Router Advertisement leakage across VLANs

Hi all,

I am running a CRS125-24G-1S-RM with RouterOS version 6.24. I am seeing a rather strange issue where IPv6 router advertisements are leaking across VLANs. I am unsure whether this is a bad configuration somewhere on my part or a bug.

Example:
My desktop PC is on VLAN 10. Whenever I turn on something in VLAN 20, I see the router solicitation and the corresponding router advertisements, which confuses the host in VLAN 10.

Thank you in advance for any help.

My configuration:

[admin@janus] > /export compact hide-sensitive
# dec/28/2014 16:27:10 by RouterOS 6.24
# software id = ZLEQ-11VA
#
# Lines marked NOTE(review) are reviewer annotations; everything else is the original export.
/interface bridge
# One software bridge per VLAN; each bridge gets a VLAN sub-interface plus untagged access ports (see /interface bridge port).
add comment="Wired Standard" name=br10
add comment="Wireless Standard" name=br20
add comment="IPv6Only Experimental" name=br30
/interface ethernet
# ether2..ether9 have no master-port and are therefore handled individually by the CPU bridges below.
# NOTE(review): ether10..ether24 and sfp1 are hardware-switched together with ether1-gateway, which is the
# WAN uplink (see /ip dhcp-client and the srcnat rule). Anything plugged into those ports presumably shares
# L2 with the upstream side and bypasses NAT/firewall entirely — confirm this grouping is intentional.
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-slave-local
set [ find default-name=ether3 ] name=ether3-slave-local
set [ find default-name=ether4 ] name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-slave-local
set [ find default-name=ether6 ] name=ether6-slave-local
set [ find default-name=ether7 ] name=ether7-slave-local
set [ find default-name=ether8 ] name=ether8-slave-local
set [ find default-name=ether9 ] name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether1-gateway name=ether10-slave-local
set [ find default-name=ether11 ] master-port=ether1-gateway name=ether11-slave-local
set [ find default-name=ether12 ] master-port=ether1-gateway name=ether12-slave-local
set [ find default-name=ether13 ] master-port=ether1-gateway name=ether13-slave-local
set [ find default-name=ether14 ] master-port=ether1-gateway name=ether14-slave-local
set [ find default-name=ether15 ] master-port=ether1-gateway name=ether15-slave-local
set [ find default-name=ether16 ] master-port=ether1-gateway name=ether16-slave-local
set [ find default-name=ether17 ] master-port=ether1-gateway name=ether17-slave-local
set [ find default-name=ether18 ] master-port=ether1-gateway name=ether18-slave-local
set [ find default-name=ether19 ] master-port=ether1-gateway name=ether19-slave-local
set [ find default-name=ether20 ] master-port=ether1-gateway name=ether20-slave-local
set [ find default-name=ether21 ] master-port=ether1-gateway name=ether21-slave-local
set [ find default-name=ether22 ] master-port=ether1-gateway name=ether22-slave-local
set [ find default-name=ether23 ] master-port=ether1-gateway name=ether23-slave-local
set [ find default-name=ether24 ] master-port=ether1-gateway name=ether24-slave-local
set [ find default-name=sfp1 ] master-port=ether1-gateway name=sfp1-slave-local
/interface 6to4
# sit tunnel carrying all IPv6 traffic; /ipv6 route below sends 2000::/3 through the tunnel peer.
add local-address=174.117.80.88 mtu=1480 name=sit1 remote-address=216.66.38.58
/ip neighbor discovery
set br10 comment="Wired Standard"
set br20 comment="Wireless Standard"
set br30 comment="IPv6Only Experimental"
/interface vlan
# All three VLAN sub-interfaces live on ether2-slave-local, which is itself an untagged port of br10 (see /interface bridge port).
# NOTE(review): a raw interface that is both a bridge port and the parent of tagged sub-interfaces may hand tagged
# frames to the bridge as well as to the vlan interface — a plausible path for VLAN 20/30 RS/RA frames to be flooded
# into br10. A packet sniff on br10 (looking at the source MAC and VLAN tag of the RAs) would confirm or rule this out.
add comment="Wired Standard" interface=ether2-slave-local l2mtu=1584 name=vlan10 vlan-id=10
add comment="Wireless Standard" interface=ether2-slave-local l2mtu=1584 name=vlan20 vlan-id=20
add comment="IPv6Only Experimental" interface=ether2-slave-local l2mtu=1584 name=vlan30 vlan-id=30
/ip neighbor discovery
set vlan10 comment="Wired Standard"
set vlan20 comment="Wireless Standard"
set vlan30 comment="IPv6Only Experimental"
/ip pool
add name="VLAN10 pool" ranges=10.0.10.2-10.0.10.253
add name="VLAN20 pool" ranges=10.0.20.3-10.0.20.253
/ip dhcp-server
# IPv4 DHCP is bound to the bridges, not to the vlan sub-interfaces.
add add-arp=yes address-pool="VLAN10 pool" always-broadcast=yes authoritative=yes disabled=no interface=br10 name="VLAN10 DHCP"
add add-arp=yes address-pool="VLAN20 pool" always-broadcast=yes authoritative=yes disabled=no interface=br20 name="VLAN20 DHCP"
/port
set 0 name=serial0
/interface bridge port
