Hello there,
I'm actually using IPv6 for the first time but I'm having problems using it with my Mikrotik Router and I'm really looking for some help from someone.
At the moment, I've set the firewall up on IPv4 side to allow protocal 41.
And I have used the following code to my router:
/interface 6to4
add comment="HE IPv6" local-address=81.106.XXX.XXX mtu=1280 name=sit1 remote-address=\
216.66.80.26
/ipv6 address
add address=2001:470:XXX:17a5::2/64 advertise=no eui-64=no interface=sit1
/ipv6 route add comment="" disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:XXX:17a5::1 scope=30 target-scope=10
All the LAN computers now have the IPv6 addresses, but no DNS addresses for IPv6.
Also on my windows 7 machines they are reporting "no internet access" on the IPv6 status area.
Thank you
So what problems are you having?
If you could remove the X's in your IPv6 addresses, it would be helpful.
Well the problem I'm having is that I'm not able to verify that its actually working - i.e. webpages don't seem to be loading expect for ipv6.he.net - when I test my configuration here: http://test-ipv6.com - is shows that its not working.
Here is the code again without the XXX
/interface 6to4
add comment="HE IPv6" local-address=81.106.119.233 mtu=1280 name=sit1 remote-address=\
216.66.80.26
/ipv6 address
add address=2001:470:1f08:17a5::2/64 advertise=no eui-64=no interface=sit1
/ipv6 route add comment="" disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:1f08:17a5::1 scope=30 target-scope=10
Thanks
Are you able to open a console session on your router to try something like "ping ipv6.google.com" ? I'd like to make sure the tunnel is working before we start "fixing" clients
Edit:
I don't know if this matters, but I noticed you're using a 6to4 interface on your router...is that something you named or is that what the OS calls it?
Does your router have a NAT address or does it actually have that 81.106 address that you list?
cholzhauer:
For a mikrotik, that would be the correct interface name.
Based on what the OP posted it looks like they copied and pasted the example configuration they got from the tunnel detail page.
*EDIT*
I to question the status of the IPv6 tunnel...
# ADDRESS RT1 RT2 RT3 STATUS
1 2001:470:7:303::1 43ms 43ms 43ms
2 2001:470::90:0:0:0:1 41ms 41ms 45ms
3 2001:470::36:0:0:0:2 48ms 58ms 47ms
4 2001:470::128:0:0:0:2 118ms 125ms 124ms
5 2001:470::67:0:0:0:2 121ms 122ms 121ms network unreachable
Yes I have a console open now, but I am unable to ping the google address.
The tunnel, doesn't seem to be receiving data. The guide I used to configure the router was this: http://wiki.mikrotik.com/wiki/Manual:My_First_IPv6_Network
I have also tried the configuration which tunnelbrokers creates (but same issues occurs).
6to4 is the bridge between my IPv4 and IPv6 - i.e. the tunnelling system.
My public (static) IP from my ISP is 81.106
Thank you for your help in this issue.
Is this router behind a router/modem?
Do you have a public IP on your mikrotik?
*EDIT*
Isnt the tunnel broker suppose to be able to ping your ipv4 endpoint?
[mindlesstux@Router-Davenport] > ping 81.106.119.233
HOST SIZE TTL TIME STATUS
81.106.119.233 timeout
81.106.119.233 timeout
81.106.119.233 timeout
81.106.119.233 timeout
sent=4 received=0 packet-loss=100%
Quote
Isnt the tunnel broker suppose to be able to ping your ipv4 endpoint?
He could be only allowing ping from HE
I'm unable to ping the HE side of the tunnel, and I"m always able to do that
[carl@mars ~]$ ping6 2001:470:1f08:17a5::1
PING6(56=40+8+8 bytes) 2001:470:c27d:e000:20c:29ff:fe8a:1618 --> 2001:470:1f08:17a5::1
^C
--- 2001:470:1f08:17a5::1 ping6 statistics ---
13 packets transmitted, 0 packets received, 100.0% packet loss
My firewall prevent any kind of ping expect from the address I allow (which is confirmed as working using the tools on HE).
Also I am unable to ping HE's server for IPv6.
