MikroTik

Kentzo

In both cases you need to log to see what packets are being matched.

Kentzo

On the one hand I agree with your reasoning… on the other hand I'd prefer IPv6 to negotiate its configuration as intended by the protocol rather than relying on this ad-hoc knowledge of underlying connection and RouterOS "hacks".

Kentzo

I cannot point to a specific thread, but if you search this forum for "ipv6" you will find a few viable configs and useful discussions.

Kentzo

Did you identify the exact link where IPv6 routing breaks?

Kentzo

Why do you have VodafoneIPv6 both as a dynamic IPv6 pool (via the DHCPv6 Client) and a manually added pool? That might confuse RouterOS. Also, remember that RouterOS's DHCPv6 Server cannot hang out addresses as its DHCPv4 Server. It only works for prefix delegation to downstream Routers . Downstream...

Kentzo

I don't know if this is necessary for PPPoE connections, but I would recommend to at least try the following: Set `accept-router-advertisements=yes` in /ipv6/settings Set `add-default-route=no` in /ipv6/dhcp-client: route, normally, should be learned via RAs (but it might be a peculiarity of PPPoE I...

Kentzo

Noticed that I still had the rose-storage package enabled. Disabled it and rebooted. Now the reading speed over SMB does not progressively degrade and is stable. However, it seems to be slower than it used to be. It's definitely slower than both the `dd` and `iperf` speeds.

Kentzo

Pulled the disk and connected to my linux box: `e2fsck -fcck`: no bad sectors `dd if=... of=/dev/null bs=4K` on every file: no problems, healthy reading speed Connected back RouterOS, run the "samba" container: `dd if=... of=/dev/null bs=4K` on every file: no problems, healthy reading spee...

Kentzo

I'm hesitant to trust RouterOS's undocumented defaults regarding IPv6 just yet

Kentzo

It seems wrong to me to have an interface set on the "default" record. It also appears that you do not have ND on LAN interfaces, did you omit the output? For the reference, mine looks like this: /ipv6 nd set [ find default=yes ] disabled=yes add advertise-dns=no interface=ether1-gateway r...

Kentzo

This results in an failure of the ipv6 tests, and modifying it one by one found that setting ra-lifetime=none to be the culprit. I’m pretty sure that your ISP does not care for RAs sent by your router upstream , it should not break anything in itself. Perhaps this change forced a reconfiguration th...

Kentzo

Most of the settings in /ipv6/nd are for the case when RouterOS is the Advertising Router, i.e. when it sends a configuration. However, in case of the PPPoE interface it's acting as a Host because it receives a configuration. You, most likely, want the following settings on pppoe-out1: add advertise...

Kentzo

You want `/ipv6/settings/set accept-redirects=no` and `/ipv6/settings/set accept-router-advertisements=yes` as well as `/ipv6/nd/enable` on the pppoe-out1 interface. As @mkx mentioned, there are some IPv6-specific timeouts in RouterOS that are intrinsic to how the protocol works. A reboot might be a...

Kentzo

Is there any particular procedure I should follow to reformat the drive? Do I need to reformat whole drive or just the partition that is mounted into the samba container?

Kentzo

It might be a case of the disk simply dying, but I'm puzzled with that dd cannot reproduce it.

Kentzo

It's the hAP AX3 updated from 7.13.x

Kentzo

I run Samba container and host shares on a USB attached HDD. Looks like after the 7.14.1 update both read and write speeds of the shares slowed down by ~10 times. disk: `dd if=/dev/urandom of=...disk... bs=1M count=1024` finishes within expected time veth: iperf container is on par with my connectio...

Kentzo

*) leds - added "dark-mode" functionality for hAP ax3 and Chateau ax series devices;

What is "dark-mode", is it the "all-leds-off" LEDs setting?

Kentzo

I’m using Avahi in IPv4-only mode as the mDNS repeater in my HomeKit setup. However, my Airplay sources and destinations are in the same VLAN.

Kentzo

After the update to 7.14.1 (and possibly 7.14 as well) my hAP ac lite (RB952Ui-5ac2nD) cannot maintain wireless clients anymore

Appears to be an unrelated error in configuration that manifested only after a reboot.

Kentzo

turns out enabling IGMP snooping on the bridge was key to getting AirPlay to work across VLANs!

This is interesting. If anything, I'd expect this feature to break things not fix them.

Kentzo

And see if anything breaks.

This is of the most annoying things to debug

Kentzo

Great that it works for you!

Was not feasible in my setup where clients want to derive network configuration from the IPsec responder.

Kentzo

Upstream IPv6 router is improperly configured. IIRC RouterOS handles it gracefully but it will be in the logs.

Kentzo

I recommend running a proper IPsec server either elsewhere or in a docker container.

Kentzo

I don't think that's supported by RouterOS's IPsec client.

Kentzo

The 7.13.3 -> 7.13.4 upgrade broke the ARP record, it's "invalid" upon the first boot. Toggling the enabled status fixed the issue.