# br10: ether2 (raw, also the VLAN trunk parent), vlan10, ether3, ether5..ether8; br20: ether4, vlan20; br30: ether9, vlan30.
add bridge=br20 interface=ether4-slave-local
add bridge=br20 interface=vlan20
add bridge=br10 interface=ether2-slave-local
add bridge=br10 interface=vlan10
add bridge=br10 interface=ether3-slave-local
add bridge=br10 interface=ether5-slave-local
add bridge=br10 interface=ether6-slave-local
add bridge=br10 interface=ether7-slave-local
add bridge=br10 interface=ether8-slave-local
add bridge=br30 interface=ether9-slave-local
add bridge=br30 interface=vlan30
/interface ethernet switch egress-vlan-tag
# All switch-chip VLAN rules (egress tagging and ingress translation) are disabled=yes;
# VLAN handling is done entirely in software by the bridges and vlan sub-interfaces above.
add disabled=yes tagged-ports=switch1-cpu vlan-id=10
add disabled=yes tagged-ports=switch1-cpu vlan-id=20
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 disabled=yes new-customer-vid=20 ports=ether4-slave-local sa-learning=yes
add customer-vid=0 disabled=yes new-customer-vid=10 ports=ether2-slave-local,ether3-slave-local,ether5-slave-local,ether6-slave-local sa-learning=yes
/ip address
# Each LAN /24 is configured twice: .1 on the bridge (the DHCP gateway) and .254 on the vlan sub-interface,
# which is itself a port of that same bridge.
# NOTE(review): the vlan10/vlan20 addresses look redundant with the bridge addresses — verify they are still needed.
add address=10.0.10.1/24 interface=br10 network=10.0.10.0
add address=10.0.20.1/24 interface=br20 network=10.0.20.0
add address=10.0.10.254/24 interface=vlan10 network=10.0.10.0
add address=10.0.20.254/24 interface=vlan20 network=10.0.20.0
/ip dhcp-client
# WAN address is obtained by DHCP on ether1-gateway.
add dhcp-options=hostname,clientid disabled=no interface=ether1-gateway use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
*snip static leases*
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.3 gateway=10.0.10.1 netmask=24
add address=10.0.20.0/24 dns-server=10.0.10.3 gateway=10.0.20.1 netmask=24
/ip dns
# NOTE(review): allow-remote-requests=yes, and this export contains no /ip firewall filter section at all —
# nothing shown here restricts DNS queries (or any other input traffic) arriving on ether1-gateway. An input
# rule set limiting udp/tcp 53 to br10/br20 would normally be expected alongside this setting.
set allow-remote-requests=yes servers=2001:470:b2c9:10:c23f:d5ff:fe68:2453
/ip firewall nat
# IPv4 masquerade towards the WAN uplink; no filter rules are present in this export.
add action=masquerade chain=srcnat out-interface=ether1-gateway
/ip service
# telnet/ftp/api/api-ssl are off, www and ssh are limited to the two LAN subnets.
# winbox is not listed here, so it keeps whatever default the compact export omits.
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.10.0/24,10.0.20.0/24
set ssh address=10.0.10.0/24,10.0.20.0/24
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
# NOTE(review): UPnP is enabled with ether1-gateway as the external interface, so LAN hosts on br10/br20
# can open inbound NAT mappings on their own; confirm this exposure is intended.
set enabled=yes
/ip upnp interfaces
add interface=ether1-gateway type=external
add interface=br10 type=internal
add interface=br20 type=internal
/ipv6 address
# advertise=no on every address: prefixes are announced only through the explicit /ipv6 nd prefix entries below.
# NOTE(review): there is no /ipv6 firewall filter section in this export either, so the global addresses on
# br10/br20/br30 are reachable from the tunnel side without any filtering.
add address=2001:470:1c:96b::2 advertise=no interface=sit1
add address=2001:470:b2c9:10::1 advertise=no interface=br10
add address=2001:470:b2c9:20::1 advertise=no interface=br20
add address=2001:470:b2c9:30::1 advertise=no interface=br30
/ipv6 nd
# RA sending is enabled only on br10; the default (all-interfaces) entry, br20 and br30 are disabled.
# NOTE(review): as exported, the router itself only generates RAs for the br10 prefix. If VLAN 10 hosts still
# receive RAs for other prefixes, either this export post-dates the observation or the RAs originate from
# another device; a sniff on br10 showing the RA source MAC would settle it.
set [ find default=yes ] disabled=yes
add advertise-mac-address=no hop-limit=64 interface=br10 mtu=1480
add advertise-mac-address=no disabled=yes hop-limit=64 interface=br20 mtu=1480
add advertise-mac-address=no disabled=yes hop-limit=64 interface=br30 mtu=1480
/ipv6 nd prefix
# Only 2001:470:b2c9:10::/64 is actually advertised; the br20/br30 prefixes are disabled.
add interface=br10 prefix=2001:470:b2c9:10::/64
add disabled=yes interface=br20 prefix=2001:470:b2c9:20::/64
add disabled=yes interface=br30 prefix=2001:470:b2c9:30::/64
/ipv6 route
# All global IPv6 goes out through the sit tunnel.
add distance=1 dst-address=2000::/3 gateway=2001:470:1c:96b::1
/lcd
set read-only-mode=yes
/system clock
set time-zone-name=Etc/UTC
/system identity
set name=janus
/system ntp client
set enabled=yes primary-ntp=192.67.222.4 secondary-ntp=167.88.40.177

