dns=no interface=bridge
/ipv6 settings
set accept-redirects=no
[admin@MikroTik] /ipv6>
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12578
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPv6 forwarding not working in 7.1beta6

Fri Nov 26, 2021 7:21 am

Set prefix-length to 64 on DHCP client. This property sets the prefix length as used when IPv6 address is assigned and has nothing to do with requesting pool from ISP (the prefix-hint is for that).
Top
 
hacky
just joined
Posts: 3
Joined: Thu Nov 25, 2021 4:25 pm

Re: IPv6 forwarding not working in 7.1beta6

Fri Nov 26, 2021 12:55 pm

Set prefix-length to 64 on DHCP client. This property sets the prefix length as used when IPv6 address is assigned and has nothing to do with requesting pool from ISP (the prefix-hint is for that).
Thank you for your response!
Changed it to 64, updated to latest 7.1rc7 and clients do get IPv6, but the traffic does not go though on IPv6. So I guess I'm facing this IPv6 forward issue. I've also tried disabling and enabling IPv6 in the IPv6->settings, but no dice. Even the ping6 does no go though.

edit: once I've downgraded back to 7.1beta4 it immediately started to work again. Without any configuration changes. It works with either prefix-length 64 and even 56. So for me it seems like the forwarding is indeed broken in the later revisions of 7.1 (and I still believe it's something with merging 6.49 features in the beta6, because I had same issue on the 6.48 or 6.49 - can't remember the exact version now).
Top
 
User avatar
Znevna
Forum Guru
Forum Guru
Posts: 1350
Joined: Mon Sep 23, 2019 1:04 pm

Re: IPv6 forwarding not working in 7.1beta6

Fri Nov 26, 2021 1:12 pm

Are you sure your issue isn't related to this? viewtopic.php?t=177800#p874200
Top
 
hacky
just joined
Posts: 3
Joined: Thu Nov 25, 2021 4:25 pm

Re: IPv6 forwarding not working in 7.1beta6

Fri Nov 26, 2021 1:58 pm

Are you sure your issue isn't related to this? viewtopic.php?t=177800#p874200
Thank you very much! This fixed it. Removed add-default-route from the DHCPv6 client, upgraded to rc7 and it now works like a charm.

It's quite strange that it worked long time with default route from the DHCPv6 client.
Top
 
lightbulb703
just joined
Posts: 1
Joined: Thu Dec 30, 2021 12:41 am

Re: IPv6 forwarding not working in 7.1beta6

Thu Dec 30, 2021 12:57 am

I had this issue in v7.1.1 (stable). Maybe this will help someone else. I set up a rule in the Mangle table to mark packets in the prerouting chain for new connections coming from Global Addresses on the LAN (using an address list dynamically updated when DHCPv6-Client renews) and then excluding those packets from invalid drops (add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid packet-mark=!ipv6-packet-from-LAN) in the forward chain in the Filter table:
Code: Select all
/ipv6 firewall address-list
add address=2001:db8::/56 comment=ipv6pool list=globalallowed
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=\
    fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid packet-mark=!ipv6-packet-from-LAN
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall mangle
add action=mark-packet chain=prerouting connection-state=new in-interface-list=LAN new-packet-mark=ipv6-packet-from-LAN \
    passthrough=yes src-address-list=globalallowed
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
Top
 
brotherdust
Member Candidate
Member Candidate
Posts: 130
Joined: Tue Jun 05, 2007 1:31 am

Re: IPv6 forwarding not working in 7.1beta6

Fri Jan 07, 2022 12:40 am

I had this issue in v7.1.1 (stable). Maybe this will help someone else. I set up a rule in the Mangle table to mark packets in the prerouting chain for new connections coming from Global Addresses on the LAN (using an address list dynamically updated when DHCPv6-Client renews) and then excluding those packets from invalid drops (add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid packet-mark=!ipv6-packet-from-LAN) in the forward chain in the Filter table:
Code: Select all
/ipv6 firewall address-list
add address=2001:db8::/56 comment=ipv6pool list=globalallowed
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=\
    fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid packet-mark=!ipv6-packet-from-LAN
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall mangle
add action=mark-packet chain=prerouting connection-state=new in-interface-list=LAN new-packet-mark=ipv6-packet-from-LAN \
    passthrough=yes src-address-list=globalallowed
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
Thank you for posting this workaround. The IPv6 connection tracking table in RouterOS 7 seems kinda wonky to me. I found out that enabling a simple queue will cause IPv6 connection tracking to stop
Top
 
kissarmy
just joined
Posts: 1
Joined: Mon Jun 06, 2011 7:04 pm

Re: IPv6 forwarding not working in 7.1beta6

Fri Feb 18, 2022 5:58 pm

Hi,
it works for me. I disable all "Simply queues" rules in Queues and disable "Other Configuration" in IPv6 - ND. "Other Configuration" in IPv6 - ND make a lot of packets for WAN port for me.
2022-02-18_16.53.32.png
2022-02-18_16.53.15.png
You do not have the required permissions to view the files attached to this post.
Top
Post Reply

Who is online

Users browsing this forum: No registered users and 13 guests
  4. RouterOS
  5. RouterOS beta