Hello
2116 7.18.2
I receive via BGP the default route. The v6 works correctly in all the network.
I have a POP where I began to have issues a while ago and I don't understand why…
The conf is identical to the other 50+ POPs we have.
The /36 is dedicated to the pop, announced but unreachable.
Then we deliver /48 to each of our customer’s routers (managed by us).
/ipv6 dhcp-server
add allow-dual-stack-queue=no interface=sfp-sfpplus4 lease-time=30m name=server1 prefix-pool=Pool-v6 rapid-commit=no
/ipv6 pool
add name=Pool-v6 prefix=2a05:9d42::/36 prefix-length=48
/ipv6 address
add address=2a05:9d40::6002:2/125 advertise=no comment="SW 01" interface=sfp-sfpplus1
add address=2a05:9d42:fff:ffff::1 comment="Nuovo IPv6 per ND" interface=sfp-sfpplus4
/ipv6 dhcp-server binding
add address=2a05:9d42::/48 comment="USER 01" duid=0x962a6ff6f210 iaid=1 life-time=1d prefix-pool=Pool-v6
/ipv6 firewall address-list
add address=2a05:9d42::/36 list=bgp-networks_v6 (I announce the /36 explicitly via BGP)
/ipv6 firewall filter
add action=accept chain=input protocol=icmpv6
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid log-prefix=invalid_ipv6
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes
add action=accept chain=forward connection-state=established,related disabled=yes
add action=drop chain=forward connection-state=invalid disabled=yes
I have disabled the rules because I prefer the L3-HW I have.
/ipv6 firewall raw
add action=drop chain=prerouting comment="Protection router IPv6" dst-address-type=local dst-port=22,53,80,8291,8728-8729 protocol=tcp
add action=drop chain=prerouting comment="Protection router IPv6" dst-address-type=local dst-port=53 protocol=tcp
add action=jump chain=prerouting comment=inbound dst-address-list=bgp-networks_v6 jump-target=inbound
add action=jump chain=prerouting comment=outbound jump-target=outbound src-address-list=bgp-networks_v6
add action=notrack chain=prerouting dst-address-type=!local
add action=drop chain=inbound comment="perimeter filter to users" dst-address-list=bgp-networks_v6 dst-port=22,23,53,80,111,443,1723,2000 protocol=tcp
add action=drop chain=inbound dst-address-list=bgp-networks_v6 dst-port=53,111,161-162,1900 protocol=udp
add action=accept chain=inbound disabled=yes dst-address-list=bgp-networks_v6
add action=drop chain=outbound comment="perimeter filter to users" dst-port=25,135,137-139,445,593 protocol=tcp src-address-list=bgp-networks_v6
add action=drop chain=outbound dst-port=135,137-139,445,593 protocol=udp src-address-list=bgp-networks_v6
add action=accept chain=outbound disabled=yes src-address-list=bgp-networks_v6
/ipv6 nd
set [ find default=yes ] advertise-dns=no interface=sfp-sfpplus4
/ipv6 route
add blackhole disabled=no distance=250 dst-address=2a05:9d42::/36 gateway="" routing-table=main scope=30 target-scope=10
The /64 used for the ND is the latest /64 in the /36.
A lot of customers’ routers appear as OFFERED, others work fine. Mixed vendors but managed by us with known conf and known firmware. In other POPs the net works fine; here it is not working fine.
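
An added example, not part of the original post: a Python check of the address plan in the export above, listing any prefix the pool could delegate that contains a network configured on the router itself. The export lines are copied from the post (comments dropped); treating the address without a prefix length as a /64 is an assumption based on the post's description of the ND /64, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed input: lines copied from the export in the post, comments dropped.
EXPORT = """\
/ipv6 pool
add name=Pool-v6 prefix=2a05:9d42::/36 prefix-length=48
/ipv6 address
add address=2a05:9d40::6002:2/125 advertise=no interface=sfp-sfpplus1
add address=2a05:9d42:fff:ffff::1 interface=sfp-sfpplus4
"""

def parse_export(text):
    """Return (pools, on_link_networks) from RouterOS-style export text."""
    pools, nets, section = [], [], None
    for line in text.splitlines():
        if line.startswith("/"):
            section = line.strip()
            continue
        kv = dict(re.findall(r"(\S+?)=(\S+)", line))
        if section == "/ipv6 pool":
            pools.append((ipaddress.ip_network(kv["prefix"]),
                          int(kv["prefix-length"])))
        elif section == "/ipv6 address":
            addr = kv["address"]
            if "/" not in addr:   # assumption: no length means the /64 the post describes
                addr += "/64"
            nets.append(ipaddress.ip_interface(addr).network)
    return pools, nets

def delegation_overlaps(text):
    """Pairs (delegable_prefix, on_link_network) where the pool's range
    includes a prefix that contains a network already on a router interface."""
    pools, nets = parse_export(text)
    return [(net.supernet(new_prefix=plen), net)
            for pool, plen in pools for net in nets
            if net.subnet_of(pool) and net.prefixlen >= plen]

def pool_capacity(text):
    """Number of prefixes each pool can delegate."""
    return [2 ** (plen - pool.prefixlen) for pool, plen in parse_export(text)[0]]

def last_subnet(pool, plen):
    """Last subnet of length plen inside pool, computed without enumeration."""
    shift = 128 - plen
    return ipaddress.ip_network((int(pool.broadcast_address) >> shift << shift, plen))

if __name__ == "__main__":
    print("delegable prefixes per pool:", pool_capacity(EXPORT))
    for delegable, on_link in delegation_overlaps(EXPORT):
        print(f"{delegable} is inside the pool and contains on-link {on_link}")
```
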