I have exactly the same issue.
I have a MT at my home office with:

hAP AC2:

  • bridge (is default vlan1) without vlan filtering enabled
  • vlans configured on switch chip

On my MacBook, connected via WLAN, I have a Windows VM running which gets IPv6 addresses from a few, sometimes all, of the VLAN interfaces that have advertising turned on.
This happens on every reboot. If I disable IPv6 on the Windows NIC and re-enable it, I “only” get the IPv6 address as expected.
After a reboot I have at least two IPv6 addresses from at least two different vlans and this is also random on every reboot.
The virtual NIC of the VM is bridged on macOS via the Hypervisor Parallels…

How is this possible?

The issue still persists, even when I disable the particular VLANs on the switch:
CleanShot 2022-08-06 at 22.29.06@2x.png
CleanShot 2022-08-06 at 22.51.28@2x.png
CleanShot 2022-08-06 at 22.33.47@2x.png

Most Windows network card drivers silently strip any VLAN tags from received frames, rather than ignoring VLAN-tagged ones.

Hm. How is it possible that this is going over WiFi?
IIRC VLAN tags aren’t sent over WiFi, right? But my Win-VM running on the Mac (connected via WiFi) inside the Parallels hypervisor receives RAs, so there must be some leak…

You resurrected an 8-year-old topic started for ROS version 6.24. Is your configuration really the same as that old one? There was a big change in version 6.41, so maybe you should send your configuration? Do you still use 6.24? I think not, as the hAP is IMHO not ready for 6.24.

No,
I am on current ROS 7 and I answered here because the topic perfectly matches my issue.

OK, so go ahead and post the export of the actual configuration, not just random screenshots. If no misconfiguration can be found in the export, the next step is to sniff on the bridge interface, to see what is really going on there when the Windows VM boots.

There is a manual https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-PortSwitching
maybe it could put some light on the problem:

Switch chips with VLAN table support (QCA8337, Atheros8327, Atheros8316, Atheros8227 and Atheros7240) can override the port isolation configuration when enabling a VLAN lookup on the switch port (the vlan-mode is set to fallback, check or secure). If additional port isolation is needed between ports on the same VLAN, a switch rule with a new-dst-ports property can be implemented. Other devices without switch rule support cannot overcome this limitation.

