Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: Tunnelbroker tunnel on Mikrotik  (Read 6468 times)

IUL

  • Newbie
  • *
  • Posts: 3
Tunnelbroker tunnel on Mikrotik
« on: October 04, 2013, 02:28:57 PM »

I've been pulling my hair out trying to get this configuration working. I'm using a virtually identical (IPv6) config on this as on another router at another location... but I just can't get things to click. The machines all seem to get a valid IPv6 address and register into the LAN just fine; I can ping and receive a response within the LAN. Unfortunately, I don't seem to be able to communicate outbound or inbound to the Internet.

Have tried building a new tunnel but get the exact same result.

I'm sure it must be something minor as the base configuration is the example settings from the tunnelbroker set up page, and the settings as a whole are working great on another router/network.

Cheers,
Mike


Code:
/ipv6 address
add address=2001:470:a:cb::2 interface=sit1
add address=2001:470:b:cb::1 interface=bridge1

/ipv6 firewall address-list
add address=2001:470:b:cb::/64 list=local-IPv6

/ipv6 firewall filter
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add chain=input comment="Internal traffic can do what it wants" src-address-list=local-IPv6
add chain=input comment="Allow limited ICMP" limit=50/5s,5 protocol=icmpv6
add chain=input comment="Allow UDP" protocol=udp
add action=drop chain=input
add chain=forward comment="Allow established connections" connection-state=established
add chain=forward comment="Allow related connections" connection-state=related
add chain=forward comment="Internal traffic can do what it wants" dst-address-list="" src-address-list=local-IPv6
add action=drop chain=forward comment="And drop everything else"
add chain=output comment="Internal traffic can do what it wants" src-address-list=local-IPv6
add chain=output comment="Allow everything out" disabled=yes
add action=drop chain=output comment="And drop everything else" disabled=yes

/ipv6 nd prefix default
set preferred-lifetime=2m valid-lifetime=5m

/ipv6 route
add distance=1 dst-address=2000::/3 gateway=2001:470:a:cb::1

cholzhauer

  • Hero Member
  • *****
  • Posts: 2724
Re: Tunnelbroker tunnel on Mikrotik
« Reply #1 on: October 04, 2013, 06:08:24 PM »

I don't know anything about the OS so forgive me if this is a dumb question, but what happens if you remove all of the firewall blocking rules for testing?

mindlesstux

  • Newbie
  • *
  • Posts: 44
    • MindlessTux.com
Re: Tunnelbroker tunnel on Mikrotik
« Reply #2 on: October 05, 2013, 06:55:23 AM »

I use the tunnel on my Mikrotik without issue, so I agree with cholzhauer: disable all the firewall rules (don't remove them) and check connectivity again. Let's get it down as far as the example config from the tunnel configuration screen and verify that works first.

Also, can you ping from the router to your gateway in v6? Just have to cover the bases here. In your example it would be 2001:470:a:cb::1.

IUL

  • Newbie
  • *
  • Posts: 3
Re: Tunnelbroker tunnel on Mikrotik
« Reply #3 on: October 05, 2013, 11:06:19 PM »

I've tried disabling all of the v6 firewall rules to no avail.  And no, I'm not able to ping the gateway.

<Scratches head>

Cheers,
>>>>> Mike <<<<<

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1731
Re: Tunnelbroker tunnel on Mikrotik
« Reply #4 on: October 05, 2013, 11:08:51 PM »

Any IPv4 firewall rules? Blocking Proto 41 maybe?

IUL

  • Newbie
  • *
  • Posts: 3
Re: Tunnelbroker tunnel on Mikrotik
« Reply #5 on: October 10, 2013, 07:31:11 PM »

There are IPv4 firewall rules (as with the rest of the config, originally copied over from a router that has a working tunnel). I've tried adding a rule to accept all protocol 41, and also short-circuiting with an unconditional accept all as the first rule.

Cheers,
>>>>> Mike <<<<<
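Added example, not written by any poster in this thread and not Hurricane Electric or MikroTik code: a first-match walk of the IPv6 filter rules from the first post. It shows that those rules do not drop the router's own ping to 2001:470:a:cb::1, which fits the report in Reply #3 that disabling them changed nothing. Assumptions: the `limit` matcher is not modelled, `dst-address-list=""` is treated as no condition, and the 2001:db8:: packets are constructed samples.

```python
import ipaddress

# Transcribed from the export in the first post. Assumptions of this sketch:
# limit= is not modelled and dst-address-list="" is treated as "no condition".
LISTS = {"local-IPv6": [ipaddress.ip_network("2001:470:b:cb::/64")]}
RULES = [
    {"chain": "input", "state": "established"},
    {"chain": "input", "state": "related"},
    {"chain": "input", "src_list": "local-IPv6"},
    {"chain": "input", "proto": "icmpv6"},
    {"chain": "input", "proto": "udp"},
    {"chain": "input", "action": "drop"},
    {"chain": "forward", "state": "established"},
    {"chain": "forward", "state": "related"},
    {"chain": "forward", "src_list": "local-IPv6"},
    {"chain": "forward", "action": "drop"},
    {"chain": "output", "src_list": "local-IPv6"},
    {"chain": "output", "disabled": True},
    {"chain": "output", "action": "drop", "disabled": True},
]


def verdict(chain, src, proto, state="new"):
    """First matching enabled rule wins; returns (action, index in RULES or None)."""
    addr = ipaddress.ip_address(src)
    for i, rule in enumerate(RULES):
        if rule["chain"] != chain or rule.get("disabled"):
            continue
        if "state" in rule and rule["state"] != state:
            continue
        if "proto" in rule and rule["proto"] != proto:
            continue
        if "src_list" in rule and not any(addr in n for n in LISTS[rule["src_list"]]):
            continue
        return rule.get("action", "accept"), i
    return "accept", None  # RouterOS accepts a packet that no rule matches


if __name__ == "__main__":
    # Constructed packets; 2001:db8::/32 is the documentation prefix.
    for pkt in [
        ("output", "2001:470:a:cb::2", "icmpv6", "new"),         # router pings gateway
        ("input", "2001:470:a:cb::1", "icmpv6", "established"),  # echo reply
        ("forward", "2001:470:b:cb::10", "tcp", "new"),          # LAN host outbound
        ("forward", "2001:db8::1", "tcp", "new"),                # unsolicited inbound
        ("input", "2001:db8::1", "udp", "new"),                  # any UDP to the router
    ]:
        print(pkt, "->", verdict(*pkt))
```

The last sample shows that the input chain accepts new UDP from any source, which is broader than a tunnel endpoint needs.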