My router (RB450G) has a public IP. (81.106.119.233)
Quote from: LANLink on April 06, 2011, 12:03:47 PM
Also I am unable to ping HE's server for IPv6.
Sure..if your tunnel isn't up, it won't work ;)
mindlesstux, can you try pinging the IPv6 address of the HE side of his tunnel to confirm?
EDIT:
I just tried the looking glass and was unable to ping 2001:470:1f08:17a5::1
HE page shows all tunnel servers as being up
LANLink,
What tunnel server are you using? (City, Country please)
I dont recognize the 1f08 prefix of the tunnel server. (At least I am fairly certain that is a identifier for which tunnel server.)
Also a reverse dns on the tunnel ip makes me wonder is it the right ipv6 address...
$ dig -x 2001:470:1f08:17a5::1 @4.2.2.2
; <<>> DiG 9.7.1-P2 <<>> -x 2001:470:1f08:17a5::1 @4.2.2.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12700
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.a.7.1.8.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR
;; AUTHORITY SECTION:
8.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 900 IN SOA ns1.he.net. hostmaster.he.net. 2011040303 10800 1800 604800 86400
;; Query time: 94 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Wed Apr 6 15:13:33 2011
;; MSG SIZE rcvd: 147
If I do a reverse DNS check on my tunnel ip, I get something of the following...
;; ANSWER SECTION:
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.3.0.7.0.0.0.0.7.4.0.1.0.0.2.ip6.arpa. 4900 IN PTR mindlesstux-1-pt.tunnel.tserv13.ash1.ipv6.he.net.
Sadly, I cannot ping the HE server on IPv6. But even on the HE webpage using the their looking glass I get theses results:
Count 5
Size 16 bytes
Target 2001:470:1f08:17a5::1
Timeout 5000ms
TTL 64
Receieved Percent 0%
Receieved Count 0/5
[Admin@MKroute] > ping 2001:470:1f08:17a5::1
2001:470:1f08:17a5::1 ping timeout
2001:470:1f08:17a5::1 ping timeout
2001:470:1f08:17a5::1 ping timeout
2001:470:1f08:17a5::1 ping timeout
2001:470:1f08:17a5::1 ping timeout
------
At the moment I am connected to the UK server (ipv4 = 216.66.80.26)
Can you go to the tunnel details page and go to the example configuration and copy to here the mikrotik example? With no edits...
Example configuration:
/interface 6to4 add comment="Hurricane Electric IPv6 Tunnel Broker" disabled=no local-address=81.106.119.233 mtu=1280 name=sit1 remote-address=216.66.80.26
/ipv6 route add comment="" disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:1f08:17a5::1 scope=30 target-scope=10
/ipv6 address add address=2001:470:1f08:17a5::2/64 advertise=yes disabled=no eui-64=no interface=sit1
The tunnel wasn't properly built on our side, I've fixed that.
Thank you - I've just tried pinging again, but no luck 2001:470:1f08:17a5::1/64 - This is from my router. Although the webpage checker is working.
broquea, thank you for dropping in, I was about to go insane for a minute...
I can hit ::1/64 but not ::2/64 from my home router.
... and as I am about to hit post, ::2/64 pings...
[mindlesstux@Router-Davenport] > tool traceroute 2001:470:1f08:17a5::2
# ADDRESS RT1 RT2 RT3 STATUS
1 2001:470:7:303::1 43ms 43ms 46ms
2 2001:470::90:0:0:0:1 41ms 48ms 49ms
3 2001:470::36:0:0:0:2 48ms 47ms 47ms
4 2001:470::128:0:0:0:2 124ms 125ms 133ms
5 2001:470::67:0:0:0:2 121ms 122ms 121ms
6 2001:470:1f08:17a5::2 129ms 139ms 143ms
LANLink, try pinging ipv6.google.com now or visiting any ipv6 site.
I can't seem to visit any page yet, or ping anything directly from the router.
There must be something in the configuration of the router.....
Did you add one of the routed ips to the lan side of your router?
The following should do ya, but thats assuming your lan router IPv4 address is on a interface called bridge1.
ipv6 address add address=2001:470:1f09:17a5::1/64 interface=bridge1 actual-interface=bridge1 eui-64=no advertise=yes
Hi there,
Yes I have added this to the LAN side. But just as we are speaking my mac is actually able to visit IPv6 pages now. I think this might be working now.... fingers crossed! Just running a few more tests.
