I set up IPv6 on RouterOS following an online tutorial. The current situation: the router and the LAN devices all obtain IPv6 addresses normally, and the LAN devices can reach each other over IPv6. But none of the devices can ping external IPv6 servers over IPv6, and the Windows network connection shows IPv6 as "No network access".
ether1 connects directly to the ONT and does the PPPoE dial-up; ether2 connects to a switch, and all LAN devices hang off that switch.
Firewall rules, as a script:
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
The specific configuration is as follows:
1
jtshs256 2022-01-21 10:08:01 +08:00 via iPhone 2
On ROS7, try unticking "add default route" in the DHCPv6 client…
2
laincat 2022-01-21 10:21:41 +08:00
RouterOS, is enabling IPv6 really this complicated? =。=
3
wm5d8b 2022-01-21 12:25:47 +08:00 via Android
@laincat I think OP got something wrong. After my PPPoE dial-up succeeded, I just configured one ipv6 client and one ipv6 relay, and it worked.
4
ZRS 2022-01-21 12:43:34 +08:00 via iPhone 1
5
dndx 2022-01-21 13:42:45 +08:00 1
First confirm that IPv6 on ROS itself works, then look into whether it is a forwarding problem. On ROS, run `/ping 2402:4e00::` and see whether it gets through; if it doesn't, the LAN machines have no chance either.
7
Citrus OP @dndx What address is that? I had been using some IPv6 DNS servers I found online for ping tests, but none of them respond, so I can't tell whether the addresses I picked are the problem or the network is.
8
Citrus OP
9
jtshs256 2022-01-21 21:50:01 +08:00
10
Citrus OP @jtshs256
I set up a Tencent Cloud server outside with an IPv6 address. After opening the security group, it only works in one direction. From the LAN I can reach the external server over its v6 address; both ping and the web service work. But when the external server tries to reach the internal server over v6, nothing gets through at all.
11
SSyang 2022-01-23 11:23:00 +08:00
Outbound works but inbound doesn't; that is most likely not a network problem but a policy restriction. I'd suggest checking the firewall, or looking into whether the ISP imposes restrictions on its network. If that doesn't resolve it, consider contacting official support. Hope this helps.
12
Citrus OP @SSyang I also think it's a policy problem, but my home network doesn't really have a firewall. The only one is on the egress router, and I pasted it above; I'm not sure which rule is the problem...
13
jtshs256 2022-01-24 10:47:26 +08:00
This firewall set allows ICMPv6, so ping6 should work in principle. Try pinging from a phone first to rule out a configuration problem on the server side; on iPhone, just install iSH. For TCP traffic, open the ports manually; this v6 firewall doesn't support matching on the suffix anyway.
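The forward chain posted above ends with a rule that drops every new connection not coming from LAN, which is why nothing from the Internet reaches the LAN host. As an added example (not from the thread), this RouterOS script first opens one service on one host and then adds a temporary log rule so that any remaining inbound SYN the final drop rule catches becomes visible in `/log`. It assumes the PPPoE interface is in the WAN interface list and uses `2001:db8::10` as a placeholder for the LAN host's global address.

```routeros
# Added example, not OP's configuration. Assumes: pppoe-out is in the WAN
# interface list; 2001:db8::10 is a placeholder for the LAN web host's
# global address (replace it; a /128 must be updated if the delegated prefix changes).
/ipv6 firewall filter
# 1) Allow only this service: new TCP connections to port 443 on the one host.
#    Placed above the final defconf drop so it is evaluated first.
add chain=forward action=accept comment="allow HTTPS to LAN web host" \
    connection-state=new protocol=tcp dst-port=443 \
    dst-address=2001:db8::10/128 in-interface-list=WAN \
    place-before=[find comment="defconf: drop everything else not coming from LAN"]
# 2) Diagnostic: log any other new connection the final rule is about to drop.
#    Prefix "v6-fwd-drop" makes the entries easy to find; remove when done.
add chain=forward action=log log-prefix="v6-fwd-drop" \
    connection-state=new in-interface-list=!LAN \
    place-before=[find comment="defconf: drop everything else not coming from LAN"]
# Verify the order: both new rules must appear above the final drop.
print where chain=forward
```

After applying, retry the connection from the external server and check `/log print where message~"v6-fwd-drop"`: a logged entry means the packet arrived at the router and was dropped by the final rule, while no entry at all points upstream (ISP filtering or the cloud security group).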