Config Export

/interface bridge
# Single bridge. No vlan-filtering is set in this export, so every bridge port (wired and WLAN) and every
# VLAN sub-interface built on the bridge share one software flooding domain.
add admin-mac=AA:BB:CC:DD:EE:C8 auto-mac=no comment=defconf name=bridge \
    protocol-mode=stp
/interface ethernet
# ether1 is the PPPoE/WAN port; ether2..ether5 are bridge members (ether5 as a tagged-only trunk).
set [ find default-name=ether1 ] comment="connected to M-net FritzBox" name=\
    ether1-wan speed=100Mbps
set [ find default-name=ether2 ] comment=\
    "conntected to MikroTik2 SleepingRoom" speed=100Mbps
set [ find default-name=ether3 ] comment="Subwoofer KH 750 DSP" speed=100Mbps
set [ find default-name=ether4 ] comment=ThunderboltDock speed=100Mbps
set [ find default-name=ether5 ] comment="conntected to MikroTik3 Kitchen"
/interface wireless
# wlan1/wlan2 are untagged members of the bridge (see /interface bridge port) with no vlan-id of their own.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=germany disabled=no distance=indoors installation=indoor mode=\
    ap-bridge ssid=MyNET2G station-roaming=enabled wireless-protocol=\
    802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-Ceee \
    country=germany disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=MyNET station-roaming=enabled \
    wireless-protocol=802.11 wps-mode=disabled
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-wan name=pppoe-out1 \
    user=USERNAME@mdsl.mnet-online.de

/interface vlan
# VLAN sub-interfaces sit on the bridge itself, so whatever they transmit (including the RAs generated by
# /ipv6 nd below) enters the bridge as 802.1Q-tagged frames.
# NOTE(review): with vlan-filtering off the bridge does not restrict which ports those tagged frames are
# flooded to, so they presumably reach wlan1/wlan2 and every ether port — the most likely source of the
# leak described in the thread. A sniff on the bridge interface during a client boot would confirm it.
add comment="vlan2 DMZ" interface=bridge name=vlan2-dmz vlan-id=2
add interface=bridge name=vlan3-test vlan-id=3
add comment="vlan11 Guest" interface=bridge name=vlan11-guest vlan-id=11
/interface ethernet switch port
# vlan-mode=secure with default-vlan-id=0 on the wired switch ports. These switch-chip settings (and the
# /interface ethernet switch vlan table below) do not cover wlan1/wlan2/wlan3-guest, which are CPU-bridged only.
set 1 default-vlan-id=0 vlan-mode=secure
set 2 default-vlan-id=0 vlan-mode=secure
set 3 default-vlan-id=0 vlan-mode=secure
set 4 default-vlan-id=0 vlan-mode=secure
set 5 default-vlan-id=0 vlan-mode=secure


/interface wireless
# wlan3-guest tags client traffic with VLAN 11 (vlan-mode=use-tag) and is a bridge port.
# wlan4-guest has no vlan-id and is not listed under /interface bridge port, so it is not bridged in this export.
add comment=vlan11_guest disabled=no mac-address=AA:BB:CC:DD:EE:CD \
    master-interface=wlan2 name=wlan3-guest security-profile=JoeCockair ssid=\
    Vogelguest station-roaming=enabled vlan-id=11 vlan-mode=use-tag
add mac-address=AA:BB:CC:DD:EE:CC master-interface=wlan1 name=wlan4-guest \
    security-profile=JoeCockair ssid=MyNET-Guest2G station-roaming=\
    enabled

/ip pool
add comment="vlan1 LAN" name=vlan1-lan ranges=192.168.99.100-192.168.99.254
add comment="vpn clients" name=vpn ranges=192.168.101.250-192.168.101.253
add comment="vlan11 Guest" name=vlan11-guest ranges=\
    192.168.66.100-192.168.66.254
add comment="vlan2-dmz" name=vlan2-dmz ranges=\
    192.168.78.100-192.168.78.150
/ip dhcp-server
# IPv4 DHCP: untagged LAN on the bridge, guest and DMZ on their vlan sub-interfaces.
add address-pool=vlan1-lan bootp-support=none interface=bridge lease-time=\
    4w2d name=vlan0-lan
add address-pool=vlan11-guest bootp-support=none interface=vlan11-guest \
    lease-time=4w2d name=vlan11-guest
add address-pool=vlan2-dmz bootp-support=none interface=vlan2-dmz lease-time=\
    4w2d name=vlan2-dmz
/ipv6 dhcp-server option
# Option 23 = DNS recursive name servers. The second entry carries no value, i.e. an empty DNS list.
add code=23 name=dns-powerDNS value="'2a02:8106:xxx:xxx::2'"
add code=23 name=blank-dns-no-dns-ipv6

