IPv6/MikroTik hEX S | RB760iGS - UVT Internet/Terminator

[Jigdo]

Dobry den,


technicka podpora na UVT pokulhava a uz nejakych par mesicu se snazim nastavit
IPv6 na MikroTik Routeru hEX S | RB760iGS co mam pripojeny k Terminatoru od UVT.

Psal, jsem tam, volal, ale nikdo u nich neni schopny poradit jak to nastavit.

Odkazuji mne na stranky MikroTiku .....
https://wiki.mikrotik.com/wiki/Manual:IPv6/DHCP_Client


Tady je postup co jsem nastavil.

#1

Kód: [Vybrat]

!interface=pppoe-out
!pool-prefix-length=64
/ipv6 dhcp-client add add-default-route=yes request=prefix pool-name="ipv6" pool-prefix-length=64 interface=pppoe-out

Dostal jsem 2a03:c20:803:xxxx::/56 site prefix/subnet ID/56 ktery mi UVT pridelili.

#2

Kód: [Vybrat]

!interface=bridge
!from-pool="ipv6"
/ipv6 address add address=::1 from-pool="ipv6" interface=bridge eui-64=no advertise=yes

Ted se u vsech PC pripojenych k routeru hEX S | RB760iGS nabehli IPv6 adresy 2a03:c20:803:xxxx::/64

#3

Vygeneroval jsem si ULA z teto stranky
https://www.ultratools.com/tools/rangeGenerator
Global ID:  2a03c20803
Subnet ID:  xxxx

Kód: [Vybrat]

/ipv6 address add address=fdxx:xxxx:xxx:xxx::/64 interface=bridge eui-64=no advertise=yes

Vsechny PC pripojene k routeru hEX S | RB760iGS dostaly lokalni IPv6 fdxx ....

#4

Kód: [Vybrat]

/ipv6 route add dst-address=::/0 gateway=pppoe-out

ping6 na IPv6 adresu funguje na zarizenich, ktere jsou k routeru pripojene (RaspberyPi/Windows 10),
ale WWW weby ktere jsou na IPv6 ne (Windwows 10). test-ipv6.cz tu IPv6 adresu nezobrazuje (0/10) score.

SSH z RaspberryPi ven funguje vsude pres IPv6, ale dovnitr na tu samou adresu se nedostanu

Na router se pres IPv6 pripojem pres SSH,WinBox bez problemu.

#5 - Jeste sem prikladam firewall nastaveni, jestli nahodou neni chyba tam:

Kód: [Vybrat]

/ipv6 firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

 1    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 2    ;;; defconf: accept ICMPv6
      chain=input action=accept protocol=icmpv6 

 3    ;;; defconf: accept UDP traceroute
      chain=input action=accept protocol=udp port=33434-33534 

 4    ;;; defconf: accept DHCPv6-Client prefix delegation.
      chain=input action=accept protocol=udp src-address=fe80::/10 dst-port=546 

 5    ;;; defconf: accept IKE
      chain=input action=accept protocol=udp dst-port=500,4500 

 6    ;;; defconf: accept ipsec AH
      chain=input action=accept protocol=ipsec-ah 

 7    ;;; defconf: accept ipsec ESP
      chain=input action=accept protocol=ipsec-esp 

 8    ;;; allow SSH
      chain=input action=accept protocol=tcp src-address-list=allow-to-router dst-port=22 log=yes log-prefix="" 

 9    ;;; allow WinBOX
      chain=input action=accept protocol=tcp src-address-list=allow-to-router dst-port=8291 log=yes log-prefix="" 

10    ;;; defconf: accept all that matches ipsec policy
      chain=input action=accept ipsec-policy=in,ipsec 

11    ;;; defconf: drop everything else not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

12    ;;; defconf: accept established,related,untracked
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

13    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

14    ;;; defconf: drop packets with bad src ipv6
      chain=forward action=drop src-address-list=bad_ipv6 

15    ;;; defconf: drop packets with bad dst ipv6
      chain=forward action=drop dst-address-list=bad_ipv6 

