DDNS Not Registering AAAA Record

Hello,

I am currently experiencing an issue with my hAP ax3 router running firmware version 7.15.2. The problem lies with the DDNS (IP/Cloud) service, which fails to register the AAAA record (IPv6 address) of my router. On the other hand, the IPv4 A record is registered without any issues.

In the past, I have not encountered any problems with IPv6 and Mikrotik’s DDNS service. I haven’t made any changes to the IPv6 settings on my router that I am aware of.

Additionally, IPv6 is functioning correctly within my network.

If needed, I can provide my configuration for further analysis.

Could anyone provide assistance or guidance on how to resolve this issue?

Thank you in advance.

Anyone?

When you run this command in RouterOS Terminal


/tool/fetch url="https://ifconfig.me/ip" address=[:resolve type=ipv6 ifconfig.me] output=user

Does it output the expected IPv6 IP address of your router?

failure: Idle timeout - connecting.

How am I supposed to add an IPv6 address to the router itself? I see one under IPv6/dhcp client/status and on the wan interface (ether1) under IPv6/addresses.

I am gonna share my IPv6 config later.

If you now run


:put [:resolve type=ipv6 ifconfig.me]

and it fails, then you have a problem with resolving DNS on the router. If it otherwise works, then try to ping & trace route to the IPv6 address of dns.google:


:ping 2001:4860:4860::8888 count=5
/tool/traceroute 2001:4860:4860::8888 count=5

Does it work then?

:put [:resolve type=ipv6 ifconfig.me]

Returns 2600:1901:0:b2bd::

But both ping and traceroute to Google DNS fail.

My IPv6 config

# 2024-08-14 18:27:41 by RouterOS 7.16rc2
# software id = 60E1-T3M4
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = 
/ipv6 dhcp-server
add address-pool=test_ipv6 interface=bridge name=server1
/ipv6 address
add address=::1 from-pool=test_ipv6 interface=bridge
add address=::1 from-pool=test_ipv6 interface=wireguard1
add address=::/128 advertise=no disabled=yes from-pool=test_ipv6 interface=\
    ether1
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=test_ipv6 request=\
    address,prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=2400:cb00::/32 list=cloudflare-ips-v6
add address=2606:4700::/32 list=cloudflare-ips-v6
add address=2803:f800::/32 list=cloudflare-ips-v6
add address=2405:b500::/32 list=cloudflare-ips-v6
add address=2405:8100::/32 list=cloudflare-ips-v6
add address=2a06:98c0::/29 list=cloudflare-ips-v6
add address=2c0f:f248::/32 list=cloudflare-ips-v6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=NGINX dst-address=\
    2aXX:XXXX:XXXX:400:42:c0ff:fea8:5802/128 dst-port=443 protocol=tcp \
    src-address-list=cloudflare-ips-v6
add action=accept chain=forward comment=Torrent dst-address=\
    2aXX:XXXX:XXXX:400:2d0:b4ff:fe02:2cf2/128 dst-port=6881 protocol=tcp
add action=accept chain=forward comment="Torrent UDP" dst-address=\
    2aXX:XXXX:XXXX:400:2d0:b4ff:fe02:2cf2/128 dst-port=6881 protocol=udp
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] hop-limit=64
add dns="2aXX:XXXX:XXXX:400:2d0c:e12:b65d:2cd5,2aXX:XXXX:XXXX:400:42:c0ff:fea8\
    :58fe" hop-limit=64 interface=bridge managed-address-configuration=yes \
    other-configuration=yes
/ipv6 nd prefix
add autonomous=no interface=bridge
/ipv6 settings
set accept-router-advertisements=yes

On this forum it has been advised by many people that with IPv6 DHCP client you should not turn on “add-default-route” because it has always been a MikroTik hack. DHCPv6 does not have route information. An example of such posts:

http://forum.mikrotik.com/t/ipv6-configuration-under-router-os-7/170929/1

So, you should turn it off, and rely on accept-router-advertisements=yes under IPv6 settings (you already have this setting turned on). Otherwise, there might be a bogus default route in your route table if you keep “add-default-route=yes”.

What does


/ipv6 route print

list as default route (dst-address ::/0) if you keep the current setting?

Add default route option is turned off.

See route table.

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP, g - SLAAC
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS              GATEWAY                           DISTANCE
DAg ::/0                     fe80::a6e1:1aff:fe5a:50b4%ether1         1
DAc ::1/128                  lo                                       0
DAc 2aXX:XXXX:XXXX::400/128  ether1                                   0
DAd 2aXX:XXXX:XXXX:400::/56                                           1
DAc 2aXX:XXXX:XXXX:400::/64  bridge                                   0
DAc 2aXX:XXXX:XXXX:401::/64  wireguard1                               0
DAd 2aXX:XXXX:XXXX:402::/64  fe80::835:a4f0:cf8b:da0e%bridge          1
DAc fe80::%ether1/64         ether1                                   0
DAc fe80::%bridge/64         bridge                                   0
DAc fe80::%wireguard1/64     wireguard1                               0

If I manually add this address 2aXX:XXXX:XXXX:400::1/128 to the WAN interface (ether1), both ping and cloud DDNS start working.

AFAIK it should not be necessary to assign an address to the WAN interface: RouterOS should be able to use a global IPv6 address assigned to any of its LAN interfaces.

I don’t immediately see any problems with the firewall. However, it would be interesting to enable logging for all drop rules and see whether any of them end up handling /tool/fetch url="https://ifconfig.me/ip" address=[:resolve type=ipv6 ifconfig.me] output=user which is failing for you.

Like @Kentzo wrote, it’s not necessary to have a GUA address on ether1. Can you do a


/ipv6 address print

and check what global addresses are currently associated with ether1? In your DHCPv6 client setting you are requesting address & prefix. So normally DHCPv6 would also assign an IPv6 address from the ISP to ether1. Could it be that this address is not correctly routed by your ISP? Without additional configuration, the router will use that address (on ether1) to go to the internet and it didn’t work. When you manually assign 2aXX:XXXX:XXXX:400::1/128 to ether1, ether1 now has two addresses and the router uses the latter one, and the prefix is correctly routed by your ISP, so it now works (it also worked for LAN devices because they have addresses in the allocated prefix range).

So, the solution might be to change the DHCPv6 client entry and only request prefix, no addresses. The router will then use one of its addresses from bridge or wireguard1 to go online and it should work.

The manual from my ISP included both address and prefix request to set up the DHCPv6 client. This is how the address 2aXX:XXXX:XXXX::400 (which fails ping and to resolve ifconfig.me) is assigned to the wan interface but my prefix is 2aXX:XXXX:XXXX:400::/56.

So I tried just to request only a prefix. Now

/tool/fetch url="https://ifconfig.me/ip" address=[:resolve type=ipv6 ifconfig.me] output=user

returns 2aXX:XXXX:XXXX:401::1 (an address from wireguard interface instead of bridge interface).

All I want is to be able to access my local network via ddns, ipv6 and wireguard (which runs on my router) and not to worry if the prefix changes.

Yeah, it’s unimportant whether the router picks the prefix of the wireguard interface or the bridge interface to go on the Internet. It will work normally if it picks the one of wireguard1. FYI on all of my routers that’s also the case, when I have multiple VLAN and wireguard interfaces, the router seems to prefer the prefix of one of the WG interfaces (always the same 1st WG interface so it’s predictable).

So, I guess for your problem, only requesting prefix from DHCPv6, not the address, is the way to go?

Yes, it solved the problem with the IP/Cloud not registering the AAAA record and the router’s IPv6 is pingable from the WAN. However, I’m pretty sure that IP/Cloud AAAA record registration worked in the past with the previous configuration when I first set up IPv6 on the Mikrotik. Maybe something changed with the firmware update. I’m not an IPv6 expert, but I don’t really understand why the router got the IPv6 address 2aXX:XXXX::400 and not for example 2aXX:XXXX:XXXX:400::1 when I have the prefix 2aXX:XXXX:XXXX:400::/56 assigned.

I think the problem is caused by your ISP, because they give your router an address (when being requested with DHCPv6) but don’t have the correct route to that address, so that the address can be reachable from the internet. The router is not to be blamed.

The practice of giving out one single address along with a separate prefix (not overlapping!) when being requested with DHCPv6 is pretty common. The single address is usually for the case when you plug your PC directly to the ISP’s modem, because that’s all that PC needs, and the DHCPv6 client running on the PC normally only requests an address. But if you have a router in front of many LAN devices, then a single address is not enough, and the router normally requests a prefix range. Because the router can do whatever it wants with the full range, the single address assigned by DHCPv6 will not be within this prefix range, to avoid conflict. There is also no need for the router to also request the single address.

It’s the duty of the ISP to properly route traffic to both the single address, as well as to the assigned prefix range, to your router. In this case it looks like your ISP failed to do the 1st half.
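
Added example, not part of the original thread: a small Python check of the point made in the last posts, that the single DHCPv6 address on the WAN interface lies outside the delegated /56 even though the two look alike when written out. The addresses are constructed from the 2001:db8::/32 documentation range to mirror the redacted ones above, and the names `classify` and `subnet_index` are illustrative only.

```python
import ipaddress

# Constructed sample values in the 2001:db8::/32 documentation range; they
# mirror the shape of the redacted addresses in the thread, nothing more.
DELEGATED_PREFIX = "2001:db8:aaaa:400::/56"    # prefix obtained via DHCPv6-PD
ADDRESSES = [                                   # (interface, address) pairs
    ("ether1", "2001:db8:aaaa::400/128"),       # single DHCPv6 address on WAN
    ("bridge", "2001:db8:aaaa:400::1/64"),      # from-pool address on LAN
    ("wireguard1", "2001:db8:aaaa:401::1/64"),  # from-pool address on WireGuard
    ("ether1", "fe80::1/64"),                   # link-local, ignored below
]


def classify(addresses, delegated_prefix):
    """Split routable addresses into inside/outside the delegated prefix."""
    prefix = ipaddress.ip_network(delegated_prefix)
    inside, outside = [], []
    for iface, text in addresses:
        addr = ipaddress.ip_interface(text).ip
        if addr.is_link_local or addr.is_loopback or addr.is_unspecified:
            continue  # never used as a source toward the internet
        (inside if addr in prefix else outside).append((iface, str(addr)))
    return inside, outside


def subnet_index(address, delegated_prefix, new_prefix=64):
    """Return which /64 of the delegated prefix an address falls into, or None."""
    prefix = ipaddress.ip_network(delegated_prefix)
    addr = ipaddress.ip_interface(address).ip
    if addr not in prefix:
        return None
    offset = int(addr) - int(prefix.network_address)
    return offset >> (128 - new_prefix)


if __name__ == "__main__":
    inside, outside = classify(ADDRESSES, DELEGATED_PREFIX)
    for iface, addr in inside:
        print(f"{iface}: {addr} is /64 number {subnet_index(addr, DELEGATED_PREFIX)} of the prefix")
    for iface, addr in outside:
        print(f"{iface}: {addr} is outside {DELEGATED_PREFIX}; "
              "reachability depends on the ISP routing it separately")
```

Any address reported as outside the prefix works as a source address only if the ISP routes it separately, which is the failure the thread traced.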