Mikrotik + IPV6

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Mikrotik + IPV6

MichaelNZ

1385 posts

Uber Geek

Trusted

Integrity Tech Solutions

#236175 21-May-2018 21:08

Simply enabling the IPV6 package (disabled by default) causes the router to not be able to connect to the internet. PPPoE connect attempts fail with no useful information in the log.

Has someone else seen this weird issue before?

WFH Linux Systems and Networks Engineer in the Internet industry | Specialising in Mikrotik | APNIC member | Open to job offers

1 | 2

8954 posts

Uber Geek

#2020081 21-May-2018 21:13

Not seen that, however, /system logging (and assuming winbox/webfig) add a new log type with no topics selected, and action memory. That should enable more info in the log to troubleshoot. Delete or disable that rule though when finished or it will overrun the log very quickly.

MichaelNZ

1385 posts

Uber Geek

Trusted

Integrity Tech Solutions

#2020090 21-May-2018 21:40

For equally unknown reasons it has now decided to work as far as connecting. But I still don't have working IPV6.

The 'howtos' I have found so far indicate the way to do this with Mikrotik is to run a DHCPv6 client on the WAN interface. This does not appear to be working either showing status of "searching". Additionally, none of the advice topology I have found refloects how things are done here, leaving me to fill in the blanks.

Should this client run on vlan 10 or the pppoe interface?

Is the advice wrong and there is another way?

What I have done so far:

ipv6 / dhcpv6-client

interface = dialer0 (pppoe interface)

request = prefix

pool name = ipv6-pool

add default route = yes

WFH Linux Systems and Networks Engineer in the Internet industry | Specialising in Mikrotik | APNIC member | Open to job offers

MattR

224 posts

Master Geek

#2020488 22-May-2018 16:17

I've had no trouble running IPv6 on PPPoE on VLAN 10.

The DHCP Client should be listening on the interface where you get your IPv4 public IP - so if you're using PPPoE, it should be on the PPPoE interface.

I've never had the IPv6 module break IPv4. If you have a default-deny policy on your ipv6 firewall (as you should..) you'll need to allow DHCPv6

Which ISP are you with?

MichaelNZ

1385 posts

Uber Geek

Trusted

Integrity Tech Solutions

#2020489 22-May-2018 16:19

MattR:

The DHCP Client should be listening on the interface where you get your IPv4 public IP - so if you're using PPPoE, it should be on the PPPoE interface.

I've never had the IPv6 module break IPv4. If you have a default-deny policy on your ipv6 firewall (as you should..) you'll need to allow DHCPv6

Which ISP are you with?

So my config should be "correct" then... I am with InspireNet.

The IPV6 module thing was weird. It appeared to break it but next time it worked... No explanation.

WFH Linux Systems and Networks Engineer in the Internet industry | Specialising in Mikrotik | APNIC member | Open to job offers

MattR

224 posts

Master Geek

#2020494 22-May-2018 16:58

I'm on 2degrees, so I'm just guessing here.

In the DHCPv6 Client config, which requests do you have? Try "prefix" only - not info or address.

Edit: I see you've already got that..

MichaelNZ

1385 posts

Uber Geek

Trusted

Integrity Tech Solutions

#2020495 22-May-2018 16:59

MattR:

In the DHCPv6 Client config, which requests do you have? Try "prefix" only - not info or address.

That's what I have, thanks.

As follows:

ipv6 / dhcpv6-client

interface = dialer0 (pppoe interface)

request = prefix

pool name = ipv6-pool

add default route = yes

WFH Linux Systems and Networks Engineer in the Internet industry | Specialising in Mikrotik | APNIC member | Open to job offers

MattR

224 posts

Master Geek

#2020516 22-May-2018 17:33

Inspire's IPv6 page says you need to email them to get it enabled, I assume you've done that?

Are you firewalling icmp6 and/or udp/546?

Can't think of any other reason why it wouldn't work.

Lenovo

Shop now for Lenovo laptops and other devices (affiliate link).

MichaelNZ

1385 posts

Uber Geek

Trusted

Integrity Tech Solutions

#2020522 22-May-2018 17:42

MattR:

Inspire's IPv6 page says you need to email them to get it enabled, I assume you've done that?

Are you firewalling icmp6 and/or udp/546?

I was alocated a /56 at the time of setting up the account.

I don't see anything mentioned under IP / Firewall or IPV6 / Firewall.

But it doesn't say what the default is and I am not yet familiar enough with Mikrotik.

Is this something which needs to be explicitly set?

WFH Linux Systems and Networks Engineer in the Internet industry | Specialising in Mikrotik | APNIC member | Open to job offers

MattR

224 posts

Master Geek

#2020535 22-May-2018 18:10

default is allow, so you'll want to configure some rules. Leaving it open to the world is a very bad idea. Do IPv4 right now - there are multiple exploits that target the management interface of the Mikrotik unless it's a very recent OS version.

MichaelNZ

1385 posts

Uber Geek

Trusted

Integrity Tech Solutions

#2020578 22-May-2018 18:59

MattR:

default is allow, so you'll want to configure some rules. Leaving it open to the world is a very bad idea. Do IPv4 right now - there are multiple exploits that target the management interface of the Mikrotik unless it's a very recent OS version.

I have already restricted access to the management interface and it's the latest O/S. But good advice thanks.

WFH Linux Systems and Networks Engineer in the Internet industry | Specialising in Mikrotik | APNIC member | Open to job offers

raytaylor

4014 posts

Uber Geek

Trusted

#2020742 22-May-2018 21:25

If you ask mikrotik support "It will be fixed in ROS 7"

Ray Taylor

There is no place like localhost

Spreadsheet for Comparing Electricity Plans Here

MichaelNZ

1385 posts

Uber Geek

Trusted

Integrity Tech Solutions

#2021121 23-May-2018 13:05

Inspire have fixed the issue (configuration problem at their end) and I now have IPV6 (yay!), however, all my DMZ IPV4 traffic is now showing at the remote end as originating from the WAN IP address and not the host's statically assigned publicly-routable IPV4 address.

I have covered the obvious bases - checked the host has it's correct IPV4 address configured. Check.

Plugged my Cisco back in and the problem is fixed so it's definately at my end.

It appears what is happening is the Mikrotik is NATing IPV4 even though it doesn't need to NAT hosts in the DMZ vlan.

Whether this is a consequence of enabling IPV6 or something I have just noticed, I don't know. I have only had the Mikrotik for about a week. I disabled IPV6 by stopping the DHCPv6 client and the issue persisisted.

Can anyone here shed some light on what is happening please? I will continue to Google for a resolution.

In Cisco terminology, I assume what's needed is to specify an internal interface for "nat inside".

WFH Linux Systems and Networks Engineer in the Internet industry | Specialising in Mikrotik | APNIC member | Open to job offers

Spyware

3761 posts

Uber Geek

Lifetime subscriber

#2021141 23-May-2018 13:23

You need to look at any masquerade/srcnat rules and apply to a specific source address only (rather than all).

MichaelNZ

1385 posts

Uber Geek

Trusted

Integrity Tech Solutions

#2021147 23-May-2018 13:38

Spyware:

You need to look at any masquerade/srcnat rules and apply to a specific source address only (rather than all).

Thanks for that. All fixed now.

I have learned a new some new Mikrotik stuff today. :-)

WFH Linux Systems and Networks Engineer in the Internet industry | Specialising in Mikrotik | APNIC member | Open to job offers

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2021153 23-May-2018 13:56

You should put a srcnat accept rule before the srcnat masqerade rule that filters the specific addresses in the firewall nat

Cyril

1 | 2