Help Needed: IPv6 Configuration Issues with Fritzbox and Mikrotik Switch

sebastiankreiscc · September 23, 2024, 12:17pm

Hello everyone,

I’m having trouble with my IPv6 configuration and would appreciate some assistance.

Setup:

My network setup consists of a Fritzbox connected to a Mikrotik switch.
The Mikrotik switch then distributes the connection across multiple VLANs (4 in total).

Issues:

IPv4 works flawlessly across the entire network without any problems.

IPv6 is where I’m facing issues:

IPv6 only works intermittently or sometimes not at all.
Sometimes IPv6 websites and services work perfectly, and I can ping IPv6 addresses successfully. At other times, these connections fail without any apparent reason, and I’m unable to access IPv6 resources or perform successful pings. This inconsistent behavior is confusing and makes troubleshooting difficult.
In the Mikrotik interface under IPv6 → Neighbors, I see that each VLAN has four entries with the same IPv6 address. Out of 16 listed neighbors, only a few show as “reachable,” while the rest have a status of “failed” and display a MAC address of 00:00:00:00:00:00. This seems to indicate a routing or configuration issue, but I’m not sure how to resolve it.

What I’ve Tried:

I have reviewed the IPv6 settings on both the Fritzbox and the Mikrotik switch multiple times to ensure they are correct.
I’ve tested different VLANs and devices to isolate the issue, but I haven’t been able to identify the root cause.

Questions:

Has anyone experienced similar issues with multiple VLANs on a Mikrotik switch, particularly with incorrect IPv6 neighbor entries?
Are there any specific settings or configurations on the Mikrotik switch that could prevent these failed neighbor entries from appearing?
Could there be an issue with how the Fritzbox is handling IPv6 distribution across the VLANs, causing these conflicts?

Any guidance or suggestions would be greatly appreciated!

Thank you in advance for your help!

mkx · September 23, 2024, 6:04pm

Check IGMP related settings on mikrotik’s bridge. IGMP snooping can be quite flakey and if it’s enabled, it can break IPv6 …

sebastiankreiscc · September 24, 2024, 5:31am

I checked it, IGMP snooping is not enabled.

sebastiankreiscc · September 24, 2024, 6:34am

Here’s our config (only ipv6 related settings):

# 2024-09-24 05:57:06 by RouterOS 7.15.3
# software id = F9KU-4HTK
#
# model = CRS310-8G+2S+
# serial number = ********
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge-lan port-cost-mode=short \
    vlan-filtering=yes
add admin-mac=**:**:**:**:**:** auto-mac=no comment=defconf disabled=yes \
    name=bridge-wan port-cost-mode=short
add name=bridge2-save port-cost-mode=short

/interface vlan
add interface=bridge-lan name=VLANMGMT vlan-id=99
add interface=bridge-lan name=VLANOFFICE vlan-id=1
add interface=bridge-lan name=VLANPRINT vlan-id=2
add interface=bridge-lan name=VLANCUSTOMER vlan-id=3
add interface=bridge-lan name=VLANGAST vlan-id=4
add interface=bridge-lan name=VLANTEST vlan-id=5

/interface bridge port
add bridge=bridge-lan comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-lan comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10
add bridge=bridge2-save comment="save connection" interface=ether8 \
    internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge-wan comment=defconf disabled=yes interface=sfp-sfpplus2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-lan frame-types=admit-only-vlan-tagged ingress-filtering=no \
    interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge-lan frame-types=admit-only-vlan-tagged ingress-filtering=no \
    interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge-lan frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 internal-path-cost=10 path-cost=10 pvid=4
add bridge=bridge-lan frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 internal-path-cost=10 path-cost=10 pvid=99

/ipv6 settings
set accept-router-advertisements=yes

/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether2,ether3 vlan-ids=2,3,5
add bridge=bridge-lan untagged=ether4 vlan-ids=4
add bridge=bridge-lan tagged=ether2,ether3,bridge-lan untagged=ether5 \
    vlan-ids=99
add bridge=bridge-lan tagged=bridge-lan,ether2,ether3 vlan-ids=1
/interface wireguard peers

/ipv6 address
add address=::1400:0:0:0 from-pool=DHCP-v6-POOL4 interface=VLANCUSTOMER
add address=::2000:0:0:0 from-pool=DHCP-v6-POOL4 interface=VLANOFFICE
add address=::2800:0:0:0 from-pool=DHCP-v6-POOL4 interface=VLANTEST

/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=DHCP-v6-POOL4 \
    pool-prefix-length=56 rapid-commit=no request=prefix

/ipv6 firewall filter
add action=accept chain=input comment="input dhcp reply" connection-state="" \
    dst-port=546 in-interface=ether1 protocol=udp src-port=547
add action=accept chain=input comment="input icmpv6" protocol=icmpv6
add action=accept chain=forward comment="forward icmpv6" protocol=icmpv6
add action=accept chain=output comment="out icmp6" protocol=icmpv6
add action=accept chain=forward comment="related established" \
    connection-state=established,related
add action=accept chain=input comment=related,established connection-state=\
    established,related
add action=accept chain=output comment="related, established" \
    connection-state=established,related
add action=accept chain=forward disabled=yes dst-port=22 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=25 protocol=tcp
add action=drop chain=input comment="DROP NEW CONNECTIONS" connection-state=\
    new disabled=yes in-interface=ether1
add action=drop chain=input comment="drop all" disabled=yes in-interface=\
    ether1
add action=drop chain=forward comment="drop forward Interface: ether1" \
    disabled=yes in-interface=ether1
add action=accept chain=output comment="allow out all" disabled=yes
add action=accept chain=output disabled=yes out-interface=ether1
add action=accept chain=input disabled=yes in-interface=ether1
add action=accept chain=output disabled=yes out-interface=ether1
add action=accept chain=forward disabled=yes out-interface=ether1