Kentzo

One option is a combination of [RFC 8598] Split DNS Configuration and HTTPS proxy : IPsec responder tells the client to resolve github.com (INTERNAL_DNS_DOMAIN) via VPN's RDNSS (INTERNAL_IP4_DNS/INTERNAL_IP6_DNS) Client's software uses VPN's RDNSS to resolve github.com onto VPN's HTTPS proxy Client'...

Kentzo

You need to enable Neighbor Discovery (/ipv6/nd) on the interface that receives RA.

Kentzo

The 7.13.2 -> 7.13.3 upgrade broke the ARP record, it's "invalid" upon the first boot. Had to delete the record, reboot, and add then re-add it.

Kentzo

I think an easy way to improve this would be to link to the relevant bug tracker case (MikroTik has one of these, right?) which would hopefully have more tech stuff for people to read over if they want. There is a per-user support tool, but it's not for tracking: they close tickets once they are ac...

Kentzo

No, I'd like the ability to set my own lifetime (lower) and not use the lifetime offered by the ISP, and I don't know if that's possible anymore? Since the changelog is rather vague.

Agree, there must remain a possibility to change these values administratively. Changelog quality is piss-poor.

Kentzo

Apple devices cache information about WiFi access points. If you played with configuration on your router, such as changing SSID or security settings, then you can try "forgetting" the networks and rebooting the problematic devices.

Kentzo

So they advertise the lifetime of the received prefix now? how sad. Do you prefer stale prefixes to linger for 30 days instead? RFC requires valid and lifetime values in advertisements of prefixes derived from PD to not exceed the parent PD. Note that if PD renews to the same value, no renumbering ...

Kentzo

Some time ago I filed a bug report about RA’s advertised prefix “valid” and “lifetime” not respecting corresponding values of DHCPv6 Client PD (it used values from the `default` submenu instead).

Perhaps that’s what they addressed here?

Kentzo

And also helps potential attackers to scan IPv6 address space much more effectively. And why do you consider SOHO differently than DCs and other corporate installations? Only trusted side of the LAN gets the privilege of proper response. I treat it differently with respect to “wasted cpu cycles” co...

Kentzo

Why waste efforts/CPU cycles on ICMPv4/v6 replies for non-existent pathways? I know there's an RFC for ICMPv4/v6 replies on the LAN, but that was written 20 years ago. I think we discussed that previously elsewhere? For DC, SP etc it does make sense. For a SOHO CE router it does not. Indeed, a blac...

Kentzo

The delegated prefix. Client receives /56 PD from upstream, /56 aggregate is blackholed.

Ah I see, the changelog could have worded it better. Hopefully it's configurable, to allow proper ICMP errors via firewall.

Kentzo

I don't think there is an RFC that states this, but it's always good practice to blackhole aggregates to prevent layer 3 loops. Most end-users won't know how to do this, so this auto-feature, will take care of that. Apologies, but I'm not following. What routes will be automatically added as blackh...

Kentzo

Could someone comment on:

dhcpv6-client - install dynamic IPv6 blackhole routes in corresponding routing-table;

What RFC / part of RFC is being implemented here?

Kentzo

Smooth upgrade from 7.13.1 to 7.13.2: the static ARP record was not marked as invalid. Fixed?

Kentzo

Can you see the disconnection reason in the RouterOS logs?

Kentzo

What's the output of `/ipv6/route/print` and `/ipv6/settings/print` on RouterOS?

Kentzo

atm, your best recourse is to submit a feature request at help.mikrotik.com

Kentzo

I do not understand neither what you're trying to set up, nor the question / problem. Could you unfold it in more details?

Kentzo

Yes, but SLAAC won't work and addresses will have to be assigned administratively.

Kentzo

Same on 7.13.1

Except this time the ARP record remains invalid even after a reboot. To get this fixed I had to remove and re-add the entry. Rebooted after each action, for good measure.

Kentzo

Unless you specifically configured the router to do that, then it unlikely initiates these connections. That was just a wild guess.

Have you complained about a port scan initiated by your router on your local / ISP forum?

Kentzo

@nonolk You'd do God's work if you could troubleshoot on iPad and collect the logs. I'd do it myself, but have no device to reproduce it.

Kentzo

I remotely remember having an issue with iPad (Pro, gen. 2, os ver. 17.x) connecting to WiFi after I replaced my AP (RB952Ui -> C53UiG) and changed authentication to WPA3-PSK while keeping SSID. It displayed the same silly error about the wrong password. Had to delete the WiFi config on the iPad and...

Kentzo

If I activate IPv6 -> DHCP Client -> "Use Peer DNS" in ROS, the Linux clients probably prefer to use the IPv6 DNS server transmitted by the ISP. As a result, local host names are no longer resolved. You can provide your own DNS server within your LAN via /ipv6/nd's dns property and /ipv6/...

Kentzo

I rely on RouterOS to do the filtering of incoming RA broadcasts and DHCPv6 replies. Assuming both RouterOS is flawed and Comcast fails DHCP filtering on their bridge, your rule won’t help against malicious server on the same link. Additionally it is not required by the RFC 8415 for client to initia...

Kentzo

Could be a built-in "security" feature on the modem? But who knows. Tell your ISP support if you're concerned. Nothing Mikrotik-specific here.

