IPv6 issues: v6 only for a few address blocks, v4 otherwise (2024)

Hi, trying to get ipv6 working at home with mixed results.

IPv6 access seems to mess up my web browsing and apps, but I need to connect to prefixes on three ASs that are ipv6.

I’m stumped trying to expose three ipv6 prefixes to a local VLAN. My v6 upstream is HE.net/tunnelbroker.net

- I’m getting a SLAAC address and a default ipv6 route on my laptop
- Wireshark shows router advertisements with my IPv6 prefixes (if I mess with on-link, I even see them in my laptop routing table)
- I can ping my router link-local address from a host on the LAN
- I can ping global ipv6 addresses from my router
- BUT….
I can’t seem to ping an internet host from my LAN devices. I used sniffer/quick to view pings seeming to go out off the VLAN interface, then onto the tunnelbroker.net 6to4 interface and seemingly back, but they never seem to make it back to my laptop

So what's wrong?
- Firewall?
- No route back to LAN machine? Or is that a neighbor thing?
- Bad ND settings?

How can I just let devices on one vlan get to v6 hosts without making every consumer device freak out trying to use ipv6?

```
# 2023-11-28 20:42:42 by RouterOS 7.11.2
# model = RB5009UG+S+
/ipv6 address
add address=2001:DB8:a:1::2 advertise=no interface=sit1
/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes
add advertise-dns=no interface=vlan-lan
/ipv6 nd prefix
# changed addresses here to 2001:db8, they do not conflict with fw rule and are global prefixes
add autonomous=no interface=vlan-lan on-link=no prefix=2001:db8:5::/36
# this one is for tunnelbroker
add interface=vlan-lan on-link=no prefix=2001:DB8:a:1::/64
add autonomous=no interface=vlan-lan on-link=no prefix=2001:db8:9::/36
/ipv6 route
add comment="ATT mobility" disabled=no distance=10 dst-address=2600:300::/24 gateway=sit1 routing-table=main scope=30 target-scope=10
add comment=someredactednet disabled=no distance=10 dst-address=2001:db8:9::/36 gateway=sit1
/ipv6 settings
set accept-router-advertisements=no
/ipv6 firewall address-list
add address=::/128 comment="defconf_router: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf_router: RFC6890 lo" list=bad_ipv6
add address=fec0::/10 comment="defconf_router: RFC3879 deprecated site-local addr" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf_router: RFC6890 ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf_router: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf_router: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf_router: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf_router: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf_router: 6bone" list=bad_ipv6
add address=2001::/23 comment="defconf_mt_adv_fw: RFC6890 IETF Protocol Assignments" list=bad_ipv6
add address=100::/64 comment="defconf_mt_adv_fw: RFC6890 Discard-only" list=not_global_ipv6
add address=2001::/32 comment="defconf_mt_adv_fw: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf_mt_adv_fw: RFC6890 Benchmark" list=not_global_ipv6
add address=fc00::/7 comment="defconf_mt_adv_fw: RFC6890 Unique-Local" list=not_global_ipv6
add address=fe80::/10 comment="defconf_mt_adv_fw: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6
add address=ff00::/8 comment="defconf_mt_adv_fw: multicast" list=no_forward_ipv6
add address=::/128 comment="defconf_mt_adv_fw: unspecified address" list=bad_dst_ipv6
add address=::/128 comment="defconf_mt_adv_fw: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf_mt_adv_fw: multicast" list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf_router: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf_router: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf_router: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf_router: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf_router: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf_router: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf_router: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf_router: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf_router: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf_router: drop everything else not coming from safe-lan-ports" in-interface-list=!safe-lan-ports log-prefix=drop-everything
add action=drop chain=forward comment="defconf_mt_adv_fw: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf_mt_adv_fw: drop bad forward IPs (dst)" dst-address-list=no_forward_ipv6
add action=accept chain=forward comment="defconf_router: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf_router: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf_router: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf_router: drop packets with bad dst ipv6" dst-address-list=bad_ipv6 log-prefix=whats-this
add action=drop chain=forward comment="defconf_router: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf_router: accept ICMPv6" log-prefix=allow-v6-ping protocol=icmpv6
add action=accept chain=forward comment="defconf_router: accept HIP" protocol=139
add action=accept chain=forward comment="defconf_router: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf_router: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf_router: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf_router: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="Drop IOT traffic to WAN interfaces" in-interface=vlan-iot out-interface-list=wan-ports protocol=udp
add action=drop chain=forward comment="Drop IOT traffic to internet addresses" dst-address=2000::/3 in-interface=vlan-iot
add action=drop chain=forward comment="Drop Guest traffic to lan" in-interface=vlan-guest out-interface-list=!wan-ports
add action=drop chain=forward comment="defconf_router: drop everything else not coming from safe-lan-ports" in-interface-list=!safe-lan-ports log-prefix=drop!safelan
/ipv6 firewall mangle
# inactive mangle rule
/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf_mt_adv_fw: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf_mt_adv_fw: RFC4291, section 2.7.1" dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 src-address=::/128
add action=drop chain=prerouting comment="defconf_mt_adv_fw: drop bogon IP's" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf_mt_adv_fw: drop bogon IP's" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf_mt_adv_fw: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf_mt_adv_fw: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf_mt_adv_fw: drop non global from wan-ports" in-interface-list=wan-ports src-address-list=not_global_ipv6
add action=accept chain=prerouting comment="defconf_mt_adv_fw: accept local multicast scope" dst-address=ff02::/16 log-prefix=accept_loc_mcast_scope
add action=drop chain=prerouting comment="defconf_mt_adv_fw: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="JE: accept all icmp since I'm not using the icmp chain in the mt_adv_fw" protocol=icmpv6
add action=accept chain=prerouting comment="defconf_mt_adv_fw: accept everything else from wan-ports" in-interface-list=wan-ports
add action=accept chain=prerouting comment="defconf_mt_adv_fw: accept everything else from safe-lan-ports" in-interface-list=safe-lan-ports
add action=drop chain=prerouting comment="defconf_mt_adv_fw: drop the rest" log=yes log-prefix=v6_DROP_THE_REST
```
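An added example, not part of the original post: the export redacts the real prefixes to 2001:db8, which the `bad_ipv6` list itself drops, so the poster's statement that the real prefixes do not conflict has to be checked against the real addresses. This sketch parses address-list lines and walks only the five address-list drop rules of the raw prerouting chain in export order. Assumptions: whether `sit1` is a member of `wan-ports` is not shown on the page, so it is a parameter, and `2001:470:aaaa:1::2` is a constructed stand-in address.

```python
import ipaddress
import re

# Constructed sample: a subset of the address-list lines from the export above.
EXPORT = """
add address=2001:db8::/32 comment="defconf_router: documentation" list=bad_ipv6
add address=2001::/23 comment="defconf_mt_adv_fw: RFC6890 IETF Protocol Assignments" list=bad_ipv6
add address=2001::/32 comment="defconf_mt_adv_fw: RFC6890 TEREDO" list=not_global_ipv6
add address=fc00::/7 comment="defconf_mt_adv_fw: RFC6890 Unique-Local" list=not_global_ipv6
add address=::/128 comment="defconf_mt_adv_fw: unspecified address" list=bad_dst_ipv6
add address=ff00::/8 comment="defconf_mt_adv_fw: multicast" list=bad_src_ipv6
"""

# The five address-list drops of the raw prerouting chain, in export order:
# (field matched, list name, rule applies only to in-interface-list=wan-ports)
RAW_DROPS = [
    ("src", "bad_ipv6", False),
    ("dst", "bad_ipv6", False),
    ("src", "bad_src_ipv6", False),
    ("dst", "bad_dst_ipv6", False),
    ("src", "not_global_ipv6", True),
]

def parse_lists(text):
    """Map each address-list name to the networks it contains."""
    lists = {}
    for m in re.finditer(r"add address=(\S+) .*?list=(\S+)", text):
        net = ipaddress.ip_network(m.group(1), strict=False)
        lists.setdefault(m.group(2), []).append(net)
    return lists

def lists_matching(addr, lists):
    """Sorted names of every address list that contains addr."""
    ip = ipaddress.ip_address(addr)
    return sorted(n for n, nets in lists.items() if any(ip in net for net in nets))

def first_raw_drop(src, dst, from_wan, lists):
    """First modelled raw drop rule the packet hits, or None if it passes them."""
    hits = {"src": lists_matching(src, lists), "dst": lists_matching(dst, lists)}
    for field, name, wan_only in RAW_DROPS:
        if name in hits[field] and (from_wan or not wan_only):
            return (field, name)
    return None

if __name__ == "__main__":
    lists = parse_lists(EXPORT)
    # Echo reply from 2600:300::1 arriving on the tunnel for a LAN host.
    for dst in ("2001:db8:a:1::2", "2001:470:aaaa:1::2"):
        print(dst, first_raw_drop("2600:300::1", dst, True, lists))
```

A `None` result only means none of these five rules drops the packet; the filter chain, interface lists and connection state are not modelled.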
