I've been using an IPv6 tunnel at home on a fiber optic/PPPoE connection. It's terminated by a Mikrotik RB450Gx4 router with latest stable firmware (6.45.7). It used to work fine, but now that I want to test a few services it doesn't work. I'm using the default Mikrotik template script the site is offering generated for my IP (see below) for the /64 subnet. Pings are working, but TCP connections are not working, or at least partially. MTU can't be a problem at 1280 bytes (it used to work up to 1460 on this connection). I don't understand why. The same configuration on different Mikrotik models work with the 2 other tunnels without issues. Both are in Prague, so I thought maybe there's some problem with The Budapest endpoint in some circumstances.

Some examples (on the router, RouterOS to exclude potential forwarding issues):

OK: /tool fetch url=http://ip6only.me/ keep-result=yes dst-path=aaa
not OK: /tool fetch url=https://ipv6.google.com/ keep-result=yes dst-path=aaa
not OK: /tool fetch url=https://xxxx:yyyy:zzzz:8214::c001/ keep-result=yes dst-path=aaa  # own server with native IPv6

The not OK ones simply time out.

Mikrotik ROS script:

Code: [Select]

/interface 6to4 add comment="Hurricane Electric IPv6 Tunnel Broker" disabled=no local-address=a.b.c.d mtu=1280 name=sit1 remote-address=216.66.87.14
/ipv6 route add comment="" disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:xxxx:45::1 scope=30 target-scope=10
/ipv6 address add address=2001:470:xxxx:45::2/64 advertise=no disabled=no eui-64=no interface=sit1
Could you please help me diagnosing this. I suspect issues with the Budapest endpoint.

ifconfig output:
sit0: flags=193<UP,RUNNING,NOARP>  mtu 1480
        inet6 ::127.0.0.1  prefixlen 96  scopeid 0x90<compat,host>
        inet6 ::192.168.1.6  prefixlen 96  scopeid 0x80<compat,global>
        inet6 ::192.168.0.244  prefixlen 96  scopeid 0x80<compat,global>

...

sit1: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1480
        inet6 2001:470:6840::2  prefixlen 48  scopeid 0x0<global>
        inet6 2001:470:1f09:7e::1  prefixlen 64  scopeid 0x0<global>
        inet6 2001:470:6840::9  prefixlen 48  scopeid 0x0<global>
        inet6 2001:470:6840::6  prefixlen 48  scopeid 0x0<global>
        inet6 2001:470:6840::10  prefixlen 48  scopeid 0x0<global>
        inet6 2001:470:1f09:7e::4  prefixlen 64  scopeid 0x0<global>
        inet6 2001:470:1f09:7e::9  prefixlen 64  scopeid 0x0<global>
        inet6 2001:470:6840::1  prefixlen 48  scopeid 0x0<global>
        inet6 2001:470:6840::8  prefixlen 48  scopeid 0x0<global>
        inet6 2001:470:6840::5  prefixlen 48  scopeid 0x0<global>
        inet6 2001:470:1f09:7e::7  prefixlen 64  scopeid 0x0<global>
        inet6 2001:470:1f09:7e::8  prefixlen 64  scopeid 0x0<global>
        inet6 2001:470:1f09:7e::3  prefixlen 64  scopeid 0x0<global>
        inet6 2001:470:1f08:7e::2  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::c0a8:106  prefixlen 64  scopeid 0x20<link>
        inet6 2001:470:6840::4  prefixlen 48  scopeid 0x0<global>
        inet6 2001:470:1f09:7e::10  prefixlen 64  scopeid 0x0<global>
        inet6 2001:470:6840::3  prefixlen 48  scopeid 0x0<global>
        inet6 2001:470:1f09:7e::6  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::c0a8:f4  prefixlen 64  scopeid 0x20<link>
        inet6 2001:470:6840::7  prefixlen 48  scopeid 0x0<global>
        inet6 2001:470:1f09:7e::2  prefixlen 64  scopeid 0x0<global>
        inet6 2001:470:1f09:7e::5  prefixlen 64  scopeid 0x0<global>
        sit  txqueuelen 1000  (IPv6-in-IPv4)
        RX packets 878  bytes 77840 (76.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3186  bytes 286878 (280.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

...

/etc/postfix/main.cf:
inet_protocols = ipv6
inet_interfaces = all
smtpd_banner = $myhostname ESMTP $mail_name (Debian)

...

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = born2host.com.   # fqdn??
alias_maps = hash:/etc/aliases,hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases
mydomain = born2host.com.       # or domain name?? if you leave hostname blank it'll take from server hostname.
myorigin = mail.born2host.com
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
relayhost =
mynetworks = 127.0.0.0/8 192.168.0.244/28 192.168.1.6/28 [2001:470:1f09:7e::8]/64 [2001:470:6840::8]/48 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
relay_domains = born2host.com, mail.born2host.com, srv.born2host.com, mx.born2host.com, lists.born2host.com,


I skipped some lines from main.cf as they are default by installation. As I`m using NowTV (UK) as an internet provider I think that their router is blocking me. But the server is DMZ + I added firewall rules in the router to accept any requests on port 25. As they provide me with IPv6 the router can`t be configured with the tunnel. I think this is the problem with the Now TV Hub Two.