Kentzo

I think what you see is due to the bridge and poor modem firmware. ISP wants to access your modem for whatever reason, they use your WAN IP to reach it. But your router also sees the packets because it is in the bridge. Although it is strange to see src address being that of an internal, LAN-side IP...

Kentzo

Before RouterOS can assign an address it needs to allocate a pool. This pool is allocated with prefix-length set to whatever value you set in the pool-prefix-length property. You configured it to allocate pool of size 56 and then to take the ::1/64 address from it. What you probably want is `pool-pr...

Kentzo

You misconfigured it, `pool-prefix-length` is used as the value for /ipv6/pool's prefix-length of the dynamically created pool. I.e. it's the size of the chunks.

Kentzo

Have you tried changing /ipv6/dhcp-client to `request=address,prefix` ?

Kentzo

What is your ISP and what is the make and model of the router? If that's common for their devices to do that, I'm sure there are discussions.

Kentzo

but from technical point of view it doesn't matter at all.

If the DHCPv6 server upstream is under your control then it may be desirable to put routers into a separate prefix from clients.

Kentzo

Any with the public prefix is good. They all represent the same device just on different internal interfaces. Some ISPs can allocate an address alongside the prefix, you can ask for it via `/ipv6/dhcp-client/set request=address,prefix`. Note that this is optional and may not be available. Alternativ...

Kentzo

16MB flash is a bit tight for ROS 7.13

The upgrade of my ancient RB952Ui went smoothly (7.12.1, 16MB flash, 64MB RAM), I have 3176.0KiB remaining. Before the upgrade I made sure that no extra packages were installed and /files/print was empty.

Kentzo

You will have to dissect logs. If I recall correctly, identifier of each SA is logged.

Kentzo

What version of RouterOS do you run? There was (?) a bug where RouterOS incorrectly recognized suffix addresses as duplicates and removed all but one.

Kentzo

Had the similar problem with 7.12.1 on RB952Ui (MIPSBE) but not C53UiG (arm64). The reboot fixed invalid static entries, as they became valid.

SUP-137777 (cool number)

Kentzo

The suspicious detail is that packets originate from modem's IP and standard http (80) and httos (443) ports. I was thinking about a web server that servers the Modem itself, e.g. a javascript-heavy web admin. On LAN side there is a Raspberry Pi that has Unifi Controller Server for managing Unifi A...

Kentzo

If it were the FORWARD chain (i.e. some other device in your LAN accessed the Modem) I'd guess that web server on the Modem simply maintains connection longer than your /ip/firewall/connection/tracking/ settings. However, it suspicious that the Modem accesses the Router directly. Do you run somethin...

Kentzo

Enable debug logging for the ipsec via `/system/logging/add action=memory topics=ipsec,debug`

Kentzo

Indeed I'm aware that an implementation is available for the CPU used by AX3. But does "it just works"?

Kentzo

Does anyone know if linux kernel run by RouterOS exposes necessary interfaces for apps to use hadrware accelerated encryption?
I'm planning to run an alpine container with strongSwan on AX3 (arm64) and would like to avoid obvious misconfiguration in that regard.

Kentzo

This AP is the router at my place. Its locations is fixed due to cable modem and all entertainment boxes that it supplies with ethernet.

Fantastic video, by the way. I find EM visualizations mesmerizing

Kentzo

RA in RouterOS 7.12 is broken! You need to upgrade it to 7.12.1

Hmm, was it broken though? IIRC it only caused unnecessary renumbering, but otherwise it continue to work because the router continued sending periodic RAs after depreciation.

Kentzo

I don't recomend any of devices with only 16MB of flash (hAP ac2 and cAP ac are both such devices), it's uncomfortably tight for v7 and new wifi drivers. Then I'll wait till they release something cheap with more storage. Spending $100 for 3 feet of extra coverage is a bit too much. Perhaps I shoul...

Kentzo

Can you guys confirm that a WDS is out if I need to keep 2.4Ghz on an AP for clients? Can I set up a WDS with a virtual AP on C53UiG (so another virtual AP could serve clients)?

If I can, would that work better than EoIP (better multicast-helper, lesser overhead)?

Kentzo

So it seems that you need two APs. And proper roaming will only work if both are running wave2/wifi drivers and capsman is in the mix.

What would be the cheapest dual band AP that supports the upcoming wifi driver? RBD52G?

Kentzo

Why use crossover, when Wine works perfectly on macs?

IIRC there is no maintainer for macOS in the Wine project.

Kentzo

Regardless of band, channel and width the client cannot reach the C53UiG AP from that spot. I literally make 3 steps into the room and iperf drops from 150Mbit/s to 1Mbit/s. Which is still an improvement because old RB952Ui got 0Mbit/s :) Even if not Apple, their advice is mostly generic. And most a...

Kentzo

Now, after L2MTU of the offending bridge port is increased, all others (i.e. bridge) have to be increased manually as well In my case MTU of VLANs got re-adjusted after a reboot. How does the bridge derive which interface is going to carry EoIP? In principal, underlying interface can be switched on...

