IPv6 Advertising all ranges on one interface

Hi,

More IPv6 woes, I’m afraid.

I have an RB2011. I don’t have IPv6 support from my provider; I use the HE Tunnel Broker. I have configured 3 VLANs (port 2 is a hybrid port) - untagged VLAN 20 and tagged 10 and 30. When I connect a device to port 2 I correctly obtain an IPv4 address, but ND advertises all three IPv6 ranges. Why?

[dzanar@Router] > /export
# aug/28/2022 21:06:56 by RouterOS 7.4.1
# software id = KXSX-EMZV
#
# model = RB2011UiAS
# serial number = 
/interface bridge
# One bridge carries every VLAN. No vlan-filtering is set on it, so VLAN
# separation depends entirely on the switch-chip VLAN table
# (/interface ethernet switch vlan) later in this export.
add comment=bridge-VLAN name=bridge1 protocol-mode=none
/interface ethernet
# ether1 is the physical uplink to the ONT; the Internet session itself is the
# PPPoE client defined below, which is what the WAN interface list contains.
set [ find default-name=ether1 ] comment=WAN rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether4 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether5 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether6 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether7 ] tx-flow-control=auto
set [ find default-name=ether8 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether9 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether10 ] poe-out=off rx-flow-control=auto tx-flow-control=auto
set [ find default-name=sfp1 ] disabled=yes rx-flow-control=auto tx-flow-control=auto
/interface 6to4
# Protocol-41 tunnel to Hurricane Electric; both endpoint addresses are
# redacted in this paste. mtu=1280 matches the MTU advertised by the
# /ipv6 nd entries on the VLAN interfaces.
add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive local-address=xxxxxx mtu=1280 name=sit1 remote-address=xxxxxxx
/interface vlan
# VLAN interfaces hang off bridge1 (CPU-side tagging), not off a physical port.
add comment="MGMT VLAN" interface=bridge1 name=vlan10 vlan-id=10
add comment="LAN VLAN" interface=bridge1 name=vlan20 vlan-id=20
add comment="IOT VLAN" interface=bridge1 name=vlan30 vlan-id=30
/interface pppoe-client
# Username redacted; this session is the only member of the WAN list.
add add-default-route=yes comment=Internet disabled=no interface=ether1 name=pppoe-out1 user=xxxxxxxxx
/interface ethernet switch port
# Entries here are addressed by their numeric index in the switch port table,
# not by ether name. NOTE(review): the poster talks about "port 2"; confirm
# which interface index 2 resolves to with `/interface ethernet switch port print`
# before reasoning about the VLAN table. default-vlan-id=20 assigns untagged
# ingress on this port to VLAN 20; secure mode checks frames against the switch
# VLAN table (per the RouterOS switch-chip documentation).
set 2 default-vlan-id=20 vlan-mode=secure
# Index 11 is put in secure mode, but no /interface ethernet switch vlan entry
# exists for switch2 anywhere in this export (the reply below identifies index 11
# as the second chip's CPU port).
set 11 vlan-mode=secure
/interface list
# The LAN list is the trust boundary used by the input-chain drop rules of both
# the IPv4 and the IPv6 firewall further down.
add comment="LAN interfaces list" name=LAN
add comment="WAN interfaces list" name=WAN
add comment="Mangament ONT" name="MGMT ONT"
add comment="WAN IPv6 interfaces list" name="WAN IPv6"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
# Default proposal disabled; no IPsec peers are defined in this export.
set [ find default=yes ] disabled=yes
/ip pool
add name=MGMT ranges=192.168.10.2-192.168.10.254
add name=LAN ranges=192.168.20.2-192.168.20.99
add name=IOT ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
# One DHCP server per VLAN interface; add-arp=yes ties ARP entries to leases.
add add-arp=yes address-pool=MGMT bootp-support=none comment="MGMT VLAN DHCP Server" interface=vlan10 lease-time=1d name=MGMT
add add-arp=yes address-pool=LAN bootp-support=none comment="LAN VLAN DHCP Server" interface=vlan20 lease-time=1d name=LAN
add add-arp=yes address-pool=IOT bootp-support=none comment="IOT VLAN DHCP Server" interface=vlan30 lease-time=1d name=IOT
/ipv6 pool
# Nothing in this export references this pool (no from-pool= anywhere), so it
# currently has no effect; the VLAN prefixes are configured statically below.
add name=LAN prefix=2001:470:6071:2::/64 prefix-length=64
/port
set 0 name=serial0
/snmp community
