Intermittent Issues with IPv6 SLAAC and/or RA

RouterOS General
1

Hey, hoping someone can point out something that I missed. I am using the hackish VRRP method of getting IPv6 ranges from AT&T for my home network, because I have multiple VLANs. It has been working just fine for quite a while now. This week, I upgraded my hEX to an L009, it seemed to still be working fine. Then yesterday, suddenly, things started being unable to route IPv6 traffic. I have been troubleshooting it ever since and cannot figure out what is going on. Things will occasionally start working for a while, then drop off again without any apparent reason. I even went as far as completely wiping my IPv6 configuration and rebuilding it from scratch, but I’m still having issues. It appears to have something to do with router announcements, as when it is having problems rdisc6 reports timeouts

sudo rdisc6 wlp1s0
Soliciting ff02::2 (ff02::2) on wlp1s0...
Timed out.
Timed out.
Timed out.
No response.

But then it will randomly start working again

sudo rdisc6 wlp1s0
Soliciting ff02::2 (ff02::2) on wlp1s0...

Hop limit                 :    undefined (      0x00)
Stateful address conf.    :           No
Stateful other conf.      :           No
Mobile home agent         :           No
Router preference         :       medium
Neighbor discovery proxy  :           No
Router lifetime           :          900 (0x00000384) seconds
Reachable time            :  unspecified (0x00000000)
Retransmit time           :  unspecified (0x00000000)
 Source link-layer address: D4:01:C3:28:F8:C4
 Prefix                   : 2600:1700:d4f7:601f::/64
  On-link                 :          Yes
  Autonomous address conf.:          Yes
  Valid time              :      2592000 (0x00278d00) seconds
  Pref. time              :       604800 (0x00093a80) seconds
 from fe80::d601:c3ff:fe28:f8c4

It’s driving me up a wall, because I cannot discern any pattern as to what is causing the issues. Here’s my config.

> /interface/vrrp/export 
# 2024-06-09 14:37:15 by RouterOS 7.15
# software id = **ELIDED**
#
# model = L009UiGS
# serial number = **ELIDED**
/interface vrrp
add interface=sfp1 name=DMZ-vrrp v3-protocol=ipv6
add interface=sfp1 name=IoT-vrrp v3-protocol=ipv6 vrid=3
add interface=sfp1 name=Work-vrrp v3-protocol=ipv6 vrid=2

And:

> /ipv6/export verbose 
/ipv6 address
add address=::1/64 advertise=yes disabled=no eui-64=no from-pool=home interface=Home no-dad=no
add address=::1/64 advertise=yes disabled=no eui-64=no from-pool=dmz interface=DMZ no-dad=no
add address=::1/64 advertise=yes disabled=no eui-64=no from-pool=work interface=Work no-dad=no
add address=::1/64 advertise=yes disabled=no eui-64=no from-pool=iot interface=IoT no-dad=no
/ipv6 dhcp-client
add add-default-route=yes default-route-distance=1 dhcp-options="" dhcp-options="" disabled=no interface=sfp1 pool-name=home pool-prefix-length=64 prefix-hint=::/0 request=address,prefix use-peer-dns=no
add add-default-route=yes default-route-distance=1 dhcp-options="" dhcp-options="" disabled=no interface=DMZ-vrrp pool-name=dmz pool-prefix-length=64 prefix-hint=::/0 request=address,prefix use-peer-dns=no
add add-default-route=yes default-route-distance=1 dhcp-options="" dhcp-options="" disabled=no interface=Work-vrrp pool-name=work pool-prefix-length=64 prefix-hint=::/0 request=address,prefix use-peer-dns=no
add add-default-route=yes default-route-distance=1 dhcp-options="" dhcp-options="" disabled=no interface=IoT-vrrp pool-name=iot pool-prefix-length=64 prefix-hint=::/0 request=address,prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" disabled=no dynamic=no list=bad_ipv6
add address=::1/128 comment="defconf: lo" disabled=no dynamic=no list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" disabled=no dynamic=no list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" disabled=no dynamic=no list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" disabled=no dynamic=no list=bad_ipv6
add address=100::/64 comment="defconf: discard only " disabled=no dynamic=no list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" disabled=no dynamic=no list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" disabled=no dynamic=no list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" disabled=no dynamic=no list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop hop-limit=1" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=yes !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !headers hop-limit=equal:1 !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !limit log=no log-prefix="" \
    !nth !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority protocol=icmpv6 !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="Consul UDP" dst-address-list=local dst-port=8600,8301-8302 protocol=udp src-address-list=local
add action=accept chain=forward comment="Consul TCP" dst-address-list=local dst-port=8600,8500,8300-8302 protocol=tcp src-address-list=local
add action=accept chain=forward !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate connection-state=new !connection-type !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !headers !hop-limit !icmp-options !in-bridge-port !in-bridge-port-list !in-interface in-interface-list=LAN !ingress-priority !ipsec-policy !limit log=no log-prefix="" !nth !nth \
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !random !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no advertise-mac-address=yes disabled=no dns="" hop-limit=unspecified interface=all managed-address-configuration=no mtu=unspecified other-configuration=no pref64="" ra-delay=3s ra-interval=\
    2m30s-7m30s ra-lifetime=15m ra-preference=medium reachable-time=unspecified retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes disable-ipv6=no forward=yes max-neighbor-entries=7168

I’m hoping someone here can point me in the direction of what is wrong, or at least give me a place to look next.

