IPv6 Configuration under Router OS 7

supermancampus · November 6, 2023, 3:34am

Hello Everyone I just purchased a RB5009UPr+S+in (love it) and I’m trying to get my IPv6 configuration working but I’m not 100% I’m doing things correctly.

I received a /56 prefix from my ISP by going to IPv6 ==> DHCPv6 client ==> and selecting prefix, creating a pool named pool2, prefix length of 56 and a prefix-hint of ::/56. I also selected Use Peer DNS, Rapid commit and Add default route. My WAN interface is sfp sfpplus1

All of my interfaces on the LAN side are a part of group named LOCAL. I would like to take a /64 from that /56 and just assign it to the bridge interface. Are there any steps that might walk me through how to do this? Thank you.

mkx · November 6, 2023, 6:53am

When configuring DHCPv6 client, you should set (or rather: leave at default) pool-prefix-length=64. Because that’s the prefix size created by the pool when one configures IPv6 address with from-pool=ZZZ property.

supermancampus · November 6, 2023, 1:32pm

Thank you for the information. I changed it so that now my settings are:

IPv6
DHCPv6 Client
Interface: sfp-sfpplus1
Request: prefix
Pool Name: pool2
Pool Prefix Length: 64
Prefix Hint: ::/56
Use Peer DNS: checked
Rapid Commit: checked
Add Default Route: checked

I was successfully able to pull a prefix of 2700:8801:3c20:4200::/56 I also configured the Address:

IPv6
IPv6 Address List
Address: 2700:8801:3c20:4200::1/64
From Pool: pool2
Interface: LOCAL
Advertise: checked

I then configured the DHCP Pool

IPv6
IPv6 Pool
Name: pool2
Prefix: 2700:8801:3c20:4200::/64
Prefix Length: 64

And a DHCP Server

DHCPv6 Server
Name: server1
Interface: LOCAL
Address Pool6: pool2
DHCP Options
Allow Dual Stack Queue: checked
Rapid Commit: checked
Can you please tell me if I’m missing anything?

mkx · November 6, 2023, 2:32pm

I don’t know how exactly you configured those IPv6 addresses … but in principle it should be done like this:

/ipv6/address
add address=::aa:bbcc:ddee from-pool=pool2 interface=exampleInterface

The above will pull a yet-unused /64 prefix from named pool and add the postfix part set by address property in the command shown above - the postfix should therefore start with double colon and should be up to /64 long. The same interface will, in principle, retain same IPv6 address (including prefix) across reboots even though it’s “randomly” taken from the pool when first set.

supermancampus · November 6, 2023, 3:10pm

I don’t know how exactly you configured those IPv6 addresses … but in principle it should be done like this:
/ipv6/address
add address=::aa:bbcc:ddee from-pool=pool2 interface=exampleInterface
The above will pull a yet-unused /64 prefix from named pool and add the postfix part set by address property in the command shown above - the postfix should therefore start with double colon and should be up to /64 long. The same interface will, in principle, retain same IPv6 address (including prefix) across reboots even though it’s “randomly” taken from the pool when first set.

I configured it in this way:

Should the interface actually be the interface of the WAN where the prefix came from and not the LOCAL bridge interface where my clients are? Also should I change the IP address from the whole prefix to ::64?

mkx · November 6, 2023, 3:35pm

You should set address to your LAN interface.

By setting whole address, you are

not actually using pool functionality (which takes care that all prefixes actually fall into pool prefix space)
risking invalid configuration in case that assigned prefix changes … using pool changes in prefix are handled automatically (prefix change potentially causes issues with firewall)

So yes, you should set address in format I showed in my previous post (i.e. without prefix part).

supermancampus · November 6, 2023, 3:53pm

Thank you so much for your knowledge and helping me. I have made the change and I see the clients on my network are getting addresses. They are also able to ping the gateway interface of the bridge interface.

I requested a default route when I did my prefix delegation and this is showing in the routing table. When I try to ping an IPv6 address from the terminal of the Mikrotik, it’s telling me that it can’t reach the IPv6 address of the bridge interface. Shouldn’t this be trying to reach the WAN interface which is my sfp-sfpplus1? When I look at that interface in the IPv6 address list section, the sfp-sfpplus1 interface is listed but it only has an fe80 address.

mkx · November 6, 2023, 4:10pm

IPv6 routing is different than IPv4 … in particular, DHCPv6 doesn’t provide gateway information. Instead, Routing Anouncements are sent out by routers. By default, ROS is configured to ignore those … which might be safe but it’s wrong. You should enable it:

/ipv6/settings/set accept-router-advertisements=yes

And that DHCPv6 client “add-default-route” property is a hack, it sets DHCPv6 server’s address as default gateway … which might work but mostly it doesn’t because it’s plain wrong (so you should disable it). ISP might implement some other workarounds to aide misconfigured client routers to still work somehow even with such wrongly configured gateways.