# Default community disabled and no other community defined: SNMP exposes nothing.
set [ find default=yes ] disabled=yes
/interface bridge port
# ether2-ether10 are plain bridge ports (no pvid or frame-types settings);
# VLAN handling is left to the switch chip.
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
/ip neighbor discovery-settings
# NOTE(review): neighbor discovery (MNDP/LLDP) runs on every interface, including
# pppoe-out1 and sit1, so the router announces its identity and addresses toward
# the provider and the tunnel peer. `set discover-interface-list=LAN` keeps the
# announcements on the local side only.
set discover-interface-list=all
/interface ethernet switch vlan
# Every VLAN has the same member set (ether2-ether5 plus switch1-cpu) on switch1,
# so each of those ports carries all three VLANs; that is consistent with the
# poster seeing RAs for all three prefixes on the hybrid port. There are no
# entries for switch2 or switch2-cpu although port index 11 is set to secure mode.
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=20
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=30
/interface list member
add comment="LAN bridge" interface=bridge1 list=LAN
add comment="Mangament ONT" interface=ether1 list="MGMT ONT"
# The comment= on the next entry says "IOT VLAN" although vlan10 is the MGMT VLAN;
# cosmetic, but misleading when auditing the rules that key on the LAN list.
add comment="IOT VLAN" interface=vlan10 list=LAN
add comment="LAN VLAN" interface=vlan20 list=LAN
add comment="IOT VLAN" interface=vlan30 list=LAN
# ether1 itself is in "MGMT ONT", not WAN; WAN holds only the PPPoE session and
# "WAN IPv6" only the tunnel.
add comment=Internet interface=pppoe-out1 list=WAN
add interface=sit1 list="WAN IPv6"
/ip address
add address=192.168.10.1/24 comment="MGMT VLAN" interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 comment="LAN VLAN" interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 comment="IOT VLAN" interface=vlan30 network=192.168.30.0
/ip dhcp-client
# Address from the ONT's management side on raw ether1, deliberately without a
# default route and without taking the ONT's DNS/NTP.
add add-default-route=no comment="MGMT ONT" interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
# Each VLAN gets the router's own VLAN address as gateway and DNS server.
add address=192.168.10.0/24 comment="MGMT VLAN DHCP Network" dns-server=192.168.10.1 domain=mgmt gateway=192.168.10.1 netmask=24
add address=192.168.20.0/24 comment="LAN VLAN DHCP Network" dns-server=192.168.20.1 domain=lan gateway=192.168.20.1 netmask=24
add address=192.168.30.0/24 comment="IOT VLAN DHCP Network" dns-server=192.168.30.1 domain=iot gateway=192.168.30.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for anything that reaches
# its input chain; what keeps it off the Internet is the "drop all not coming
# from LAN" input rule present in both the IPv4 and the IPv6 filter below.
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
# Bogon / special-purpose lists, used by the raw and forward rules below.
add address=0.0.0.0/8 comment="RFC6890 documentation" list=no_forward_ipv4
add address=169.254.0.0/16 comment="RFC6890 documentation" list=no_forward_ipv4
add address=224.0.0.0/4 comment=multicast list=no_forward_ipv4
add address=255.255.255.255 comment="RFC6890 documentation" list=no_forward_ipv4
add address=127.0.0.0/8 comment="RFC6890 documentation" list=bad_ipv4
add address=192.0.0.0/24 comment="RFC6890 documentation" list=bad_ipv4
add address=192.0.2.0/24 comment="RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="RFC6890 documentation reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="RFC6890 documentation" list=not_global_ipv4
add address=10.0.0.0/8 comment="RFC6890 documentation" list=not_global_ipv4
add address=100.64.0.0/10 comment="RFC6890 documentation" list=not_global_ipv4
add address=169.254.0.0/16 comment="RFC6890 documentation" list=not_global_ipv4
add address=172.16.0.0/12 comment="RFC6890 documentation" list=not_global_ipv4
add address=192.0.0.0/29 comment="RFC6890 documentation" list=not_global_ipv4
add address=192.168.0.0/16 comment="RFC6890 documentation" list=not_global_ipv4
add address=198.18.0.0/15 comment="RFC6890 documentation benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="RFC6890 documentation" list=not_global_ipv4
add address=224.0.0.0/4 comment=multicast list=bad_src_ipv4
add address=255.255.255.255 comment="RFC6890 documentation" list=bad_src_ipv4
