IPv6 Roll Out

@AfriNatic on https://test-ipv6.com/ I get the following failure

any ideas?


Test with IPv4 DNS record: ok (0.130s) using ipv4
Test with IPv6 DNS record: ok (0.206s) using ipv6
Test with Dual Stack DNS record: ok (0.189s) using ipv6
Test for Dual Stack DNS and large packet: ok (0.127s) using ipv6
Test IPv6 large packet: ok (0.169s) using ipv6
Test if your ISP's DNS server uses IPv6: ok (0.183s) using ipv6
Find IPv4 Service Provider: ok (0.285s) using ipv4 ASN 37611
Find IPv6 Service Provider: timeout (15.625s)

It's just looking up the ASN number, don't know why they even include that, they're probably using an old whois database
 
@blunt
This is my config, is yours the same?
View attachment 1103427

You need to ask @AfriNatic to enable it for you since it's not rolled out fully yet..

I actually used @websquadza's mikrotik howto @ https://mybroadband.co.za/forum/threads/web-squad-isp.1007232/page-197#post-25774445

rename "00-pppoe" to your pppoe connection name
Code:
/ipv6 dhcp-client
add add-default-route=yes interface=00-pppoe pool-name=ipv6-pool request=prefix

rename "bridge" to whatever your bridge interface is called
Code:
/ipv6 address
add from-pool=ipv6-pool interface=bridge

Then I added their suggested firewall configs too
Code:
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
 
thanks I'll try again.
 
@blunt
Getting this error after following those instructions:
0 IG ;;; address pool error: pool not found: ipv6-pool (4)

Will troubleshoot later, the covid shot is getting me down.
 
@AfriNatic is it normal that my devices are getting 2 ipv6 addresses?

My phone has 2x Afrihost IPs, same prefix (first parts of the address) along with the internal fe80 v6 and its LAN v4.

My MacBook also had 2 (on the same WiFi connection).
 
One thing I have noticed since v6 was enabled is that I'm getting timeouts to certain sites (hetzner.com, parcelsapp.com).

Following google search results also randomly results in a timeout but stays on the Google search result page for quite a while without any signs of anything happening before it just shows a timeout page.

I have disabled v6 DNS and am only using v4 resolvers (I have my reasons). I did use Afrihost v6 DNS and then Cloudflare's but it made no difference.
 
After much googling I've added the following to my Mikrotik

Code:
/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn

Which seems to have resolved the random timeouts.

I am also getting 10/10 on https://test-ipv6.com/ now.
 
This morning my phone didn't have ipv6 anymore.. so I've adjusted ipv6 > ND > Default's valid lifetime to 00:12:00 and preferred lifetime to 00:10:00 (was 30d and 7d) and ipv6 > ND > interfaces > all's ra interval to 20-60s

Reconnected to WiFi and got a v6 again.. will see if it lasts the day
 
Are the assigned prefixes changing so quickly?

They should assign a static prefix or at least a very long lived one
 
> After much googling I've added the following to my Mikrotik
>
> Code:
> /ipv6 firewall mangle
> add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
>     protocol=tcp tcp-flags=syn
>
> Which seems to have resolved the random timeouts.
>
> I am also getting 10/10 on https://test-ipv6.com/ now.

Unfortunately this is a must as some hosting companies block ICMP which breaks Path MTU

Mikrotik adds this automatically by default on the v4 side (for pppoe connections)

Also make sure your ipv6 firewall accept icmpv6 rule is before any general drop rules (apart from invalid drops)

@AfriNatic if you put together some default configs make sure to include this :)
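
One way to check the rule-ordering advice in the post above against an exported config; this is an added example, not part of the thread and not MikroTik tooling. The sample export is constructed from a subset of the rules posted earlier, and treating a drop rule that has only interface matchers as "general" is an assumption.

```python
import shlex
# Constructed sample: a subset of the filter rules posted in the thread.
SAMPLE_EXPORT = r'''
/ipv6 firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
'''
IFACE_KEYS = {"in-interface", "in-interface-list", "out-interface", "out-interface-list"}
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}

def parse_filter_rules(export):
    """Return the enabled '/ipv6 firewall filter' rules as dicts, in order."""
    rules, section = [], None
    # Join backslash-continued lines before splitting into rules.
    for line in map(str.strip, export.replace("\\\n", " ").splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith("add ") and section == "/ipv6 firewall filter":
            rule = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            if rule.get("disabled") != "yes":
                rules.append(rule)
    return rules

def is_general_drop(rule):
    # Assumption: "general" means a drop with no matcher other than interfaces.
    matchers = set(rule) - NON_MATCHERS
    return rule.get("action") == "drop" and matchers <= IFACE_KEYS

def icmpv6_order_findings(rules):
    """List (chain, comment) for each general drop placed before the ICMPv6 accept."""
    seen_icmp, findings = set(), []
    for rule in rules:
        chain = rule.get("chain")
        if rule.get("action") == "accept" and rule.get("protocol") == "icmpv6":
            seen_icmp.add(chain)
        elif is_general_drop(rule) and chain not in seen_icmp:
            findings.append((chain, rule.get("comment", "")))
    return findings

def referenced_lists(rules):
    """Names of address/interface lists the rules depend on."""
    return {v.lstrip("!") for r in rules for k, v in r.items() if k.endswith("-list")}

if __name__ == "__main__":
    rules = parse_filter_rules(SAMPLE_EXPORT)
    print(icmpv6_order_findings(rules), sorted(referenced_lists(rules)))
```

The posted rules reference the `LAN` interface list and the `bad_ipv6` address list, neither of which is created by the commands in the thread, so confirm both exist on the router before relying on these rules.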
 
So – if your ISP is changing the delegated IPv6 prefix to your CPE/router – please point them to RIPE-690 and RFC8978 and ask them to stop doing that. We are working on making SLAAC more robust, but as you may understand – it may be years before the proposed fix gets implemented on our computers in the real world. Until then – static IPv6 prefixes are the way to go!

 
> Are the assigned prefixes changing so quickly?
>
> They should assign a static prefix or at least a very long lived one

> Unfortunately this is a must as some hosting companies block ICMP which breaks Path MTU
>
> Mikrotik adds this automatically by default on the v4 side (for pppoe connections)
>
> Also make sure your ipv6 firewall accept icmpv6 rule is before any general drop rules (apart from invalid drops)
>
> @AfriNatic if you put together some default configs make sure to include this :)


The prefix lease time is 24hrs and it's been the same one each time.
It is a /60

I haven't rearranged the rules from websquad's post and it all seems good. ICMP is near the top and it's received some traffic.

Mikrotiks seem quite fiddly with IPv6 so definitely @AfriNatic you guys should put up a Mikrotik guide for others.. if mine's all good I can export the final product for you.
 
Morning,

I must admit that personally I'm not that familiar with Mikrotik routers. I will have to source one to play around with.

I will have a chat with our system engineers to talk about the lease time.
 
I suspect the loss of the v6 this morning on my phone is more a Mikrotik config thing than an Afrihost thing.
 