Banging my head against ipv6

Finally getting around to setting up ipv6 because I’m tired of paying for ipv4 in various clouds. I’ve been using Mikrotik for over 10 years, generally know my way around, but I can’t for the life of me get ping working on the router. I run this command:

/ipv6 dhcp-client add add-default-route=yes interface=ether1 pool-name=ipv6 request=address,prefix

and it creates a prefix pool + address and sets the gateway. /ipv6/dhcp-client/print shows STATUS=bound. I can ping the router's ipv6 address, but not the gateway or any external address.

already tried:

  • firewall empty and accept rules for both input and output
  • clearing out the neighbors and adding:

address=<gateway> interface=ether1 mac-address=<eth1 MAC> status="permanent"

I've searched the docs, the internet, and reddit. any help would be greatly appreciated!

UPDATE: solved!!

The good news -- it's working.

The bad news -- I have no idea why :joy: was working my way through or around Comcast's automated "agent" which tried to reboot my modem repeatedly, but I didn't notice it actually rebooting? I had already power cycled the modem several times before trying to contact them. Also sent them an angry tweet.. maybe that was it?

In any case, when I ran the ping command just now it worked, https://test-ipv6.com confirms it. I haven't changed the config for several hours at least. Thanks everyone for your help, I wish I had some learning to share with others here. Seems like the automated agent actually might have done something useful (??!@)

If that's the only command you ran then it's not enough. Did you also add an /ipv6 address entry on each of the LAN/VLAN interfaces (that have devices that need IPv6), using the ipv6 pool created by DHCPv6 client, with the Advertise flag on?

Post the content of /ipv6 export if possible.

2 Likes

sure, here it is:

/ipv6 address
add address=fdXX::XXXX:XXXX:1:1 advertise=no interface=bridge
add address=::1 from-pool=ipv6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=ipv6 request=address,prefix
/ipv6 neighbor
add mac-address=<laptop MAC>
add address=<ISP gateway from route/print> interface=ether1 mac-address=<eth1 MAC>

I added that first address because the first guide I found said I needed a "ULA" for the bridge:
https://tangentsoft.com/mikrotik/wiki?name=IPv6+with+Xfinity#def-route

I didn't add the laptop MAC address manually, that happened on its own.

The 1st /ipv6 address line is not necessary (it's only needed if your ISP only gives you a /64 prefix and you have many LAN/VLAN interfaces that need IPv6, thus there is no address space from the ISP to provide one /64 to each of them). But that line also has no negative effects. Only the 2nd /ipv6 address entry is really needed, and in your case is currently correct.

You don't need to manually add the /ipv6 neighbor entries. The table will be automatically populated by neighbor discovery (ND).

Your export shows nothing under /ipv6 nd which means you are using the default entry (with the all interface), that's ok for now too.

When you run in the WinBox Terminal:

/ping count=5 2404:6800:4005:80b::200e

does it work? If not, then:

  • Edit your DHCPv6 client entry and turn off Add Default Route.

    /ipv6 dhcp-client set [find interface=ether1] add-default-route=no
    
  • Change your IPv6 -> Settings, and set Accept Router Advertisements to yes.

    /ipv6 settings
    set accept-router-advertisements=yes
    

To be sure, reboot the router after this, and try the above ping command again.

If the ping command works, but your client on the bridge interface still has no IPv6 access to the internet, check your firewall configuration. If you are using the defconf firewall rules then you have to make sure bridge is in the LAN interface list.

1 Like

my laptop now has two IPv6 addresses, even though I have not configured an ipv6 dhcp-server yet. from the laptop, I can ping its own v6 addresses, and both the router's addresses

  • the ::1 address from the prefix pool
  • the one assigned by the dhcp-client (on the router)

but not the ISP gateway or any external address.

ping6 -g [router address] [ISP gateway]
returns
ping6: setsockopt(IPV6_NEXTHOP): Operation not permitted
for both of the router's addresses.

still not working, ping returns 'no route to host'

ipv6 export:

/ipv6 address
add address=fd91::XXXX:XXXX:1:1 advertise=no interface=bridge
add address=::1 from-pool=ipv6 interface=bridge
/ipv6 dhcp-client
add interface=ether1 pool-name=ipv6 request=address,prefix
/ipv6 neighbor
add mac-address=<laptop MAC>
/ipv6 settings
set accept-router-advertisements=yes

my firewall rules were taken from here:

bridge is in the LAN list. appreciate your help, not sure what to do at this point..

About the "no route to host" error. If you go to the IPv6 -> Routes table (or run /ipv6 route print), is there a route with destination ::/0 that is active?

Another thing that can be tried, is that for the DHCPv6 client, you only turn on Request prefix, not address. Normally you don't need the address assigned by DHCPv6 if you get a prefix and assign that prefix to at least one of the interfaces already.

1 Like

I'm starting to think the problem is with my ISP, or the modem somehow? Nothing else makes sense at this point.

ipv6 works on my internal network, but I can't get to anything on the WAN side. I've reviewed this configuration a dozen times

Do you get any documentation from the ISP about how it is to be configured?

Some ISPs have very strange ideas about how IPv6 is to work. But the fact that they offer prefix delegation via DHCPv6 is a positive sign.

1 Like

my ISP is Comcast / Xfinity in USA.

Started out following this guide, unclear if it's currently accurate, or if there's variation in how they do this in different areas.

I'm in the process of investigating this further, if you (or anybody) knows of other resources pls share!

That guide works for my connection. There are/were 2 ways Comcast provisioned IPv6, this guide works for the newer way.

1 Like

thanks. More evidence that there's something wrong with my specific setup. do you mind sharing what modem you have?

Mine:
https://www.motorola.com/us/en/p/motoaccessories/motohome/modems---routers/mb8611

do you happen to have a link to anything that talks about the other/older way?

there is, but the gateway is a link-local address. It was a different address before:
2001:558:XXXX:a::10 not sure why it changed.

Output of route print is below. The 2601 addresses are the Comcast Xfinity prefix pool, the last one is the "ULA" I added from the guide I've linked to already.

route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP, g - SLAAC; + - ECMP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
     DST-ADDRESS              GATEWAY                        ROUTING-TABLE  DISTANCE
DAg  ::/0                     fe80::21c:XXXX:XXXX:99%ether1  main                  1
DAc  ::1/128                  lo                             main                  0
D d  2601:600:XXXX:XXXX::/64                                 main                  1
DAc  2601:600:XXXX:XXXX::/64  bridge                         main                  0
DAc+ fd91::/64                bridge                         main                  0

Also updated the dhcp-client command to only request a prefix
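
The check asked for earlier in the thread (is there an active ::/0 route, and what is its gateway), as an added example that is not part of any post here: a Python parser for pasted `/ipv6 route print` output. The sample table is constructed with documentation-range addresses, and the names `parse_routes` and `default_route` are hypothetical.

```python
import ipaddress

# Constructed sample in the layout of `/ipv6 route print`; the addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE = """\
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP, g - SLAAC; + - ECMP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
     DST-ADDRESS          GATEWAY            ROUTING-TABLE  DISTANCE
DAg  ::/0                 fe80::1%ether1     main                  1
D d  2001:db8:0:1::/64                       main                  1
DAc  2001:db8:0:1::/64    bridge             main                  0
"""


def parse_routes(text):
    """Slice each row at the header's column offsets, so an empty GATEWAY
    cell (the 'D d' row) does not shift the columns that follow it."""
    lines = text.splitlines()
    head_idx = next(i for i, line in enumerate(lines)
                    if line.lstrip().startswith("DST-ADDRESS"))
    head = lines[head_idx]
    dst, gw, tbl = (head.index(name)
                    for name in ("DST-ADDRESS", "GATEWAY", "ROUTING-TABLE"))
    routes = []
    for row in lines[head_idx + 1:]:
        if row.strip():
            routes.append({
                "flags": row[:dst].strip(),
                "dst": row[dst:gw].strip(),
                "gateway": row[gw:tbl].strip(),
            })
    return routes


def default_route(text):
    """Return (gateway, is_link_local) for the active ::/0 route, else None."""
    for route in parse_routes(text):
        if route["dst"] == "::/0" and "A" in route["flags"]:
            host = route["gateway"].split("%")[0]  # drop the %interface zone
            try:
                link_local = ipaddress.IPv6Address(host).is_link_local
            except ValueError:
                link_local = False  # gateway is an interface name
            return route["gateway"], link_local
    return None


if __name__ == "__main__":
    print(default_route(SAMPLE))
```

A link-local gateway on a default route flagged `g` (SLAAC) is expected, because router advertisements are sent from the router's link-local address.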

I have an Arris, but that shouldn't really affect anything as long as it connects and you've registered its MAC address with Comcast.

The only config I needed was:

Correct /ipv6/firewall/filter

/ipv6 dhcp-client
add interface=ether1 pool-name=general-pool6 prefix-hint=::/60 request=prefix use-peer-dns=no

/ipv6 address
add address=::1 from-pool=general-pool6 interface=VLAN99

/ipv6 nd
set [ find default=yes ] disabled=yes
add interface=ether1 ra-interval=20s-1m
add advertise-dns=no interface=VLAN99 ra-interval=20s-1m

1 Like

It's working, more details in the main post. I didn't change anything recently, must've been some weirdness with the ISP. Anyway THANKS for your help!

1 Like

It's working, but I don't know why. Haven't touched my setup for hours, must've been some weirdness on the Comcast side. Anyway thanks for your help!