add address=0.0.0.0/8 comment="RFC6890 documentation" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="RFC6890 documentation" list=bad_dst_ipv4
# NOTE(review): the "LAN" address list holds 192.168.18.0/24 (the ONT management
# network used by the src-nat rule below) but NOT 192.168.10.0/24, which is the
# subnet actually configured on vlan10 (MGMT VLAN). As far as this export shows,
# the raw rule "drop local if not from default IP range" therefore drops IPv4
# from MGMT VLAN hosts at prerouting (only the DHCP-discover exception above it
# survives). Likely intended fix: add `address=192.168.10.0/24 list=LAN`.
add address=192.168.18.0/24 comment="LAN Address List MGMT VLAN" list=LAN
add address=192.168.20.0/24 comment="LAN Address List LAN VLAN" list=LAN
add address=192.168.30.0/24 comment="LAN Address List IOT VLAN" list=LAN
/ip firewall filter
# Input chain: ICMP (already rate-limited in the raw icmp4 chain), the tunnel
# endpoint, and established traffic are accepted; everything else not from the
# LAN list is dropped.
add action=accept chain=input comment="accept ICMP after RAW" protocol=icmp
# NOTE(review): this accepts every protocol and port from the HE endpoint, not
# just the tunnel payload. Adding `protocol=ipv6-encap` limits the exception to
# the 6in4 traffic the tunnel actually needs.
add action=accept chain=input comment="Hurricane Electric IPv6 Tunnel Broker" src-address=216.66.80.162
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=output comment="Hurricane Electric IPv6 Tunnel Broker" protocol=ipv6-encap
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# No dstnat rules exist in this export, so this drops every new inbound
# connection from the WAN list.
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="drop bad forward IPs" dst-address-list=no_forward_ipv4
/ip firewall nat
add action=accept chain=srcnat comment="accept all that matches IPSec policy" ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment=masquerade out-interface-list=WAN
# Rewrites the source of traffic to the ONT's management address so it leaves
# raw ether1 from the address obtained by the dhcp-client above.
add action=src-nat chain=srcnat dst-address=192.168.18.1 out-interface=ether1 to-addresses=192.168.18.2
/ip firewall raw
add action=accept chain=prerouting comment="enable for transparent firewall" disabled=yes
# DHCP discover must be accepted before the source-address checks because its
# source is 0.0.0.0.
add action=accept chain=prerouting comment="accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="drop bogon IP's" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="drop bogon IP's" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="drop forward to local lan from WAN" dst-address-list=LAN in-interface-list=WAN
# Anti-spoofing on the LAN side: depends on the LAN address list above listing
# every LAN subnet (see the note there about 192.168.10.0/24).
add action=drop chain=prerouting comment="drop local if not from default IP range" in-interface-list=LAN src-address-list=!LAN
add action=drop chain=prerouting comment="drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="jump to TCP chain" jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment="Access MGMT to ONT" dst-address=192.168.18.0/24
add action=accept chain=prerouting comment="accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="drop the rest"
# Invalid TCP flag combinations; the chain returns to prerouting when nothing matches.
add action=drop chain=bad_tcp comment="TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="TCP port 0 drop" port=0 protocol=tcp
# ICMP allow-list; echo and echo reply are rate limited, other types dropped.
add action=accept chain=icmp4 comment="echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment=echo icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="time exceeded " icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="drop other icmp" protocol=icmp
/ip firewall service-port
# All NAT helpers (ALGs) disabled.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip hotspot service-port
set ftp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ipv6 route
# Global IPv6 default (2000::/3) through the HE tunnel's far end.
add comment="Hurricane Electric IPv6 Tunnel Broker" disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:70:11b::1 routing-table=main scope=30 target-scope=10
/ip service
