NSSR
Topic Author

IPv6 traffic not routed

Fri Apr 30, 2010 12:39 am

Hi community,

yesterday my ROS 4.6 drove me crazy:
It filtered IPv6 traffic on a bridged interface. So I updated to 4.8, but it didn't solve my problem. So I removed the bridge and did all the configuration absolutely right, but it doesn't route IPv6 traffic anymore. The router itself can ping global destinations, but no host behind the router can. A traceroute goes to the router but then ends without success. The firewall has a rule which allows all packets to be forwarded on any interface.

Any ideas?

Best regards
Stefan
 
Lev

Re: IPv6 traffic not routed

Fri Apr 30, 2010 8:33 am

Can you post router config and how network is set up?

Edit: I was tired and forgot that IPv6 does not need NAT.
Last edited by Lev on Fri Apr 30, 2010 11:11 pm, edited 1 time in total.
 
NSSR
Topic Author

Re: IPv6 traffic not routed

Fri Apr 30, 2010 10:46 am

OK, here is my config:

And now the important thing: I can see a ping running to a global destination through R2 and R1, and the answer coming back from R1, but not on R2.

--GLOBAL--|<--CISCO-->|<--R1-->|<--R2-->|<--int. Host-->

R1 and R2 are two MikroTik RB450G routers with the same OS, v4.8.

Here are the addresses of R1:
/ipv6 address
add address=2a01:138:9003::20/64 advertise=no comment="" disabled=no eui-64=no interface=eth01_WAN
add address=2a01:138:9003:10::1/64 advertise=yes comment="" disabled=no eui-64=no interface=bridge01_DMZ

Here is the firewall of R1:
/ipv6 firewall filter
add action=log chain=forward comment="" disabled=no log-prefix=IPv6_diag
add action=accept chain=input comment="" disabled=no protocol=icmpv6
add action=accept chain=input comment="" disabled=no src-address-list=TRUSTED-IPv6
add action=drop chain=input comment="" disabled=no
add action=accept chain=output comment="" disabled=no protocol=icmpv6
add action=accept chain=forward comment="" disabled=no protocol=icmpv6
add action=accept chain=forward comment="" disabled=no protocol=ipsec-esp
add action=accept chain=forward comment="" disabled=no src-address-list=TRUSTED-IPv6
add action=drop chain=forward comment="" connection-state=invalid disabled=no
add action=accept chain=forward comment="" connection-state=established disabled=no
add action=accept chain=forward comment="" connection-state=related disabled=no
add action=accept chain=forward comment="" disabled=no in-interface=bridge01_DMZ
add action=log chain=forward comment="" disabled=no log-prefix=LOG_before_DROP
add action=drop chain=forward comment="temp. disabled" disabled=yes

Here are the addresses of R2:
/ipv6 address
add address=2a01:138:9003:10::2/64 advertise=no comment="" disabled=no eui-64=no interface=eth01_WAN
add address=2a01:138:9003:18::1/64 advertise=no comment="" disabled=no eui-64=no interface=eth04_LAN2_WIN-HyperV1
add address=fe80::1/64 advertise=no comment="" disabled=no eui-64=no interface=eth04_LAN2_WIN-HyperV1

Here is the firewall of R2:
/ipv6 firewall filter
add action=log chain=forward comment="" disabled=no log-prefix=IPv6_diag
add action=accept chain=forward comment="" disabled=no in-interface=eth04_LAN2_WIN-HyperV1
add action=accept chain=input comment="" disabled=no protocol=icmpv6
add action=accept chain=input comment="" disabled=no src-address-list=TRUSTED-IPv6
add action=drop chain=input comment="" disabled=no
add action=accept chain=forward comment="" disabled=no src-address-list=TRUSTED-IPv6
add action=accept chain=output comment="" disabled=no protocol=icmpv6
add action=accept chain=forward comment="" disabled=no protocol=icmpv6
add action=accept chain=forward comment="" disabled=no protocol=ipsec-esp
add action=drop chain=forward comment="" connection-state=invalid disabled=no
add action=accept chain=forward comment="" connection-state=established disabled=no
add action=accept chain=forward comment="" connection-state=related disabled=no
add action=log chain=forward comment="" disabled=no log-prefix=IPv6_before_DROP
add action=drop chain=forward comment="temp. disabled" disabled=yes

I need to have this fixed really urgently, because MS Active Directory isn't replicating anymore.

Hopefully
Stefan
 
Lev

Re: IPv6 traffic not routed

Fri Apr 30, 2010 11:47 pm

Try this:
/ipv6 firewall filter
add chain=forward in-interface=eth04_LAN2_WIN-HyperV1 action=accept disabled=no comment="Allow local lan"
add chain=forward src-address-list=TRUSTED-IPv6 action=accept disabled=no comment="Route trusted hosts"
add chain=forward protocol=icmpv6 action=accept disabled=no comment="Route pings"
add chain=forward protocol=ipsec-esp action=accept disabled=no comment="Route VPN"
add chain=forward connection-state=established action=accept disabled=no comment="Allow existing connections"
add chain=forward connection-state=related action=accept disabled=no comment="Allow related connections"
add chain=forward connection-state=invalid action=jump jump-target=drop disabled=no comment="drop invalid connections"
add chain=input protocol=icmpv6 action=accept disabled=no comment="Allow icmpv6"
add chain=input src-address-list=TRUSTED-IPv6 action=accept disabled=no comment="Allow trusted hosts"
add chain=input action=jump jump-target=drop disabled=no comment="We jump to drop chain"
add chain=drop action=log disabled=no comment="Temp logging for debugging"
add chain=drop action=drop disabled=yes log-prefix=IPv6-DROP comment="Enable when not logging legitimate traffic"
You add what is needed for each router in the right chains, above the jumps.

I do not have time to test in the lab, but it should work. Disable all firewall chains but drop first (it only logs at first; turn on the real drop when it is working) and see what is logged. Modify from there.
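
The following is an added example, not code from Lev's post, from the thread author, or from RouterOS: a small Python model of RouterOS first-match firewall evaluation, fed with Lev's proposed ruleset verbatim (the parser accepts the R2 listing earlier in the thread in the same `add key=value` form). It checks what the forward and input chains do with a few constructed packets while the drop chain's drop rule is still disabled, the state Lev suggests debugging in. Only the matchers used on this page are modelled (in-interface, protocol, connection-state, src-address-list); the `Packet` class, the sample packets and the `HARDENED_RULES` variant are assumptions made here.

```python
"""Added example (not code from the thread or from RouterOS): a minimal model of
RouterOS first-match firewall evaluation, fed with Lev's proposed IPv6 ruleset
verbatim, to check what the chains do while the drop rule is still disabled.
Assumptions: only the matchers used on this page are modelled (in-interface,
protocol, connection-state, src-address-list); the sample packets and the
HARDENED_RULES variant are constructed here, not taken from the thread."""
import shlex
from dataclasses import dataclass

# Lev's ruleset, copied from his post above.
LEV_RULES = """
add chain=forward in-interface=eth04_LAN2_WIN-HyperV1 action=accept disabled=no comment="Allow local lan"
add chain=forward src-address-list=TRUSTED-IPv6 action=accept disabled=no comment="Route trusted hosts"
add chain=forward protocol=icmpv6 action=accept disabled=no comment="Route pings"
add chain=forward protocol=ipsec-esp action=accept disabled=no comment="Route VPN"
add chain=forward connection-state=established action=accept disabled=no comment="Allow existing connections"
add chain=forward connection-state=related action=accept disabled=no comment="Allow related connections"
add chain=forward connection-state=invalid action=jump jump-target=drop disabled=no comment="drop invalid connections"
add chain=input protocol=icmpv6 action=accept disabled=no comment="Allow icmpv6"
add chain=input src-address-list=TRUSTED-IPv6 action=accept disabled=no comment="Allow trusted hosts"
add chain=input action=jump jump-target=drop disabled=no comment="We jump to drop chain"
add chain=drop action=log disabled=no comment="Temp logging for debugging"
add chain=drop action=drop disabled=yes log-prefix=IPv6-DROP comment="Enable when not logging legitimate traffic"
"""

# Constructed variant (assumption, not from the thread): the drop chain's drop is
# enabled and the forward chain ends with an explicit jump to it, so unmatched
# traffic is dropped instead of falling through to RouterOS's default accept.
HARDENED_RULES = LEV_RULES.replace(
    "add chain=drop action=drop disabled=yes", "add chain=drop action=drop disabled=no"
) + 'add chain=forward action=jump jump-target=drop comment="default deny"\n'


def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted comments intact."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules


@dataclass(frozen=True)
class Packet:
    in_interface: str
    protocol: str           # tcp, udp, icmpv6, ipsec-esp, ...
    connection_state: str   # new, established, related, invalid
    address_lists: frozenset = frozenset()  # address lists the source is on


def matches(rule, pkt):
    """A rule matches when every matcher it sets agrees with the packet."""
    return (
        rule.get("in-interface") in (None, pkt.in_interface)
        and rule.get("protocol") in (None, pkt.protocol)
        and rule.get("connection-state") in (None, pkt.connection_state)
        and (rule.get("src-address-list") is None
             or rule["src-address-list"] in pkt.address_lists)
    )


def run_chain(rules, chain, pkt, log):
    """First-match walk of one chain. Returns 'accept' or 'drop', or None when
    the chain ends without a terminating action (after a jump, evaluation then
    resumes in the calling chain; at the end of a built-in chain the default
    policy, accept, applies)."""
    for rule in rules:
        if rule["chain"] != chain or rule.get("disabled") == "yes" or not matches(rule, pkt):
            continue
        action = rule["action"]
        if action == "log":                     # non-terminating
            log.append((chain, rule.get("log-prefix", ""), rule.get("comment", "")))
        elif action in ("accept", "drop"):
            return action
        elif action == "jump":
            result = run_chain(rules, rule["jump-target"], pkt, log)
            if result is not None:
                return result
    return None


def verdict(rule_text, chain, pkt):
    """Final verdict for a packet entering a built-in chain, plus the log entries."""
    log = []
    result = run_chain(parse_rules(rule_text), chain, pkt, log) or "accept"
    return result, log


if __name__ == "__main__":
    # Constructed packets: an unsolicited TCP SYN from the Internet arriving on
    # R2's WAN port, and one of the Hyper-V host's own outbound connections.
    wan_new = Packet("eth01_WAN", "tcp", "new")
    lan_new = Packet("eth04_LAN2_WIN-HyperV1", "tcp", "new")
    for name, rules in (("Lev's rules", LEV_RULES), ("hardened", HARDENED_RULES)):
        for chain in ("forward", "input"):
            print(f"{name:12} {chain:8} WAN->new: {verdict(rules, chain, wan_new)[0]}")
        print(f"{name:12} forward  LAN->new: {verdict(rules, 'forward', lan_new)[0]}")
```

With Lev's rules as posted, an unsolicited new connection from the WAN is accepted by both the forward chain (no rule matches it, and the chain ends without a terminating action) and the input chain (the jump lands in the drop chain, which only logs while its drop rule is disabled, so evaluation returns and input also falls through). Since this is IPv6 with no NAT, that means every host on 2a01:138:9003:18::/64 and R2 itself are reachable from the Internet for as long as the drop stays disabled; the AD and Hyper-V host behind R2 is one of those hosts. Re-enable the drop rule, and give the forward chain a terminal jump to the drop chain as in the hardened variant, as soon as the logs show no legitimate traffic being caught.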
 
NSSR
Topic Author

Re: IPv6 traffic not routed

Mon May 03, 2010 12:20 am

Hi Lev,

that worked. But now my IPv6 DirectAccess doesn't work anymore. But this could be an MS-related problem.

Thanks for your help - I reconstructed my rules to fit your example.

Best regards

Stefan