Kentzo

Back to the "mesh" of 2 devices: one of my old hAP ac lite (one that still has somewhat white case) and the new and shiny hAP ax^3. Idea: The station-bridge and WDS cannot be used between wifiwave2 and wireless drivers. Instead the link between the APs is established via the 2.4Ghz network...

Kentzo

FWIW, the current stable RouterOS allows MTU of 2290 with wifiwave2.

Hmm, I get the out-of-range error on AX3 with 7.12.1 when I attempt to set a value greater than 1560.

Kentzo

I'm planning a workaround to bridge interfaces of a legacy wireless station with interfaces of wifiwave2 AP. Since station-bridge is out, the plan is to use an EoIP tunnel as a VLAN trunk. The wireless station has L2 MTU of 2290 and the wifiwave2 AP has L2 MTU of 1560 (see the 7.12 changelog). What ...

Kentzo

Maybe run a quick sniffer on the VLAN to see if the packets are actually getting a reduced MTU (e.g. is a bug in /interface/print OR actually reducing MTU). Funny thing: Pings (ping -D -s 1472 1.1.1.1) from the host on one of these VLANs to Internet behaved as if MTU was 1500. BUT Pings (:ping 192....

Kentzo

There was an EoIP slave interface as a bridge port that had MTU of 1458, but it's now gone. The reboot fixed Actual MTU back to 1500.

Kentzo

Cannot quite wrap my head about both Winbox and Terminal showing Actual MTU of VLAN interfaces (on a bridge) less than MTU: 1458 vs 1500. Smallest L2 MTU is 1560 for a WiFi interface. Disregarding that, I don't even understand what can possible add that much overhead as there no IP tunnels. > /inter...

Kentzo

I join this question.

That's in release notes for 7.12:

*) wifiwave2 - limit L2MTU to 1560 until a fix is available for a bug causing interfaces to fail transmitting larger frames than that;

Kentzo

Not compatible with new CAPsMAN either?

I wonder how it's going to work if I have the same SSID and Security settings on two 5Ghz APs: one with wifiwave2 and another with wireless. Would it be prudent to disable 802.11k/r/v on the wifiwave2 device?

Kentzo

Is it feasible to connect the legacy RB952 with the wireless package as station-bridge to a wifiwave2/wifi AP?

Kentzo

These APs no longer exist, they were replaced by new AX3.

@mkx I fear that for some reason outgoing radio signal gets trapped. My area is not that busy per frequency scan / history. I think it is the layout and materials used in my house.

Kentzo

Yes, both APs can reach the internet, it’s just 2.4Ghz (20Mhz) is quite a bit slower than 5Ghz (20/40Mhz) even when a client has the perfect signal. Perhaps I should try 20/40 on both, maybe it will improve client’s behavior. So I did some more testing by assigning separate SSIDs for 2.4Ghz and 5Gh...

Kentzo

That's what I usually do.

What is your reasoning? My understanding is that 802.11k (Steering RNM), 802.11r (FT) and 802.11v (Steering WNM) are supposed to work among virtual and master APs on the same device without CAPsMAN. Is it not the case?

Kentzo

Is it meaningful to use CAPsMAN to manage APs (2.4 and 5) on the same and only device? I assume that 802.11r's ft-over-ds won't work otherwise.

Kentzo

Well ... it's not ROS kicking device, it's device which doesn't want to stick to MT (it's device which does disconnect). It might be that MT sends some roaming info which device doesn't like. Hard to tell. Are you 100% sure that both radios provide actual network connectivity? If device roams to 2....

Kentzo

Still no definitive success with that zone: 2.4: `security.connect-priority=1 .ft=yes .ft-over-ds=no steering.neighbor-group=foobar .rrm=yes .wnm=yes` 5: `configuration.tx-power=16 security.connect-priority=0/1 .ft=yes .ft-over-ds=no steering.neighbor-group=foobar .rrm=yes .wnm=yes` In the logs I se...

Kentzo

dst-address=0.0.0.0/24

?

Kentzo

The support confirmed:

The 'ram-high' value in the '/container/config' is set for all containers collectively.

Kentzo

Try setting `ft=yes`.

Kentzo

What do you see in the logs? Do you see good signal under the Registration tab (/interface/wifiwave2/registration-table/print stats)? What about /tool/profile, do you see high CPU usage there?

Kentzo

Thank you for clarifying the Tx Power selection. I see now that the idea of "a negative difference from the auto selection" is not viable as Tx Power reflects a transmission rate and the transmission rate is reflected in the auto selection. Perhaps I'm pushing my luck, but I have more ques...

Kentzo

I don't think this will solve the ping-pong problem ... 802.11r/k/v should help with this problem, but only for stations fully supporting these standard. I have a place in my home where overall signal drops sharply, with about 10dBm difference between 5Ghz and 2.4Ghz. Apparently for this very speci...

Kentzo

How does the antenna-gain property work on AX3 and wifiwave2? The spec says the antenna gain is 5.5dBm, but I don't see any reduction of the tx power in `/interface/wifiwave2 monitor` until I set configuration.antenna-gain to 11dBm (-1dBm in tx power). My goal is to reduce power for 5Ghz roaming, so...