# Only services that were changed appear in an export. Whatever is still enabled
# (presumably winbox at its default) is reachable from any source that passes the
# input chain, i.e. the LAN list; it can additionally be bound to the MGMT subnet
# with the service's `address=` parameter.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no
/ip upnp
set show-dummy-rule=no
/ipv6 address
# Tunnel endpoint address; advertise=no is explicit here, while the three VLAN
# addresses below carry no advertise= and so use the default — which, given the
# poster's report, presumably is to include the /64 in RAs on that interface.
add address=2001:470:70:11b::2 advertise=no comment="Hurricane Electric IPv6 Tunnel Broker" interface=sit1
add address=2001:470:6071:1::1 comment="Hurricane Electric IPv6 VLAN MGMT" interface=vlan10
add address=2001:470:6071:2::1 comment="Hurricane Electric IPv6 VLAN LAN" interface=vlan20
add address=2001:470:6071:3::1 comment="Hurricane Electric IPv6 VLAN IOT" interface=vlan30
/ipv6 firewall address-list
add address=fe80::/10 comment="RFC6890 documentation Linked-Scoped Unicast" list=no_forward_ipv6
add address=ff00::/8 comment=multicast list=no_forward_ipv6
add address=::1/128 comment="RFC6890 documentation lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="RFC6890 documentation IPv4 mapped" list=bad_ipv6
add address=2001::/23 comment="RFC6890 documentation" list=bad_ipv6
add address=2001:db8::/32 comment="RFC6890 documentation" list=bad_ipv6
add address=2001:10::/28 comment="RFC6890 documentation orchid" list=bad_ipv6
add address=::/96 comment="ipv4 compat" list=bad_ipv6
add address=100::/64 comment="RFC6890 documentation Discard-only" list=not_global_ipv6
add address=2001::/32 comment="RFC6890 documentation TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="RFC6890 documentation Benchmark" list=not_global_ipv6
add address=fc00::/7 comment="RFC6890 documentation Unique-Local" list=not_global_ipv6
add address=::/128 comment=unspecified list=bad_dst_ipv6
add address=::/128 comment=unspecified list=bad_src_ipv6
add address=ff00::/8 comment=multicast list=bad_src_ipv6
/ipv6 firewall filter
# ICMPv6 is accepted at input from any interface here, so the raw icmp6 chain
# below is the only place ND/RA messages are filtered.
add action=accept chain=input comment="accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="accept UDP traceroute" port=33434-33534 protocol=udp
# No dhcpv6-client is configured in this export (the tunnel prefixes are static),
# so this rule currently only widens the input surface.
add action=accept chain=input comment="accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="accept IPSec AH" protocol=ipsec-ah
add action=accept chain=input comment="accept IPSec ESP" protocol=ipsec-esp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop bad forward IPs" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="drop bad forward IPs" dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=forward comment="accept HIP" protocol=139
add action=accept chain=forward comment="accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="accept AH" protocol=ipsec-ah
add action=accept chain=forward comment="accept ESP" protocol=ipsec-esp
add action=accept chain=forward comment="accept all that matches IPSec policy" ipsec-policy=in,ipsec
# No inbound-from-WAN forwarding is allowed: the VLAN /64s are globally routable,
# so this rule is what stands in for NAT on the IPv6 side.
add action=drop chain=forward comment="drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
# DAD neighbor solicitations come from :: and must be accepted before the
# bad-source check.
add action=accept chain=prerouting comment="RFC4291 documentation, section 2.7.1" dst-address=ff02::1:ff00:0/104 icmp-options=135:0-255 protocol=icmpv6 src-address=::/128
add action=drop chain=prerouting comment="drop bogon IP's" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="drop bogon IP's" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="drop non global from WAN" in-interface-list="WAN IPv6" src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="jump to ICMPv6 chain" jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment="accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment="drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="accept everything else from WAN" in-interface-list="WAN IPv6"
add action=accept chain=prerouting comment="accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="drop the rest"
