IPv6 basic setup help

I would like to ask you to revise my setting for IPv6 because this is new for me.
I have a very simple setup:
ISP <=PPPoE=> VDSL modem (bridge) <=PPPoE client=> Mikrotik RB951G-2HnD <==> LAN+WiFi

I got from my ISP this information for native IPv6:
LAN: 2a00:xxxx:yyyy:aaa::/64
WAN: 2a00:xxxx:yyyy:aa8::/64

  1. I started with DHCPv6 Client:
/ipv6 dhcp-client
add add-default-route=yes interface="PPPoE" pool-name=IPv6-pool use-peer-dns=no

And I got a pool with the correct prefix 2a00:xxxx:yyyy:aaa::/64

  2. I added DHCPv6 and an address from the pool to bridge-local:
/ipv6 dhcp-server
add address-pool=IPv6-pool disabled=no interface=bridge-local name=DHCPv6
/ipv6 address
add address=::/64 advertise=yes disabled=no eui-64=no from-pool=IPv6-pool interface=bridge-local
  3. Some firewall rules:
/ipv6 firewall filter
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add chain=forward comment="Accept established & related" connection-state=established,related
add chain=forward comment="Accept all from LAN" in-interface=bridge-local
add chain=forward comment="Accept ICMPv6" protocol=icmpv6
add action=drop chain=forward comment="Drop everything else"
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add chain=input comment="Accept established & related" connection-state=established,related
add chain=input comment="Accept all from LAN" in-interface=bridge-local
add chain=input comment="Accept ICMPv6" protocol=icmpv6
add chain=input comment="Accept DHCPv6" dst-address=fe80::/16 dst-port=546 protocol=udp src-address=fe80::/16 src-port=547
add action=drop chain=input comment="Drop everything else"

And it is working, all my devices get addresses and are connecting by IPv6 now.

But dynamic routes were created and one of them is unreachable (#3), why?
When I delete #3 it appears again after reboot - unreachable.

 #      DST-ADDRESS              GATEWAY                  DISTANCE
 0 ADS  ::/0                     PPPoE                           1
 1  DS  ::/0                     fe80::230:88ff:fe04:9...        1
 2 ADC  2a00:xxxx:yyyy:aaa::/64  bridge-local                    0
 3  DSU 2a00:xxxx:yyyy:aaa::/64                                  1

But what did I get WAN: 2a00:xxxx:yyyy:aa8::/64 for?

Unreachable route is added by DHCPv6 client to prevent packets destined to your prefix going back to ISP. It would be more clear if you received more than just /64. Let’s say you’d get /60, but only used two /64s. If you tried to reach the rest, packets would go back to ISP, but it would be wrong, because the whole prefix is yours. ISP would send them back to you and you’d have routers playing packet ping-pong until TTL expired.

I don’t know about the WAN IP.

Thank you.
But the #3 route is similar to the #2 route which gets connected. So why is there another dynamic route created?

2 ADC  2a00:xxxx:yyyy:aaa::/64  bridge-local                    0
3  DSU 2a00:xxxx:yyyy:aaa::/64                                  1

I still have no idea why they gave me a second (WAN) IPv6 /64 prefix, everything is working well with only the LAN /64 prefix…

I was trying to explain that in previous post, so the same thing in slightly different words:

The dynamic unreachable route is for the whole prefix you get from ISP (note that it has distance 1, i.e. lower priority than the route for the directly connected subnet with distance 0). If you got 2001:db8::/60, that would be your unreachable route. Such a prefix would allow you to use 16 subnets from 2001:db8:0:0::/64 to 2001:db8:0:f::/64. If you used only one, e.g. 2001:db8:0:0::/64, and tried to reach an address from some other, e.g. 2001:db8:0:f::/64, the unreachable route prevents packets from going back to ISP. And that’s a good thing, because ISP does not have 2001:db8:0:f::/64 (it’s routed to you). I know that your prefix is just /64, but this is to understand why the unreachable route exists at all.

In your case, the unreachable route is mostly unnecessary (under normal circumstances), but the router simply applies the same rules, no matter what the prefix size is. It could still possibly serve some purpose, e.g. if you set up DHCPv6 client and receive a prefix, but do not assign it to LAN. Your hosts in LAN could already have some other addresses, e.g. 6to4. And if they tried to reach your new prefix, packets would again go back to ISP and it would be wrong. The unreachable route prevents that.

Better? :slight_smile:
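The routing logic Sob describes in the two posts above, as an added example (not from the thread and not RouterOS code): a longest-prefix lookup with distance as the tie-break, plus a trace that bounces a packet between the customer router and the ISP. The 2001:db8::/60 delegation, the ISP-side table and the OP-style /64 table are constructed assumptions for illustration.

```python
import ipaddress

# Constructed tables (not from the thread). Sob's hypothetical /60 delegation:
# only the first /64 is assigned to bridge-local, the DHCPv6 client adds an
# unreachable route for the whole /60, and everything else goes to the ISP.
CUSTOMER_ROUTES = [
    # (prefix, next hop or interface, distance, unreachable?)
    ("::/0", "PPPoE", 1, False),                  # default route via PPPoE
    ("2001:db8::/64", "bridge-local", 0, False),  # connected LAN subnet
    ("2001:db8::/60", None, 1, True),             # DHCPv6 client's unreachable route
]
# ISP side (constructed): the whole /60 is routed back to the customer session.
ISP_ROUTES = [("2001:db8::/60", "customer", 0, False), ("::/0", "upstream", 1, False)]
# The OP's situation: delegated prefix equals the LAN /64, so routes #2 and #3
# have the same length and the connected route wins on distance 0 vs 1.
OP_ROUTES = [
    ("::/0", "PPPoE", 1, False),
    ("2001:db8:0:a::/64", "bridge-local", 0, False),
    ("2001:db8:0:a::/64", None, 1, True),
]

def lookup(dst, routes):
    """Longest-prefix match; on equal prefix length the lower distance wins."""
    addr = ipaddress.IPv6Address(dst)
    best = None
    for prefix, nexthop, distance, unreachable in routes:
        net = ipaddress.IPv6Network(prefix)
        if addr in net:
            key = (net.prefixlen, -distance)
            if best is None or key > best[0]:
                best = (key, nexthop, unreachable)
    if best is None:
        return "no route"
    return "unreachable" if best[2] else best[1]

def trace(dst, customer_routes, hop_limit=64):
    """Forward a packet between the two routers until it is delivered, dropped,
    or the hop limit expires. Returns (outcome, hops used)."""
    tables = {"customer": customer_routes, "ISP": ISP_ROUTES}
    here, hops = "customer", 0
    while hops < hop_limit:
        nexthop = lookup(dst, tables[here])
        hops += 1
        if nexthop in ("unreachable", "no route"):
            return ("dropped", hops)
        if nexthop == "PPPoE":
            here = "ISP"            # customer router hands it to the ISP
        elif nexthop == "customer":
            here = "customer"       # ISP hands it straight back
        else:
            return ("delivered via " + nexthop, hops)
    return ("hop limit exceeded", hops)

def without_unreachable(routes):
    """The same table with the DHCPv6 client's unreachable route deleted."""
    return [r for r in routes if not r[3]]
```

Deleting the unreachable route turns a packet for an unused /64 of the delegation into the ping-pong Sob describes, which only ends when the hop limit runs out.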

Hi Sob, now I got it, thank you for the explanation.
I was confused by the same /64 prefix and the unreachable route seemed unnecessary to me.
So I will ignore it and leave it there :slight_smile: