Can't get ND working on IPv6

ilium007 · May 5, 2025, 12:14am

I am getting a /56 address from the ISP which I am assigning to /64 prefixes via the rOS IPv6 DHCP client. I have ND turned on for the bridge and accept RA to yes. I have multiple VLANs on my network and nothing is getting a /64 address. I only see link local addresses in Neighbours. I have had this workman in the past but this time around can’t get it to work. Neither my iOS or MacOS devices getting a 2001:8003:6200:8a00::/64 address as I would expect. I have tried wired and wireless connection without success.

rOS 7.18.2

/ipv6 address
add address=::4aa9:8aff:fee5:6dd8 eui-64=yes from-pool=telstra interface=bridge
/ipv6 dhcp-client
add interface=ether1 pool-name=telstra request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/ipv6 settings
set accept-router-advertisements=yes
[xxxx@hapAX3] > /ipv6/address/print
Flags: D - DYNAMIC; G - GLOBAL, L - LINK-LOCAL
Columns: ADDRESS, FROM-POOL, INTERFACE, ADVERTISE
#    ADDRESS                                     FROM-POOL  INTERFACE      ADVERTISE
0  G 2001:8003:6200:8a00:4aa9:8aff:fee5:6dd8/64  telstra    bridge         yes
1 DL fe80::1b94:d023:2976:c776/64                           wireguard0     no
2 DL fe80::74ea:d611:bf52:ec78/64                           wireguard1     no
3 D  ::1/128                                                lo             no
4 DL fe80::4aa9:8aff:fee5:6dd8/64                           vlan30::KIDS   no
5 DL fe80::4aa9:8aff:fee5:6dd8/64                           vlan10::MGMT   no
6 DL fe80::4aa9:8aff:fee5:6dd8/64                           vlan20::DATA   no
7 DL fe80::4aa9:8aff:fee5:6dd8/64                           vlan40::GUEST  no
8 DL fe80::4aa9:8aff:fee5:6dd8/64                           bridge         no
9 DL fe80::4aa9:8aff:fee5:6dd7/64                           ether1         no
[xxxx@hapAX3] > /ipv6/dhcp-client/print
Columns: INTERFACE, STATUS, REQUEST, PREFIX
# INTERFACE  STATUS  REQUEST  PREFIX
0 ether1     bound   prefix   2001:8003:6200:8a00::/56, 23h47m56s
[xxxx@hapAX3] >

and my bridge / vlan config:

/interface bridge
add admin-mac=48:A9:8A:E5:6D:D8 auto-mac=no comment=defconf name=bridge protocol-mode=none pvid=99 vlan-filtering=yes
/interface bridge port
add bridge=bridge comment="CAP Trunk" frame-types=admit-only-vlan-tagged interface=ether2 pvid=99
add bridge=bridge comment=DATA interface=ether3 pvid=20
add bridge=bridge interface=ether4 pvid=20
add bridge=bridge interface=ether5 pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=10,30,40
add bridge=bridge tagged=bridge,ether2 untagged=ether3 vlan-ids=20

CGGXANNX · May 5, 2025, 9:45am

Did you add interfaces under /interface vlan for the relevant VLANs (except for VLAN 99 which is already associated with the bridge interface)? Then add those interfaces to the interface list LAN? And afterwards create entries for each of those interfaces under /ipv6 address with from-pool=telstra advertise=yes?

Ullinator · May 5, 2025, 11:46am

Here´s my working config.

First: create VLAN aware bridge interfaces for the different VLANs

/interface vlan
add interface=bridge1-Hausnetz name=bridge1-Hausnetz-vlan97-DMZ vlan-id=97
add interface=bridge1-Hausnetz name=bridge1-Hausnetz-vlan98-IoT vlan-id=98
add interface=bridge1-Hausnetz name=bridge1-Hausnetz-vlan99-Gast vlan-id=99

Second: request the prefix from the ISP and put it into a pool

/ipv6 dhcp-client
add add-default-route=yes interface=Internet-TK-vlan7 pool-name=Pool1-Internet-TK prefix-hint=::/52

Third: advice IP´s from the pool to the bridge interfaces

/ipv6 address
add address=::192:168:10:1 from-pool=Pool1-Internet-TK interface=bridge1-Hausnetz
add address=::192:168:97:1 from-pool=Pool1-Internet-TK interface=bridge1-Hausnetz-vlan97-DMZ
add address=::192:168:98:1 from-pool=Pool1-Internet-TK interface=bridge1-Hausnetz-vlan98-IoT
add address=::192:168:99:1 from-pool=Pool1-Internet-TK interface=bridge1-Hausnetz-vlan99-Gast

Fourth: for each VLAN create a interface in the ND settings:

/ipv6 nd
set [ find default=yes ] disabled=yes
add interface=bridge1-Hausnetz ra-delay=0s ra-interval=10s-30s ra-lifetime=5m ra-preference=high retransmit-interval=30s
add interface=bridge1-Hausnetz-vlan99-Gast ra-delay=0s ra-interval=10s-30s ra-lifetime=5m ra-preference=high retransmit-interval=30s
add interface=bridge1-Hausnetz-vlan98-IoT ra-delay=0s ra-interval=10s-30s ra-lifetime=5m ra-preference=high retransmit-interval=30s
add interface=bridge1-Hausnetz-vlan97-DMZ ra-delay=0s ra-interval=10s-30s ra-lifetime=5m ra-preference=high retransmit-interval=30s

That´s all, every device in my network gets a unique IPv6 from the pool and from a different /64-prefix.

ilium007 · May 5, 2025, 11:50am

I set up each VLAN interface individually in the ND config and now is so working.