[7.23.1] Invalid IPv6 prefixes after update from 7.22.3

Hey all,

I have a problem with the recent update to 7.23 / 7.23.1.

After the update all prefixes, ULA and global, that I receive from the ISP (::/56, only DS-Lite, so the router only has access if it gets an IPv6 address) are shown as invalid and the RB5009 does not send any RA anymore.

I've tried setting the lifetime to infinity/longer/shorter, but that doesn't work. I also tried deleting an address in /ipv6 address and creating new ones for ULA and to get a new IPv6 address from the ISP, and changing the RA route distance from 0 to 1 or 2, but nothing seems to work.

After downgrading to 7.22.3 everything works again.

Here are hopefully all the relevant settings:

/ipv6/nd/prefix> print
Flags: X - DISABLED, I - INVALID; D - DYNAMIC
0 ID prefix=fdd5:1793:956a:102::/64 6to4-interface=none interface=vlan20 on-link=yes autonomous=yes dhcp6-pd-preferred=no valid-lifetime=2h preferred-lifetime=1h

1 ID prefix=fdd5:1793:956a:106::/64 6to4-interface=none interface=vlan30 on-link=yes autonomous=yes dhcp6-pd-preferred=no valid-lifetime=2h preferred-lifetime=1h

2 ID prefix=fdd5:1793:956a:103::/64 6to4-interface=none interface=wireguard1 on-link=yes autonomous=yes dhcp6-pd-preferred=no valid-lifetime=2h preferred-lifetime=1h

3 ID prefix=2001:a61:3bfc:3800::/64 6to4-interface=none interface=vlan10 on-link=yes autonomous=yes dhcp6-pd-preferred=no valid-lifetime=2h preferred-lifetime=1h

4 ID prefix=2001:a61:3bfc:3801::/64 6to4-interface=none interface=vlan20 on-link=yes autonomous=yes dhcp6-pd-preferred=no valid-lifetime=2h preferred-lifetime=1h

5 ID prefix=2001:a61:3bfc:3802::/64 6to4-interface=none interface=vlan30 on-link=yes autonomous=yes dhcp6-pd-preferred=no valid-lifetime=2h preferred-lifetime=1h

/ipv6 nd
set [ find default=yes ] advertise-dns=self interface=bridge1 ra-interval=\
    30s-2m
add advertise-dns=self disabled=yes interface=ether4
/ipv6 nd prefix default
set preferred-lifetime=1h valid-lifetime=2h

/ipv6 address
add from-pool=pool-pd interface=vlan10
add address=0:0:0:1:: from-pool=pool-pd interface=vlan20
add address=0:0:0:2:: from-pool=pool-pd interface=vlan30
add address=fdd5:1793:956a:100:: disabled=yes eui-64=yes interface=vlan10
add address=fdd5:1793:956a:102:: interface=vlan20
add address=fdd5:1793:956a:106:: interface=vlan30
add address=fdd5:1793:956a:103:: interface=wireguard1

/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes

/interface ipipv6
add clamp-tcp-mss=no dscp=0 !keepalive local-address=:: name=dslite1 \
    remote-address=aftr.prod.m-online.net

/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=vlan40 name=\
    pppoe-out1 use-peer-dns=yes user=XXX

/ipv6 dhcp-client
add interface=pppoe-out1 pool-name=pool-pd pool-prefix-length=64 request=\
    prefix script="if (1=\$\"pd-valid\") do={\
    \n    /delay 10\
    \n    /system script run dynamic_prefix_update;\
    \n};"
/ipv6 firewall address-list
add address=::1/128 comment=lo list=bad_ipv6
add address=fec0::/10 comment=site-local disabled=yes list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="IPv4 mapped" list=bad_ipv6
add address=::/96 comment="ipv4 compat" list=bad_ipv6
add address=100::/64 comment="discard only" list=bad_ipv6
add address=2001:db8::/32 comment=documentation list=bad_ipv6
add address=2001:10::/28 comment=ORCHID list=bad_ipv6
add address=3ffe::/16 comment=6bone list=bad_ipv6
add address=fdd5:1793:956a:100::/64 list=MGMT
add address=2001:a61:3bfc:3802:XXXX/128 list=rasp
/ipv6 firewall filter
add action=accept chain=input dst-port=13231 protocol=udp
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=drop chain=input src-address-list=FW_Block_Scanner
add action=accept chain=input src-address-list=MGMT
add action=accept chain=input protocol=icmpv6
add action=accept chain=input dst-port=33434-33534 protocol=udp
add action=accept chain=input dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input connection-state=new dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=input connection-state=new dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input connection-state=new dst-port=123 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=input connection-state=new dst-port=123 \
    in-interface-list=LAN protocol=udp
add action=add-src-to-address-list address-list=FW_Block_Scanner \
    address-list-timeout=1d chain=input in-interface-list=WAN
add action=drop chain=input
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward src-address-list=FW_BLOCK_SC
add action=accept chain=forward dst-address-list=rasp dst-port=80 protocol=tcp
add action=accept chain=forward dst-address-list=rasp dst-port=443 protocol=\
    tcp
add action=accept chain=forward protocol=icmpv6
add action=accept chain=forward in-interface=wireguard1 out-interface=vlan10
add action=accept chain=forward disabled=yes dst-address=\
    fdd5:1793:956a:101:eXX/128 in-interface=vlan10
add action=accept chain=forward dst-address=\
    fdd5:1793:956a:102:2XXX/128 in-interface=vlan10
add action=accept chain=forward dst-address=\
    fdd5:1793:956a:102:2XXX/128 in-interface=wireguard1
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=add-src-to-address-list address-list=FW_BLOCK_SC \
    address-list-timeout=1d chain=forward in-interface=vlan40
add action=drop chain=forward src-address-list=bad_ipv6
add action=drop chain=forward dst-address-list=bad_ipv6
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface-list=WAN
add action=drop chain=forward
/ipv6 firewall mangle
add action=change-mss chain=forward in-interface-list=WAN new-mss=\
    clamp-to-pmtu passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1460-65535
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface-list=\
    WAN passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1460-65535
Does anyone have an idea what might be wrong?

Best,

m4c

In version 7.23 RouterOS changed the condition for when RA messages are sent on an interface. It no longer depends on the advertise flag in the /ipv6 address entries.

The router now sends out RA messages on an interface if there is a suitable, not-disabled entry for it (the interface) under /ipv6 nd. The entry can either explicitly specify the interface, or can be the entry for the all interface.

The problem with your configuration is that under /ipv6 nd you only have one active entry, and that entry is only for the interface bridge1. That's why all the /ipv6 nd prefix entries for the other interfaces are marked as invalid with the I flag.

What you need to do is to create individual /ipv6 nd entries for each of your VLAN interfaces, as well as for the wireguard1 interface. In theory, you could also create only one single entry with the all interface, but with the recent changes in 7.23 this is not advisable anymore, because the router will also send out RA messages on WAN interfaces and might cause problems (see multiple threads about this issue in the past few days).

So, for now, go to /ipv6 nd and create entries for vlan10, vlan20, vlan30 and wireguard1, and that will remove the Invalid flag from the IPv6 -> ND -> Prefix entries.

Thanks! That worked indeed!

My only remaining question would be why the advertise option is still there in /ipv6 address? Do I actually need the entries in /ipv6 nd in case the advertise flag is set to yes, and can I now, with the entries in /ipv6 nd, disable it? Or did I misunderstand something about /ipv6 address advertise=yes?

Under both 7.23 and previous RouterOS versions, when you create an /ipv6 address entry with the advertise flag enabled, a dynamic entry with the matching prefix will be created under /ipv6 nd prefix with that address for the specified interface. But:

  • Under versions older than 7.23, RA messages will be sent on that interface if you have a /ipv6 nd entry with that interface set, or if the default entry (with *) is enabled, regardless of the interface set! That's why it worked for you under 7.22.3 even when you set the * entry to interface=bridge1.

  • Under 7.23 the RA messages are only sent for an interface if there is really an entry under /ipv6 nd that matches that interface, either by listing that interface explicitly, or by listing the all interface. Having the * entry enabled but misconfigured with another interface (like bridge1) is no longer enough.

We can say that your configuration (with interface=bridge1) was wrong and only worked due to a buggy behavior (router ignored the interface value in the * entry) in the previous versions.

Version 7.23 also made another important change with regard to Router Advertisements:

  • Under versions older than 7.23, RA messages are only sent for an interface if there exists an entry for the interface under /ipv6 nd prefix. If no such entry exists, no RA messages are sent for the interface, even if the interface has an entry for it under /ipv6 nd.

  • Under 7.23 the RA messages will always be sent out if there exists an active entry for the interface (specifying the interface explicitly or the interface=all entry) under /ipv6 nd. An entry for the interface under /ipv6 nd prefix is not needed at all! The RA message is sent without prefix information if no matching /ipv6 nd prefix entry exists.


TL;DR:

  • Older version had a bug that ignored the interface parameter on the * entry under /ipv6 nd, and also required an /ipv6 nd prefix entry to send RA messages.

  • 7.23-7.23.1 properly check for the interface value under /ipv6 nd, but also no longer require the presence of an /ipv6 nd prefix entry.


Due to multiple complaints from people experiencing broken IPv6 after the upgrade to 7.23, MikroTik might change the behavior again in a future upgrade!
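As an added example (not part of either poster's text and not RouterOS code), the two rule sets described above, old and 7.23, written out as a small Python audit. It takes the /ipv6 nd and /ipv6 nd prefix rows from the first post, reports which interfaces would send RA under each rule, which prefix entries 7.23 flags Invalid, and whether an interface=all entry would push RA onto the WAN side. Treating pppoe-out1 as the WAN interface is an assumption drawn from the posted pppoe-client with add-default-route=yes; the suggested fix rows follow the advice given in the thread.

```python
"""Model of the RouterOS RA rule change discussed in the thread.

Added example, not RouterOS code: which interfaces send Router Advertisements
and which /ipv6 nd prefix entries become Invalid, under the pre-7.23 and the
7.23 behaviour as the thread describes them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NdEntry:
    """One row of /ipv6 nd. is_default marks the built-in '*' entry."""
    interface: str            # an interface name or "all"
    disabled: bool = False
    is_default: bool = False


@dataclass(frozen=True)
class NdPrefix:
    """One row of /ipv6 nd prefix (manual, or dynamic from advertise=yes)."""
    prefix: str
    interface: str


def ra_interfaces_pre_7_23(nd, prefixes, interfaces):
    """Pre-7.23: RA goes out on an interface when (a) an enabled nd entry names
    it, names 'all', or is the default entry (whose interface value was ignored),
    and (b) some /ipv6 nd prefix entry exists for that interface."""
    enabled = [e for e in nd if not e.disabled]
    have_prefix = {p.interface for p in prefixes}
    return {
        i for i in interfaces
        if i in have_prefix
        and any(e.is_default or e.interface in ("all", i) for e in enabled)
    }


def ra_interfaces_7_23(nd, interfaces):
    """7.23: RA goes out as soon as an enabled nd entry names the interface
    explicitly or names 'all'; the default entry's interface value is honoured
    and no /ipv6 nd prefix entry is required."""
    enabled = [e for e in nd if not e.disabled]
    return {i for i in interfaces if any(e.interface in ("all", i) for e in enabled)}


def invalid_prefixes_7_23(nd, prefixes, interfaces):
    """Prefix entries that 7.23 flags 'I': their interface sends no RA."""
    sending = ra_interfaces_7_23(nd, interfaces)
    return sorted(p.prefix for p in prefixes if p.interface not in sending)


def audit(nd, prefixes, interfaces, wan):
    """Findings: Invalid prefixes, RA leaking onto WAN, and the per-interface
    /ipv6 nd rows that would clear the Invalid flags without using 'all'."""
    sending = ra_interfaces_7_23(nd, interfaces)
    need = sorted({p.interface for p in prefixes} - sending)
    return {
        "invalid": invalid_prefixes_7_23(nd, prefixes, interfaces),
        "ra_on_wan": sorted(sending & set(wan)),
        "fix": [f"/ipv6 nd add interface={i}" for i in need],
    }


# Rows taken from the first post; pppoe-out1 as WAN is an assumption.
INTERFACES = ["bridge1", "ether4", "vlan10", "vlan20", "vlan30", "wireguard1", "pppoe-out1"]
WAN = ["pppoe-out1"]
POSTED_ND = [NdEntry("bridge1", is_default=True), NdEntry("ether4", disabled=True)]
POSTED_PREFIXES = [
    NdPrefix("fdd5:1793:956a:102::/64", "vlan20"),
    NdPrefix("fdd5:1793:956a:106::/64", "vlan30"),
    NdPrefix("fdd5:1793:956a:103::/64", "wireguard1"),
    NdPrefix("2001:a61:3bfc:3800::/64", "vlan10"),
    NdPrefix("2001:a61:3bfc:3801::/64", "vlan20"),
    NdPrefix("2001:a61:3bfc:3802::/64", "vlan30"),
]
# The fix recommended in the thread: one explicit row per LAN/VPN interface.
FIXED_ND = POSTED_ND + [NdEntry(i) for i in ("vlan10", "vlan20", "vlan30", "wireguard1")]
# The alternative the thread warns against: the default row left at interface=all.
ALL_ND = [NdEntry("all", is_default=True)]

if __name__ == "__main__":
    print("pre-7.23 RA on:", sorted(ra_interfaces_pre_7_23(POSTED_ND, POSTED_PREFIXES, INTERFACES)))
    for name, nd in (("posted", POSTED_ND), ("fixed", FIXED_ND), ("interface=all", ALL_ND)):
        print(name, audit(nd, POSTED_PREFIXES, INTERFACES, WAN))
```

Run stand-alone, the posted configuration sends RA on all four LAN/VPN interfaces under the old rule and only on bridge1 under 7.23, so all six prefix rows come back Invalid; the fixed configuration clears every flag, while the interface=all variant clears them too but lists pppoe-out1 under ra_on_wan.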

Thank you again for the very helpful explanation and correcting my buggy configuration!

So if I understand you correctly, with 7.23 RA messages will be sent if there is a valid entry in /ipv6 ND, but only with e.g. DNS, MAC address and MTU, and not with a prefix when there is no entry in /ipv6 ND prefix, and there will only be entries there if the advertise flag is set to yes for entries in /ipv6 address. Sounds logical and more flexible in regard to what one can do with RA messages.

Thank you for your time and effort again. I only want to write this so that others might find answers if they have a similar problem, because I personally find it difficult when I find a solution in a forum to a problem, but no feedback if and how it actually worked.

This is correct, and unfortunately, that was the change in 7.23:

That has been causing a lot of problems in the past weeks since 7.23 was released. Because by default there is an /ipv6 nd entry enabled with the interface set to all (in your config that was changed to bridge1). Previously the device did not send RA if the interface had no /ipv6 nd prefix entry. But with 7.23, suddenly the router sends RA on all interfaces (due to the default interface=all entry), even for WAN interfaces or for the case where the device should only act as a switch and should not announce itself as a router. As a result people had these problems since 7.23:

  • Switches and access points that suddenly advertise themselves as gateway, causing IPv6 to break in networks due to the presence of multiple gateways.

  • People's internet connections are broken because the MikroTik router sends RA on the WAN interface towards the ISP devices, and many ISPs shut down the connection when they receive rogue RA.

This, however, is not true. Enabling the advertise flag does create a dynamic /ipv6 nd prefix entry automatically, but that is not the only way to have such entries.

  • You could always manually add /ipv6 nd prefix entries with interfaces and prefixes, without the need for adding /ipv6 address entries.

  • Since 7.21 you can manually add /ipv6 nd prefix entries with prefix=none already:

    And with that 7.21 change, the use case you mentioned of only advertising gateway, DNS, MTU and MAC address was already possible, without needing the problematic change in 7.23. This already worked; I had that configured on my test installation with only DHCPv6 and no SLAAC since 7.21.

So with many recently reported problems, my guess is that MikroTik will undo the change (but not the bug fix for the interface=bridge1 issue) and will only send RA when there is also a matching /ipv6 nd prefix entry (that can have prefix=none if needed).