Kentzo

I see that there is an undocumented parameter in /container/config: layer-dir.

I wonder whether it's for the container extraction algorithm used by RouterOS to share common layers and works even on ext4. Has anyone tried it?

Kentzo

Since containers consist of layers, multiple containers based on the same image will share the same layer. I see that /disk (at least with ROSE installed) supports the btrfs format which, under the hood, supports copy-on-write making deduplication possible on the file system level. Thus the kernel c...

Kentzo

I'm also interested to learn what exactly is controlled by the "ram-high" parameter.

SUP-136073

Kentzo

For the love god, where do I see the channel my radios are roaming in wifiwave2?

/interface/wifiwave2/monitor

Kentzo

Does it work correctly with smaller files?

IDK, I put an alpine linux container with samba, it works well.

Kentzo

I tried SMB with ROSE today and while I was able to mount the share on macOS 14.1.1, it did not work properly. While transferring a 6.5GB file from macOS to RouterOS, I got an error after about 1GB. Surprisingly the /disk/monitor-traffic still reported writes at disk speed, although no data was bein...

Kentzo

You have to sniff the traffic (likely HTTP) and see if there is anything that distinguishes updates. Hopefully it is just an URL. You can do it on RouterOS or via software like Pi-hole (for an example see https://discourse.pi-hole.net/t/block-specific-websites/55573). IIRC Pi-hole can be run in a co...

Kentzo

You can block the update on the router, e.g. by serving it an invalid IP for the domain it uses, or blocking in the firewall by IP or L7.

Kentzo

Please bear with me, because I do struggle to get a coherent picture of the wifiwave2 (and very wifi, which is very similar) configuration.

Are you saying that VLAN-related settings do not work at all, they do work but only under CAPsMAN or it's a mix of that?

Kentzo

The same settings exist for wifiwave2.

Kentzo

I saw elsewhere, that VLAN needs to be configured via /interface/bridge/port, i.e. the wifi interfaces deal with untagged traffic. At the same time I do see that both Access List and Datapath allows some VLAN configuration. How do these options coexist?

Kentzo

I contacted the support (requesting to improve the online doc) and got the following reply: Band setting specifies what band/wireless standard should be used, "Supported frequency band and wireless standard. Defaults to newest supported standard.". Wireless standards are made to be backwar...

Kentzo

It can be beneficial to have an additional device with a spare WiFi card to sniff raw Wireless traffic between the AP and clients as it may help to determine the culprit and capture evidence for warranty and service requests. Practical wise, it makes more sense to disable all automatic updates and o...

Kentzo

Could it be that the thermostat got an over-the-air update which failed to apply cleanly?

Kentzo

Newbie question #2:

When setting `band` in the channel profile of wifiwave2 / WiFi, do I set the minimum required or maximum allowed standard? I.e. when configuring a 2.4Ghz chain to accommodate both 802.11n and 802.11ax, what value must I use?

Kentzo

See the "process:airportd" in the Console.app and /var/log/wifi/log. Might give you some hints with respect to disconnects.

Kentzo

If you disable every and all drop and reject rule in the firewall, does it still not work?

Kentzo

Got myself an early Christmas present and currently planning the transition. I have a few modern (ax-capable) laptops, mobile devices and a bunch of low-power (n) IoT devices. There is no need for much bandwidth and I'm happy to trade it to reduce lag, such as when low-powered devices join and force...

Kentzo

To my best knowledge the only approach is to split them into dedicated broadcast domains and then proxy broadcasts when necessary (e.g. mDNS repeater for mDNS).

Please report back if you find a solution to keep the WiFi clients in the same broadcasta domain while being able to filter traffic.

Kentzo

I thought I needed that config to pass the prefix from the ISP to my LANs - is that not the case? Unless there is a very new change I’m not aware of, DHCPv6 server on RouterOS does not support address assignment and only allows prefix delegation (and only a subset of capabilities at that) and confi...

Kentzo

Not sure what you mean by WiFi drivers

wifiwave2 (new) and wireless (legacy) in Mikrotik’s terminology. Each has its own submenu for configuration and, iirc, are mutually exclusive.

Kentzo

What about separate VLANs for the main and virtual APs, does the new driver support that?

Kentzo

I recently asked a similar question on reddit . I judge by the answers that this feature is not very common. --- Well, yes. Say you want to have all your LED lamps with their controller in a network where they can talk to eachother and to internet, but not to your PC or TV or whatever, then you put ...

Kentzo

I wonder what underlying ICMPv6 packets looked like when RouterOS advertised itself to each vlan. Perhaps it's reasonable to file a bug request at help.mikrotik.com? --- By the way, what is the goal of /ipv6 dhcp-server add address-pool=lan-ipv6 interface=vlan-lan lease-time=12h name=\ lan-ipv6-pool...

Kentzo

Dunno about "code 5" (src addr policy), but code 6 is action= "reject" action already. Mmm... do you mean that "action=reject" aka "action=reject reject-with=icmp-network-unreachable" sends ICMPv6 Type 1 Code 6 and not ICMPv6 Type 1 Code 0? Either way, there ...

