MikroTik

Kentzo

Interesting. Again, what ROS ver#?

7.18.2

Kentzo

I rebooted the router and now it all works. Very strange. Hopefully the support can determine the issue from the supout I sent.

Kentzo

To confirm this, as a test, have you tried changing the ULA address to some fake address from GUA space temporarily, and seeing if the exact same problem still happens or not? I added an additional GUA via `add advertise=no from-pool=global interface=vlan-main eui-64=yes` and the router is reachabl...

Kentzo

It does. I did a bit more testing and hosts on the VLAN link can access the router: via on-link GUA via on-link link-local address via off-link ULA assigned on the bridge interface VLAN is part of via off-link ULA assigned to a veth interface which is not part of any VLAN nor bridge It does look lik...

Kentzo

Lack of responses makes me uneasy

Does no one have both GUA and ULA on the same link?

Kentzo

On my network I have a VLAN with two IPv6 addresses assigned, one GUA and one ULA: > /ipv6/address/export add address=::...:17fe eui-64=yes from-pool=global interface=vlan-main add address=fd6f:...:17fe eui-64=yes interface=vlan-main > /ipv6/address/print detail 0 G address=2601:...:17fe/64 from-poo...

Kentzo

If I understand correctly, your complaint is that RA received by a host on vlan11 contains an additional Prefix Information option (3) with prefix that does not belong to the current link. Per RFC 4861 : A router SHOULD include all its on-link prefixes (except the link-local prefix) so that multihom...

Kentzo

I upgraded my RDS2216 to 7.19rc1 for some disk testing. Built-in SMB is still bad for some reason. It works fine on 7.17, but throughput on 7.18-7.19 are horrifically slow.

Interesting, I saw a major improvement in 7.18.x. I have an m2 ssd in a case attached over usb.

Kentzo

I doubt TCP-MP is involved: the device is a laptop and WiFi was its only path to the internet. I only have one gateway in the network.

Kentzo

Ended up adjusting both IPv4 and IPv6 filters to accept both invalid RST and FIN,ACK regardless of the origin: > /ipv6/firewall/filter/export where chain=invalid add action=accept chain=invalid protocol=tcp tcp-flags=rst add action=accept chain=invalid protocol=tcp tcp-flags=fin,ack add action=rejec...

Kentzo

Not exactly: https://esim.me/

So… a programable SIM card?

Kentzo

thanks, I'll do as you say, but anyway for information, the error: pool6 refused acquire: bad preferred prefix length! (1) what is it due to? As @Kataius said: you misconfigured prefix delegation / address allocation (depending on what you wanted to use DHCPv6 Server for). You really did not give u...

Kentzo

If you believe it's a RouterOS bug: help.mikrotik.com is your best recourse.
If you think it could be a misconfiguration: need to see the config.

Kentzo

Clear the /ipv6/dhcp-server config. Configure SLAAC by advertising a self-allocated ULA address on the interface connected to the link with Open Thread Router. See to that the OTR picks an address from this advertised prefix. Once OTR is properly on link it will start issuing Router Advertisement me...

Kentzo

It should set up its own independent network.

Kentzo

In IP/Services . Is there something special on enterprise devices? My `/ip/service` shows RouterOS's access services (winbox, www, api, etc). I struggle to connect what "all TCP/UDP connections on the system" and "all TCP/UDP ports on system, including ports in containers" have ...

Kentzo

I expect Thread Border Router to act independently. IIRC the only requirement is that it needs to be on the same link (i.e. same ethernet, wifi of VLAN) with devices it wants to control.

Kentzo

*) ip-service - show all TCP/UDP connections on the system (additional fixes);
*) ip-service - show all TCP/UDP ports on system, including ports in containers (additional fixes);

Where do I see these values?

Kentzo

I found it oh so much easier to troubleshoot lan with proper errors

Agreed the state machine for a tcp connections is quite sophisticated and troubleshooting tools are lagging behind.

Kentzo

Typically it’s a job for a Thread Border Router which acts independently from your router. Can you tell more about what you are configuring?

Kentzo

Well, increase "DoH max concurrent queries" setting

It's already 2048 and cache (240KB / 4096KB) is on.

Does RouterOS count stale HTTP connection towards this limit?

Kentzo

Are you using "verify server certificates" option? If you disable it, do the errors go away? That might narrow the problem. Slightly different errors: 22:03:22 echo: dns,warning DoH max concurrent queries reached, ignoring query 22:03:22 echo: dns,warning DoH max concurrent queries reache...

Kentzo

If they don't support DHCPv6 they may still provide you with a static prefix (which you have to enter manually). Do they provide any instructions for IPv6, what did their support say?

If you can, please capture the Router Advertisement ICMPv6 packet.

Kentzo

Is your intention to have a stateful or stateless IPv6 address assignment?

Kentzo

What's your ISP?

Kentzo

Looked a bit more and it seems the host is to blame: it attempts to send data after acknowledging server's FIN,ACK. The RouterOS does the right thing by sending RST and the client acknowledges it. Perhaps it has to do something with power conservation. The only adjustment I think to make is `tcp-fla...

