• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Main Menu

Tunnelbroker tunnel on Mikrotik

Started by IUL, October 04, 2013, 02:28:57 PM

Previous topic - Next topic

IUL

I've been pulling my hair out to try and get this configuration working, I'm using virtually identical (ipv6) config on this as another router at another location... but I just can't get things to click.  The machines seem to all get a valid IPV6 address, and register into the lan just fine, I can ping and receive a response within the lan.  Unfortunately don't seem to be able to communicate outbound nor inbound  to the Internet.   

Have tried building a new tunnel but get the exact same result.

I'm sure it must be something minor as the base configuration is the example settings from the tunnelbroker set up page, and the settings as a whole are working great on another router/network.

Cheers,
Mike


/ipv6 address
add address=2001:470:a:cb::2 interface=sit1
add address=2001:470:b:cb::1 interface=bridge1

/ipv6 firewall address-list
add address=2001:470:b:cb::/64 list=local-IPv6

/ipv6 firewall filter
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add chain=input comment="Internal traffic can do what it wants" src-address-list=local-IPv6
add chain=input comment="Allow limited ICMP" limit=50/5s,5 protocol=icmpv6
add chain=input comment="Allow UDP" protocol=udp
add action=drop chain=input
add chain=forward comment="Allow established connections" connection-state=established
add chain=forward comment="Allow related connections" connection-state=related
add chain=forward comment="Internal traffic can do what it wants" dst-address-list="" src-address-list=local-IPv6
add action=drop chain=forward comment="And drop everything else"
add chain=output comment="Internal traffic can do what it wants" src-address-list=local-IPv6
add chain=output comment="Allow everything out" disabled=yes
add action=drop chain=output comment="And drop everything else" disabled=yes

/ipv6 nd prefix default
set preferred-lifetime=2m valid-lifetime=5m

/ipv6 route
add distance=1 dst-address=2000::/3 gateway=2001:470:a:cb::1

cholzhauer

I don't know anything about the OS so forgive me if this is a dumb question, but what happens if you remove all of the firewall blocking rules for testing?

mindlesstux

I use the tunnel on my mikrotik without issue, so I agree with cholzhauer disable all the firewall rules (not remove them) and check connectivity again.  Lets get it down as far as the example config from the tunnel configuration screen and verify that works first.

Also can you ping from the router to your gateway in v6?  Just have to cover the bases here.  Your example it would be 2001:470:a:cb::1

IUL

I've tried disabling all of the v6 firewall rules to no avail.  And no, I'm not able to ping the gateway.

<Scratches head>

Cheers,
>>>>> Mike <<<<<

broquea

Any IPv4 firewall rules? Blocking Proto 41 maybe?

IUL

There are IPV4 firewall rules (as with the rest of the config, originally copied over from a router that has a working tunnel).  I've tried adding a rule to accept all protocol 41, and also short circuiting with an unconditional accept all as the first rule.

Cheers,
>>>>> Mike <<<<<