Hello everybody! I have a question regarding IPv6 configuration:
Does anyone know a way to configure permanent IPv6 neighbor cache entries on a Mikrotik router?
The reason why I am asking this question is explained in detail afterwards:
We want to use IPv6 with our Mikrotik router (x86). Our ISP assigned us a /48 subnet (I will use 2001:db8::/48 here as an example). The ISP told me that our transfer net is 2001:db8::/64 and the address of the ISP's gateway is 2001:db8::dead. The external interface of our Mikrotik router is an ethernet interface and I assigned the static IPv6 address 2001:db8::babe/64. On RouterOS I set the default route to 2001:db8::dead. On the internal interface I use the static address 2001:db8:0:1::beef/64 and send router advertisements from this interface. Autoconfiguration of nodes connected to this interface is working fine.
Now I have the following problem: when I do a ping from the Mikrotik device to the ISP's router (2001:db8::dead) I get echo replies. If I do the same from a node connected to the internal interface of the Mikrotik router, I get ICMP type 1 code 3. With tcpdump I found out that the reason for that is IPv6 neighbor discovery, which takes place on the external interface. If I ping from the Mikrotik device, a neighbor solicitation packet with source address 2001:db8::babe is sent to the solicited-node multicast address. After that the Mikrotik device gets a router advertisement from the ISP's router and knows its link-layer address, and ping packets can be sent. If I ping from a node on the internal interface, the Mikrotik router also sends a neighbor solicitation packet, but this time with the link-local address of the external interface of the Mikrotik device as source address. This packet is not answered by the ISP's router and therefore no connection is being established. After three unsuccessful attempts Mikrotik sends an ICMP type 1 code 3 to the node.
I called my ISP and told him what I found out, and he said to me that his routers are configured not to answer neighbor solicitations originating from link-local addresses. He told me that they do not like to use link-local addresses in WAN networks. The above-described behaviour is the default behaviour of the Linux kernel. I verified this with a Debian Wheezy installation, which behaves exactly the same. BSD seems not to behave that way. I made a short test using pfSense (based on FreeBSD) and ping from internal nodes worked fine. I didn't verify this using tcpdump. According to RFC 4861, which says under '7.2.2. Sending Neighbor Solicitations':
‘If the source address of the packet prompting the solicitation is the same as one of the addresses assigned to the outgoing interface, that address SHOULD be placed in the IP Source Address of the outgoing solicitation. Otherwise, any one of the addresses assigned to the interface should be used.’
it is legal to use 'any one of the addresses assigned to the interface' as the packet's source address, which should also include the interface's link-local address. So I think the ISP's opinion is wrong. But if he does not change his opinion, I'm not able to use IPv6 with my Mikrotik device. On my Debian Wheezy system I was able to do:
ip -6 neigh add 2001:db8::dead lladdr 01:02:03:04:05:06 nud permanent
and the problem went away. If I am not wrong, I think that there is no way to do the same under RouterOS. Maybe the possibility of creating permanent IPv6 neighbor cache entries can be included in future releases of RouterOS, or maybe someone here knows another way to circumvent my problem.
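The following is an added example (not code from the original post, and not RouterOS or Linux kernel code) that models the two things the post discusses: the RFC 4861 section 7.2.2 source-address choice for a Neighbor Solicitation, and why a permanent neighbor cache entry sidesteps the problem. It reuses the addresses from the post (the 2001:db8::/48 documentation prefix); the router's link-local address fe80::1, its MAC 00:11:22:33:44:55 and the ISP gateway's MAC are assumed values. The "linux" policy reproduces the behaviour the post observed with tcpdump (link-local source for forwarded traffic); "prefer-global" is an alternative selection the RFC also permits. The packet builder emits the ICMPv6 NS bytes with a valid checksum, so the output can be compared field by field against a tcpdump capture.

```python
"""Added example: NS source selection (RFC 4861 7.2.2) and permanent neighbor entries."""
import ipaddress
import struct

IPv6 = ipaddress.IPv6Address
IPv6Net = ipaddress.IPv6Network
LINK_LOCAL = IPv6Net("fe80::/10")

# Router's external (WAN) interface, as in the post.  The link-local address
# and the MAC addresses are assumptions for this example.
WAN_ADDRS = [IPv6("2001:db8::babe"), IPv6("fe80::1")]
WAN_MAC = bytes.fromhex("001122334455")
ISP_GW = IPv6("2001:db8::dead")
ISP_GW_MAC = bytes.fromhex("010203040506")   # the lladdr from the post's ip command


def solicited_node_mcast(target: IPv6) -> IPv6:
    """ff02::1:ffXX:XXXX with the low 24 bits of the target (RFC 4291 2.7.1)."""
    return IPv6(int(IPv6("ff02::1:ff00:0")) | (int(target) & 0xFFFFFF))


def mcast_mac(group: IPv6) -> bytes:
    """Ethernet destination for an IPv6 multicast group: 33:33 + low 32 bits (RFC 2464)."""
    return b"\x33\x33" + group.packed[-4:]


def choose_ns_source(prompting_src: IPv6, iface_addrs, policy: str = "linux") -> IPv6:
    """RFC 4861 7.2.2: if the packet that prompted the solicitation was sent from
    one of the outgoing interface's own addresses, use that address; otherwise
    any address of the interface is allowed.  'linux' models the observed kernel
    behaviour (link-local for forwarded packets); 'prefer-global' is the other
    legal choice and is what the ISP in the post expects to see."""
    if prompting_src in iface_addrs:
        return prompting_src
    ll = [a for a in iface_addrs if a in LINK_LOCAL]
    gl = [a for a in iface_addrs if a not in LINK_LOCAL]
    if policy == "linux":
        return (ll or gl)[0]
    if policy == "prefer-global":
        return (gl or ll)[0]
    raise ValueError(f"unknown policy {policy!r}")


def icmpv6_checksum(src: IPv6, dst: IPv6, payload: bytes) -> int:
    """Internet checksum over the IPv6 pseudo-header (RFC 8200 8.1) + ICMPv6 message."""
    pseudo = src.packed + dst.packed + struct.pack("!IxxxB", len(payload), 58)
    data = pseudo + payload + (b"\x00" if len(payload) % 2 else b"")
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ns(src: IPv6, target: IPv6, src_mac: bytes) -> dict:
    """Neighbor Solicitation (ICMPv6 type 135) carrying a Source Link-Layer
    Address option (type 1, length 1 = 8 bytes), sent to the solicited-node group."""
    dst = solicited_node_mcast(target)
    body = struct.pack("!BBHI", 135, 0, 0, 0) + target.packed + b"\x01\x01" + src_mac
    csum = icmpv6_checksum(src, dst, body)
    body = body[:2] + struct.pack("!H", csum) + body[4:]
    return {"src": src, "dst": dst, "dst_mac": mcast_mac(dst), "icmpv6": body}


def resolve_next_hop(prompting_src: IPv6, policy: str = "linux", neigh_cache=None) -> dict:
    """Forwarding step towards ISP_GW.  A (permanent) neighbor cache entry, which
    is what 'ip -6 neigh add ... nud permanent' installs, avoids sending any NS.
    Otherwise an NS is built and we record whether an ISP that ignores link-local
    sources (as described in the post) would answer it."""
    neigh_cache = neigh_cache or {}
    if ISP_GW in neigh_cache:
        return {"ns_sent": False, "lladdr": neigh_cache[ISP_GW], "answered_by_isp": True}
    pkt = build_ns(choose_ns_source(prompting_src, WAN_ADDRS, policy), ISP_GW, WAN_MAC)
    pkt["ns_sent"] = True
    pkt["answered_by_isp"] = pkt["src"] not in LINK_LOCAL
    return pkt


if __name__ == "__main__":
    cases = [("router itself", IPv6("2001:db8::babe")), ("LAN host", IPv6("2001:db8:0:1::1234"))]
    for who, src in cases:
        for policy in ("linux", "prefer-global"):
            r = resolve_next_hop(src, policy)
            print(f"{who:14} {policy:14} NS src={r['src']} dst={r['dst']} answered={r['answered_by_isp']}")
    r = resolve_next_hop(IPv6("2001:db8:0:1::1234"), "linux", {ISP_GW: ISP_GW_MAC})
    print(f"with permanent entry: ns_sent={r['ns_sent']} lladdr={r['lladdr'].hex(':')}")
```

Running it prints one line per case; only the "LAN host" + "linux" combination yields an NS from fe80::1 that the ISP drops, which is exactly the tcpdump observation above, and the final line shows that a permanent cache entry removes the solicitation altogether.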