Kentzo

NPTv6 still requires an upstream router to route addresses in the prefix you "allocated" for yourself. Currently it expects every device to be on link and routes nothing. RouterOS does not support RFC 4389 ND Proxy (which would be a horrible workaround for your use-case). Are you sure your...

Kentzo

For testing, I modified firewall rules for both IPv4 and IPv6 to accept all outgoing `connection-state=invalid` packets. Now I see this: 2025-04-28 18:48:51 firewall,info accept6-lan invalid: in:vlan-main out:ether1-gateway, connection-state:invalid src-mac 08:87:c7:37:b0:5b, proto TCP (ACK,PSH), [....

Kentzo

I'm doing a yearly review of the firewall and would like to address an issue with dropped outgoing invalid packets. My current firewall setup for IPv4: > /ip/firewall/filter/print where chain=forward chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related chain=...

Kentzo

Hmm, I'm just relaying on volume of posts in forum as metric here.... Are you using "verify server certificates" option? If you disable it, do the errors go away? That might narrow the problem. I mean it does mostly work. For end users this issue appears as a browser / application bug or ...

Kentzo

All other popular DoH services work with MikroTik without issue. You should not judge DoH implementation in MikroTik by just testing the one service that often does not respond. As far as we can say, the only complaints about DoH are with Quad9, not sure why. I gave Cloudflare (https://cloudflare-d...

Kentzo

The benefit of DoH is opaqueness at the expense of much higher complexity.

In absence of this requirement, do you think DoQ would perform better than DoT?

Kentzo

Every now and then I'd try the DoH (quad9) setting on RouterOS only to find it to be unreliable, just dropping DNS requests for one reason or another. Usually it results in my web browser being stuck loading webpages, likely waiting for some long timeout to trigger. Nowadays it does not seem to happ...

Kentzo

The up-to-date version of this guide can be found at https://gist.github.com/Kentzo/36dee5b82ba1b25bec0167a5e07c565f In a Nutshell RouterOS script that uses CoreDNS to: Prevent leaks of queries for domains in Locally-Served DNS zones Set up Comprehensive A/AAAA/PTR resource records for hosts Set up...

Kentzo

I don't see a straightforward solution to allocating an IPv6 address from a prefix dynamically assigned to me by the ISP. NPTv6 / NATv6 seems like the easiest in terms of administration, but feels wrong.

What approach do you use?

Kentzo

I have an internal DNS server that is authoritative for my local zone (home.arpa.) which RouterOS's DNS resolver is configured to forward to. I just noticed that it rewrites NXDOMAIN responses as NODATA. With the following zone file: $ORIGIN home.arpa. @ IN SOA @ nobody.invalid. (1 3600 1200 604800 ...

Kentzo

One approach is for someone on this forum to set up an independent bug tracker for interested users to duplicate their reports. Although it’s an additional burden on the reporter to file twice (and then update once the issue confirmed / resolved). Ultimately it may nudge Mikrotik to open up their sy...

Kentzo

I have noticed a bug in 7.18.2 where `/interface/veth/get value-name=address` returns incorrect value: > /interface/veth > add address=2001:db8:1:1:1:1:1:1/64 gateway="" gateway6=2001:db8::1 name=example > :put [get example value-name=address] 2001:db8:1:1::/64 Note how the result zeroed b...

Kentzo

I beg a pardon but the code snippets are valid syntax. That they don't print anything is the intended behavior. The expression inside [] is a condition: > :put [:len [/ip/address/find]] 8 > :put [:len [/ip/address/find where [(true)]]] 8 > :put [:len [/ip/address/find where [($interface~"bridge...

Kentzo

Regarding OP: this behavior is indeed documented https://help.mikrotik.com/docs/spaces/ROS/pages/47579229/Scripting#Scripting-Reservedvariablenames Regarding my "alas": the [] syntax works but it does not do what I initially expected. It's executed as part of the `where` expression and act...

Kentzo

I got a little bit excited because the script I'm working on is full of code like: :local varItems [/ip/address/print as-value where ...] :foreach varI in=$varItems do={ # process records } When I saw @rextended's snippet I thought to rewrite it as /ip/address/find where ... [ # process records ] Bu...

Kentzo

Ah, so the function argument of find acts as one of filters itself: > /ip/address/find [($address~"192.168.3.1/")] is equivalent to > /ip/address/find address~"192.168.3.1/" Initially I thought the function argument is called only for the elements that matched the where expressio...

Kentzo

Thanks, that makes sense. Do you know if that's documented?

Also that's news that find can take a function as an argument. Didn't see it documented either.

Kentzo

I just noticed that if a variable and parameter of a where expression have the same name, there filter is ignored: > /ip/arp/print proplist=address Flags: H - DHCP, D - DYNAMIC; C - COMPLETE Columns: ADDRESS # ADDRESS 0 C 192.168.99.2 1 HC 192.168.3.6 2 HC 192.168.3.21 3 HC 192.168.3.3 ... > /ip/arp...

