DHCPv6-PD via PPPoE client on RouterOS 5.9

Djelibeybi · December 2, 2011, 12:50am

(I decided to start a new topic on this as not to clutter up the RouterOS 5.9 announcement thread)

I have done further testing. I cannot get packet sniffer on RouterOS to see any DHCPv6-PD packets at all. I have re-tested my connection with Ubuntu Server running a pppoe client and it can happily get DHCPv6-PD using wide-dhcp6-client. I have sent the packet trace for that to Miktotik support.

The tcpdump line that worked on Linux is:

# tcpdump -i ppp0 udp port 546 or udp port 547

I’m trying this Packet Sniffer config on RouterOS:

          interface: Internode-FTTH
       only-headers: no
       memory-limit: 100KiB
      memory-scroll: yes
          file-name: pppoe-connection
         file-limit: 1000KiB
  streaming-enabled: no
   streaming-server: 0.0.0.0
      filter-stream: no
 filter-ip-protocol: udp
        filter-port: 546,547
   filter-direction: any
            running: no

However, while I can see packets leaving RouterOS (the firewall counter for IPv6 udp/547 outbound on the pppoe interface increases), they are not being picked up by packet sniffer at all.

Suggestions welcome!

Djelibeybi · December 2, 2011, 9:01am

Turns out that Packet Sniffer on RouterOS can’t sniff pppoe connections. You have to point it to the ethernet interface that the pppoe-client is running on and set the filter-mac-protocol=pppoe instead. I’ve now sent the packet trace from the (working) wide-dhcpv6-client and (non-working) RouterOS 5.9 to Mikrotik support.

timoid · December 2, 2011, 1:28pm

it definitely works - I've labbed it against a cisco 7200 LNS and I get a prefix fine.

I don't use the same routers as 'node but so it might be an interoperability bug between IOS-XE and MikroTik?

*Dec 2 23:09:05.779: IPv6 DHCP: Received SOLICIT from FE80::5 on Virtual-Access2.1
*Dec 2 23:09:05.783: IPv6 DHCP: Sending ADVERTISE to FE80::5 on Virtual-Access2.1
*Dec 2 23:09:06.843: IPv6 DHCP: Received REQUEST from FE80::5 on Virtual-Access2.1
*Dec 2 23:09:06.847: IPv6 DHCP: Creating binding for FE80::5 in pool ISP-PD
*Dec 2 23:09:06.851: IPv6 DHCP: Allocating IA_PD 00000005 in binding for FE80::5
*Dec 2 23:09:06.851: IPv6 DHCP: Allocating prefix ZZ03:Z000::/62 in binding for FE80::5, IAID 00000005
*Dec 2 23:09:06.859: IPv6 DHCP: Sending REPLY to FE80::5 on Virtual-Access2.1

[admin@rtr2] /ipv6 dhcp-client> print
Flags: D - dynamic, X - disabled, I - invalid

INTERFACE STATUS PREFIX

0 pppoe-out1 bound ZZ03:Z000::/62

Djelibeybi · December 2, 2011, 8:59pm

I’m glad someone got it to work! Can you post the IPv6 firewall rules you used on the Mikrotik as well? Also, Internode presents a /56 prefix. Are you able to configure your Cisco to present that and see if it still works?

This is the configuration I’m using on the Mikrotik side:

/ipv6 dhcp-client
add disabled=no interface=Internode-FTTH pool-name=Internode-IPv6 \
    pool-prefix-length=64

/ipv6 firewall filter
add action=accept chain=output disabled=no dst-port=547 out-interface=\
    Internode-FTTH protocol=udp
add action=accept chain=input disabled=no dst-port=546 in-interface=\
    Internode-FTTH protocol=udp

Looking forward to any tips you can provide!

timoid · December 2, 2011, 9:12pm

Sure - LAB environment so no firewalls

[admin@rtr2] /ipv6 dhcp-client> release 0
[admin@rtr2] /ipv6 dhcp-client> renew 0
[admin@rtr2] /ipv6 dhcp-client> print
Flags: D - dynamic, X - disabled, I - invalid

INTERFACE STATUS PREFIX

0 pppoe-out1 bound zz01:z000::/56

also just for kicks, try NODE-PD instead of Internode-IPv6 for your pool name.

Djelibeybi · December 2, 2011, 9:24pm

Nope, doesn’t work without any firewall or using NODE-PD as the pool name. Just gets stuck on “Searching…”

timoid · December 2, 2011, 9:36pm

Dunno then.

I’d hit up node support, see what they see their end.

Djelibeybi · December 4, 2011, 8:54pm

Yeah, I’ll try that today when Internode’s NetOps team are online.

omega-00 · December 5, 2011, 2:16am

I’ve opened a ticket with em too, sent through a copy of my packet cap showing DHCPv6 solicit request but no advertise response.

omega-00 · December 6, 2011, 4:55pm

I’ve noticed a difference in the debug outputs for connecting with username@ipv6.internode.on.net vs enabling IPv6 from the internode web portal and using your regular username.

Files attached show the @ipv6 way appears to be getting a bad response while the regular just times out.

Username@ipv6.internode.on.net debug -
debug-dhcp6-ipv6.txt (5.64 KB)
Username@internode.on.net debug -
debug-dhcp6.txt (4.83 KB)

Djelibeybi · December 6, 2011, 8:27pm

Testing with the new 5.10rc2 from Mikrotik results in a valid PD coming from Internode:

[admin@MikroTik] /ipv6 dhcp-client> print detail
Flags: D - dynamic, X - disabled, I - invalid 
 0    interface=Internode-FTTH pool-name="Internode-IPv6" pool-prefix-length=64 
      status=bound prefix=2001:44b8:4133:6f00::/56 expires-after=1h53m21s

Now I have to work out how to get radvd to hand out IPv6 addresses.

Djelibeybi · December 6, 2011, 10:09pm

I can’t seem to find the right configuration for /ipv6 nd prefix – everything I try just comes up as Invalid.

Djelibeybi · December 6, 2011, 11:30pm

RouterOS is not configuring the local interface with a proper IPv6 address from the pool received via the DHCPv6-PD request. On Linux, the LAN interface upon which RADVD runs gets an IPv6 address. Anyone know if it’s possible to manually apply an address? All I have now are link-local addresses and the router can’t ping any IPv6 addresses yet.

omega-00 · December 6, 2011, 11:33pm

If you know what the range allocated is then yes you should be able to simply add an IPv6 address to the interface of your choice, seeing as you have the upstream gateway and Internode knows to route back to you for that range.

Djelibeybi · December 6, 2011, 11:35pm

Yeah, but how do I work out what a valid IPv6 address for that interface is?

Djelibeybi · December 7, 2011, 1:13am

Ok, I now have IPv6 working correctly. I’m still not sure I should be setting the IPv6 address on the internal LAN interfaces manually, but otherwise it seems to work OK.

omega-00 · December 7, 2011, 4:40am

Lol, so it looks like the only thing missing now is the “Framed-IPv6-Address” support
Aka: everything but your router can get internet access, unless you manually assign a public address to the router.

timoid · December 7, 2011, 10:53am

the next step is to work out how to tell RouterOS to take a /YY size prefix out of the /XX delegated prefix and use it to generate an IPv6 address on the assigned interface.

so something like: /ipv6 address interface=ether1 address=::1/64 prefix-pool=ISP-PD

as an example:

2001:44b8::/56 allocated to ISP-PD
the above would take a /64 from the pool ISP-PD (obtained via DHCP client) and assign the first ipv6 address on the interface specified.

mrz · December 7, 2011, 11:01am

Adding address from pool to interface is in our TODO list.