RouterOS7.9.2 IPV6设置求助

㊣川*** · 发表于 2023-6-29 17:37

本帖最后由㊣川仔.Net 于 2023-6-29 17:40 编辑

搞了2、3天，看了各种文章还是没有搞定

光猫是桥接模式
ROS中的Interface有3个：LAN、WAN、pppoe-out
IPV6的 DHCP client已经能获取到prefix了
电脑获取不到IPV6的地址，也访问不了IPV6的网站
没有开防火墙

iamy*** · 发表于 2023-6-29 20:41

OP不好吗

㊣川*** · 发表于 2023-6-29 21:10

iamyangyi 发表于 2023-6-29 20:41
OP不好吗

用了ros的防火墙，来控制小孩上网，也还挺稳定的，似乎没有出过问题。

aat*** · 发表于 2023-6-29 23:43

RouterOS 是个大美女就是太高冷一般人无法驾驭这个大美女没错就是RouterOS~~！

yyy*** · 发表于 2023-6-30 00:40

他们说升级到7.10就好了。

xukon*** · 发表于 2023-6-30 08:39

本帖最后由 xukongyang 于 2023-6-30 08:40 编辑

# jun/30/2023 08:35:57 by RouterOS 7.9
# software id =
#

#注意将bridge1修改为自己包含相关网口的桥接名称

/ipv6 dhcp-client
add interface=pppoe-out1 pool-name=pool_ipv6 pool-prefix-length=60 request=\
prefix use-peer-dns=no

/ipv6 address
add address=::1 from-pool=pool_ipv6 interface=bridge1

/ipv6 firewall address-list
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=fd00::/16 list=allowed
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,new,untracked
add action=drop chain=input comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 \
protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,new,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" \
protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" \
protocol=ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN

/ipv6 firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=1432 passthrough=\
yes protocol=tcp tcp-flags=syn

/ipv6 firewall nat
add action=masquerade chain=srcnat

/ipv6 nd
set [ find default=yes ] disabled=yes
add interface=bridge1 other-configuration=yes ra-interval=1m-3m20s

/ipv6 nd prefix default
set preferred-lifetime=1d valid-lifetime=2d

小兵*** · 发表于 2023-6-30 09:01

我家里的躺着吃灰了。太难了。

manto*** · 发表于 2023-6-30 10:58

看前缀，楼主是移动的宽带？

如果彻底没有设置防火墙的话也许就是问题。

这几条必不可少，跟v4不一样，IPv6的正确运行特别依赖于ICMPv6，必须要保证能转发。

/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 \
protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6

还有这个：

三*** · 发表于 2023-7-2 00:39

多找一些教程，有些文章误导人

fall*** · 发表于 2023-7-2 01:14

ros获得了ipv6后，还要选择菜单ipv6，子菜单address，from pool里面选择之前获取ipv6时设置的ipv6 pool名字，然后interface选择lan
这样才能把ipv6地址通过lan接口分配给局域网的设备，各设备的ipv6地址就从这个pool里分配。

你的描述似乎少了这步，只做了ros获取ipv6，并没有做分配ipv6的设置

㊣川*** · 发表于 2023-7-3 14:58

已基本搞定了，谢谢各位

manto*** · 发表于 2023-7-3 16:53

㊣川仔.Net 发表于 2023-7-3 14:58
已基本搞定了，谢谢各位

最后做了些啥，贴图出来看看，也方便后来人参考。

linux*** · 发表于 2023-7-3 22:07

我的就只设置了DHCP client就可以用了，没有其他特殊设置呀

manto*** · 发表于 2023-7-5 10:02

IPv6 防火墙里别忘了设置这一条：

/ipv6 firewall mangle add action=change-mss chain=forward comment="Change MSS to PMTU, make HTTPS happy" new-mss=clamp-to-pmtu out-interface-list=WAN passthrough=yes protocol=tcp tcp-flags=syn

坚持*** · 发表于 2023-7-11 22:57

㊣川仔.Net 发表于 2023-7-3 14:58
已基本搞定了，谢谢各位

麻烦给个搞定的教程，谢谢了

账号		自动登录	找回密码
密码			立即注册

[Router OS] RouterOS7.9.2 IPV6设置求助

本帖子中包含更多资源

相关帖子

点评

本帖子中包含更多资源

点评

点评

欢迎大家光临恩山无线论坛 /1