Kentzo

It looks like /ip/dns's servers, /ip/dns/static's forward-to and /ip/dns/forwarders's dns-servers/doh-servers do not support custom ports. Is NAT still the only solution?

Kentzo

Need to see ` /ipv6/nd/print detail`.

Kentzo

Resurrecting an old thread, but did you ever get to the bottom of this? I suppose it has to do with the MAC address RouterOS uses for its side of the veth link.

Kentzo

When "IPv6 stops working", can you ping the default route gateway from the router?

Kentzo

You're right, it's still not up to RFC.

Kentzo

I think it was resolved in one of the recent versions of RouterOS.

Kentzo

Major downgrade in wireless performance on hAP ac lite / RB952Ui-5ac2nD (7.18.1) over 2.4Ghz link as a station of hAP ax3 AP (7.17.2): x10 latency and frequent packet drops. Downgrade to 7.18 resolves the issue.

Kentzo

Make sure that the nameserver authoritative for the parent zone has an appropriate referral that points to the public IP of your RouterOS
On RouterOS configure a forwarder for your zone to use your internal nameserver

Kentzo

Windows 10's builtin IKEv2 supports EAP-MSCHAPv2: https://docs.strongswan.org/docs/latest ... pConf.html

Could it be an administrative / licensing restriction in your case?

Kentzo

In the post above you mentioned that bridge filter set-priority rules are needed because, supposedly, RouterOS’ ip firewall won’t work on these packets. Did you verify that?

Kentzo

But Windows does not support IKEv2, only L2TP/IPsec. That is not true, Windows supports IKEv2. In my use case I use ikev2 ipsec as back to home in my soho as it requires no client software. And I wanted to support all common platforms out of the box. I went with strongswan as the responder. It supp...

Kentzo

I never had to deal with such issues, but did you confirm that RouterOS's DHCP client indeed bypasses firewall mangle rules?

Kentzo

Exactly. The concept of "default" / "unset" being equal to all supported by the radio is not great. To that extent I mostly dislike how "default" is implemented in RouterOS. `print` needs to display concrete values and use graphics / color / formatting to disambiguate u...

Kentzo

Any particular reason you don’t want to run a better ipsec responder inside a container? After all ipsec is done in the kernel and you shouldn’t suffer too much performance drop, although my use cases are very modest.

Kentzo

On reflection I’m not sure this solution will work for me as I need the address to be public facing so that the remote site can connect to the Wireguard endpoint.

You are confusing the concepts here. The whole prefix is public and is routed to you regardless of which interface uses it.

Kentzo

This is wise.

Nevertheless troubleshoot was difficult. Likely insurmountable to normal users. A SoHo AP needs to be friendlier.

Kentzo

An attachment of `/ipv6/export`, `/ipv6/route/print`, `/ipv6/address/print` and `/ipv6/dhcp-client/print detail` would be a good start.

Kentzo

Thanks I’ve come across a couple of guides that do this and suspected it to be poor practice.

AFAIK there are exceptions, such as RFC6603 Prefix Exclude Option for DHCPv6-based Prefix Delegation. This document gives a good explanation why it's a bad idea and when it might be necessary.

Kentzo

6,000+ views. No ones tested AMT? Only testing patience for diatribes.

Could you describe the specific problem you would like to solve with AMT?

Kentzo

Assigning an address from the prefix on your WAN is a misconfiguration. Prefix is for your downstream use.

I would add a bridge interface with zero members and assigned an address from the prefix to it.

Kentzo

I think I understand how and what I accidentally broke. As I mentioned in the linked post, I disabled the DFS channels and set `reselect-interval` on the channel profile. This allowed AP to pick frequencies that are not supported by my devices (U-NII-4). For a day I was lucky as the AP avoided these...

Kentzo

That'd be the last resort.

Confirmed with Wireshark in monitoring mode that the AP is not sending beacon frames using the mac address of the affected interface.

The `frequency-scan` and `spectral-scan` tools to work. I suppose the interface is not bricked.

Kentzo

A peculiar thing is that under "/interface" the interface is designated as "SLAVE" while under "/interface/wifi" it's "MASTER".

Kentzo

I was playing with the config per my other thread ( hAP ax3 / MBP: intermittent packet loss ) and it appears I broke something and cannot quite figure out what exactly. As can be seen in the linked post, I had `disable-pmkid=yes` on the WiFi interface which I set in hopes it would improve connectivi...

Kentzo

I will report once I test it more.

Kentzo

Adjusted the config to disable DFS channels (out of assumption that there were conflicts but RouterOS failed to log them) and set reselect-interval. No disconnections so far.

Kentzo

I'm certain that this particular problem that I experience is due to AP and not the ISP / GFN. Mainly because my OS (macOS 15.3) reports WiFi connectivity issues and that RouterOS reports disconnection of _all_ clients that belong to the affected WiFi network. The AP my MBP is connected to is hAP ax...

Kentzo

I recently started using a service called GeForce NOW and noticed a problem that I was not aware of previously: periodically my MBP would experience connectivity with ping to the AP ranging from high ping (>100ms) to packet loss. The connection will remain spotty for 10-30 seconds before recovering ...