Kentzo

*) firewall - added new IPv6 filter arguments "icmp-err-src-routing-header" and "icmp-headers-too-long" for "reject-with" setting; What are the corresponding ICMPv6 Type 1 codes , is it now like this? 0: icmp-address-unreachable 1: icmp-admin-prohibited 2: icmp-not-nei...

Kentzo

Do the hosts that cannot “browse” have a DNS server listed in their system settings? Can they resolve AAAA records via that DNS?

Kentzo

This is not an excuse for mistreating LAN hosts. Keep blackholes to outsiders if you cannot invest in appropriate hardware layout and engineering.

I think it is a mistake to apply techniques developed for business-on-budget applications to prosumer cases which my firewall is for.

Kentzo

The reason for the trap interface is that it is used for rules that are site-specific and were omitted. Among other things it was necessary to reject packets sent to unallocated subnets of the delegated prefix with appropriate ICMP. These rules perform sufficiently on my CPE that runs on somewhat ol...

Kentzo

IIRC as long as it's a valid IPv6 address of an actual RDNS server then it should work.

Kentzo

You do not have to , as RDNS servers can be set up on hosts administratively. Having them advertised via DHCPv6 and/or Neighbor Discovery is solely at your discretion based on your situation. The DNS parameter in Neighbor Discovery is, in general, useful in simple setups where there is no DHCPv6 at ...

Kentzo

Is there a base ruleset I should be using? This is what I use based on RFC 4890 and RFC 7084 . Some site-specific and script-based rules are omitted, but if you follow RFC recommendations you can implement them. /interface bridge add comment="Trap to block routes with firewall" name=trap ...

Kentzo

`/ipv6/settings/set accept-router-advertisements=yes` and disable all your drop ICMPv6 firewall rules, you can work on them after you get it all to work.

Kentzo

Your routing or firewall is probably incorrect. Add logging to your NAT and drop rules. Sniff traffic to make sure packets go where you expect them to go.

Kentzo

Your understanding is correct, see RFC 8106 for details.

Note, that not all hosts can extract DNS information from Router Advertisement messages. You likely want both DHCPv6 server options and ND option.

Kentzo

Do I need to request a prefix and an IP address? Do you mean `/ipv6/dhcp-client/renew`? No, that should not be necessary. You can try a reboot though. See if you can sniff incoming ICMPv6 traffic on sfp-sfpplus1 to see the contents of the Router Advertisement message (ICMPv6 type 134). Could it be ...

Kentzo

Might need to wait a little bit for the next RA to arrive before it takes effect.

What is your ISP, did they give you any instructions regarding configuring IPv6?

Kentzo

Try

/ipv6/nd/add advertise-dns=no interface=sfp-sfpplus1 ra-lifetime=none ra-preference=low reachable-time=5m

to see if it gets you a default route (::/0) in /ipv6/route/print

Kentzo

Consider leaving a comment on Xfinity's forum. Let's keep pushing

Kentzo

You cannot fix this, the error is on their side and they refuse to fix it. Best you can do is to configure logging to suppress this warning.

Kentzo

See the thread I linked, and also https://forums.xfinity.com/conversation ... 32576d7911

Kentzo

DHCPv6 cannot provide a default route by protocol design. The "Add Default Route" setting in RouterOS is an unfortunately named hack and needs to be disabled unless you are told otherwise by the upstream administrator. Contact mikrotik support and tell them that this naming is extremely mi...

Kentzo

You might have a misconception of how SLAAC operates. I recommend reading up the RFC about it. It will clear a lot of questions, specifically how address is formed and the connection to MAC.

Kentzo

Everything appears as expected. At this point I'd start probing with /tool/sniffer and Wireshark to see where the traffic gets dropped. Are you positive that the Windows machine indeed routes traffic to ping.eu via IPsec connection? It might be possible that it fails just like macOS / iOS, but then ...

Kentzo

Best is not avoid parsing /ipv6/neighbor/, as recommended by @mkx. Note that a SLAAC IPv6 address will consist, generally speaking, of 3 parts: Global ID that is given to you by the ISP Subnet ID that you can optionally provide Interface ID that is derived (in your case) from machine's MAC address [...

Kentzo

It's difficult to guess without seeing RouterOS configuration. You say that incoming (from RouterOS perspective) traffic works, but forwarding doesn't. Except you somehow managed to access your local 192.168.13.8:80 over the IPsec tunnel from remote 192.168.16.0/24. It appears to me that IPsec is co...

Kentzo

From your description it appears to me that the very same route works for the Windows machine. I also don't immediately see in the config that RouterOS would treat Windows traffic any different from macOS traffic. To rule out the firewall, set identity's `notrack-chain` to `prerouting`. With this se...

Kentzo

On iOS 17 devices, established IKE2 peers will disconnect after 24 minutes of being connected.

It might be helpful to analyze iOS perspective. Search device's logs for the "NEIKEv2Provider" process.

Kentzo

i'm sure

The screenshot doesn't show how the Router and Windows machine resolve ping.eu…

What is the IPv4 address that macOS machine obtains from its LAN, can you confirm its network configuration (DHCP?) doesn't overlap with the IPsec network?

