I have a CCR1036 with OS 6.47.10 in production which was configured with separate bridges for the WAN uplink and LAN side. For IPv4 it works now, but I have been asked to add support for IPv6, and I have issues with routing IPv6 between the LAN and WAN bridges.
From br_wan I can reach the ISP router via IPv6 LL
From br_wan I can reach the ISP router if I set the GUA address on br_wan (via GUA addresses)
From br_lan I can not reach br_wan via IPv6 LL, but I expect this as LL is link-local (bridge limited), and if the bridges are separated then it would not reach it.
From br_lan I can not reach br_wan via GUA if both bridges are configured with the GUA address
IPv6 is enabled (as LL is generated by Mikrotik)
IPv6 firewall is cleaned
IGMP Snooping / Proxy disabled
Ping from the server to the link-local address of the br_wan interface is as follows (it looks like multicast neighbour solicitations are not forwarded from br_lan to br_wan)
Link-local addresses, as the name suggests, are only valid within a layer 2 broadcast domain.
You say “From br_lan I can not reach br_wan via GUA if both bridges are configured with the GUA address” - you should assign different GUA addresses to each, otherwise routing will not work. Typically you would be assigned or use an autoconfigured (SLAAC) or DHCP address (/64) on the WAN and use routed static or DHCP delegated prefix addresses for any other interfaces.
/ipv6/address> /ping 2a02:XXXX:A::2 interface=br_lan
SEQ HOST SIZE TTL TIME STATUS
0 no route to host
1 no route to host
2 no route to host
3 no route to host
sent=4 received=0 packet-loss=100%
ICMP via GUA from br_wan works to ISP but does not work from br_lan
The br_wan address should be /64, and the ISP router should be configured to route the /48 to this address.
The br_lan address should again be /64 and also a different subnet.
/ping 2a02:a3XX:8:1::1 interface=br_lan
SEQ HOST SIZE TTL TIME STATUS
0 no route to host
1 no route to host
2 no route to host
Ping from br_lan to the ISP router does not work (as it can not reach br_wan, so it also can not reach the uplink to the ISP interface, which is a member of br_wan)
/ping 2a02:a3XX:8::1 interface=br_lan
SEQ HOST SIZE TTL TIME STATUS
0 no route to host
1 no route to host
2 no route to host
br_wan can reach the ISP router as the uplink to the ISP router is a member of this bridge and the default GW is set to the LL of the ISP router ( ::/0 fe80::36ed:1bff:fe4b:c444%br_wan)
You have configured br_wan to be in a different subnet; for the same subnet as the ISP router it would be 2a02:a3XX:8::2/64
If the ISP just presents 2a02:a3XX:8::/48 on their router interface you will not be able to make it work. Some vendors implement NDproxy, equivalent to proxy-arp in IPv4, but Mikrotik don’t.
A typical setup would be the ISP provides a /64 just for the WAN link and a /48 routed to your address on that link. Using part of the /48 is also possible, for example:
ISP router - IP 2a02:a3XX:8::1/64, route 2a02:a3XX:8::/48 via 2a02:a3XX:8::2
Your router - IP 2a02:a3XX:8::2/64, blackhole route 2a02:a3XX:8::/48 (this prevents routing loops), other /64s assigned to interfaces as required.
With the command quoted you told ROS to “ping said address, but use br_lan as egress interface” … which overrides the routing decision. And the IPv6 address of br_wan is not accessible via br_lan.
In short: you can not test routing between different IPv6 subnets by using the router alone.
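The two replies above (the recommended /64-on-each-bridge plus blackhole /48 layout, and the point that ping interface= restricts the route lookup) can be checked with a small longest-prefix-match walk-through. This is an added example, not code from the thread or from MikroTik; it models the routing table as a plain list, replaces the thread's 2a02:a3XX:8::/48 with the constructed documentation prefix 2001:db8:8::/48, and uses a constructed ISP link-local fe80::1. It also goes slightly beyond the thread by flagging the "both bridges in one /64" layout programmatically.

```python
"""Longest-prefix-match walk-through of the addressing plan discussed in the thread.

Constructed example: 2001:db8:8::/48 stands in for the thread's 2a02:a3XX:8::/48,
fe80::1 stands in for the ISP router's link-local address.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv6Network
    interface: Optional[str]       # egress interface; None for a blackhole
    gateway: Optional[str] = None  # next hop; None means directly connected
    blackhole: bool = False


def build_rib(wan_addr: str, lan_addr: str, delegated: str, isp_ll: str) -> List[Route]:
    """Routing table for the layout the replies recommend: a distinct /64 on
    br_wan and br_lan, a blackhole covering the routed /48 (so traffic to
    unused parts of it is not bounced back to the ISP), default via ISP LL."""
    wan = ipaddress.IPv6Interface(wan_addr)
    lan = ipaddress.IPv6Interface(lan_addr)
    return [
        Route(wan.network, "br_wan"),                                  # connected
        Route(lan.network, "br_lan"),                                  # connected
        Route(ipaddress.IPv6Network(delegated), None, blackhole=True),  # loop guard
        Route(ipaddress.IPv6Network("::/0"), "br_wan", gateway=isp_ll),  # default
    ]


def lookup(rib: List[Route], dst: str, interface: Optional[str] = None) -> str:
    """Longest-prefix match over the table.

    `interface` mimics `ping ... interface=br_lan`: only routes leaving through
    that interface are considered, so a destination reachable only via br_wan
    (or via the default route on br_wan) answers "no route to host".
    """
    target = ipaddress.IPv6Address(dst)
    candidates = [r for r in rib if target in r.prefix]
    if interface is not None:
        candidates = [r for r in candidates if r.interface == interface]
    if not candidates:
        return "no route to host"
    best = max(candidates, key=lambda r: r.prefix.prefixlen)
    if best.blackhole:
        return f"blackhole {best.prefix}"
    if best.gateway is None:
        return f"connected via {best.interface}"
    return f"via {best.gateway}%{best.interface}"


def plan_problems(wan_addr: str, lan_addr: str, delegated: str) -> List[str]:
    """Sanity checks mirrored from the replies: the two bridges must not share
    a subnet, interface prefixes should be /64, and the LAN /64 should sit
    inside the prefix the ISP routes to us."""
    wan = ipaddress.IPv6Interface(wan_addr)
    lan = ipaddress.IPv6Interface(lan_addr)
    routed = ipaddress.IPv6Network(delegated)
    problems = []
    if wan.network == lan.network:
        problems.append("br_wan and br_lan share one subnet; routing between them is impossible")
    elif wan.network.overlaps(lan.network):
        problems.append("br_wan and br_lan subnets overlap")
    if wan.network.prefixlen != 64 or lan.network.prefixlen != 64:
        problems.append("interface prefixes should be /64")
    if not lan.network.subnet_of(routed):
        problems.append(f"br_lan prefix is not inside the routed {routed}")
    return problems


if __name__ == "__main__":
    rib = build_rib("2001:db8:8::2/64", "2001:db8:8:1::1/64", "2001:db8:8::/48", "fe80::1")
    for dst, iface in [("2001:db8:8::1", None), ("2001:db8:8::1", "br_lan"),
                       ("2001:db8:8:1::5", None), ("2001:db8:8:2::1", None),
                       ("2001:db8:ffff::1", None)]:
        print(f"{dst:20} interface={iface!s:7} -> {lookup(rib, dst, iface)}")
    # The layout tried in the thread: both bridges inside the same /64.
    print(plan_problems("2001:db8:8::2/64", "2001:db8:8::3/64", "2001:db8:8::/48"))
```

The second lookup reproduces the "no route to host" seen in the thread: forcing br_lan as egress removes every route that could reach the br_wan address, so the result says nothing about whether forwarding between the two subnets works. The blackhole lookup shows why the /48 route is there: without it, a destination inside the /48 but outside any assigned /64 would match only the default route and be sent back to the ISP, which routes it back again.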
Another option is for ISP to provide /48 (or /56) via DHCPv6 prefix delegation and routing (etc.) via RAs. It can be a “statically assigned” prefix, just like “static IPv4 address” (usually bound to MAC address of CPE’s WAN interface which also determines IPv6 ULA).
I guess that ISP’s DHCPv6 server configures ISP’s router to route delegated prefix via DHCPv6 client’s ULA. So no need for GUA on CPE’s WAN interface (but if CPE does have GUA on WAN interface, it’s result of SLAAC).
If I configure 2a02:a3XX:8::2 for br_wan, it does not help. I have already tried this.
For example
br_wan - 2a02:a3XX:8::2/64
br_lan - 2a02:a3XX:8::3/64
Mikrotik, in my opinion, should be able to route between those GUA addresses as they are internally assigned and GUA must be routed, but it does not.
I can not ping br_wan using GUA from br_lan, and can not reach the ISP router (from br_lan)
I think it is a little bit about what the ISP expects, as they probably would like to reach them via LL
ISP Router LL is reachable from br_wan
Default route added (::/0) using LL to ISP
At this point, I believed that if I configured the default route on the Server to br_lan LL, Mikrotik would internally route it to default GW (GUA) but it does not.
From their point of view, we should reach them via LL and set the default route on them, that’s it. They just forwarded the /48 prefix to us. The golden solution would be to use ONLY LL, but as I see it is not possible to use while having multiple bridges (I did not configure them, someone else did for some reason)
But the default route is not working; I can still only reach the IPv6 GUA address on the 2a02:aXXX:8::/64 prefix (br_wan), but for some reason other GUA addresses which are not members of routing are not forwarded to the default
You should set the gateway IPv6 address to the address of the upstream (i.e. ISP’s) router, not the IPv6 address of your WAN interface. If you don’t know the GUA of the ISP’s router, then it may be possible to use its ULA in the route definition.
Again: how exactly are you pinging “from br_lan”? I pointed out in post #7 why it is generally flawed due to a misunderstanding of the meaning of the interface property. You did not ack that you’ve seen it so far … so you may still be doing the wrong thing.
The ISP should be routing the /48 to you via a /64 (can be part of the /48 or a completely separate subnet), not just attaching the entire /48 to the interface on their router.