Kentzo

*) smb - fixed connection issues with clients using older SMB versions (introduced in v7.17);

Still seeing the same problem here.

Kentzo

I got an impression that their SWAP implementation is only for containers and otherwise unused (and isolated) from network functionality.

Kentzo

I think it makes a great SoHo router though. A couple of SMB shares and SWAP for memory heavy containers is all I need. Finally can retire an rpi and run Homebridge directly on my AX3.

Kentzo

What's new in 7.17.1 (2025-Jan-30 12:29):

The SMB server still suffers from compatibility issues with certain clients.

Kentzo

If it returns, please sniff the packet.

Kentzo

What is the firewall rule?

Kentzo

I'm not aware of Application-level support for any of AMT, so I guess currently it relies on gateway equipment to support this? Would love to read about any deployments of this technology, sounds interesting in the context of roadwarrior VPN clients, as Amm0 suggested.

Kentzo

Just a guess, but perhaps ISP's DHCPv6 server misinterprets the Prefix-Length option. Try setting `prefix-hint=::/64`, and if that works gradually increase the pool by setting `prefix-hint=::/63` then `prefix-hint=::/62` etc until it breaks. This error is definitely something I'd confront the ISP wi...

Kentzo

*) smb - stability improvements for client/server; The SMB client run by Infuse player app on Apple TV stopped working. macOS native SMB client connects without problems. Below are dissections from Wireshark. Infuse: --Request by Infuse--> SMB (Server Message Block Protocol) SMB Header Server Compo...

Kentzo

During the capture, I requested a prefix, changed my firewall rules, and then requested a single IP.

Nothing in the capture suggests any of these actions. Please try to capture at least 10 minutes worth of traffic. At the very least we need to see ICMPv6 Router Advertisement packet there.

Kentzo

In that case I would try to sniff ICMPv6 and DHCPv6 traffic on ether1. That does not seem right.

Kentzo

Is it feasible to disable all IPv6 firewall rules, reboot the router and then attach the output of `/ipv6/pool/print`?

Kentzo

add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10 The `src-address=fe80::/10` may be the culprit. Either remove it or replace with `in-interface=ether1` instead. Please post the update config after you ...

Kentzo

We need to see the current IPv6 config: `/ipv6/export`

Kentzo

RFC4291 - IP Version 6 Addressing Architecture is a good start to learn standard terminology, makes googling much easier. With respect to Subnet ID: RouterOS currently does not allow administrative control over this part of an IPv6 address. Please contact Mikrotik support and let them know that you...

Kentzo

I vaguely remember this problem when I tried to get IKEv2 responder on RouterOS to work with all of my devices.

I think to troubleshoot this definitively you need all three of the following:

1. Logs from RouterOS
2. Logs from macOS
3. A capture Phase 1 and Phase 2 packets, decrypted

Kentzo

Try to collect logs on macOS , it will tell you what its IKEv2 initiator does not like.

Also see the note about re-authentication issues.

Kentzo

Check this out too https://github.com/Kentzo/routeros-scripts-custom

Has some changes and bugfixed

Kentzo

7.17 will have "Address Delegation", but it's not clear whether it is what I think it is.

Kentzo

Perhaps the daemon / routine responsible for configuration of network interfaces overrides these kernel parameters. Have you followed https://wiki.alpinelinux.org/wiki/Configure_Networking?

Kentzo

In that case refer to the corresponding doc from Alpine…

Kentzo

Could you attach the dissection (e.g. via Wireshark) of the RA packet as received by the Mikrotik router interface connected to the upstream Cisco router?

Kentzo

IIRC it's based on Debian and uses systemd-networkd, in which case you want to read up on [IPv6AcceptRA] Section Options.

Kentzo

I think if you want to debug issues with wireless connection specifically, you need to sniff wireless packets. For Wireshark take a look at WLAN (IEEE 802.11) capture setup.

FWIW try to set a static channel for ecobee AP and adjust the DHCP server to give long leases (e.g. 1 week).

Kentzo

If you think that using /32 route adds to security, then please explain how ... and please, include some example which will illustrate your claims. I'm not saying that your way isn't possible, I just don't see how. It’s not about security, I fully agree that it is still WAN and don’t offer any chan...

Kentzo

*) dhcpv6-server - added IPv6 address delegation support; Do I understand it correctly that it's for RFC 8415 Section 6.2 DHCP for Non-temporary Address Assignment ? Because if it is, then I agree with @RavenWing71 in that it should not have assigned the reserved anycast address ( RFC 5453 ) nor re...

Kentzo

This would only happen if there was statically set IP address along with enabled DHCP client. This is exactly the argument as it's a very common setup to have a DHCP client running on the physical interface that connects to the ISP. More than one IPv4 address on an interface is not standard. So why...

Kentzo

It’s definitely not more secure, as you say. For all intents and purposes the modem needs to be treated as hostile WAN. But for simplicity, I think it is better to use a route as a universal approach. By setting an IP address on the WAN interface you negatively affect setups where upstream uses DHCP...