/ipv6 nd
set [ find default=yes ] disabled=yes
add hop-limit=64 interface=VLANCUSTOMER other-configuration=yes
add hop-limit=64 interface=VLANGAST other-configuration=yes
add hop-limit=64 interface=VLANOFFICE other-configuration=yes
add hop-limit=64 interface=VLANTEST other-configuration=yes

Here’s what our “Neighbors” look like

[admin@MikroTik] > /ipv6 neighbor 
[admin@MikroTik] /ipv6/neighbor> print 
Flags: R - router 
 0 R address=fe80::7eff:4dff:fe92:1849 interface=ether1 mac-address=7C:FF:4D:92:18:49 status="reachable" 

 1   address=2a02:***:****:bdfc:1735:c7a9:161d:8328 interface=VLANOFFICE status="failed" 

 2   address=2a02:***:****:bdfc:1735:c7a9:161d:8328 interface=VLANTEST status="failed" 

 3   address=2a02:***:****:bdfc:1735:c7a9:161d:8328 interface=VLANGAST status="failed" 

 4   address=2a02:***:****:bdfc:dcc6:f491:cff7:e72a interface=VLANOFFICE mac-address=80:6D:97:4A:DF:D8 status="stale" 

 5   address=2a02:***:****:bdfc:1735:c7a9:161d:8328 interface=VLANCUSTOMER status="failed" 

 6   address=2a02:***:****:bdfc:dcc6:f491:cff7:e72a interface=VLANTEST status="failed" 

 7   address=2a02:***:****:bdfc:6e52:f711:c1ab:ba4 interface=VLANOFFICE mac-address=C8:4B:D6:BE:E5:4D status="stale" 

 8   address=fe80::acf4:33b5:a9a7:5f6b interface=VLANOFFICE mac-address=C8:4B:D6:BE:E4:F7 status="stale" 

 9   address=2a02:***:****:bdfc:6e52:f711:c1ab:ba4 interface=VLANCUSTOMER status="failed" 

10   address=2a02:***:****:bdfc:6e52:f711:c1ab:ba4 interface=VLANGAST status="failed" 

11   address=2a02:***:****:bdfc:dcc6:f491:cff7:e72a interface=VLANGAST status="failed" 

12   address=2a02:***:****:bdfc:dcc6:f491:cff7:e72a interface=VLANCUSTOMER status="failed" 

13   address=2a02:***:****:bdfc:6e52:f711:c1ab:ba4 interface=VLANTEST status="failed" 

14   address=fe80::a28f:ee6a:fa6e:7b6 interface=VLANCUSTOMER mac-address=84:A9:38:6C:0A:E8 status="stale" 

15   address=fe80::b9c5:781f:aeb7:854a interface=VLANOFFICE mac-address=C8:4B:D6:BE:E5:4D status="reachable" 

16   address=fe80::e7e0:413c:1d5c:dd90 interface=VLANOFFICE mac-address=80:6D:97:4A:DF:D8 status="stale" 

17   address=2a02:***:****:bdfc:307c:d225:40ea:ba37 interface=VLANOFFICE mac-address=C8:4B:D6:BE:E5:4D status="stale" 

18   address=2a02:***:****:bdfc:307c:d225:40ea:ba37 interface=VLANCUSTOMER status="failed" 

19   address=2a02:***:****:bdfc:92db:1999:6771:168d interface=VLANOFFICE mac-address=C8:4B:D6:BE:E5:4D status="stale" 

20   address=2a02:***:****:bdfc:338:abe5:ae27:ed1 interface=VLANOFFICE mac-address=C8:4B:D6:BE:E5:4D status="stale" 

21   address=2a02:***:****:bdfc:338:abe5:ae27:ed1 interface=VLANCUSTOMER status="failed" 

22   address=2a02:***:****:bdfc:338:abe5:ae27:ed1 interface=VLANTEST status="failed" 

23   address=fe80::caa9:bd05:9ccf:d279 interface=VLANOFFICE mac-address=80:6D:97:30:60:8A status="stale" 

24   address=2a02:***:****:bdfc:2d8e:68b7:fe18:fceb interface=VLANOFFICE mac-address=80:6D:97:30:60:8A status="stale" 

25   address=2a02:***:****:bdfc:7020:780:6bd8:e097 interface=VLANOFFICE mac-address=80:6D:97:30:60:8A status="reachable" 

26   address=2a02:***:****:bdfc:7020:780:6bd8:e097 interface=VLANTEST status="failed"

It looks suspicious to me that the same adresses are listed in different VLANs.

sebastiankreiscc · September 26, 2024, 12:08pm

Hello everyone,

I wanted to update you all and let you know that the issue has been resolved.

The root cause was that the Mikrotik was assigned an IPv6 prefix that was too small from the Fritzbox. As a result, it wasn’t able to properly distribute separate networks for each VLAN, which caused routing conflicts and led to the intermittent IPv6 connectivity issues I was experiencing.

Once I ensured that the Mikrotik received a larger IPv6 prefix from the Fritzbox, everything started working correctly, and IPv6 is now stable across all VLANs.

Best regards.