I am a RB newbie and currently struggling with the setup of my Hex S to get IPv6 to work with my FTTH connection. My ISP provides a simple ONU/media converter and a /64 prefix without prefix delegation. The steps I have taken in order to set up IPv6 are:
IPv6 > DHCPv6 client > Add new
Interface ether1 (where my ONU is connected)
Pool name “pool-ipv6”
Pool prefix length: 64
Use Peer DNS, Add default route both checked
After step 1, the newly added DHCPv6 client is stuck with status “searching”.
No prefix or address is displayed for this client.
After some online searching, it looks like some functionality called “RA Proxy” (which afaik does not seem to be available in RB yet) is needed for the RA to flow to the network. As a workaround for this, some blogs outline the following process:
Tools > Traceroute > Traceroute to 2001:4860:4860::8888
The output would look like this:
The RA prefix is [2409:10:dead:beef::cafe] which would mean that the prefix is likely going to be [2409:10:dead:beef::/64]. From that we can set an IPv6 address like [2409:10:dead:beef::1] to the local interface with the following step:
IPv6 > Addresses > Add
Address 2409:10:dead:beef::1
Interface ether2 (local lan)
Advertise checked
After this step, I still don’t have IPv6 connectivity.
Could someone please help me get IPv6 to work? Thanks in advance.
It can mean two things, but I guess one is more likely. If you connect PC directly to this device and it gets IPv6 address and everything works, it means that /64 is set directly on ISP’s device, it serves as gateway and it allows you to have only one IPv6 subnet connected directly to it. The other could be static config with /64 subnet routed to you, in that case PC connected to ISP’s device would not get address, and they would provide you with the subnet and at least gateway.
In any case, just a single /64 is very limiting, because it doesn’t allow you to create additional subnets, e.g. if you would want one for yourself and another for guests. And if it’s the first case, it’s not completely wrong, but far from ideal too, because it assumes that all your devices will be connected directly to ISP’s router. There’s no place for your router. RA proxy can solve this problem, but it’s more like a workaround, and as you correctly found out, RouterOS doesn’t have it.
So with current RouterOS, you’d need to have it in bridge mode, which is possible, but it will also affect IPv4 config.
Just tried connecting my PC directly to this ONU device without the router. The PC gets its IPv6 address (Native IPv6) and everything seems to work (with the exception of IPv4, for which a PPPoE client is needed).
For my personal use case, I do not need multiple networks so I’m fine with that.
Taking a look at some Japanese blogs, it looks like there are two workarounds for my case:
Figure out the assigned /64 prefix by running a traceroute to an IPv6 address. The first hop would have info on which IPv6 address is assigned. Assign an address within this prefix to the WAN interface. Did not work…
Use IPv6 PPPoE. I made a new PPPoE client for IPv6 in the same WAN interface where I have my PPPoE IPv4 client, but still did not work…
Sorry, could you please give more info on this?
Does this mean that my only option is bridging this router to another router having IPv6 RA Proxy functionality ?
You can figure out the used /64 easily when you connect a device directly to ISP’s router and see what it got (but you have no guarantee that it’s static). In fact, even RouterOS can get an address from RA, but it won’t help you with getting packets through your router.
With bridge I mean bridging ports connected to ISP’s router and to your LAN. It would make the router transparent and IPv6 for devices in LAN would work as if they were connected directly to ISP’s router. Problem is, it would mess up your IPv4 config, for which you want the router in router mode. I’m sure that it’s possible to do something with either bridge filters or bridge IP firewall, but I rarely use it, so I’m not able to give you the right config from top of my head.
Another router with RA proxy would help you only if you had it as main router and current router would not be doing any routing, otherwise you’d have the same problem. Unfortunately, what your ISP chose is not the best way how to give IPv6 to users.
Thanks. Some Japanese blogs state that one alternative to the RA proxy issue could be connecting IPv6 via PPPoE instead of IPoE. Do you think this would work? I attempted it without success (perhaps my settings were not correct?)
It’s really disappointing that I can’t get IPv6 to work because of the way my ISP provides IPv6. I wish I could change to another ISP but I am stuck in a 2y contract. I wish Mikrotik could implement RA proxy someday too…
Honestly, I’ve never used IPv6 with PPPoE, so I don’t know if it needs anything special. I’d expect it to just be there as IPv4 is. So far your ISP’s config seems to be a strange mix, IPv6 available directly, but PPPoE required for IPv4…
Anyway, if you want to experiment, my quick test says that the following config works. It bridges two ports and allows only IPv6 traffic between them, everything else is blocked. So for IPv6 it’s as if the router isn’t there at all. Access to IPv4 internet is using PPPoE client and it’s standard config, PPPoE interface is WAN, bridge is LAN.
First there’s the magic WAN-LAN bridge (ether1 is connected to ISP, ether2 is your LAN):
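An added sketch of the setup described above, not the configuration from the original post: a bridge over ether1 (ISP) and ether2 (LAN) whose bridge filter passes only IPv6 frames between the two ports, with the PPPoE client for IPv4 on the bridge. The names bridge1 and pppoe-out1 and the credential placeholders are assumptions.

```routeros
# Added example; bridge1, pppoe-out1 and the credentials are placeholders.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2

/interface bridge filter
# Frames crossing between the ISP port and the LAN: IPv6 EtherType only.
add chain=forward in-interface=ether1 mac-protocol=ipv6 action=accept
add chain=forward out-interface=ether1 mac-protocol=ipv6 action=accept
add chain=forward in-interface=ether1 action=drop
add chain=forward out-interface=ether1 action=drop
# Router's own traffic on the ISP port: PPPoE only (IPv4 rides inside it).
add chain=input in-interface=ether1 mac-protocol=pppoe-discovery action=accept
add chain=input in-interface=ether1 mac-protocol=pppoe action=accept
add chain=input in-interface=ether1 action=drop
add chain=output out-interface=ether1 mac-protocol=pppoe-discovery action=accept
add chain=output out-interface=ether1 mac-protocol=pppoe action=accept
add chain=output out-interface=ether1 action=drop
# Keep the router's PPPoE discovery broadcasts off the LAN port.
add chain=output out-interface=ether2 mac-protocol=pppoe-discovery action=drop

# IPv4 WAN: PPPoE client runs on the bridge because ether1 is a bridge port.
/interface pppoe-client
add name=pppoe-out1 interface=bridge1 user="<isp-user>" \
    password="<isp-password>" add-default-route=yes disabled=no
```

Because IPv6 frames are bridged rather than routed here, rules under /ipv6 firewall filter on the router do not see them by default, so LAN hosts are reachable from the ISP side over IPv6 and need their own filtering.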
Wow, thank you for letting me know the whole config!
Just set the router following your instructions and voila! works perfectly for both IPv4 and IPv6.
Here is a screenshot of the test result (I seem to have ICMP untested, no idea why…):
Now time for me to understand all the bits of the config.
Many many thanks again for your time and patience!
One last question about the bridged ports: I see that ethernet ports 1 and 2 are bridged. Does that mean that they are switched, i.e. share the same 1Gbps line bandwidth? (Hex S)
Ideally, in order to have symmetrical gigabit wan, I would prefer having ethernet 1 (wan) on one 1Gbps line, and the rest of ports 2-5 in another 1Gbps line.
For this, I guess I would need to bridge ports 2-5 and leave 1 unbridged? How should I connect the bridged ports 2-5 to port 1?
If you want to add other LAN ports, just add them to bridge. Only special handling required is for the one connected to ISP. You can drop whole “output-lan” chain in bridge filters, it was to prevent PPPoE requests from being sent to LAN, but since you most likely don’t have any PPPoE server there, it shouldn’t matter.
I’m not sure about switching. Generally yes, it does work that way in current RouterOS, but it depends also on other used options and I think it won’t go well together with bridge filters. I don’t have Hex S to test with, but I guess it’s likely that it will use software instead of hardware. I’m not sure if only for the port connected to ISP (referenced by bridge filters) or for all. And whether software bridging would be fast enough for full gigabit, I don’t know that either.
My guess is that you should keep all 5 ports bridged together (otherwise Sob’s magic for separating IPv6 from PPPoE won’t work), but just to be sure set hw=no for WAN ether port (that’s in /interface bridge port) … my non-educated guess is that this should be enough to reconfigure your hEX S according to top block diagram. Set hw=yes on the rest of ether ports if they aren’t already.
As I wrote, I can’t test it, but I’m afraid that playing with bridge filters may ruin hardware switching for all ports.
And yes, the magic depends on bridge. Bridge filter and IP firewall filter are not interchangeable like this. If you remove port connected to ISP from bridge, IPv6 will no longer transparently pass through router and you’ll be back where you started.
What can I say, life is sometimes hard for early adopters. Although “early adopter of IPv6” in 2019… but that’s how it is.
Reading this thread I’d say I’m lucky to have the misery of DSL line … my ISP is delivering both IPv4 and IPv6 over PPPoE, eliminating need for IPv6 on WAN interface. Meaning that I can actually use all 256 /64 subnets that I have, none are wasted
I’d gladly trade one /64 subnet for fibre access (I’m not picky, either FTTH or GPON would do) though.
At home, I have my trusty 6to4, which I got in 2001 as a temporary way to get IPv6, until ISP brings native connectivity. It still works. I mean, it has to. Fortunately, it’s enough for my needs, but it’s crazy.
Thanks again. Just tried removing ether1 out of the bridge and adding some firewall filters like those of the bridge, but IPv6 stopped working. Better leave the bridge as is.
However, there are a couple of things I am a bit curious about:
Are bridge filters needed? If I remove all bridge filters, IPv4 and IPv6 still seem to work, speed/ipv6 test results do not seem to change at all…
Is there any difference between setting filters for the bridge in chains forward/input vs setting filters in ip firewall for the same chains?
Thanks. Just tried that, I seem to get 300 Mbps download / 160Mbps upload regardless of the hw setting.
Just curious, what is the rationale behind setting hw to false for the wan port? I believe HW offload is something you don’t want to lose…