/interface bridge filter
# L2 isolation for the guest SSIDs: nothing is forwarded between wlan3-guest/wlan4-guest and any other
# bridge port. These rules are in the forward chain only; traffic to the router itself (input) is unaffected.
add action=drop chain=forward in-interface=wlan3-guest
add action=drop chain=forward out-interface=wlan3-guest
add action=drop chain=forward in-interface=wlan4-guest
add action=drop chain=forward out-interface=wlan4-guest

/interface bridge port
# ether5 admits tagged frames only (trunk towards the other MikroTik units). The remaining ports have no
# frame-types set, so they are left at the default and accept tagged and untagged frames alike.
add bridge=bridge interface=ether2
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge interface=wlan3-guest
/ip neighbor discovery-settings
set discover-interface-list=discover
/ipv6 settings
# The router ignores RAs it receives; this has no effect on the RAs it sends.
set accept-router-advertisements=no max-neighbor-entries=8192
/interface bridge vlan
# NOTE(review): every entry in this table is disabled=yes, and two of them (tagged=*9, *C) reference
# interfaces that no longer resolve to a name. With vlan-filtering off the table is not consulted anyway,
# so none of the VLAN separation expressed here is actually in force.
add bridge=bridge comment="vlan1 LAN" disabled=yes tagged=bridge,*9 vlan-ids=\
    1
add bridge=bridge comment="vlan2 DMZ" disabled=yes tagged=\
    bridge,vlan2-dmz,ether5 vlan-ids=2
add bridge=bridge comment="vlan11 Guest" disabled=yes tagged=\
    bridge,vlan11-guest,ether5,ether2 untagged=wlan3-guest vlan-ids=11
add bridge=bridge comment=vlan10-wan-sharing disabled=yes tagged=\
    bridge,*C,ether5 vlan-ids=10
add bridge=bridge comment=vlan3-test disabled=yes tagged=\
    bridge,vlan3-test,ether5 vlan-ids=3
/interface ethernet switch vlan
# Switch-chip VLAN table: VLAN 2/3/11 on ether2, ether5 and the CPU port; the entry without a vlan-id
# covers all wired ports. This applies to the switch chip only — frames that reach switch1-cpu are then
# handled by the software bridge above, where no VLAN filtering is active.
add comment="default vlan0" independent-learning=no ports=\
    ether2,ether3,ether4,ether5,switch1-cpu switch=switch1
add comment=vlan11-guest independent-learning=no ports=\
    ether2,ether5,switch1-cpu switch=switch1 vlan-id=11
add comment=vlan2-dmz independent-learning=no ports=ether2,ether5,switch1-cpu \
    switch=switch1 vlan-id=2
add comment=vlan3-test independent-learning=no ports=\
    ether2,ether5,switch1-cpu switch=switch1 vlan-id=3

/ip dhcp-server network
add address=192.168.66.0/24 comment="vlan11 Guest" dns-server=192.168.99.2 \
    gateway=192.168.66.1
add address=192.168.78.0/24 comment="vlan2-DMZ" dns-server=192.168.99.2 \
    gateway=192.168.78.1
add address=192.168.99.0/24 comment="vlan1 LAN" dns-server=192.168.99.2 \
    domain=MyNET.local gateway=192.168.99.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.99.2

/ipv6 address
# Addresses are carved from the delegated pool "mnet". bridge, vlan2-dmz and vlan11-guest leave advertise
# at its default; pppoe-out1 and vlan3-test are explicitly advertise=no.
add address=::1 advertise=no from-pool=mnet interface=pppoe-out1
add address=::1 from-pool=mnet interface=bridge
add address=::1 from-pool=mnet interface=vlan2-dmz
add address=::1 advertise=no from-pool=mnet interface=vlan3-test
add address=::1 from-pool=mnet interface=vlan11-guest

/ipv6 dhcp-client
# Requests a /56 prefix delegation from the PPPoE upstream into pool "mnet".
add interface=pppoe-out1 pool-name=mnet prefix-hint=::/56 request=prefix

/ipv6 dhcp-server
# address-pool="" with only a DNS option: stateless (information-only) DHCPv6, matching
# other-configuration=yes in /ipv6 nd below.
# NOTE(review): vlan1-lan is bound to interface=*9, an interface reference that no longer resolves,
# so this server is effectively not attached to anything.
add address-pool="" dhcp-option=blank-dns-no-dns-ipv6 interface=*9 name=\
    vlan1-lan
add address-pool="" dhcp-option=dns-powerDNS disabled=yes interface=\
    vlan3-test name=vlan3-test
add address-pool="" dhcp-option=blank-dns-no-dns-ipv6 interface=vlan11-guest \
    name=vlan11-guest