Kentzo

So I added IP address (from modem's "LAN" IP subnet) to my ether port linking with modem.

Any particular reason you chose this approach rather than adding <IP>/32 route? The latter should work for both PPPoE and bridged

Kentzo

You can try the following setup to experiment locally using one RouterOS device: Assign 2 IP addresses at /ip/address to the `lo` interface Set up a EoIP tunnel using [1] addresses, set MTU to something absurdly high, e.g. 65000; this tunnel will simulate Internet Assign 2 more IP address at /ip/add...

Kentzo

In this case please report it at https://mikrotik.com/support/

Kentzo

A DHCPv6 Client is not necessarily required by a host for a functioning IPv6 connection as information supplied by the upstream router via ICMPv6 is often sufficient. TBH don't see yet how is that an IPv6 or RouterOS problem. Get it to work on your laptop, then we can see what RouterOS config can ma...

Kentzo

I recommend administratively limit access to TikTok via Parental Control and similar mechanisms. Pretty much every OS has it one way or another.

Kentzo

IIRC it is currently not possible to manually control Subnet ID. Please contact mikrotik at https://help.mikrotik.com/servicedesk/servicedesk and let them know that you need this functionality.

Kentzo

If that test won't show Router Solicitation then I suggest to report this as a bug at https://help.mikrotik.com/servicedesk/servicedesk explaining the flow and attaching the captured packets.

Kentzo

Did you see RouterOS to send Router Solicitation shortly after you unplugged / plugged the router cable? Did you see Router Advertisement sent back in response? Normally hosts (and your mikrotik router is a host in the link with the gateway) don't send Router Solicitations unless needed. From RFC 48...

Kentzo

For this scenario it doesn't matter what your local hosts see as the link we're interested in is between the upstream and your mikrotik router.

Kentzo

After you connected the network cable back, did you try waiting for the route to re-appear, if so for how long? To capture the packets on the gateway (or any RouterOS interface, really) use its builtin packet sniffer: https://help.mikrotik.com/docs/display/ROS/Packet+Sniffer Points of interest: - Do...

Kentzo

How long does it take for the default route to "drop off" after you apply this configuration? Did you try a reboot after applying it? It would be interesting to capture the Router Advertisement packets on the WAN interface (e.g. with Wireshark), if you're willing to diagnose this issue fur...

Kentzo

I would try to add an /ipv6/nd record for the gateway interface (as in my example above) and change `add-default-route` to `no` on /ipv6/dhcp-client. Then see whether it would work after router's reboot.

Kentzo

In CPE scenario when upstream serves IPv6 properly you most definitely want `add-default-route= no ` on /ipv6/dhcp-client. Enabling /ipv6/nd on the gateway interface should be sufficient to set up the default route. > So I made the changes to (I think) mimic yours Can you post /ipv6/export and /ipv6...

Kentzo

I assume disabling my dhcp-server from ipv6 is the same as not having it. Chances are that you don't need it: DHCPv6 server on RouterOS can only (1) delegate prefixes to routers downstream and (2) distribute DHCPv6 options to hosts (that's what you enable via other-configuration=yes). It cannot han...

Kentzo

Also note that in the config I posted I set up /ipv6/nd on the gateway interface in addition to the bridge: that should help RouterOS to discover default route. I say help , because the exact behavior of RouterOS's IPv6 ND is not well documented. Would be interesting to see and compare states of /ip...

Kentzo

What cable boxes (vendor?), what's your internet and TV service providers? Did they provide instructions regarding setting up IPv6 with them? I see that it's Rogers Canada. Could you describe your network layout in more detail, is the gateway modem bridged into your LAN? It's better to understood h...

Kentzo

If your only router is RouterOS and you don't run any additional services elsewhere on the link, then you want `managed-address-configuration=no` (which is the default IIRC). That should be enough for hosts to obtain addresses via SLAAC. This is the core of my IPv6 working config: /ipv6 dhcp-client ...

Kentzo

Why do you have `managed-address-configuration=yes`, do you have a DHCPv6 server in the network that hands out addresses?

Kentzo

Do you even have IPv6 mDNS traffic? You should be able to verify this with /interface/bridge/filter.

Kentzo

No, that is not true. The DNS resolver processes the entries from top to bottom (like the firewall) so you can have that config. I checked with the support: regexes are indeed processed first. Therefore the *\.home\.arpa$ regex of type NXDOMAIN will override non-regex entries regardless of its rela...

Kentzo

But I don't know why you'd get NXDOMAIN back if there was /ip/dns/static using it.... If the DNS server run by RouterOS has two /ip/dns/static records (in that order): nas.home.arpa A 192.168.1.101 *.home.arpa$ NXDOMAIN Then, per my understanding of the docs, client’s request for nas.home.arpa is g...

Kentzo

You can have a couple of .home.arpa records in the DNS and at the end a *.home.arpa$ record with NXDOMAIN. From the docs : The server is also capable of resolving DNS requests based on POSIX basic regular expressions so that multiple requests can be matched with the same entry. In case an entry doe...

