IPv6 from fibre provider

Hello,
we got the following information from our provider regarding the IPv6 connection. But I don't think that's enough information to configure IPv6.

IPv6 Customer-Prefix/length: 2a00:3:xxxx::/48
IPv6 LAN-Prefix/length: 2a00:3:xxxx::/64
IPv6 GW-Adr./length: 2a00:3:xxxx::1/64

Is an IPv6 configuration with a MikroTik router possible with just this information? What should the configuration look like? If I try to get IPv6 with the DHCPv6 client it’s just “searching” and nothing else.
Any tips for the configuration? Thanks!

It gives you fixed addresses so you should not use DHCPv6.
Instead use something like this:

/ipv6 address
add address=2a00:3:xxxx::2/64 advertise=no interface=ether1
add address=2a00:3:xxxx:0:1::1/64 advertise=yes interface=bridge
/ipv6 route
add dst-address=::/0 gateway=2a00:3:xxxx::1

Hello,
thanks. I configured this but I can't ping any IPv6 address outside our network, not even the GW. Maybe there is something wrong with their configuration. Firewall rules are default.

at most you have to ask for an IPv6 pool, not just one IPv6...
/ipv6 dhcp-client
add interface=pppoe-out1 pool-name=pool rapid-commit=no request=prefix
Without a network description and an /export of your actual configuration, the help can only be approximate.
/ip dns
set cache-max-ttl=30m servers=1.1.1.1,8.8.8.8,2606:4700:4700::1111,2001:4860:4860::8888

/ipv6 pool
add name=pool prefix=2a00:3:xxxx::/48 prefix-length=64

/ipv6 address

the :: is wanted, it must be kept as is

add address=:: advertise=yes disabled=no eui-64=yes from-pool=pool interface=bridge no-dad=no

/ipv6 nd
set [ find default=yes ] advertise-dns=yes hop-limit=64 interface=bridge

/ipv6 route
add distance=10 dst-address=2000::/3 gateway=fe80:remo:teli:nklo:cal%interfacename

Your mangled IPv6 address is probably wrong and as a result your configuration is also wrong.

@pe1chl Shouldn’t the default route be of distance >0, e.g.

@lordimac When you say that you cannot ping, do you receive an ICMPv6 error or get a timeout?
I do not know what the default IPv6 firewall rules on RouterOS are; can you post them? Or even do “/ipv6 export hide-sensitive”.

I would try to sniff on the WAN port to see if there are any IPv6 packets coming from the upstream at all.

What kind of question is it?
If nothing is specified, it is obvious that it is still a value between 1 and 255, and the default is 1.


No matter, the default permits “ping”.
Using the search function gives results…
http://forum.mikrotik.com/t/buying-rb1100ahx4-dude-edition-questions-about-firewall/148996/4


“hide-sensitive” does not hide anything sensitive on IPv6, and on some versions of v7 it is not present at all…

Hello and thanks for your replies

@rextended: I tried your recommended configuration as well. Same problem. And sorry for the misunderstanding in my initial post, I tried to search for a prefix as well, without success.

My latest IPv6 config:

/ipv6 pool
add name=pool prefix=2a00:3:xxxx::/48 prefix-length=64
/ipv6 address
add address=::de2c:6eff:fe41:4a42 eui-64=yes from-pool=pool interface=bridge1
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] hop-limit=64 interface=bridge1
/ipv6 route
add distance=10 dst-address=2000::/3 gateway=ether1
/ipv6 settings
set max-neighbor-entries=8192

Ping to Google DNS IPv6:

ping 2001:4860:4860::8888
PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
From 2a00:0:a028:1:de2c:6eff:fe41:4a41 icmp_seq=1 Destination unreachable: Address unreachable
From 2a00:0:a028:1:de2c:6eff:fe41:4a41 icmp_seq=2 Destination unreachable: Address unreachable
From 2a00:0:a028:1:de2c:6eff:fe41:4a41 icmp_seq=3 Destination unreachable: Address unreachable
From 2a00:0:a028:1:de2c:6eff:fe41:4a41 icmp_seq=4 Destination unreachable: Address unreachable

Traceroute to Google DNS IPv6:

traceroute to 2001:4860:4860::8888 (2001:4860:4860::8888), 30 hops max, 80 byte packets
 1  2a00:0:a028:1:de2c:6eff:fe41:4a41 (2a00:0:a028:1:de2c:6eff:fe41:4a41)  0.613 ms  0.563 ms  0.533 ms
 2  2a00:0:a028:1:de2c:6eff:fe41:4a41 (2a00:0:a028:1:de2c:6eff:fe41:4a41)  3143.252 ms !H  3143.238 ms !H  3143.183 ms !H

Ping to GW from my provider (according to their information):

ping 2a00:3:xxxx::1
PING 2a00:3:xxxx::1(2a00:3:xxxx::1) 56 data bytes
From 2a00:0:a028:1:de2c:6eff:fe41:4a41 icmp_seq=1 Destination unreachable: Address unreachable
From 2a00:3:xxxx:0:250:56ff:fe80:a94f icmp_seq=2 Destination unreachable: Address unreachable
From 2a00:3:xxxx:0:250:56ff:fe80:a94f icmp_seq=3 Destination unreachable: Address unreachable
From 2a00:3:xxxx:0:250:56ff:fe80:a94f icmp_seq=4 Destination unreachable: Address unreachable

(I masked a part of our prefix with xxxx because of paranoia. :wink:)

does not have the same aspect…
/ipv6 route
add distance=10 dst-address=2000::/3 gateway=fe80:remo:teli:nklo:cal%interfacename
Open IPv6 / Neighbors and read the fe80::xxxx:xxxx:xxxx:xxx address that the ISP interface has, on the other side of ether1,
and combine it into something like: gateway=fe80::xxxx:xxxx:xxxx:xxx%ether1

Yeah but now you made it all very confusing…
Before I misinterpreted it, the actual config should be like:

/ipv6 address
add address=2a00:3:xxxx::2/64 advertise=no interface=ether1
add address=2a00:3:xxxx:1::1/64 advertise=yes interface=bridge
/ipv6 route
add dst-address=::/0 gateway=2a00:3:xxxx::1
add blackhole dst-address=2a00:3:xxxx::/48

(the last route is to prevent a routing loop when traffic comes in for a network you don’t have configured)

Of course when you test using ping, don’t ping to your own address but to some IPv6 address on internet.
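
Added example (not from any poster in the thread, and not RouterOS code): a Python model of the two address plans posted above, with 2001:db8:abcd::/48 as a constructed stand-in for the masked prefix. It assumes the provider routes the whole /48 to the router and that forwarding is plain longest-prefix match; it flags the shared /64 in the first plan and shows how the /48 discard route stops traffic for unconfigured subnets from bouncing back to the ISP.

```python
import ipaddress as ip

# Constructed stand-in for the thread's masked 2a00:3:xxxx::/48 (assumption).
CUSTOMER = ip.ip_network("2001:db8:abcd::/48")
GATEWAY = ip.ip_address("2001:db8:abcd::1")

# (WAN address, LAN address, static routes) for the two plans in the thread.
FIRST = ("2001:db8:abcd::2/64", "2001:db8:abcd:0:1::1/64",
         [("::/0", "gateway")])
FIXED = ("2001:db8:abcd::2/64", "2001:db8:abcd:1::1/64",
         [("::/0", "gateway"), ("2001:db8:abcd::/48", "discard")])

def check_plan(wan, lan, routes):
    """Return the list of problems found in an address plan."""
    problems = []
    wan_net, lan_net = ip.ip_interface(wan).network, ip.ip_interface(lan).network
    if wan_net.overlaps(lan_net):
        problems.append("WAN and LAN share a /64")
    if GATEWAY not in wan_net:
        problems.append("gateway not on-link on WAN")
    if not any(ip.ip_network(p) == CUSTOMER and a == "discard" for p, a in routes):
        problems.append("no discard route for the /48")
    return problems

def lookup(dst, wan, lan, routes):
    """Longest-prefix match: what the router does with a packet to dst."""
    table = [(ip.ip_interface(wan).network, "deliver-wan"),
             (ip.ip_interface(lan).network, "deliver-lan")]
    table += [(ip.ip_network(p), a) for p, a in routes]
    hits = [(net, act) for net, act in table if ip.ip_address(dst) in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else "no-route"

def loops(dst, wan, lan, routes):
    """True if a packet the ISP delivers for dst is sent straight back to the ISP."""
    return ip.ip_address(dst) in CUSTOMER and lookup(dst, wan, lan, routes) == "gateway"

if __name__ == "__main__":
    unused = "2001:db8:abcd:77::5"   # a /64 inside the /48 that is not configured
    for name, plan in (("first", FIRST), ("fixed", FIXED)):
        print(name, check_plan(*plan), "loops:", loops(unused, *plan))
```
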

damn, i forgot about it


RouterOS 6 does not have IPv6 blackhole.
/ipv6 route
add distance=2 dst-address=2a00:3:xxxx::/48 type=unreachable
/ipv6 route
add blackhole disabled=no dst-address=2a00:3:xxxx::/48

Would RouterOS consider the incoming port as an outgoing though? Doesn’t seem right.

Just learned that RouterOS adds default blackhole route when set up with DHCPv6 prefix delegation.

Hello, just a short remark. The support of my provider is checking the IPv6 config in their routers. To be clear, we are using 2 fibre connections which are combined (HSRP). The virtual HSRP interface is providing IPv4 perfectly, but not IPv6. At the moment we think that's the problem, because both routers are recognized by ND with their link-local address but not the virtual HSRP interface.