Kentzo

Interesting. I'm having the same issue here. It's not a UI bug since even if I enable DDNS the AAAA doesn't get created either.

Did you contact support?

Kentzo

I'm wondering if it is possible?

Yes, that should work. Search the forum for "NAT-T" and "NAT traversal".

Kentzo

I have a feeling that IKE2 in Mikrotik is not fully finished. Or it was done in some strange way, using a piece of IKEv1. This is my experience as well: RouterOS's implementation relies on mode config with IKEv2 even where IKEv2 has a "native" solution. Please send a feature request at he...

Kentzo

I did not manage to make this:
add dst-network=10.1.202.0/24 gateway=172.16.1.2

it looked like wrong command so I used this:
add dst-address=10.1.202.0/24 gateway=172.16.1.2

Both lines look identical to me.

Kentzo

IIRC, should be /interface vlan add interface=bridge name=vlan10 vlan-id=10 /interface wifiwave2 set [ find default-name=wifi1 ] channel.skip-dfs-channels=all \ configuration.country=US .mode=ap .ssid=AP5 datapath.vlan-id=10 datapath.bridge=bridge \ disabled=no name="WIFI 5G" security.auth...

Kentzo

Are you sure the address of ping.eu as resolved by the macOS machine matches the address as resolved by the Windows machine and router?

Kentzo

I cannot say whether iOS / macOS supports `INTERNAL_IP4_DNS` / `INTERNAL_IP6_DNS` alone, but it does work for me when used together with `INTERNAL_DNS_DOMAIN` via a strongSwan responder. I suggest to run an IKEv2 responder elsewhere (or containerize) using other software as RouterOS's implementation...

Kentzo

About 20-40 networking and 10-20 firewall with max on 130 mbps

And when you do the same test with UDP?

Kentzo

Using `eui64=yes` triggers this bug, because it assigns the same (eui64-based) `address=` to both /ipv6/address entries, causing one of them to get lost during reboot. So setting `address=` explicitly is the only work-around I know at the moment.

Interesting. I was pretty sure it worked before.

Kentzo

Or is this a bug in RouterOS? AFAIK, it's an acknowledged bug. I reported it back in June (SUP-118219) and was told by Sergejs B. : Thank you for the report, we are aware of the particular problem, hopefully it will be fixed shortly. Please report this again at https://help.mikrotik.com. That being...

Kentzo

What does the /tool/profile show during the benchmark, what hogs the CPU?

Kentzo

I saw a few issues that seemed to be related to config transition. IMO worth a try to reset everything to default after upgrading to 7.11, and then manually apply the config.

Kentzo

Need config exports.

Kentzo

Could it be a config transition issue? Try exporting config while on 6.49 and compare it with whatever you have on 7.11.

Kentzo

Under what circumstances do you expect additional equipment in the PPP link? One possible scenario is that if another router is also a Mikrotik. But in this case PPP negotiation will either correct identifiers or reject the connection. In general, there is Duplicate Address Detection mechanism built...

Kentzo

Perhaps your firewall drops the packet?

Kentzo

Perhaps there could be a potential conflict of Interface Identifiers, IAIDs and/or DUIDs? My understanding is that: PPP's initial Interface Identifier you observe is a tentative one and is only unique within the PPP link between these two peers DHCPv6's IAID is only used within DHCPv6 client to dif...

Kentzo

For IKEv2 you should be able to ditch the split-include extension and configure proper traffic selectors.

IIRC on macOS IKEv2 client respects only the first network in the split. Didn't test this in a while though, because see above.

Kentzo

See viewtopic.php?f=23&t=169273&p=841093&hi ... pn#p841093, specifically search for MTU and MSS

Kentzo

I can indicate to .2.3 to use gateway .2.2, it can address it packets, but with OVPN this is not possible. I think I was pretty clear that with OpenVPN you have to go through the server. There is no way around it as you're essentially dealing with two separate links, as you have noticed. I suggeste...

Kentzo

@llamajaja has good wisdon… but if this is your personal device then go hack it.

Although consider something like GNS3 (it can virtualize RouterOS). It's better because you won't "brick" your LAN and can always reset to a clean slate.

Kentzo

Try adding the rules one by one to find the one that leads to ejection.

Kentzo

You want Policy Routing : - 2.3 needs to select packets of the client (/32 source address) and send them via the 2.1 gateway - 2.1 needs to select packets of the client (/32 source address) and send them via the 2.2 gateway - 2.2, presumably, needs to NAT the packets and send them out via default ga...

Kentzo

So you have: - 2.1 on the OVPN server - 2.2 on one OVPN client - 2.3 on another OVPN client Both 2.2 and 2.3 use 2.1 as default gateway, presumably via the "add-default-route=yes" parameter of /ip/ovpn-client. Now you want 2.3 to use 2.2 as a default gateway instead. You need custom routin...

Kentzo

I do not see anything obviously wrong in your config, with respect to this issue. Have you considered that Fritzbox doing something shady? I have never handled this device, but some googling landed: - https://discourse.pi-hole.net/t/bogus-nsec-3-missing-since-fritzbox-update/63772/3 - https://commun...