16    ;;; defconf: rfc4890 drop hop-limit=1
      chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 

17    ;;; defconf: accept ICMPv6
      chain=forward action=accept protocol=icmpv6 

18    ;;; defconf: accept HIP
      chain=forward action=accept protocol=139 

19    ;;; defconf: accept IKE
      chain=forward action=accept protocol=udp dst-port=500,4500 

20    ;;; defconf: accept ipsec AH
      chain=forward action=accept protocol=ipsec-ah 

21    ;;; defconf: accept ipsec ESP
      chain=forward action=accept protocol=ipsec-esp 

22    ;;; defconf: accept all that matches ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

23    ;;; allow SSH
      chain=forward action=accept protocol=tcp dst-address=2a03:c20:803:xxxx:xxxx:xxxx:xxxx:afc/128 src-address-list=allow-to-router dst-port=22 log=yes log-prefix="" 

24    ;;; allow SSH
      chain=forward action=accept protocol=tcp dst-address=2a03:c20:803:xxxx:xxxx:xxxx:xxxx:c3f8/128 src-address-list=allow-to-router dst-port=22 log=yes log-prefix="" 

25    ;;; defconf: drop everything else not coming from LAN
      chain=forward action=drop in-interface-list=!LAN 

Vidi tady nekdo nekde nejkou chybu?

[Reklama]

[Radek Zajíc]

Co vygenerovalo ty pravidla firewallu? Je to možná až příliš komplikované.
Navíc pravidlo úplně na konci, tj.:

Kód: [Vybrat]

25    ;;; defconf: drop everything else not coming from LAN
      chain=forward action=drop in-interface-list=!LAN

tohle zahodí všechno, co nepřichází z LAN. Jak ale vypadá interface list LAN?

Jak vypadá ICMPv6 traceroute (traceroute6 -I) na 2001:4860:4860::8888?
Jak vypadá ICMPv6 traceroute (traceroute6 -I) zvenku na to Raspberry? (HE má ICMPv6 traceroute na http://lg.he.net/)
Co se stane, když ve firewallu zakážete všechna DROP pravidla (pro input i forward) a reinicializujete PPPoE spojení?

[Jose D]

Vidi tady nekdo nekde nejkou chybu?

nn. povol si tam logování pro všechna dropovací pravidla a koukej do logu na čem se to bude dropovat a jestli ti to vubec dorazilo.

[Jigdo]

Co vygenerovalo ty pravidla firewallu? Je to možná až příliš komplikované.
Navíc pravidlo úplně na konci, tj.:

Kód: [Vybrat]

25    ;;; defconf: drop everything else not coming from LAN
      chain=forward action=drop in-interface-list=!LAN

tohle zahodí všechno, co nepřichází z LAN. Jak ale vypadá interface list LAN?

Jak vypadá ICMPv6 traceroute (traceroute6 -I) na 2001:4860:4860::8888?
Jak vypadá ICMPv6 traceroute (traceroute6 -I) zvenku na to Raspberry? (HE má ICMPv6 traceroute na http://lg.he.net/)
Co se stane, když ve firewallu zakážete všechna DROP pravidla (pro input i forward) a reinicializujete PPPoE spojení?

LAN=bridge
WAN=ether1 (pppoe-out)
Bridge = ether2,3,4,5,sfp1

Vsechna DROP pravidla v IPv6 jsem "disable" [input/forward] a router restartoval (reinicializujete PPPoE spojení nepripada v uvahu,
nemam pristup k tomuto zarizeni momentalne).

Firewall pise ze spojeni na SSH port RaspberryPi je "established" ale v konzoli po nejakem case naskoci:
"Connection closed by 2a03:c20:803:xxxx:xxxx:xxxx:xxxx:xxxx port xx"


Windows 10 PC stale nevidi IPv6 konektivitu .........

Z MikroTiku se na RPi dostany pres
/system ssh 2a03:c20:803:xxxx:xxxx:xxxx:xxxx:xxxx user=pi
ale fd a fe adresy nefunguji .....aspon ta fd by mnela ........ale nefunguje .......