# NOTE(review): the comment says "drop" but action=accept. As written this accepts
# any ICMPv6 to a link-local destination whose hop-limit is not 255, from any
# interface, before the per-type rules below. ND messages are required to carry
# hop-limit 255, so `action=drop` is the reading that matches the comment —
# confirm the intent before changing it.
add action=accept chain=icmp6 comment="rfc4890 documentation drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="f: dst unreachable" icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="packet too big" icmp-options=2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="limit exceeded" icmp-options=3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="bad header" icmp-options=4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment="Mobile home agent address discovery" icmp-options=144:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="Mobile home agent address discovery" icmp-options=145:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="Mobile prefix solic" icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="Mobile prefix advert" icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="echo request limit 5,10" icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="echo reply limit 5,10" icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
# RS/RA/NS/NA and inverse ND are accepted only from the LAN list and only with
# hop-limit 255, so router advertisements arriving via the tunnel fall through
# to the final drop.
add action=accept chain=icmp6 comment="rfc4890 documentation router solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="rfc4890 documentation router advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="rfc4890 documentation neighbor solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="rfc4890 documentation neighbor advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="rfc4890 documentation inverse ND solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="rfc4890 documentation inverse ND advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=drop chain=icmp6 comment="drop other icmp" protocol=icmpv6
/ipv6 nd
# The catch-all ND entry is disabled; router advertisements are sent only on
# the three VLAN interfaces, each carrying the /64 configured on it. This is
# where the three prefixes originate; which physical port hears them is decided
# by the switch VLAN table, not by these entries.
set [ find default=yes ] advertise-dns=no disabled=yes mtu=1280
add interface=vlan10 mtu=1280
add interface=vlan20 mtu=1280
add interface=vlan30 mtu=1280
/lcd
set backlight-timeout=never default-screen=stat-slideshow
/lcd pin
# NOTE(review): the LCD PIN is stored and exported in clear, and this export was
# posted publicly, so treat the value as disclosed and change it. hide-pin-number
# presumably only masks it on the display, not in exports.
set hide-pin-number=yes pin-number=2910
/lcd interface
set sfp1 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
add interface=bridge1
add interface=vlan10
add interface=vlan20
add interface=vlan30
add interface=pppoe-out1
add interface=sit1
/ppp aaa
set accounting=no
/system clock
set time-zone-name=Europe/Warsaw
/system console
# Serial console disabled: no local login path over serial0.
set [ find ] disabled=yes
/system identity
set name=Router
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool bandwidth-server
# Bandwidth-test server off; it would otherwise be reachable from the LAN list.
set authenticate=no enabled=no
/tr069-client
set periodic-inform-enabled=no
[dzanar@Router] >

It was probably an issue with the hybrid port configuration. If I set port 2 as an access port, it now works fine. I deleted port 2 from VLAN tables 10 and 30. So why does it not work with a hybrid port? Can somebody explain this behavior to me?

It could be that it has something to do with the fact that your RB2011 has two switch chips and that these are of different types. You’re configuring VLANs via the switch chip configuration:

/interface ethernet switch port
set 2 default-vlan-id=20 vlan-mode=secure
# index 11 is set to secure mode, but no VLAN table entry below mentions switch2
set 11 vlan-mode=secure

/interface ethernet switch vlan
# all three entries are for switch1 and share the same member ports
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=20
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=30

Beware that each switch chip has its own CPU interface: interface #11 is on switch chip #2, but you also need to take care of the VLANs on interface #5 (the switch chip #1 CPU interface).
Similarly, you have to add the switch2-cpu interface as a member of the needed VLANs.