IPV6 DHCP client does not add correct default route after reboot

It starts to work if I disable and enable back DHCP client.
Any ideas?

here is my ipv6 config (firewall rules/address lists are there but all default)
ether1 is my LAN and wlan1 is my WAN

/ipv6 address
add address=fd28:a78:c265:: interface=ether1
/ipv6 dhcp-client
add add-default-route=yes interface=wlan1 request=address

/ipv6 firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN

I noticed the difference between the routes:
after restart:
before-dhcp-toggle.jpg
after dhcp disable/enable:
after dhcp-toggle.jpg
any ideas why it does not come as on the last picture after router restart?

Could it be that your manual DHCPv6 client on ether1 conflicts with Router Advertisements on wlan1?

They appear to be the same route, for whichever reason the bottom one uses different notation. What is not working?

DHCPv6 doesn’t provide routing information to clients. Instead device gets the IPv6 address of gateway by listening for Router Advertisements (RAs) … which are sent out by routers every now and then (interval is configurable, default setting in ROS is interval between 3m20s and 10m). So right after reboot device doesn’t know IPv6 address (the link-local one) of gateway, it can take up to 10 minutes to learn the information.

According to my experience IPv6 connectivity indeed is flaky (at best) during that time.

BTW, setting interface name as gateway is kind of futile if interface is of point-to-multipoint type (e.g. ethernet, wifi, …). The way packet delivery in those networks works is that sender needs to use L2 address of receiver, in named technologies this means that sender sends packets to MAC address of receiver (e.g. gateway). And sender needs to discover that L2 (MAC) address. Usually that’s done because sender knows IP (or IPv6) address of receiver and then uses ARP mechanisms to discover MAC address. If IP address of receiver (e.g. gateway) is not known and interface technology requires using MAC address, then the whole lot depends on abuse of other mechanisms, such as proxy-ARP (where gateway replies to ARP requests with own MAC address regardless of the IP address).

Setting interface name as gateway when interface type is point-to-point (e.g. PPP, PPPoE, wireguard, etc.) is really enough because there’s only one receiver and sender doesn’t have to address it.

the default gateway that is automatically added by dhcp client is different - notice the gateway field in the first route on both screenshots
after reboot it is missing ipv6 address
and ipv6 connectivity is not working I can’t ping google.com from the router for example

@mkx, RouterOS does send Router Solicitation on boot as well as Neighbor Solicitation. There should be no delays unless the counterpart is sloppy.

@ahtoh Immediately after the reboot, before you toggle dhcp-client, what do ipv6/address and ipv6/neighbor say, can you ping the gateway over IPv6 (address from the last pic) from your router? Also print ipv6/settings.

I don’t know why Mikrotik have an add-default-route option in the DHCPv6 client, it is a hacky bodge which adds the DHCPv6 server as the default gateway. This works in some situations, but not all.

As @mkx stated, DHCPv6 has no mechanism to distribute a default gateway, the gateway and subnet prefix are obtained from Router Advertisements (RA). The Mikrotik default config is essentially not to accept RAs, you have to explicitly enable them with:
/ipv6 settings set accept-router-advertisements=yes

Note the latest security announcement https://blog.mikrotik.com/security/cve-2023-32154.html so ensure you upgrade to 7.9.1 (stable), 6.49.8 (stable), 6.48.7 (long-term) or 7.10beta8 (testing) first.

Note that the advertised route is not displayed in earlier versions of RouterOS, I believe fixed in 7.8 onwards.

If you do that make sure to configure the firewall to discard RAs from unwanted interfaces and/or nodes.

Ideally the accept RA setting should be per-interface rather than global.
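
The firewall restriction mentioned in the reply above, as an added example that is not part of the original posts: it accepts Router Advertisements (ICMPv6 type 134) only on the upstream interface and drops them everywhere else. It assumes wlan1 is the WAN interface, as in the OP's config; the comments and rule placement are assumptions, not the poster's configuration.

```routeros
# Added example (not from the thread). Assumes wlan1 is the upstream/WAN interface.
# Per RFC 4861 a valid RA comes from a link-local source with hop limit 255,
# so anything else claiming to be an RA is rejected by the second rule.
/ipv6 firewall filter
add chain=input action=accept protocol=icmpv6 icmp-options=134:0 \
    in-interface=wlan1 src-address=fe80::/10 hop-limit=equal:255 \
    comment="accept RA from upstream link only"
add chain=input action=drop protocol=icmpv6 icmp-options=134:0 \
    comment="drop RA from any other interface or source"
```

Both rules have to sit above any general accept-ICMPv6 rule in the input chain, otherwise the RA is accepted before the drop rule is evaluated.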

I am not sure that is entirely true.

In the terminal, the ipv6 after a default config reset looks like this:

/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192

I have never configured any of my firewalls for IPv6, and yet in winbox, both settings are set to “yes if forwarding disabled”. My read on this is that the default config disabled ipv6, however, the settings in winbox mean that if I enabled ipv6, I would have to set both of those options explicitly to no:

/ipv6 settings
set accept-redirects=no accept-router-advertisements=no max-neighbor-entries=8192

Perhaps this would be safer and more clearly understood:

/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes max-neighbor-entries=8192

No, yes-if-forwarding-disabled is effectively yes when /ipv6 settings forward=no

It isn’t relevant to the OP’s question, who is using IPv6

Edit: Corrected IPv6 forward settings syntax

these are my ipv6 settings, it’s default on my router, and I’m using latest version 7.9.1
Screenshot 2023-05-24 100440.png

In that case it would only apply when IPv6 forward is disabled

So what am I supposed to change to make ipv6 work?
this is so basic config so I’m surprised it’s not working.
I just want to automatically get ipv6 address from the upstream router and use NAT within a subnet behind mikrotik.
Similar to default IPv4 config in many routers that just works out of the box

Change Accept Router Advertisements to yes

should I remove add-default-route=yes from the dhcp client?
It sounded that it’s a hack that was not supposed to be there to begin with

Ok I enabled Accept Router Advertisements and disabled that option to add default gateway in the DHCP client.
But now I have another problem,
after reboot it says duplicate address detected:
If I disable and enable the address it works.

So it’s a similar situation for me as before, now instead of toggling the dhcp client I need to toggle the ipv6 address.
duplicate address.jpg

OK I figured this out - enabled EUI64 on the address and now it seems to work after reboot.

here is my final config that works. hopefully this will help someone else
generate your local ip6 address here: https://cd34.com/rfc4193/

/ipv6 settings
set accept-router-advertisements=yes
/ipv6 address
add address=fdXX:XXX:XXXX:XXX:XXX eui-64=yes interface=ether1
/ipv6 dhcp-client
add interface=wlan1 request=address
/ipv6 firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN

There should be no need for a ULA address (fdxx::) to be assigned to the interface.

Why are you using NAT? ISPs should provide a block of addresses with prefix delegation from which you assign addresses to your internal networks. Usually the only case where this isn’t possible is LTE/5G WAN connections where carriers still assume you are only connecting a mobile phone or tablet to the internet.

Because I’m behind two routers. The first one does receive the prefix.
Don’t know how to pass the prefix to the downstream router.