Kentzo

To clarify, what loses IPv6 connectivity: only the hosts connected to the Mikrotik router or both Mikrotik router and its hosts? If it's the former, what's the use of DHCPv6 Server? FYI RouterOS's DHCPv6 Server cannot assigned addresses to individual hosts, it can only distribute prefixes to other d...

Kentzo

@pe1chl I think they should keep the automatic behavior but add the dynamic record with an appropriate comment to the routing rules for both IPv4 and IPv6. Similar to how they do it for VLANs. @luckybuilding Please send a bug / feature request to Mikrotik, you have a legit case. Let's make sure it c...

Kentzo

DHCPv6 server can serve options when SLAACs other-configuration is enabled.

Kentzo

Might be worth a bug report.

Have you tried routing look up rules under /routing/rule as an alternative?

Kentzo

What rules do work on IPv4 but not IPv6?

Kentzo

So if you want to force client's traffic through IPv4 tunnel, disable IPv6 on that site altogether.

...or make your tunnel dual-stack.

Kentzo

AFAIK It should not be necessary to assign an address to the WAN interface: RouterOS should be able to use a global IPv6 address assigned to any of its LAN interfaces. I don't immediately see any problems with the firewall. However, it would be interesting to enable logging for all drop rules and se...

Kentzo

See section 2.6.1 of RFC 4291 - IP Version 6 Addressing Architecture An address where Interface ID ends with 0s is a reserved anycast address for any router on the network. Once delivered to a router, it replies using the most appropriate address. In your case the Subnet Prefix is 0000:0000:0000:000...

Kentzo

AFAIK in principle it should work. I think the issue might be a mismatch of traffic policies: they are expresses via IPv4 masks in RouterOS config, but actual addresses in SA are IPv6. Or it might be limitations of the legacy mode-config configuration (iOS really wants proper IKEv2 and RouterOS does...

Kentzo

It's normal and preferred for your WAN interface to receive an IPv6 address that is not part of the PD. Overlapping them is possible, but AFAIK, is an edge case. See RFC 6603 Prefix Exclude Option for DHCPv6-based Prefix Delegation . Since your router receives an IPv6, can it ping its next hop and/o...

Kentzo

IIRC at the moment RouterOS doesn't let you administratively override how it uses received Router Advertisements. Please contact Mikrotik support and make a feature request at https://help.mikrotik.com/servicedesk/servicedesk

Kentzo

The support explained that this is as intended, the router used `lo` as the next hop to the subnet it had an address in.

Kentzo

Yeah, I'm of little help here as I do not work with PPPoE. Try Mikrotik support, perhaps they can give you a solution without disabling `accept-router-advertisements`.

Kentzo

IMHO the default value is wrong (at least for home networks) and is still set as such solely for backwards compatibility.

I recommend the following for further reading:

Kentzo

I’d keep the RA on in the setting and instead worked with the raw rules of the IPv6 firewall to drop all ICMPv6 (which includes RAs) coming via interfaces where IPv6 is not desirable. One notable use case for having RAs in home network is IoT and the Thread protocol, it uses RAs. Apple TV does that ...

Kentzo

I cannot give you a solution, but it seems strange that you have 3 default routes of equal distance in the routing table of RouterOS. Have a critical look at your LAN / VLAN / bridge layout, something is amiss there. It is possible that the issue is not related to IPv6 at all.

Kentzo

Try sniffing all interfaces to see what happens to the lost ping packets when there are not seen on the WAN interface.

Kentzo

What physical interface is VDSL? Can you show a diagram of your VLANs?

Kentzo

Post the routing tables on macOS (via netstat) and the router.

Kentzo

Sniff traffic off the PPPoE interface, your goal is to verify that the packets are dropped within your LAN.

Kentzo

Ouch

Kentzo

In general is there a way to locate all records that reference a deleted entity, such as a deleted interface?

Kentzo

[deleted]

Kentzo

Did you try RFC 7078 Distributing Address Selection Policy Using DHCPv6?

Kentzo

It didn't crash before 7.14.3 and yet my machine with uptime of a few months does not exhibit this issue. However, I changed /ipv6/nd/prefix/default: /ipv6/nd/prefix/default/print autonomous: yes valid-lifetime: 16h preferred-lifetime: 8h Which is shorter than lifetime of my DHCPv6 delegated prefix ...

Kentzo

Interesting point. Assuming you advertise multiple prefixes via RA to the downstream hosts (i.e. your hosts are multi-homed), you can encourage their address selection via the ra-preference property in /ipv6/nd. However, will RouterOS actually prefer the gateway that corresponds to the location of t...

Kentzo

Hmm, I don’t think I noticed this behavior. Then again I only ever have up to 2 prefixes simultaneously, so my hosts cannot get 1000 address. OTOH I’m with xfinity and my delegated prefix changes time to time. What are your default settings for nd? Did you try the 7.16 beta release, as its notes men...

Kentzo

Then how would you expect the client OS to select source address among multiple prefixes in standard compliant way? It’d seem to me that misbehaving clients should rather have a static LUA with a translator in front of them. Not great and not standard but a better workaround IMO. I never checked, bu...