Right ok I can:
Visit IPv6 webpages with no problems (actually faster than IPv4)
I cannot ping my HE server 2001:470:1f08:17a5::1
I can ping ipv6.google.com - using 2001:4860:8004::93
The IPv6 test site - passed on my mac expect for the "No IPv6 address detected" but all other test. It did not work on the windows pc's. I can't ping or visit any site.
(http://i54.tinypic.com/bhitsm.png)
You are using the wrong /64 for your hosts...on your tunnel info page, you should have two /64's...one says tunnel /64 and one says routed /64
Use the routed /64 for your hosts...you should only use ::1 and ::2 out of your tunnel /64
(I have seen posts saying that using your tunnel /64 works, but it's not "best practice" and HE doesn't delegate DNS for those)
I've tried changing the host as you've suggest but nothing has change.
you should be using 1f09 on the lan
1f08 is the tunnel
Ok right I got this working all working now.
For anyone else that may need it and also for the configuration tool (it needs updating to work with ROS V4.17+)
Add in firewall rules to allow protocal 41 to pass through firewall
Add in HE ip address when if needed to trusted list
Import the following replacing the details where needed.
NB = eth3 is the LAN
/interface 6to4 add comment="Hurricane Electric IPv6 Tunnel Broker" disabled=no local-address=81.106.119.233 mtu=1280 name=sit1 remote-address=216.66.80.26
/ipv6 address
add address=2001:470:96e0:1::1/64 advertise=yes comment="" disabled=no \
eui-64=no interface=ether3
add address=2001:470:1f08:17a5::2/64 advertise=yes comment="" disabled=no \
eui-64=no interface=sit1
/ipv6 firewall filter
add action=accept chain=input comment="Router - Allow IPv6 ICMP Traffic" \
disabled=no protocol=icmpv6
add action=accept chain=input comment=\
"Router - Accept established connections" connection-state=established \
disabled=no
add action=accept chain=input comment="Router - Accept related connections" \
connection-state=related disabled=no
add action=drop chain=input comment="Router - Drop invalid connections" \
connection-state=invalid disabled=no
add action=accept chain=input comment="Router- UDP" disabled=no protocol=udp
add action=accept chain=input comment="Router - From our LAN" disabled=no \
in-interface=bridge1
add action=log chain=input comment="Router - Log everything else" disabled=no \
log-prefix="DROP IP6 INPUT"
add action=drop chain=input comment="Router - Drop everything else" disabled=\
no
add action=drop chain=forward comment="Lan - Drop invalid Connections" \
connection-state=invalid disabled=no
add action=accept chain=forward comment="Lan - Accept UDP" disabled=no \
protocol=udp
add action=accept chain=forward comment="LAN - Accept ICMPv6 " disabled=no \
protocol=icmpv6
add action=accept chain=forward comment=\
"Lan - Accept established Connections" connection-state=established \
disabled=no
add action=accept chain=forward comment="Lan - Accept related connections" \
connection-state=related disabled=no
add action=accept chain=forward comment="Lan - From our Lan" disabled=no \
in-interface=ether3 src-address=2001:470:1f09:17a5::/64
add action=log chain=forward comment="Lan - Log everything else" disabled=no \
log-prefix="Log IPv6"
add action=reject chain=forward comment="Lan - Drop everything else" \
connection-state=new disabled=no in-interface=sit1 reject-with=\
icmp-no-route
/ipv6 nd
add advertise-dns=yes advertise-mac-address=yes disabled=no hop-limit=64 \
interface=all managed-address-configuration=no mtu=unspecified \
other-configuration=no ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m \
reachable-time=unspecified retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/ipv6 route
add disabled=no distance=1 dst-address=::/0 gateway=2001:470:1f08:17a5::2 \
scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=2000::/3 gateway=\
2001:470:1f08:17a5::1 scope=30 target-scope=10
Edit:
I forgot to say a thank you to everyone who help resolve this matter. Its now working perfectly and I've distributed it across 4 other routers now.