DHCP IPv6 over pppoe "Deutsche Telekom" not working

4920441 · May 3, 2020, 3:11pm

Hi,

after finding a rather comprehensive and good blog entry how to handle the annoying IPv6 prefix changes from the Deutsche Telekom (security by obscurity)

https://blog.chanoa.de/mikrotik-ipv6

I tried again (after a couple of years) to establish IPv6 over pppoe with a Telekom aka T-Online account. But it does not work, again…
Pool

/ipv6 pool
add name=telekom.ipv6 prefix=::/56 prefix-length=64

Settings

/ipv6 settings
set accept-router-advertisements=yes

Adresses

/ipv6 address
add from-pool=telekom.ipv6 interface=vlan101
add from-pool=telekom.ipv6 interface=vlan102
add from-pool=telekom.ipv6 interface=vlan103

DHCP6-Client

/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1-dsl1 pool-name=telekom.ipv6 request=address,prefix

Firewall Filter for mandatory stuff

/ipv6 firewall filter
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10

Firewall Neighbour discovery (not really important in this context)

/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes interface=pppoe-out1-dsl1 managed-address-configuration=yes other-configuration=yes
add interface=vlan101 ra-lifetime=10m
add interface=vlan102 ra-lifetime=10m
add interface=vlan103 ra-lifetime=10m

After that, I neither get an IPv6 Address, nor a prefix - for testing, I adjusted the prefix hint to “none” or /60 /62 /64 but nothing changes…

When I try to release/renew the prefix I get the following log entry:

14:56:30 firewall,info ipv6-telekom-fe80 input: in:pppoe-out1-dsl1 out:(unknown 0), src-mac 1c:fc:83:cc:f2:75, proto UDP, [fe80::9ecc:83ff:fecc:1275]:547->[fe80::e]:546, prio 6->0, len 168 
14:56:31 firewall,info ipv6-telekom-fe80 input: in:pppoe-out1-dsl1 out:(unknown 0), src-mac 1c:fc:83:cc:f2:75, proto UDP, [fe80::9ecc:83ff:fecc:1275]:547->[fe80::e]:546, prio 6->0, len 168 
14:56:34 firewall,info ipv6-telekom-fe80 input: in:pppoe-out1-dsl1 out:(unknown 0), src-mac 1c:fc:83:cc:f2:75, proto UDP, [fe80::9ecc:83ff:fecc:1275]:547->[fe80::e]:546, prio 6->0, len 168 
14:56:38 firewall,info ipv6-telekom-fe80 input: in:pppoe-out1-dsl1 out:(unknown 0), src-mac 1c:fc:83:cc:f2:75, proto UDP, [fe80::9ecc:83ff:fecc:1275]:547->[fe80::e]:546, prio 6->0, len 168

Which is only the router himself talking.

The funny thing is, in the “neighbour” List I found (only for a short period of time) some 2003:: Telekom IPv6 Adresses which tried to access the router on its IPv6 fe80:: Adress on Port 53… It was only very short though, don’t know whats that all about.

Could anyone give me some hints how to debug this behaviour further?

What i did (with a second, RB750 device, which i had laying around) testing the same configuration not with PPPoE but with straigth DHCPv6 and prefix delegation confiured in my pfsense box which worked out of the box and all defined pools got filled with /64 networks - so in theorie, the config is working - but there is some special things for dhcpclientv6 over pppoe mandatory, I think…

Thanks a lot for your time.

Cheers

4920441

mkx · May 3, 2020, 7:39pm

Different telekom, but using PPPoE as well … here are my settings:

/ipv6 dhcp-client
# requesting only prefix ... address not needed, link-local is used for pppoe-out1 interface
add add-default-route=yes interface=pppoe-out1 pool-name=pool.iov6 request=prefix use-peer-dns=no
# IPv6 address pool not created a-priori, it gets created by dhcp-client and shows "D" flag (for dynamic)

Setup for LAN interfaces is similar to yours …

4920441 · May 3, 2020, 9:58pm

Hi,

That’s the only thing I didn’t try out on my own yet, it seems - because, it works! now i get my /56 nets delgated as planned:-)

I guess, if I’d like an IPv6 Address for my Mikrotik I have to assign it to a link lokal interface or something?

Thanks a lot for the hint!

Cheers

4920441

mkx · May 4, 2020, 5:39pm

Your router will have a few IPv6 addresses, one per LAN interface. They get assigned from pool. In theory one could have control over which address out of prefix is actually assigned, but sadly this part is buggy. My solution is to assign IPv6 address to main LAN interface manually (I’m getting static prefix from my ISP).

Anyway, router is accessible using any of its LAN addresses from internet as well (if you don’t block it using firewall) so it doesn’t need a dedicated routable WAN IPv6 address.

Buster2 · January 2, 2021, 3:30am

Hello,

if you want to have your MikroTik router have a static public ip on your lan interface, but your provider assigns a dynamic prefix, you can do this:

/ipv6 address add address=::1 from-pool=telekom-ipv6pool interface=bridge_lan

it will automatically change to a valid address as soon as the prefix is fetched by dhcpv6-client:

/ipv6/address/print detail 
Flags: X - disabled, I - invalid, D - dynamic; G - global, L - link-local 
 0  G address=<valid dynamic prefix>::1/64 from-pool=telekom-ipv6pool interface=bridge_lan actual-interface=bridge_lan eui-64=no advertise=yes no-dad=no

This works in RouterOS 6.48 and 7.1beta2.
I’ll recommend to have some firewall rules in place. http://forum.mikrotik.com/t/ipv6-firewall-and-prefix-delegation/104239/1 or http://forum.mikrotik.com/t/updating-the-firewall-when-a-dynamic-ipv6-prefix-delegation-changes/144361/1 fixes the issue to write rules with unpredictable prefixes.

Regards