Well I mean port 25 blocking could still be a problem, since if your ISP blocks the port, unless it's encapped or encrypted over a different port there's nothing you can do about the firewall on the ISP end. But it looks like the first problem to tackle is that local postfix is getting all ip tcp 25 no matter what you put in so lets try fixing that and then go from there.

I saw your interface setup and thought there is no way that thing works but does it actually work? Like can you ping6 outside network at all?? Anyway, what I actually meant to ask you for are the routes (routing table) like `ip -6 route show`. And idk what Debian you're running but I'm pretty sure ifconfig is deprecated. Like I can't see the tunnel endpoints, I'm not sure if you didn't configure it correctly or if it's just ifconfig problem, `ip tun show dev sit<0,1>` should return more germane info, I should think.

Try ping

The question comes down that are the Dlink DIR 819, TP Link TL-R470T+ & TPLINK Archer C60 routers capable of IPV6 with /48 prefix?
As far as I can understand they are good only for /64 prefixes.

ifconfig output:
sit0: flags=193<UP,RUNNING,NOARP>  mtu 1480
        inet6 ::127.0.0.1  prefixlen 96  scopeid 0x90<compat,host>
        inet6 ::192.168.1.6  prefixlen 96  scopeid 0x80<compat,global>
        inet6 ::192.168.0.244  prefixlen 96  scopeid 0x80<compat,global>
        sit  txqueuelen 1000  (IPv6-in-IPv4)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

sit1: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1480
        inet6 2001:470:6840::2  prefixlen 48  scopeid 0x0<global>
        inet6 2001:470:1f09:7e::1  prefixlen 64  scopeid 0x0<global>
        inet6 2001:470:6840::9  prefixlen 48  scopeid 0x0<global>
        inet6 2001:470:6840::6  prefixlen 48  scopeid 0x0<global>
        inet6 2001:470:6840::10  prefixlen 48  scopeid 0x0<global>
        inet6 2001:470:1f09:7e::4  prefixlen 64  scopeid 0x0<global>
        inet6 2001:470:1f09:7e::9  prefixlen 64  scopeid 0x0<global>
        inet6 2001:470:6840::1  prefixlen 48  scopeid 0x0<global>
        inet6 2001:470:6840::8  prefixlen 48  scopeid 0x0<global>
        inet6 2001:470:6840::5  prefixlen 48  scopeid 0x0<global>
        inet6 2001:470:1f09:7e::7  prefixlen 64  scopeid 0x0<global>
        inet6 2001:470:1f09:7e::8  prefixlen 64  scopeid 0x0<global>
        inet6 2001:470:1f09:7e::3  prefixlen 64  scopeid 0x0<global>
        inet6 2001:470:1f08:7e::2  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::c0a8:106  prefixlen 64  scopeid 0x20<link>
        inet6 2001:470:6840::4  prefixlen 48  scopeid 0x0<global>
        inet6 2001:470:1f09:7e::10  prefixlen 64  scopeid 0x0<global>
        inet6 2001:470:6840::3  prefixlen 48  scopeid 0x0<global>
        inet6 2001:470:1f09:7e::6  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::c0a8:f4  prefixlen 64  scopeid 0x20<link>
        inet6 2001:470:6840::7  prefixlen 48  scopeid 0x0<global>
        inet6 2001:470:1f09:7e::2  prefixlen 64  scopeid 0x0<global>
        inet6 2001:470:1f09:7e::5  prefixlen 64  scopeid 0x0<global>
        sit  txqueuelen 1000  (IPv6-in-IPv4)
        RX packets 878  bytes 77840 (76.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3186  bytes 286878 (280.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

/etc/postfix/main.cf:
inet_protocols = ipv6
inet_interfaces = all

smtpd_banner = $myhostname ESMTP $mail_name (Debian)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = born2host.com
alias_maps = hash:/etc/aliases,hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases
mydomain = born2host.com
myorigin = mail.born2host.com
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
relayhost =
mynetworks = 127.0.0.0/8 192.168.0.244/28 192.168.1.6/28 [2001:470:1f09:7e::8]/64 [2001:470:6840::8]/48 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
relay_domains = born2host.com, mail.born2host.com, srv.born2host.com, mx.born2host.com, lists.born2host.com,


I skipped some lines from main.cf as they are default by installation. As I`m using NowTV (UK) as an internet provider I think that their router is blocking me. But the server is DMZ + I added firewall rules in the router to accept any requests on port 25. As they provide me with IPv6 the router can`t be configured with the tunnel. I think this is the problem with the Now TV Hub Two.

It seems it just works perfect with bridge modes. I am trying with the manual static & Slaac but failing.

Well at each point you turn off bridging you're essentially cutting off and creating a separate network so you will have to manually configure at least one thing that can actually route ipv6 (respond to rs that is)

How exactly are you configuring the devices manually? Also is there way to get into the settings anything other than the web based one because it was completely useless at least to me.

What do your routes/postfix configuration look like?

Everything gets addresses fine.  Traceroute/ping gets me a "connect: Network is unreachable."  All other connection attempts through the interface just hang.  Additionally, I get the same results if I disable the firewall completely, allowing all traffic from all sources.

If you can ping HE over IPv6, that means the tunnel is up and the issue is on your side.

What isn't working? Do your clients get IPv6 addresses? Where does traceroute break?  You haven't provided many details

The server on HE's end of the tunnel.

When you say gateway server, what do you mean by that?