DHCPv6 for home installations?

We had a problem with our cable modem today, and in the process of troubleshooting it, I noticed that my laptop was able to get an IPv6 address. This meshes well with what Comcast has announced so far - single hosts can perform a prefix solicitation and so on, but for networks, they will support DHCPv6 “later.”

I have turned on the DHCPv6 client on my routerboard, and it’s searching.

But what confuses me is that it seems to want to assign the prefix to a prefix pool. The Mikrotik wiki page talks about using prefix pools for PPP clients and the like. I have, in fact, used a /48 prefix pool to assign /64s to my VPN client, but that’s another kettle of fish.

I assume (perhaps naively) that the prefix I’m going to get from DHCPv6 is going to be a /64. What I want to do is simply assign that prefix directly to the “inside” interface (in my case, it’s a bridge that encompasses all of the Ethernet ports).

How is this sort of thing going to work? Does anyone have a similar configuration working presently?

You won’t need a dhcpv6 server for this - just a dhcpv6 client (the pool option is there in case you do get a larger allocation like a /48 and need to handle your own delegation). Your wan interface will get the /64 allocation, then you will advertise that /64 using (RAs/ND) on your internal network. Autoconfig will do the rest.

Ok. So how do I configure this? /ipv6 dhcp-client requires a pool. A pool requires an initial assignment.

At the moment, I have

/ipv6 pool add name="ipv6-local" prefix="2001::/16" prefix-length=64
/ipv6 dhcp-client interface="ether1-gateway" pool-name="ipv6-local" pool-prefix-length=64

That just doesn’t seem right to me.

Also, how do I get the prefix from the outside interface to the inside?

UPDATE…

I changed the above to /ipv6 dhcp-client interface="ether1-gateway" pool-name="none"

but it still begs the question - how does a prefix that the dhcp client obtains get put on the inside?

I have to do some testing, but there might be a bug. You should be able to allocate addresses from the pool that is assigned via the dhcpv6 client, but the pool is not accessible via the cli via preliminary testing. It is accessible via the gui.

You can assign the default prefix to the wan address but set to not advertise. The internal address could then be set to $PREFIX::1/64 and also be set to advertise the prefix on the internal interface.

Without access to the pool via the cli, you cannot script the address and route assignment though.

Scripting it implies that you’ll have to trigger a script on a DHCPv6 event (that is, make the script perform the prefix assignment whenever the DHCPv6 client obtains a new prefix). Is that correct?

The dhcpv6 client that is included with ROS only requests a prefix from a specific interface but does not do anything with the prefix automatically (other than create a pool with the prefix). In my lab I configured an external interface with the client to pull a prefix (/64). I then added an IPv6 address on the internal interface (/64) from the pool and set it to advertise. You will also need an IPv6 address on the external interface to handle routing (along with the default route/s being set - ::/0 and 2000::/3). I don’t know how most ISPs will be using IPv6 PD so it is really hard to set up your device ahead of time to get everything working correctly.

If someone is a part of the comcast IPv6 deployment it would be great to hear how things are going to work.

I did some testing and the linksys/cisco consumer level device will request a prefix and an address. The address is assigned on the external interface and the prefix is assigned and advertised on the local network (with $PREFIX:: being the default lan gateway).
Right now the routeros dhcpv6 client implementation is fairly limited in that the external address will have to be manually assigned. Hopefully there will be an update to the dhcpv6 client to support obtaining an address and a prefix on an interface.

I have opened a ticket with support with basically the same information as this post to get some feedback on when/if the functionality will be added.

If you want to delegate the pool to the inside, there is not necessarily a need to assign an IPv6 address to the outside interface - the link-local address would do.

So if using DHCPv6 you should set it up with a pool name without initializing the pool…
/ipv6 dhcp-client add interface=ext-if pool-name=ipv6test

Then assign an address to the internal interface from that pool, but stating the address “::/64”
/ipv6 address
add address=::/64 advertise=yes disabled=no eui-64=no interface=int-if from-pool=ipv6test

and set up ND to advertise it on the internal interface (only /64 works with RA)
/ipv6 nd
add advertise-dns=yes advertise-mac-address=yes hop-limit=64 interface=int-if

Set the default ipv6 route to the ext-if interface
/ipv6 route
add dst-address=::/0 gateway=ext-if

Make sure to accept UDP port 546 and ICMPv6 on input chain for DHCPv6 to work and a forward rule to the internal network.
/ipv6 firewall filter
add action=accept chain=input comment=ICMPv6 protocol=icmpv6
add action=accept chain=input comment="DHCPv6 client" dst-port=546 in-interface=ext-if protocol=udp
add action=drop chain=input comment="Drop the rest"
add action=accept chain=forward comment="Accept forward" in-interface=int-if
add action=accept chain=forward comment="Accept forward" out-interface=int-if
add action=drop chain=forward comment="Drop the rest"
add action=accept chain=output comment="Accept output"

Sorry for possible wrong console commands here but i’m not familiar with them and i use WinBox and got them from exports.

This works on my home setup…
Have fun.
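
An added example, not part of the post above and not MikroTik's own configuration: the posted forward chain accepts every packet whose out-interface is int-if, so with globally routable addresses on the LAN and no NAT, unsolicited inbound connections reach every inside host. A stateful variant of the same ruleset follows, assuming the thread's placeholder interface names ext-if and int-if and that the IPv6 firewall's connection-state matcher is available on the RouterOS version in use.

```routeros
# Added example: stateful variant of the ruleset posted above.
# ext-if / int-if are the thread's placeholder interface names.
/ipv6 firewall filter

# --- input: packets addressed to the router itself ---
# Replies to connections the router opened.
add chain=input action=accept connection-state=established comment="Established"
add chain=input action=accept connection-state=related comment="Related"
add chain=input action=drop connection-state=invalid comment="Invalid"
# Neighbor discovery, router advertisements and ICMPv6 errors must reach the router.
add chain=input action=accept protocol=icmpv6 comment="ICMPv6"
# DHCPv6 replies arrive from the upstream server or relay's link-local address,
# so restrict the source to fe80::/10 instead of accepting UDP 546 from anywhere.
add chain=input action=accept protocol=udp dst-port=546 in-interface=ext-if \
    src-address=fe80::/10 comment="DHCPv6 client"
add chain=input action=drop comment="Drop the rest"

# --- forward: packets routed between ext-if and int-if ---
# Return traffic for connections started from the LAN. ICMPv6 errors that belong
# to a tracked connection (for example Packet Too Big) match as related.
add chain=forward action=accept connection-state=established comment="Established"
add chain=forward action=accept connection-state=related comment="Related"
add chain=forward action=drop connection-state=invalid comment="Invalid"
# New connections are allowed only when they originate on the inside.
add chain=forward action=accept in-interface=int-if comment="LAN to outside"
# Everything else, including unsolicited inbound to LAN hosts, is dropped.
# This replaces the posted "accept out-interface=int-if" rule.
add chain=forward action=drop comment="Drop unsolicited inbound"
```

Rules are evaluated top to bottom, so a rule that opens a specific inbound service to one LAN host belongs above the final forward drop.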

AFAIK, you cannot route across networks using Link Local addressing, so you need a global unicast address on your external interface. (This is how it worked in my testing)

In the above configuration, i don’t use the local link address, i just forward traffic from assigned pool addresses on the inside network to the gateway via the outside interface, which does not have an assigned unicast address. Since there is no NAT in IPv6 this works (at least in my setup). But it probably also depends on the ISPs network setup.

Great, docmarius, it’s working for me. I think we have the same ISP here, RDS. Tests for IPv6 are 10/10 and ipv6.google.com is also working.

@jadu: if RCS/RDS would manage to assign the same pool on every PPPoE connect for a specific client, maybe we could also do some real firewalling and server setup :laughing:
But this seems to have to wait. Still using tunnels for servers with native ipv6 available.

This comes really close for me (with RouterOS 5.19 on Comcast), but

/ipv6 route add dst-address=::/0 gateway=ext-if

does not work. I was forced to use

/ipv6 route add dst-address=2000::/3 gateway=fe80::[EUI-64 of ISP router]%ext-if

What is setting gateway=[interface] supposed to do?

The above setting tells your router the default gateway for IPv6 packets and states the next hop for packet routing.
So in the above line, if there is no other route in place, the packet will be sent via the ext-if interface to your uplink provider using the settings of that particular interface, more exactly using link-local addresses predefined for local routing (fe80::1 if i remember correctly).

Your line applies only to 2000::/3 addresses and specifies an exact routing path overriding any interface defaults, so that your next hop is fe80::[EUI-64 of ISP router].

You could also try a more generic statement (default route which covers all destinations, not only 2000::/3):

/ipv6 route add dst-address=::/0 gateway=fe80::[EUI-64 of ISP router]%ext-if

This should cover basically all your needs.

Well,

/ipv6 route add dst-address=::/0 gateway=fe80::[eui64 of ISP router]%ext-if

works just as well (so far as I can tell) as with dst-address=2000::/3.

But

/ipv6 route add dst-address=::/0 gateway=ext-if

does not work at all for me.

Is there anything I need to do to nd on the external interface for it to send router solicitations and obtain a router?

I’d prefer not to hard-code the MAC address of my ISP’s router in my router config.

I’d think the thing to do would be to set the gateway to ff02::2%ext-if, but it says that’s an invalid configuration.

AFAIK, fe80::1 is usually the default router’s link-local address.
Now if your provider decides to use something else…
But it is not hardcoded to a specific MAC. Just a link local address.
They probably use more than 1 router for user access so they have to set it up that way.

What i don’t get is why the dhcp client does not set a gateway address (I’m still digging on ipv6) or how to get that gateway to use it.
Shouldn’t it provide a GW address also (like in IPv4)? Haven’t found anything on that.
Maybe there is a missing “set default gateway” in the DHCPv6 setup like in v4 or something?

Starting from v5.18 there is an option add-default-route on the client.

I see I did not have that turned on. I’ve turned it on, but the behavior is unchanged. With the gateway simply set to ext-if, it fails. With it set explicitly to the ISP router’s LL, it works.

I’ve checked again and again in 5.19… Is it missing in WinBox ?

This is a little odd looking. From /ipv6 route print I get:


2 ADC dst-address=2601:9:4980:52::/64 gateway=bridge1
gateway-status=bridge1 reachable distance=0 scope=10

3 DS dst-address=2601:9:4980:52::/64
gateway=fe80::201:5cff:fe3c:b241%ether1-gateway
gateway-status=fe80::201:5cff:fe3c:b241%ether1-gateway reachable
distance=1 scope=30 target-scope=10

(0 is the static route I’ve added to make it work. 1 is disabled. Both are omitted to save clutter).

2601:9:4980:52::/64 is the prefix obtained via DHCPv6. Route #2 looks sensible. Route #3… If the destination were ::/0, then it would be correct, but why is it the 2601 prefix?