It is normal to see link-local IPv6 addresses (fe80: used as gateways. If you’ll peek into RA messages (using e.g. wireshark), you’ll see proper prefix (according to router interface global IPv6 address and prefix length) and router’s link-local address as gateway address. And clients will happily use it (windows, linux, android, … all of them).

Note: it’s not wrong to use router’s global address for routing purposes, that works as well. But in case of changing prefixes, that would be another reason for network hiccups (link local addresses don’t change in this case).

supermancampus · November 6, 2023, 5:46pm

IPv6 routing is different than IPv4 … in particular, DHCPv6 doesn’t provide gateway information. Instead, Routing Anouncements are sent out by routers. By default, ROS is configured to ignore those … which might be safe but it’s wrong. You should enable it:
/ipv6/settings/set accept-router-advertisements=yes
And that DHCPv6 client “add-default-route” property is a hack, it sets DHCPv6 server’s address as default gateway … which might work but mostly it doesn’t because it’s plain wrong (so you should disable it). ISP might implement some other workarounds to aide misconfigured client routers to still work somehow even with such wrongly configured gateways.

It is normal to see link-local IPv6 addresses (fe80: used as gateways. If you’ll peek into RA messages (using e.g. wireshark), you’ll see proper prefix (according to router interface global IPv6 address and prefix length) and router’s link-local address as gateway address. And clients will happily use it (windows, linux, android, … all of them).

Note: it’s not wrong to use router’s global address for routing purposes, that works as well. But in case of changing prefixes, that would be another reason for network hiccups (link local addresses don’t change in this case).

Thank you so much for all the assistance you’ve provided and the knowledge. I will make the changes you suggested and report back.

supermancampus · November 6, 2023, 6:19pm

IPv6 routing is different than IPv4 … in particular, DHCPv6 doesn’t provide gateway information. Instead, Routing Anouncements are sent out by routers. By default, ROS is configured to ignore those … which might be safe but it’s wrong. You should enable it:
/ipv6/settings/set accept-router-advertisements=yes
And that DHCPv6 client “add-default-route” property is a hack, it sets DHCPv6 server’s address as default gateway … which might work but mostly it doesn’t because it’s plain wrong (so you should disable it). ISP might implement some other workarounds to aide misconfigured client routers to still work somehow even with such wrongly configured gateways.

It is normal to see link-local IPv6 addresses (fe80: used as gateways. If you’ll peek into RA messages (using e.g. wireshark), you’ll see proper prefix (according to router interface global IPv6 address and prefix length) and router’s link-local address as gateway address. And clients will happily use it (windows, linux, android, … all of them).

Note: it’s not wrong to use router’s global address for routing purposes, that works as well. But in case of changing prefixes, that would be another reason for network hiccups (link local addresses don’t change in this case).

I made the changes you suggested sir and removed the default route. Traffic is no longer bouncing back and forth between bridge interface, it’s now simply saying no route to host when I try to ping from the Miktrotik:

2023-11-06 17:55:12 system,critical,info cloud change time Nov/06/2023 17:54:40
=> Nov/06/2023 17:55:12
[admin@MikroTik] > ping 2001:4860:4860::8888
SEQ HOST SIZE TTL TIME STATUS
0 no route to host
1 no route to host
2 no route to host
3 no route to host
4 no route to host
5 no route to host
6 no route to host
7 no route to host
8 no route to host
9 no route to host
10 no route to host
11 no route to host
12 no route to host
sent=13 received=0 packet-loss=100%

Is there anything you would suggest I check at this point?

mkx · November 6, 2023, 7:47pm

You can check actual state of IPv6 routing table by executing

/ipv6/route/print

But it comes with a gotcha: you have to run fairly recent ROSv7 … 7.11.2 is fine but I don’t remember when print command of routes started to display dynamic routes.

You can also run

/tool/traceroute 2001:4860:4860::8888

to see if packets manage to get anywhere or not.