Kentzo

This is a bug. And the problem is not solved. Why did you say it was solved in the title?

I'm running 7.10.2 and don't have an issue of reappearing deleted pools or addresses after a reboot.

Kentzo

Consider altering your firewall to REJECT (with appropriate ICMP codes), rather than DROP, packets that originate from you LAN. Should ease further debugging.

Kentzo

I also recommend multiple APs. As alternatives to Ethernet consider Mesh systems (more expansive) and Powerline adapters (depends on how electric lines are wired).

Kentzo

I'm using

/system logging
set 2 topics=warning,!radvd

to tame /log print.

Kentzo

Did ISP give single GUA IPv6 and you use NAT to forward traffic ULA hosts?

If not, it’s likely a misconfiguration.

Kentzo

You should send your request directly to Mikrotik: https://help.mikrotik.com/servicedesk/servicedesk/

Kentzo

This filter rules look ok to me.

Is forwarding enabled in /ipv6/settings? Are you sure IPv6 addresses are the correct ones?

Show the export of the whole /ipv6/firewall, not just /ipv6/firewall/filter.

Kentzo

RFC 8415 is pretty clear that DUIDs are opaque and thus RouterOS should not attempt any interpretation. I'd suggest to capture packets and contact Miktorik's technical support.

Kentzo

Would it be possible to capture DHCPv6 exchange via packet tracer such as Wireshark? I wonder why RouterOS thinks server's DUID is bad.

Kentzo

If the rules of the State change, it is not MikroTik's job to inform customers, it is assumed that they already know the law, which does not admit ignorance. I remember reading in change logs that this-or-that regulatory domain was updated up to standards. Sounds more likely that they pushed newer ...

Kentzo

Access to login and services can be controlled by IP though.

What behavior is recommended by RFCs? Perhaps there is a requirement for router to behave like this by default.

Kentzo

I think a LAN host can request a non on-link IPv4 of the router via ARP (maliciously, due to misconfiguration or by being transitioned from one LAN to another) and get a reply.

Kentzo

Are you sure it’d not a firewall rule then?

Might be a too restrictive input filter for packets coming from WAN. If so, use the ipsec-policy property.

Kentzo

Have you tried to manually specify the src-address property on /tool/ping? Needs to match traffic selectors in the policy.

Kentzo

/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192

IPv6 is disabled. I suspect that's why addresses you self-assigned are marked as Invalid.

Kentzo

Check it's Android version and see if anyone else encountered IPsec problems with it. Can be a bug, a misconfiguration or just some IKEv2 functionality is not implemented by the client and/or RouterOS.

Kentzo

Enable verbose logging of the ipsec subsystem on RouterOS via "/system/logging/add topics=ipsec,debug action=memory". It will give you much more info regarding the mismatches that lead to the destruction of the security association.

Kentzo

Have you tried the "ipsec-policy" property of firewall rules?

Kentzo

I asked the support whether no-dad affects the overriding flag and just received an answer that no it does not. The documentation was edited to reflect that no-dad=yes does not make address a proper anycast. So it appears within RouterOS you cannot assign an anycast address. Thus Scenario 2 in RFC 7...

Kentzo

It's Sonos that sends mDNS for iPhone (and other devices to see), not the other way around.

Must be a misconfiguration somewhere. What is the IP of the Sonos device? Try to sniff all traffic between your iPhone and Sonos to see what ports are being used, see if you recognize any from the list.

Kentzo

I'd start by running /ip/ipsec/export before and after the upgrade to make sure that the configuration was preserved.

Kentzo

AirPlay only uses mDNS for device discovery, not for actual streaming. If you see "TV Room" in the list then mDNS is working and the issue is not related to multicast. The streaming itself is a unicast. Apple lists the following ports for Airplay: 554 UDP and 3689 TCP. Have you checked the...

Kentzo

trying to get multicast to route between subnets. First step is to understand nature of your multicast. If it's routable, then your need IGMP Proxy or PIM (as well as a careful look into IGMP Snooping, Multicast helpers etc). If it's non-routable than you need a repeater of some sort. E.g. mDNS's m...

Kentzo

Drop your config here.

Kentzo

You want to take a look at RFC 3513, section 2.5 to get an understanding of IPv6 addressing. Is there any harm in leaving it at /56? The "pool-prefix-length" property is a configuration property used by RouterOS when it subnets delegated prefix, i.e. it will create subnets with prefixes of...

Kentzo

Basics are covered in Mikrotik's IPv4 and IPv6 Fundamentals (and subsections). For in depth see RFC 4861 and RFC 8415.

I can help with specific questions, but otherwise it's hard to elaborate in few words.

Kentzo

/ipv6 dhcp-client add interface=sfp1 pool-name=pool6 pool-prefix-length=56 request=prefix Unless you do know that you need /56, I'd change "pool-prefix-length=56" to "pool-prefix-length=64 prefix-hint=::/48" /ipv6 dhcp-server add address-pool=pool6 interface=bridge name=DHCPv6-l...

Search found 549 matches