Kód: [Vybrat]

$ sudo traceroute6 -I 2001:4860:4860::8888
traceroute to 2001:4860:4860::8888 (2001:4860:4860::8888), 30 hops max, 80 byte packets
 1  2a03:c20:803:xxxx::xxxx (2a03:c20:803:xxxx::xxxx)  0.394 ms  0.368 ms  0.396 ms
 2  * * *
 3  * * *
 4  2a03:c20:ce::1 (2a03:c20:ce::1)  14.878 ms  14.913 ms  14.874 ms
 5  2a00:1238:0:160::2 (2a00:1238:0:160::2)  15.166 ms  15.174 ms  15.138 ms
 6  2001:4860:0:101a::1 (2001:4860:0:101a::1)  15.154 ms  14.580 ms  14.696 ms
 7  2001:4860:0:1::1dff (2001:4860:0:1::1dff)  14.599 ms  14.299 ms  14.416 ms
 8  dns.google (2001:4860:4860::8888)  13.977 ms  14.042 ms  14.050 ms

Kód: [Vybrat]

 core1.prg1.he.net> traceroute ipv6 2a03:c20:803:xxxx:xxxx:xxxx:xxxx:xxxx source 2001:470:0:212::1 numeric Target 	2a03:c20:803:xxxx:xxxx:xxxx:xxxx:xxxx
Hop Start 	1
Hop End 	30
Hop 	Packet 1 	Packet 2 	Packet 3 	Hostname
1 	71 ms 	<1 ms 	<1 ms 	nix-ipv6.2connect.cz (2001:7f8:14::24:1)
2 	<1 ms 	<1 ms 	<1 ms 	2a03:c20:ce::2
3 	* 	* 	* 	?
4 	14 ms 	14 ms 	14 ms 	2a03:c20:803:xxxx::xxxx
5 	25 ms 	14 ms 	15 ms 	2a03:c20:803:xxxx:xxxx:xxxx:xxxx:xxxx

[Jigdo]

Mikrotik ma verzi 6.48 stable ......

[Reklama]

[Jigdo]

Takze SSH problem se mi podarilo vyresit.

napadlo mne ze ssh se da debugovat s parametrem -vvvvvvvvv

a to se zaseklo na:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY


Prvni search result na StackExchange zminuje neco o MTU, takze jsem to zkousel s timto prikazem....
ssh -o MACs=hmac-sha2-256 pi@2a03:c20:803:xxxx:xxxx:xxxx:xxxx:xxxx
a funguje ...........


Tady je nastaveni Interface:

Kód: [Vybrat]

hEX S] > interface print detail 
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  ;;; Terminator - ZYXEL VMG4005-B60A
       name="ether1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 max-l2mtu=2026 mac-address=AA:BB:CC:DD:EE:EE last-link-up-time=jan/18/2021 21:14:26 link-downs=0 

....

 5  RS ;;; CSS106-1G-4P-1S <--> PoE Switch
       name="sfp1" default-name="sfp1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 max-l2mtu=2026 mac-address=AA:BB:CC:DD:EE:EE last-link-up-time=jan/18/2021 21:14:25 link-downs=0 

 6  R  ;;; vLAN.TV
       name="VLAN.835.TV" type="vlan" mtu=1500 actual-mtu=1500 l2mtu=1592 mac-address=AA:BB:CC:DD:EE:EE last-link-up-time=jan/18/2021 21:14:26 link-downs=0 

 7  R  ;;; vLAN.NET
       name="VLAN.848.NET" type="vlan" mtu=1500 actual-mtu=1500 l2mtu=1592 mac-address=AA:BB:CC:DD:EE:EE last-link-up-time=jan/18/2021 21:14:26 link-downs=0 

 8  R  ;;; defconf
       name="bridge" type="bridge" mtu=auto actual-mtu=1500 l2mtu=1596 mac-address=AA:BB:CC:DD:EE:EE last-link-up-time=jan/18/2021 21:14:16 link-downs=0 