Kentzo

IKEv1 and IKEv2 differ in how configuration can be supplied with IKEv2 being backward compatible. RouterOS only supports backward compatible configuration, “new” configuration payload is not (fully?) supported. What user may or may not want is orthogonal to want the implementation must support. And ...

Kentzo

Thanks to the SMB bug my ax3 crashes and gets rebooted a few times a day :) I think the deprecation in my case is working properly: when prefix gets reassigned to another interface it seems correct to mark as deprecates on the old one. But it is wrong that Subnet ID is neither stable nor under admin...

Kentzo

As a responder it still requires deprecated mode-config where more appropriate IKEv2 attributes exist. IIRC split-include can only be used via mode-config, IKEv2 traffic selectors are not supported.

Kentzo

In general add-default-route via DHCPv6 client is wrong, that is why it is off by default. In IPv6 proper default route should be learned from RA.

There are examples on this forum where add-default-route=yes in DHCPv6 backfired.

Kentzo

For RouterOS <-> RouterOS? I don't think it matters. Otherwise you're probably better with Wireguard as RouterOS's implementation of IPsec (especially "modern" IKEv2) is incomplete.

Kentzo

Another idea: put each interface into a separate VRFs and add appropriate routes / routing rules to prioritize one default route over another. However you will have to adjust the IPv4 configuration as well.

Kentzo

If you're doing RA, you most likely want `add-default-route=no` on the DHCPv6 client. RouterOS will add the proper default route based on the RA. Not sure how to deal with PPPoE, the config does not seem to allow to selectively disable `add-default-route` for IPv6. RouterOS does not seem to support ...

Kentzo

[deleted]

Kentzo

I now understand the issue a little bit better. In my deployment I implement NPTv6 to let IPsec clients with ULA addresses to access internet using a GUA derived from an upstream delegated IPv6 prefix: I "reserve" and IPv6 prefix by allocating a non-advertising address on the `lo` loopback...

Kentzo

Regardless of the packet flow, I'd expect `out:lo` to be in the input chain and never in the forward chain.

Kentzo

This behavior (bug?) in IPv6 Firewall Filter seems to be new: lo -> lo in the IPv6 firewall filter forward chain

Kentzo

A little bit of context: AAAA is my laptop and BBBB is my phone which is currently sleeping. BBBB is not pingable nor it appears /ipv6/neighbors. An app on AAAA cached BBBB-IPv6 and continuously tries to reach BBBB. This is what I see in the IPv6 firewall filter: ... firewall,info ... forward: in:vl...

Kentzo

Have you tried https://wiki.mikrotik.com/wiki/Manual:C ... ic_Shaping ?

Kentzo

*) smb - added logs for share connection requests

Please revert this change. 99% of my info logs is now `... connect request user:GUEST ...` :/

Kentzo

It looks like there is a mismatch in phase 1 configuration. Can you share the diagnostic logs from Azure's VPN? Capturing the packets might on the router by sniffing may also be helpful to see what you send vs what Azure's responder expects.

Kentzo

I think builtin SMB server causes kernel panic and reboot after certain amount of data is being transferred (it appears in the direction from the Router).

Kentzo

IIRC if you add addresses like this: add address=::1 eui-64=yes from-pool=local-pool add address=::1 eui-64=yes from-pool=guest-pool then one of them will get deleted upon a reboot. This is a known problem but please report to https://help.mikrotik.com/servicedesk/servicedesk/customer/portal/1, more...

Kentzo

Where is the authentication material in `/ip ipsec identity`?

Kentzo

If you run `dns-sd -Z _airplay._tcp` in the Terminal app on macOS, does it show any devices at all?

Kentzo

Reading from the builtin SMB server seems to cause kernel panic.

Kentzo

What is not working specifically? The devices do not appear on the Share list in iOS / macOS / tvOS or they do but the connection fails? If so then what is the error message?

Kentzo

As a SOHO user for almost a decade all deviations I saw were almost exclusively to circumvent RouterOS's mishaps. To that extent it's great that the OS allows for that. However, I personally want it to be easily configure to follow the RFC specs and best practices as precisely as possible. For whist...

Kentzo

IMHO Application-level problems need application-level solutions. I did not look into the mDNS spec sufficiently, but I would not take for granted that reflection does not involve some alteration of the packet under certain circumstances.

Kentzo

I recommend taking a look with wireshark to see what goes through and what’s not.

If ping works but nothing else then it could be an MTU issue. Can you find the maximum payload size that works for the ping tool? This thread may be useful: viewtopic.php?t=189192

Kentzo

Right now your router is not properly configured to learn upstream IPv6 route. You likely need: /ipv6/dhcp-client ... add-default-route=no ... /ipv6/nd/add advertise-dns=no interface=ether1 ra-lifetime=none ra-preference=low reachable-time=5m Also note that the dns option in /ipv6/nd does not work f...

Kentzo

Please report it as a bug at https://help.mikrotik.com/servicedesk/servicedesk

Kentzo

This description is a bit of a hodgepodge.

