DHCPv6 Client not working, unable to get and deliver IPv6

fellipeh · March 2, 2022, 4:01pm

My ISP deliver /56 prefix together with IPv4. If I use my TP-Link router, I was able to get IPv6 and deliver it to my network.

I’m using a RouterOS 7.1.3

Since I change my router to one RouterOS, I was NOT be able to get IPv6, even my ISP deliver /56 prefix

I tried to create a DHCPv6 Client, but, still on Searching every-time.. doesn’t change the status.
Here is how is setup up:

[admin@MikroTik] /ipv6/address> print
Flags: D - DYNAMIC; G, L - LINK-LOCAL
Columns: ADDRESS, FROM-POOL, INTERFACE, ADVERTISE
#    ADDRESS                      FROM-POOL  INTERFACE      ADVERTISE
0 DL fe80::a55:31ff:fe6e:dd7c/64             ether1-imicro  no       
1 DL fe80::a55:31ff:fe6e:dd7d/64             bridge         no       
2 DL fe80::6/64                              pppoe-imicro   no       
3  G 2001:470:8832::1/64          pool-ipv6  bridge         yes

Used this code to add the dhcpv6 client:

add add-default-route=yes interface=pppoe-imicro pool-name=pool-ipv6 request=prefix use-peer-dns=no

What I need to do, to get the IPv6 from my ISP?

zandor · March 3, 2022, 3:59am

I just went through some ipv6 setup fun on Comcast/Xfinity last weekend. Thankfully I was able to get it working after a couple of hours. I haven’t used pppoe so I don’t know how it’s supposed to be set up, but you are getting the same DHCP error I had so maybe I can give you a couple things to try.

There’s a rule in the default firewall that accepts DHCP packets but only from a link local address:

;;; defconf: accept DHCPv6-Client prefix delegation.
chain=input action=accept protocol=udp src-address=fe80::/10 dst-port=546

My ISP sends DHCP replies from an address that is not on my subnet, so I had to change that rule to accept DHCP from any address. Hopefully my ISP has safeguards in place to prevent rouge DHCP servers from other customers. This also caused a problem when using add-default-route in the DHCPv6 settings. The route gets pointed at the DHCP server, which is on a different subnet and thus does not work. I need DHCP to get a prefix, but Comcast seems to expect me to rely on router advertisements for the default route. This looks really strange when you are used to IPv4 and not IPv6, but my default route looks like this:

As ::/0 ether1 ip6 1 30 10 ether1

No address, just an interface. I added that route (/ipv6 route add disabled=no dst-address=::/0 gateway=ether1).

This won’t break DHCP, but you might also have to have DHCPv6 request an address in addition to a prefix or maybe enable router advertising. Right now you only have a link local address on your WAN interface and router advertising is disabled. That maybe could work if the ISP’s system remembers the link local address it gave a prefix to in response to a DHCP request, but there’s a good chance it won’t. My hunch is that it will either work as is or you will need to request an address via DHCP. Network admins don’t trust end users (especially software engineers like me… we know just enough to be really dangerous), so why would they trust your router advertisement? I have router advertising disabled on the WAN interface and am requesting an address over DHCP. You may also need to set use-peer-dns=yes in the DHCP request.

Another thing to bear in mind is that the DHCPv6 server in RouterOS can only delegate prefixes (see https://help.mikrotik.com/docs/display/ROS/DHCP+Server), not addresses, so you don’t need the DHCPv6 server unless you have more routers downstream and want to give them prefixes.

What kind of TP-Link did you have? I’m just curious because they make both consumer and business models.

Sob · March 3, 2022, 1:44pm

That’s actually correct, that’s how it’s supposed to work, DHCPv6 does not provide default gateway.

proximus · March 3, 2022, 2:41pm

I just went through some ipv6 setup fun on Comcast/Xfinity last weekend. Thankfully I was able to get it working after a couple of hours. I haven’t used pppoe so I don’t know how it’s supposed to be set up, but you are getting the same DHCP error I had so maybe I can give you a couple things to try.

There’s a rule in the default firewall that accepts DHCP packets but only from a link local address:

;;; defconf: accept DHCPv6-Client prefix delegation.
chain=input action=accept protocol=udp src-address=fe80::/10 dst-port=546

My ISP sends DHCP replies from an address that is not on my subnet, so I had to change that rule to accept DHCP from any address. Hopefully my ISP has safeguards in place to prevent rouge DHCP servers from other customers. This also caused a problem when using add-default-route in the DHCPv6 settings. The route gets pointed at the DHCP server, which is on a different subnet and thus does not work.