 9  R  name="pppoe-out" type="pppoe-out" mtu=1480 actual-mtu=1480 last-link-up-time=jan/18/2021 21:14:30 link-downs=0 

A tady VLAN:

Kód: [Vybrat]

hEX S] > interface vlan print detail 
Flags: X - disabled, R - running 
 0 R ;;; vLAN.TV
     name="VLAN.835.TV" mtu=1500 l2mtu=1592 mac-address=AA:BB:CC:DD:EE:EE arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m vlan-id=835 interface=ether1 use-service-tag=no 

 1 R ;;; vLAN.NET
     name="VLAN.848.NET" mtu=1500 l2mtu=1592 mac-address=AA:BB:CC:DD:EE:EE arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m vlan-id=848 interface=ether1 use-service-tag=no 

Nema to MTU neco spolecneho z tim proc nefunguje IPv6?

A jestli se na to divam tak je to pppoe 1480 a mnelo by byt 1500/nebo 1496??

Ted jsem se dival do logu a ja mam doma u sveho oblibeneho ISP pppoe 1500:
2021-01-11T11:11:11.111111+00:00 clueless radius-auth: BBEU12345678 BT Accept 90.155.11.111 213.1.111.11#12345 ab123@a.1 i.gormless Via=21CN LCP-restart linerate=75916000/19999000 adjust=74524459(98.167%) MTU=1500

Tady k tomu maji zajimavy clanek:
https://support.aa.net.uk/MTU

[Jigdo]

Update/Upgrade on the RPi na IPv6 taky nefunguje

Kód: [Vybrat]

pi@RaspberryPi-4-2GB-1dot2-b03112:~ $ sudo apt update; sudo apt list --upgradable -a; sudo apt upgrade
Hit:1 http://deb.debian.org/debian buster-backports InRelease
Hit:2 http://raspbian.raspberrypi.org/raspbian buster InRelease                               
Err:3 http://archive.raspberrypi.org/debian buster InRelease                                  
  Connection failed [IP: 2a00:1098:80:56::2:1 80]
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
W: Failed to fetch http://archive.raspberrypi.org/debian/dists/buster/InRelease  Connection failed [IP: 2a00:1098:80:56::2:1 80]
W: Some index files failed to download. They have been ignored, or old ones used instead.
Listing... Done
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  linux-image-5.8.0-0.bpo.2-armmp-lpae
Use 'sudo apt autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

[Radek Zajíc]

Jak mate nastavene MTU v ND?
V nastaveni RA/ND nastavte stejne MTU, jake bude mit PPPoE rozhrani, tj. melo by to byt taky 1480 (resp. shodne s MTU na PPPoE). Obvykle se u mikrotiku zapomina na tohle nastaveni RA/ND a pak se to chova spatne.
Ukazka: https://twitter.com/zajdee/status/1316472498935005184?s=21

[Jigdo]

Jak mate nastavene MTU v ND?
V nastaveni RA/ND nastavte stejne MTU, jake bude mit PPPoE rozhrani, tj. melo by to byt taky 1480 (resp. shodne s MTU na PPPoE). Obvykle se u mikrotiku zapomina na tohle nastaveni RA/ND a pak se to chova spatne.
Ukazka: https://twitter.com/zajdee/status/1316472498935005184?s=21

Vyreseno.
/ipv6 nd set mtu=1480



Pane Zajic, muzu se Vam nejak revanzovat za vasi pomoc?
Prosim poslete mi zpravicku.
Diky.

[Jigdo]

A jeste pro uplnost pridavam bod 7

#7 - TCP MSS Clamping

Kód: [Vybrat]

/ipv6 firewall mangle print detail 
/ipv6 firewall mangle add chain=postrouting action=change-mss new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn out-interface=pppoe-out
/ipv6 firewall mangle add chain=output action=change-mss new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn out-interface=pppoe-out 
/ipv6 firewall mangle print detail