2

Are you sure that your ISP only provides you with individual /64 prefixes? Did you try to put “::/56” instead of “::/0” for the prefix-hint field of the DHCPv6 client entry? Try to do that with “home”, and also don’t request address, only prefix:


/ipv6 dhcp-client
add add-default-route=yes default-route-distance=1 interface=sfp1 pool-name=home pool-prefix-length=64 prefix-hint=::/56 request=prefix use-peer-dns=no

And see whether you get a /60 or /56 prefix from the ISP. In that case you don’t need the VRRP hack anymore (one DHCPv6 client instance on sfp1 is enough) and can just use the “home” pool to assign multiple /64 prefixes for all your VLAN interfaces.

If they really only give out a /64 prefix, then you can use MACVLAN instead of VRRP for your hack-interfaces, I think it’s more lightweight.

You did not include your full configuration export, so just to be sure, did you add the interfaces “Home”, “DMZ”, “Work” and “IoT” to the LAN interface list?

Anyway, I don’t think the L009 is really an “upgrade” from the hEX, CPU-wise. It only has more ports. The routing capability might even be worst.

3

Yes, sadly, I’m sure. It’s a known and well documented annoyance with AT&T home fiber. They assign a /56 to their combo GPON/Router, then will only assign a /64 from that range per MAC address regardless of requested size (hence the VRRP hack). Even with IP Passthrough turned on, so that the public IPv4 gets assigned directly to my router, it still does that with the IPv6 range. There have been a number of threads both on here and Reddit about it. There were workarounds for certain older AT&T devices, but their current generation of devices don’t allow you to do it any other way.

If they really only give out a /64 prefix, then you can use MACVLAN instead of VRRP for your hack-interfaces, I think it’s more lightweight.

You did not include your full configuration export, so just to be sure, did you add the interfaces “Home”, “DMZ”, “Work” and “IoT” to the LAN interface list?

Anyway, I don’t think the L009 is really an “upgrade” from the hEX, CPU-wise. It only has more ports. The routing capability might even be worst.

Thanks for the MACVLAN tip, I’ll have to check it out. I had really been following prior art from other people who had already figured out how to work around AT&Ts flawed IPv6 implementation and never saw any mention of MACVLAN.

Not sure why you wouldn’t consider it an upgrade, the L009UiGS has more memory, more storage, and a similar CPU (different architecture though, hard to compare directly) than the hEX RB750Gr3 that I was running. I’m also getting better throughput than I was, or so it seems at least, may just be luck or confirmation bias of course.

Another big part of the reason I replaced it though was because I was able to consolidate my router and one of my other home network switches into a single device. Trying to simplify (somewhat) my home network.


Also, shortly after posting this I went and reset the WiFi settings on my Unifi APs to default (I’m working on replacing all my Unifi gear but haven’t gotten to them yet), and it seems to have stabilized since then. Which is odd, because I hadn’t changed settings on those recently, so I don’t know why it would have suddenly started interfering with RA and/or SLAAC.

4

Yes, that’s why I wrote “CPU wise” in my previous post :blush:. But I would, for example, add $20 and get the hAP ax³, which will really perform much better. A hAP ax² will also be nearly 3x faster and even $20 cheaper than the L009, but unfortunately lacks the USB port. Both also have double the RAM and IPsec HW acceleration. Of course, if you want to consolidate your devices into one then those won’t suit your needs.

5

Fair enough. Yeah, consolidating my core switch and router was one of my larger goals with this. Plus I wanted it to be actually mounted in my network rack, and my network rack is not in a particularly good location for wireless. My dedicated APs are placed in better locations for coverage in my house.

Anyway, I redid my IPv6 config using MACVLAN interfaces, and it is working just fine, thanks for pointing that out to me, it’s much less hacky than the VRRP interfaces. I also haven’t had any IPv6 issues since resetting my AP configs. I guess I’ll chalk this all up to some sort of Unifi screw-up. Just don’t understand how it suddenly started happening when I haven’t changed any settings on them in a long time. I’m really fed up with their software, I guess I should fast track replacing it. At this point, I’m mostly waiting on Mikrotik to release an AX version of the wAP (or maybe the wsAP). I already installed a 1-gang wall box for one of my current APs and I’d rather replace it with one that can also mount on it.

6

Pretty sure I am seeing this same issue. I thought at first it was something to do with me putting a ULA address as my RA dns server (pihole) but that didn’t seem to be the case. Things just work for a while then eventually stop. Modifying the config seems to jump-start it again and it continues to work for a while. Rebooting the router would probably work too. I don’t need any hacky configs, my ISP has pretty good IPV6 support out of the box so things are as simple as possible for me. I was blaming Windows for a while but then it happened on my android phone too.

7

I’m having the same issue with an RB5009, so I don’t think it’s related to an underpowered MikroTik device. I’ll give the MACVLAN a shot and see if that fixes it.