Internode and IPV6 Prefix and addresses

Hi Everyone,
I have managed to get my Mikrotik working with internode but am unable to get both the IPV6 address and prefix working the way they should according to most examples and the documentation. My config is:

ipv6 export
# jan/20/2020 19:00:22 by RouterOS 6.45.7
# software id = NJXX-WVVI
# model = RB750Gr3
# serial number = 8B010BCBB0AA

/ipv6 address
add address=2001:44b8:2159:cf01::1 interface=ether2
add address=2001:44b8:2159:cf00::1 advertise=no interface=ether1
add address=2001:44b8:2159:cfff::1 advertise=no interface=pppoe-out1
/ipv6 dhcp-client
add add-default-route=yes comment=Internode interface=pppoe-out1 pool-name=samford request=prefix
/ipv6 firewall address-list
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defcon:accept established, related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid connection-type=""
add action=accept chain=input protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=3343-33534 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input dst-port=546 log=yes log-prefix=RA protocol=udp
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment=" defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input in-interface=DMZ
add action=accept chain=input dst-port=547 in-interface=pppoe-out1 log=yes log-prefix=RA protocol=udp
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward dst-address=2001:44b8:2159:cf01::4/128 dst-port=25 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward dst-address=2001:44b8:2159:cf01::4/128 dst-port=143 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward dst-address=2001:44b8:2159:cf01::4/128 dst-port=465 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward dst-address=2001:44b8:2159:cf01::4/128 dst-port=993 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward comment="Seive port" dst-address=2001:44b8:2159:cf01::4/128 dst-port=4190 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward dst-address=2001:44b8:2159:cf01::4/128 dst-port=53 in-interface=pppoe-out1 protocol=udp
add action=accept chain=forward disabled=yes dst-address=2001:44b8:2159:cf01::4/128 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward connection-state=established,related,new dst-address=2001:44b8:2159:cf01::6/128 dst-port=80 in-interface=pppoe-out1 log=yes log-prefix=v6web protocol=tcp
add action=accept chain=forward connection-state=established,related,new dst-address=2001:44b8:2159:cf01::6/128 dst-port=443 in-interface=pppoe-out1 log=yes log-prefix=v6web protocol=tcp
add action=accept chain=forward comment="letsencrypt - " connection-state=established,related,new dst-address=2001:44b8:2159:cf01::4/128 dst-port=80 in-interface=pppoe-out1 log=yes log-prefix=v6web protocol=tcp
add action=accept chain=forward comment=Letsencrypt connection-state=established,related,new dst-address=2001:44b8:2159:cf01::4/128 dst-port=443 in-interface=pppoe-out1 log=yes log-prefix=v6web protocol=tcp
add action=accept chain=forward connection-state=established,related,new,untracked in-interface-list=LAN
add action=accept chain=output
add action=drop chain=forward in-interface=pppoe-out1 log=yes log-prefix=v6fwddrop
add action=drop chain=input
/ipv6 nd
set [ find default=yes ] advertise-dns=yes hop-limit=64 interface=DMZ managed-address-configuration=yes other-configuration=yes
add advertise-dns=yes disabled=yes hop-limit=64 interface=ether1
add hop-limit=64 interface=pppoe-out1 managed-address-configuration=yes
/ipv6 route
add distance=2 dst-address=2001:44b8:2159:cf02::/64 gateway=2001:44b8:2159:cf01::30
/ipv6 settings
set accept-router-advertisements=yes

The issues I am having are:

  1. When I set my dhcp-v6 client to obtain the address and prefix, the router won't connect. Is anyone else who uses internode having the same problem? Have you fixed it?

  2. I would like to configure a DHCP server to delegate prefixes to my internal subnets. Can I do this on the same router? Every example I have tried errors when either trying to create the pool or allocates out a /56 subnet. As the /56 prefix is dynamically allocated by internode and then creates the pool, I haven’t figured out how to configure this for prefix allocation.

Unfortunately, most of the examples on prefix delegation I have found don’t match what I am trying to achieve. I would like to use two /64 subnets for the networks connected to my gateway router and then allocate other /64s to my internal, IOT and guest subnets.

Thanks in advance.

AUsquirrel

Are these all supposed to be /128? I don’t see a mask assigned.

I wrote a brief primer for designing and deploying IPv6 on MikroTik for ISPs with /56 prefix delegation…might be helpful for you.

https://stubarea51.net/2018/09/14/wisp-design-an-overview-of-adding-ipv6-to-your-wisp/

Hi IPANetEngineer,

Thank you for replying and I enjoyed reading your WISP design.

To answer your question, they are netmasked as /64.

ipv6 address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
 #    ADDRESS                          FROM-POOL INTERFACE   ADVERTISE
 0  G 2001:44b8:2159:cf01::1/64                  ether2      yes
 1  G 2001:44b8:2159:cf00::1/64                  ether1      no
 2  G 2001:44b8:2159:cfff::1/64                  pppoe-out1  no
 3 DL fe80::c6ad:34ff:fe13:c9df/64               ether1      no
 4 DL fe80::c6ad:34ff:fe13:c9e0/64               DMZ         no
 5 DL fe80::8/64                                 pppoe-out1  no

I used the export to generate the previous config. When I do a print, they are different as it shows the netmask. I have different network segments on each interface.

In your WISP design it was nice to see how an ISP would be handing out the prefixes down to your subscribers.

I am using my subnets for network segmentation as part of my security design. All the examples I have viewed, like yours, either:

  • don’t have end point devices located on the intermediate links
  • or use dedicated links between routers.

My Network design is more like this

I am using my Mikrotik as router/firewalls and have multiple internal networks. I hope that describes more about my network.

Regards

AU Squirrel

Hi AUsquirrel.

How did you configure the dhcpv6 client to request both address and prefix?

I can see at https://wiki.mikrotik.com/wiki/Manual:IPv6/DHCP_Client that:
“request (prefix, address; Default: ) to choose if the DHCPv6 request will ask for the address or the IPv6 prefix, or both.”

And this is applicable to “RouterOS: v5.9 +”. However, I am running 6.43.4 and I do not have the option for “both”:

[admin@MikroTik] > /ipv6 dhcp-client add request=  
address  info  prefix

Ok, I have now seen how to request both, just posting here to answer my own question, in case someone else comes across this.

The syntax for requesting both address and prefix is:

[admin@MikroTik] > /ipv6 dhcp-client add request=address,prefix
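
The dual request above in a fuller configuration, added here as an example and not posted by anyone in the thread or taken from MikroTik's documentation. The pool name `samford` and the interface names are reused from the export in the first post; the server name `lan-pd`, the `::1` host part and the choice of `ether2` as the downstream-facing interface are assumptions.

```routeros
# Added example, not from the thread. Names other than "samford", pppoe-out1,
# ether1 and ether2 are assumptions.

# 1. Request both a WAN address and a delegated prefix from the ISP.
#    The delegated prefix is stored in the dynamic pool "samford";
#    pool-prefix-length=64 makes that pool hand out /64 blocks.
/ipv6 dhcp-client
add interface=pppoe-out1 request=address,prefix pool-name=samford \
    pool-prefix-length=64 add-default-route=yes comment=Internode

# 2. Number the directly attached segments from the pool rather than
#    hard-coding the prefix, so the addresses follow the delegation if it
#    changes. Each from-pool entry takes one /64 from the pool.
/ipv6 address
add address=::1 from-pool=samford interface=ether2 advertise=yes
add address=::1 from-pool=samford interface=ether1 advertise=no

# 3. Delegate further /64s from the same pool to routers behind ether2
#    (internal, IoT and guest networks would each request one).
/ipv6 dhcp-server
add name=lan-pd interface=ether2 address-pool=samford

# 4. Input-chain rules for the DHCPv6 traffic, scoped by interface and by
#    link-local source instead of accepting UDP 546 from any source.
#    They must sit above the final "drop chain=input" rule to take effect.
/ipv6 firewall filter
add chain=input action=accept protocol=udp dst-port=546 \
    src-address=fe80::/10 in-interface=pppoe-out1 \
    comment="DHCPv6 client: replies from the upstream server"
add chain=input action=accept protocol=udp dst-port=547 \
    src-address=fe80::/10 in-interface=ether2 \
    comment="DHCPv6 server: prefix requests from downstream routers"
```

After applying it, `/ipv6 pool print` and `/ipv6 dhcp-server binding print` show which /64s were taken from the delegated prefix and by whom.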