/ipv6 nd
# RAs are generated on bridge (untagged), vlan2-dmz (tagged VID 2) and vlan11-guest (tagged VID 11):
# three RA sources on one bridge that does no VLAN filtering. vlan3-test is disabled.
# NOTE(review): a client whose NIC driver strips the 802.1Q tag instead of discarding the frame (the Windows
# behaviour discussed in the thread) will accept all three. The durable fix is presumably L2 separation
# (bridge vlan-filtering with correct PVIDs and tagged/untagged sets) rather than per-client driver workarounds.
set [ find default=yes ] advertise-dns=no interface=bridge \
    other-configuration=yes
add advertise-dns=no interface=vlan2-dmz other-configuration=yes
add advertise-dns=no disabled=yes interface=vlan3-test other-configuration=\
    yes
add advertise-dns=no interface=vlan11-guest other-configuration=yes

Thanks @BartoszP for the suggestion.
I’m not sure if this can help - especially because the issue happens on WiFi.
It’s also possible that I just don’t understand - can you explain please?
Thanks a lot!

I’m experiencing the same issue on a CCR2004-1G-12S+2XS on 7.2. Upgrading it to the latest non RC when everyone leaves for the day. Hopefully it fixes the issue. I’ll be back with a config if it doesn’t. Nothing crazy with my config, just basic intervlan routing.

The issue still persists, but only on wired connections. Wireless clients only get their appropriate RA, but wired connections get ALL of them. I stripped out all the public addresses, but left the v4 internal ones as they are NAT’d anyway. A new revelation today with this export is that the 2 VLAN interfaces (Data100 and Data102) on sfp-sfpplus2 appear to be triggering a Duplicate Address Detected. Perhaps someone was nice enough to loop a cable back into another port in the wall, crossing VLANs? I know it’s an old thread that has been revived, but I thought more exploration may help someone aside from me.

Thanks!

REMOVED

So I found the issue. Nothing to do with MikroTik.

It’s coming from Ubiquiti. . . . . .

Every single In-Wall AP is sending out RA packets for VLANS on assigned physical ports. . . . .

I cannot wait till Mikrotik has WiFi 6/6e with CAPsMAN support.

Beating a dead horse, but thought all would find this interesting. Check out all this misbehaving Ubiquiti Unifi AP’s.
Screenshot from 2022-08-27 19-38-46.png

I’m still seeing this issue in various deployments.

Searching the net shows lots of people have similar issues related only to IPv6 RAs, and it looks like only Windows clients are affected…

It looks like Windows just strips off the vlan tags and then gets the RAs which are in VLAN tagged packets.

Anyone knows how to turn this off in Windows?

In my case a Windows Client is connected to a port with PVID 1 which also has some tagged vlans on it.
The Windows Client is running inside a VM. It’s not possible to remove the VLAN tags off of the port because they’re required for other VMs on the VM-Switch.
My hypervisor is Proxmox and I’m using virtio vNIC (https://bugzilla.redhat.com/show_bug.cgi?id=1854416).

There seem two workarounds:

Option #1:
Set “Priority and VLAN tagging” in the driver to disabled
CleanShot 2023-03-05 at 01.02.05@2x.png
Option #2:
Set VLAN ID to the untagged PVID of the port the machine is connected to.
In my case PVID is 1 so I set the NIC driver to vlan 1 (is set to zero by default):
CleanShot 2023-03-05 at 00.58.06@2x.png

IMO it’s a gross misconfiguration (mostly on the network admin’s part) to set a port as hybrid or trunk when the machine connecting to that port is a Windows machine. Only when the machine administrator adjusts the adapter/network stack settings to deal with tagged frames properly is it time for the network admin to allow tagged frames towards such a machine.

If windows machine is running virtualized, then VM platform admin has to make appropriate configuration adjustments.

The whole thing is (almost) never due to bugs in switches/bridges, so it’s not clear why are we still discussing it in this forum?

I suspect this thread was manufactured by ChatGPT LOL…
OR.
We have a good reason finally to ditch the ridiculous concept of ipv6…

Good sunday morning… let the fun begin.

Maybe because people run into that issue, google it up, find this topic, and don’t read my post #4 :smiley:

I wish it were only related to Windows, but I have experienced it on Linux and ChromeOS (Linux) as well — ironically not on Android (another Linux) — but only with the CCR2004-1G-12S+2XS as the source of the RAs.