[edit] And there’s a (fun) fact about RAs: they are sent out periodically by routers with periodicity of a few minutes. A host that newly joins network can ask for a RA but routers are not required to respond. So it can take some time for default route to be configured …

supermancampus · November 6, 2023, 8:04pm

You can check actual state of IPv6 routing table by executing
/ipv6/route/print
But it comes with a gotcha: you have to run fairly recent ROSv7 … 7.11.2 is fine but I don’t remember when print command of routes started to display dynamic routes.

You can also run
/tool/traceroute 2001:4860:4860::8888
to see if packets manage to get anywhere or not.

[edit] And there’s a (fun) fact about RAs: they are sent out periodically by routers with periodicity of a few minutes. A host that newly joins network can ask for a RA but routers are not required to respond. So it can take some time for default route to be configured …

Thank you, I updated to 7.11.2. Below is what shows in my ipv6 print, do you see anything that looks off?

[admin@MikroTik] > /ipv6/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd 2700:8801:3c20:4200::/56 1
DAc 2700:8801:3c20:4200::/64 LOCAL 0
DAc fe80::%ether2/64 ether2 0
DAc fe80::%sfp-sfpplus1/64 sfp-sfpplus1 0
DAc fe80::%LOCAL/64 LOCAL 0
DAc fe80::%bridge1/64 bridge1 0
[admin@MikroTik] >

mkx · November 6, 2023, 8:12pm

Dynamic gateway is missing. On my router I get such entry:

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, g - SLAAC; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
     DST-ADDRESS             GATEWAY                            DISTANCE
DAg  ::/0                    fe80::2cc8:1bff:fe77:dee6%vlan-99         1

Note the ‘g’ flag (gateway).

mkx · November 6, 2023, 8:15pm

A question: what kind of technology (from your router’s point of view) does your ISP use? Is it plain ethernet? Or is it PPPoE? In the later case default route is configured differently.

supermancampus · November 6, 2023, 10:36pm

It’s just plain ethernet, no PPoE. In the last information I shared, I just deselected the add default route option.

supermancampus · November 7, 2023, 3:42am

Dynamic gateway is missing. On my router I get such entry:

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, g - SLAAC; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
     DST-ADDRESS             GATEWAY                            DISTANCE
DAg  ::/0                    fe80::2cc8:1bff:fe77:dee6%vlan-99         1

Note the ‘g’ flag (gateway).

I see, I am not getting that flag at all. Currently under IPv6 settings I have
Disable IPv6 - unchecked
IPv6 Forward - checked
Accept redirects - yes if forwarding disabled
Accept router advertisements - yes

Are those correct? Trying to figure out why it’s not getting them. I could also change everything to a /64 prefix? I received a /64 prefix but then changed it to a /56 when I found out they accepted it.

mkx · November 7, 2023, 5:55am

Your IPv6 settings are the same as I have when ISP uses simple IPv6 over ethernet. So I guess these should be fine unless your ISP requires something special …

Regarding prefix: DHCPv6 has two properties: pool-prefix-length which should be left set to 64 unless you know (much) better .. and prefix-hint which is a hint for DHCPv6 server as to what kind of prefix you want to receive but DHCPv6 server is free to do do about it whatever it chooses, so you can set it to e.g. “::/56” (without quotes) or even to “2700:8801:__3c20:4200::/56” (but that doesn’t guarantee that prefix doesn’t change).

Did you try with traceroute command I posted previously?

supermancampus · November 7, 2023, 6:05am

My apologies, I just did the traceroute and it looks like it’s getting nowhere

04:40:52 echo: system,critical,info cloud change time Nov/07/2023 04:40:20 => Nov/07/2023 04:40:52
[admin@MikroTik] > /tool/traceroute 2001:4860:4860::8888
Columns: LOSS, SENT, LAST

LOSS SENT LAST

1 100% 2 timeout
2 100% 2 timeout
3 100% 2 timeout
4 100% 2 timeout
5 100% 1 timeout

[admin@MikroTik] >

Kentzo · November 7, 2023, 6:27am

Try

/ipv6/nd/add advertise-dns=no interface=sfp-sfpplus1 ra-lifetime=none ra-preference=low reachable-time=5m

to see if it gets you a default route (::/0) in /ipv6/route/print

supermancampus · November 8, 2023, 9:56pm

Thank you sir, I will try this now.