DHCPv6 from cable co. now what

So I have my DHCPv6 client getting a set of addresses from the cable co. It sets up a pool. The DHCPv6 server is set to the pool… Firewall is all open…

Clients don't get IPv6 addresses.

I'm an IPv6 noob. What else do I need to do? I must need to advertise my cable co provided pool but I don't have that option..

Try something like

/ipv6 dhcp-client
add add-default-route=yes interface=external pool-name=ipv6_pool 
/ipv6 firewall filter
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input dst-port=546 in-interface=external protocol=udp src-port=547
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new in-interface=external
add chain=forward protocol=icmpv6
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward connection-state=new in-interface=!external
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-state=new in-interface=external
/ipv6 nd
set [ find default=yes ] disabled=yes
add advertise-dns=yes interface=internal mtu=1480 other-configuration=yes \
    ra-delay=5s ra-interval=5s-30s
/ipv6 nd prefix default
set preferred-lifetime=4h valid-lifetime=4h

:local ipv6curaddress [/ipv6 address get [/ipv6 address find global=yes] address ]
:local ipv6newaddr {[:pick  [:tostr [/ipv6 dhcp-client get [/ipv6 dhcp-client find interface=external] prefix]] 0 [:find [:tostr [/ipv6 dhcp-client get [/ipv6 dhcp-client find interface=external] prefix]] "/64" ]] . "1/64"}
:if ( $ipv6curaddress = $ipv6newaddr ) do={ :log info "IPv6 prefix not updated."; } else={ :log info "IPv6 prefix updated. Changing IPv6 address."; /ipv6 address set address=$ipv6newaddr numbers=[/ipv6 address find global=yes]; }

This will use a dhcp client, setup some firewall rules, setup prefix delegation inside your network, and will assign an address to your internal interface.

The last few lines can be saved as a script to be run on a regular basis.

You really won’t use the ipv6 dhcp server in most cases and so the pool will not be used either.


Advertise it at /ipv6 address, preferably on the interface where your DHCPv4 server is running. Oh, and do not forget the firewall rules in the post above.

biomesh why not use from-pool feature to set up ipv6 address?

It was for personal preference, (to use a ::1/64 address as the router address) but I found that if I did use the from-pool option and removed that address, it also removed the pool. This is not good since it was a /60 pool handing out /64 prefixes.

I will stick with my setup for now. I am running ROS version 6.7 also.

Biomesh, nice, thanks! Well at least I don't feel so noob after all.

It might be good to massage this into something for the wiki. Lots of people, home users, now have access to native IPv6 DHCP via their ISP. I'm working at a client's in LA and Time Warner cable is doing DHCPv6.

Thanks again for a well thought out solution.

If you have Comcast (or another provider that supports prefixes larger than a /64) then you can add the prefix-hint option to the /ipv6 dhcp-client command like

/ipv6 dhcp-client
add add-default-route=yes interface=external pool-name=ipv6_pool prefix-hint=::/60

This option was added in ROS 6.5 and currently is command line only.

Hmmmm…

Again I may be missing something here.. I changed the above to be my correct interfaces and pasted in.. All looks OK.. Ran the script. It says “IPv6 prefix updated, changing prefix” and I still don't get anything on the client side. I also noticed that none of the rules got any bytes.

If I put an accept for input/output/forward those see bytes.

It gets a /64 from the ISP. Creates a pool..

I'm using OS 6.6 and for testing I'm using a Win 7 machine.

/ipv6 dhcp-client
add add-default-route=yes interface=ether1-gateway pool-name=ipv6_pool
/ipv6 firewall filter
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input dst-port=546 in-interface=ether1-gateway protocol=udp src-port=547
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new in-interface=ether1-gateway
add chain=forward protocol=icmpv6
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward connection-state=new in-interface=!ether1-gateway
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-state=new in-interface=ether1-gateway
/ipv6 nd
set [ find default=yes ] disabled=yes
add advertise-dns=yes interface=bridge-local mtu=1480 other-configuration=yes \
    ra-delay=5s ra-interval=5s-30s
/ipv6 nd prefix default
set preferred-lifetime=4h valid-lifetime=4h

:local ipv6curaddress [/ipv6 address get [/ipv6 address find global=yes] address ]
:local ipv6newaddr {[:pick  [:tostr [/ipv6 dhcp-client get [/ipv6 dhcp-client find interface=ether1-gateway] prefix]] 0 [:find [:tostr [/ipv6 dhcp-client get [/ipv6 dhcp-client find interface=ether1-gateway] prefix]] "/64" ]] . "1/64"}
:if ( $ipv6curaddress = $ipv6newaddr ) do={ :log info "IPv6 prefix not updated."; } else={ :log info "IPv6 prefix updated. Changing IPv6 address."; /ipv6 address set address=$ipv6newaddr numbers=[/ipv6 address find global=yes]; }

An export of ipv6

The first 3 rules in the firewall I just added to allow anything for testing.

# dec/04/2013 08:51:00 by RouterOS 6.6
# software id = 6ATR-3FLU
#
/ipv6 dhcp-client
add add-default-route=yes interface=ether1-gateway pool-name=ipv6_pool
/ipv6 firewall filter
add chain=forward
add chain=input
add chain=output
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input dst-port=546 in-interface=ether1-gateway protocol=udp \
    src-port=547
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new in-interface=ether1-gateway
add chain=forward protocol=icmpv6
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward connection-state=new in-interface=!ether1-gateway
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-state=new in-interface=\
    ether1-gateway
/ipv6 nd
set [ find default=yes ] disabled=yes
add advertise-dns=yes interface=bridge-local mtu=1480 other-configuration=yes \
    ra-delay=5s ra-interval=5s-30s
/ipv6 nd prefix default
set preferred-lifetime=4h valid-lifetime=4h
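
The three accept rules with no matcher at the top of that export match every packet in their chain, so the rules listed after them in the same chain are never evaluated and count no bytes. A small Python check for leftover test rules of that kind, added here as an example (not code from the thread); the function names are made up for it and the sample export is constructed from the post above:

```python
import shlex

# Constructed sample, shortened from the export in the post above.
EXPORT = """\
/ipv6 firewall filter
add chain=forward
add chain=input
add chain=output
add chain=input dst-port=546 in-interface=ether1-gateway protocol=udp \\
    src-port=547
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new in-interface=ether1-gateway
add chain=forward protocol=icmpv6
add action=drop chain=forward connection-state=new in-interface=\\
    ether1-gateway
/ipv6 nd
add advertise-dns=yes interface=bridge-local
"""

def parse_filter_rules(export, section="/ipv6 firewall filter"):
    """Return the 'add' rules of one export section as dicts, in order."""
    joined, buf = [], ""
    for raw in export.splitlines():
        piece = raw.lstrip() if buf else raw  # continuation lines are indented
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        joined.append(buf + piece)
        buf = ""
    rules, active = [], False
    for line in joined:
        if line.startswith("/"):
            active = line.strip() == section
        elif active and line.startswith("add "):
            rule = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            rule.setdefault("action", "accept")  # export omits the default action
            rules.append(rule)
    return rules

def shadowing_accepts(rules):
    """List (index, chain, shadowed indexes) for accept rules with no matcher."""
    findings = []
    for i, rule in enumerate(rules):
        matchers = set(rule) - {"chain", "action", "comment"}
        if rule["action"] == "accept" and not matchers:
            later = [j for j in range(i + 1, len(rules))
                     if rules[j]["chain"] == rule["chain"]]
            findings.append((i, rule["chain"], later))
    return findings
```

Calling `shadowing_accepts(parse_filter_rules(EXPORT))` on the sample reports rules 0, 1 and 2 (zero-based), with the drop rules for new connections on ether1-gateway among the shadowed ones.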

Try this first (adjust the interface to match your internal interface name)

/ipv6 address add from-pool=ipv6_pool interface=ether2 advertise=yes

This is using the method Janisk mentioned.

Yep that worked..

But I liked your method and I like why you decided to use it.

Whoops.. No DNS server.. Almost worked..

My script should work - it works on a few devices I have here.

As for DNS, you can set the option

use-peer-dns=yes

on the dhcp-client command.

Of course thank you for your effort on this :)

Yea use peer DNS is default on the client. I played with it all again, still not handing out DNS. So does that mean the ISP is not handing out an IPv6 DNS server IP? The DHCPv6 client does not seem to have a status that shows if it got DNS from the ISP..

But clients get a gateway and an address, just no DNS server.

Export of ipv6

# dec/04/2013 10:25:16 by RouterOS 6.6
# software id = 6ATR-3FLU
#
/ipv6 address
add address=2605:e000:1412:15e:: from-pool=ipv6_pool interface=bridge-local
/ipv6 dhcp-client
add add-default-route=yes interface=ether1-gateway pool-name=ipv6_pool
/ipv6 firewall filter
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input dst-port=546 in-interface=ether1-gateway protocol=udp \
    src-port=547
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new in-interface=ether1-gateway
add chain=forward protocol=icmpv6
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward connection-state=new in-interface=!ether1-gateway
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-state=new in-interface=\
    ether1-gateway
/ipv6 nd
set [ find default=yes ] disabled=yes
add advertise-dns=yes interface=bridge-local mtu=1480 other-configuration=yes \
    ra-delay=5s ra-interval=5s-30s
/ipv6 nd prefix default
set preferred-lifetime=4h valid-lifetime=4h

Most likely the DNS server is not being provided. The only way to tell 100% is to get a packet trace from the IPv6 DHCP request.

Hmmm… That sounds annoying to do. Well ok not that hard, but still. There should be a way to see the status of what DHCPv6 is pulling from the ISP.

So I plugged the Win 7 machine into the modem directly..

ipconfig

and then into the router

I also tried just putting in the Google IPv6 DNS directly into the network settings on the Win 7 machine. Still no go..

IPv6 is annoying..

So plugging in the Win 7 machine directly to the modem works great. No issues. Can reach IPv6 sites, no issues.

It's entirely possible that Time Warner is doing something weird.. Well this is all good though as I'm learning IPv6.

Have you tried a ping -6 ipv6.Google.com to see if that works?
You don’t have to have a DNS server on IPv6 to actually resolve AAAA records.
Disable your firewall rules temporarily to see if things start to work then.


Have you tried a ping -6 ipv6.Google.com to see if that works?

hehehe.. I do feel like a noob…

It did look it up properly. So that's not the issue apparently. 2607:f8b0:4003:c03::93

But then dest not reachable. With firewall rules in/out/fwd set to accept.

HMmMMmMmmm…

Yea the router shows unreachable gateway.. Well that explains it.. But hmmmm… It should be you would think…

OK well it's a test config and it's on a temp IP so I created a login that's read only if anyone wants to look.. Winbox.. I will of course be discarding the IP shortly but it's up for now and can be accessed from outside.

172.251.43.192 user readonly pass readonly..

Yes admins, I will delete this info after a day or so from this post. Yes I realize it's exposing the router, it's OK..

Looking at your router - the default gateway is unreachable.

Not sure if there is anything you can do - Comcast will provide a /60-/64 prefix as well as a /128 for the external WAN interface. It could be that your provider is doing something different than Comcast.

Yea weird.. Weird that a client on Win 7 can get allocated but not the router. They are getting really different addresses you can see from my screen shots from ipconfig.. Weird..

Yea.. I will do some research on Time Warner doing IPv6 and see what I can find out..

I REALLY appreciate your assistance and your taking the time to connect to the router :)

I will research more..

I suppose I should put in 6.7 just to be on the safe side.