Please read up on IPv6 first to better understand your situation, specifically address distribution (SLAAC), Prefix Delegation (DHCPv6-PD) and classification of IPv6 addresses in general.

Kentzo

i connect using my phone as hotspot

What gets establishes IPsec connection, your phone or another device that uses your phone as a hotspot? If it's the latter could be some traffic shaping done by your MNO specifically for the hotspot clients.

Kentzo

RouterOS really needs an mDNS solution out of the box (both as multicast and Wide Area Bonjour). These hacks that pop time to time are ridiculous, traps and troubles for novices that tarnish Mikrotik's reputation…

Kentzo

I would still like to see a binary dump of the problematic packet. It's feasible that RouterOS's parser / validation is broken in some other way.

Kentzo

The 7.14.3 update fixed this issue in the builtin SMB server, but the containerized one is still affected.

Kentzo

Have you tried setting the src-address?

Kentzo

RouterOS only allows to customize Interface ID, but it will pick Subnet ID for you.

Please create a feature request at https://help.mikrotik.com/servicedesk/servicedesk

Kentzo

Something in your network multicasts a packet to all nodes (ff02::1) using the 10001 port. "All nodes" also includes the router itself. You have a firewall rule that blocks such packets on the router. Everything seem to work as configured. FYI mDNSv6 uses the ff02::fb. See https://www.iana...

Kentzo

If you don't need IPv6 on the TV, you can still bridge the mikrotik router but exclude the ethernet interface that connects the TV from the bridge.

Kentzo

Are you sure it’s the forward chain and not the input chain? Link-local addresses are not supposed to be forwarded. My opinion is that with very few exceptions you should not firewall input (multicast or otherwise) from LAN on the router. Please make sure to report all problems you encountered using...

Kentzo

Instead of disabling the rules, can you change it to passthrough with log and then attach here the packets whose dropping breaks your network, exactly as it appears in the log? The rule that only allows ICMPv6 Type 134 from LAN is plain wrong for an edge router: it is supposed to receive RAs from th...

Kentzo

In both cases you need to log to see what packets are being matched.

Kentzo

On the one hand I agree with your reasoning… on the other hand I'd prefer IPv6 to negotiate its configuration as intended by the protocol rather than relying on this ad-hoc knowledge of underlying connection and RouterOS "hacks".

Kentzo

I cannot point to a specific thread, but if you search this forum for "ipv6" you will find a few viable configs and useful discussions.

Kentzo

Did you identify the exact link where IPv6 routing breaks?

Kentzo

Why do you have VodafoneIPv6 both as a dynamic IPv6 pool (via the DHCPv6 Client) and a manually added pool? That might confuse RouterOS. Also, remember that RouterOS's DHCPv6 Server cannot hang out addresses as its DHCPv4 Server. It only works for prefix delegation to downstream Routers . Downstream...

Kentzo

I don't know if this is necessary for PPPoE connections, but I would recommend to at least try the following: Set `accept-router-advertisements=yes` in /ipv6/settings Set `add-default-route=no` in /ipv6/dhcp-client: route, normally, should be learned via RAs (but it might be a peculiarity of PPPoE I...

Kentzo

Noticed that I still had the rose-storage package enabled. Disabled it and rebooted. Now the reading speed over SMB does not progressively degrade and is stable. However, it seems to be slower than it used to be. It's definitely slower than both the `dd` and `iperf` speeds. This issue is still prese...

Kentzo

Pulled the disk and connected to my linux box: `e2fsck -fcck`: no bad sectors `dd if=... of=/dev/null bs=4K` on every file: no problems, healthy reading speed Connected back RouterOS, run the "samba" container: `dd if=... of=/dev/null bs=4K` on every file: no problems, healthy reading spee...

Kentzo

I'm hesitant to trust RouterOS's undocumented defaults regarding IPv6 just yet

Kentzo

It seems wrong to me to have an interface set on the "default" record. It also appears that you do not have ND on LAN interfaces, did you omit the output? For the reference, mine looks like this: /ipv6 nd set [ find default=yes ] disabled=yes add advertise-dns=no interface=ether1-gateway r...

Kentzo

This results in an failure of the ipv6 tests, and modifying it one by one found that setting ra-lifetime=none to be the culprit. I’m pretty sure that your ISP does not care for RAs sent by your router upstream , it should not break anything in itself. Perhaps this change forced a reconfiguration th...

Kentzo

Most of the settings in /ipv6/nd are for the case when RouterOS is the Advertising Router, i.e. when it sends a configuration. However, in case of the PPPoE interface it's acting as a Host because it receives a configuration. You, most likely, want the following settings on pppoe-out1: add advertise...

Kentzo

You want `/ipv6/settings/set accept-redirects=no` and `/ipv6/settings/set accept-router-advertisements=yes` as well as `/ipv6/nd/enable` on the pppoe-out1 interface. As @mkx mentioned, there are some IPv6-specific timeouts in RouterOS that are intrinsic to how the protocol works. A reboot might be a...

Search found 736 matches