.
Not related to the OP’s issue, but there are problems with what has been stated and I’m concerned that others may make configurations based on it.

The default rule is 100% correct, as is, and works just fine with Comcast. DHCPv6 uses link-local (fe80::/10) IPv6 addresses when communicating between client and relay/server.
“ISP sends DHCP replies from an address that is not on my subnet” … Typical, but there is no need to add a rule to for specific DHCPv6 servers, whatsoever.
“The route gets pointed at the DHCP server which is on a different subnet and thus does not work.” … Uh, DHCP servers are not a default route target. DHCPv6 does not provide the IPv6 address of the default gateway to the client, this is provided by the ICMPv6 RA message. DHCP for IPv4 provides the default gateway IP address to the client.

mozerd · March 3, 2022, 3:14pm

Following is my ipv6 config that using a /56 ,,,
perhaps you can extract only the parts you want that may help you ...
this config works really well for me and all my VLAN's plus their hosts and has for a very long time.

This configuration is based on SLAAC so no dhcpv6 server is involved and IMO no DHCPv6 server is required because SLAAC makes it not necessary.

SLAAC = StateLess Address Auto Configuration ... which is

The preferred method of assigning IP addresses in an IPv6 network. SLAAC devices send the router a request for the network prefix, and the device uses the prefix and its own MAC address to create an IP address.

# mar/03/2022 10:00:36 by RouterOS 7.2rc4
# software id = 1TLQ-B555
#
# model = CCR1009-7G-1C-1S+
# serial number = XXXXXXXXXXXXXXX
/ipv6 address
add from-pool=rogers-ipv6 interface=vlan20
add from-pool=rogers-ipv6 interface=vlan40
add from-pool=rogers-ipv6 interface=vlan100
/ipv6 dhcp-client
add add-default-route=yes comment="delgate ISP-assigned prefix" interface=\
    ether2 pool-name=rogers-ipv6 prefix-hint=::/56 request=address,prefix \
    use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=2001:4ca0:108:42::15/128 list=bad_ipv6
add address=2001:4ca0:108:42:0:443:17:9/128 list=bad_ipv6
add address=2001:4ca0:108:42:0:443:6:9/128 list=bad_ipv6
add address=2001:4ca0:108:42:0:53:17:9/128 list=bad_ipv6
add address=2001:4ca0:108:42:0:80:6:9/128 list=bad_ipv6
add address=2001:4ca0:108:42:1:443:6:9/128 list=bad_ipv6
add address=2001:4ca0:108:42:1:80:6:9/128 list=bad_ipv6
add address=240e:f7:4f01:c::3/128 list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from VLANs" in-interface-list=\
    !VLANs
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from VLANs" in-interface-list=\
    !VLANs
/ipv6 nd
set [ find default=yes ] interface=ether2 mtu=1500 ra-lifetime=none \
    reachable-time=5m
add hop-limit=64 interface=vlan10 reachable-time=5m
add hop-limit=64 interface=vlan20 reachable-time=5m
add hop-limit=64 interface=vlan40 reachable-time=5m
add hop-limit=64 interface=vlan100 reachable-time=5m
/ipv6 nd prefix default
set preferred-lifetime=4h valid-lifetime=4h
/ipv6 settings
set accept-router-advertisements=yes max-neighbor-entries=8192

================================================

EDIT ... for some reason the code tags are not working in this post ... I have no idea why ....

fellipeh · March 7, 2022, 4:19pm

Yeah.. no luck.. tried everything from this post, and still “Searching”…

weird is, I didn’t get any log, if I get some log, I’ll be easy to try to fix..

bandit1200 · March 10, 2022, 2:33pm

Perhaps something in this post helpful…

http://forum.mikrotik.com/t/xfinity-comcast-dhcpv6-configuration-change/156031/5

bandit1200 · March 10, 2022, 2:53pm

@proximus

The default rule is 100% correct, as is, and works just fine with Comcast. DHCPv6 uses link-local (fe80::/10) IPv6 addresses when communicating between client and relay/server.

No doubt it has worked in the past and still works for some. Did for me, too.
However, it seems Comcast is rolling out SDN across parts of its WAN network, maybe all eventually. (Arista networks equipment it looks like in my area).

One byproduct does seem that the DHCPv6 PD servers (or relays perhaps) use global addressing, not local.

As far as I can tell, no RFC for DHCPv6 requires this be a local address. Happy to hear otherwise if you know of some RFC requirement. As much as I hate Comcast customer service, they usually are top notch at network config stuff.

-bandit