I am trying to set up IPv6 with only a /64 assigned to me from my ISP and 4 segregated bridges on my network. Quite new to IPv6, so not sure what the correct solution is. What is the proper way to do so?
If I set the router address for each of the bridges to be /64, the computers won't route traffic for the other bridges through the gateway, since /64 is considered local through the RA (?) and is just sent through the ethernet interface as local traffic. However, the bridges are like individual networks and need to pass through the router to check for firewall rules.
If I set the router address for each of the bridges to be /72, I can't set advertise=yes.
Currently ROS (and some other OSes as well) doesn't support IPv6 addresses with prefix lengths other than /64 well, meaning you should always use /64 addressing. So if the ISP only gives you a single /64 prefix, you can only have a single LAN.
BTW, in modern times, using multiple bridges on a single ROS device most probably means a wrong setup; one should be able to get away with using a single bridge … if several subnets need to be separated, then one can use VLANs … even if the sole purpose is to "segment" the bridge into several isolated parts.
It is perfectly normal that advertise=yes is not possible for smaller networks than /64. This is not going to change either, it is part of the standard.
The "advertise" method simply means that the router tells the local clients what the network range is and what the router address is, not an address for the client.
The client then picks a random address from the /64, checks if it is in use, and then starts using it. The router does not keep a list of assigned addresses.
So this is quite different from DHCP.
In DHCPv6 it would be possible to assign an address from a smaller subnet, but RouterOS does not support it and hardly any clients do either.
Your only recourse is to talk to your ISP and explain to them how unreasonable it is to give a client only one /64.
At the very least you should get a /60 for a home connection. Many providers give a /56 or more, here I get a /48 (which is a bit on the other end of the scale).
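The setup the replies above describe (one bridge with VLAN filtering instead of several bridges, a delegated prefix larger than a /64, and one /64 per segment with advertise=yes), written out as an added RouterOS example that is not part of any post in this thread. It assumes the WAN is a PPPoE client named pppoe-out1 on ether1, that the ISP delegates a /56 over DHCPv6-PD, and that the segments are VLAN 10 on ether2 and VLAN 20 on ether3; all interface names, VLAN ids and prefix lengths are assumptions.

```routeros
# Added example, not from the thread. Assumed: WAN = pppoe-out1 (on ether1, kept out
# of the bridge), ISP delegates a /56 via DHCPv6-PD, segments = VLAN 10 on ether2 and
# VLAN 20 on ether3. Adjust names and ids to your own setup.

# One bridge; VLAN filtering does the segmentation
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether3 vlan-ids=20
/interface vlan
add name=vlan10 interface=bridge1 vlan-id=10
add name=vlan20 interface=bridge1 vlan-id=20
/interface list
add name=LAN
/interface list member
add list=LAN interface=vlan10
add list=LAN interface=vlan20

# Request the delegated prefix and keep it in a pool that hands out /64s
/ipv6 dhcp-client
add interface=pppoe-out1 request=prefix pool-name=isp-pd pool-prefix-length=64 \
    add-default-route=yes use-peer-dns=yes

# One /64 per segment, taken from the pool. advertise=yes is what makes the RA
# carry the prefix for SLAAC, and it is only accepted on a /64.
/ipv6 address
add address=::1/64 from-pool=isp-pd interface=vlan10 advertise=yes
add address=::1/64 from-pool=isp-pd interface=vlan20 advertise=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=yes

# Segments reach each other only through the router, where the firewall decides
/ipv6 firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN \
    comment="segment isolation: no vlan10 <-> vlan20"
add chain=forward action=accept protocol=icmpv6 comment="keep PMTUD working"
add chain=forward action=drop in-interface=pppoe-out1 comment="no unsolicited inbound"
```

After the PPPoE session is up, `/ipv6 dhcp-client print` should show the client bound with the delegated /56, and `/ipv6 address print` should show a different /64 from that /56 on vlan10 and on vlan20. The input chain (protecting the router itself) is not shown here and still needs its own rules.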
That does not matter, the problem would be exactly the same. As soon as you have more than one internal network, be it on separate ports, separate VLANs, or separate bridges, you need more IPv6 address space than a /64.
Indeed. That’s why the paragraph started with BTW hinting that it’s not really related to paragraph before it.
But quite probably it matters when it comes to performance of intra-LAN communications. Both IPv4 and IPv6 … because I assume OP needs bridges to bridge multiple physical ports belonging to the same LAN, and only a single bridge can be HW offloaded … even if it's a trivial one. If my assumption about why OP needs bridges is not correct, then there's an additional disclaimer about it - I wrote "most probably means wrong setup".
Well, I often use multiple bridges with only a single port each - I configure a bridge with some “application” e.g. internet connection, then put a single port in that where the internet is connected.
I do that because it makes it easy to configure all higher-level config on that bridge and then attach one port to it which can later be changed, e.g. from ether to sfp.
It is also convenient when you get another router that has different optimal port usage.
I never experienced performance issues. But of course a bridge with a single port already is more efficient (“fast forward”).
I do not know why people think they know MikroTik software/hardware better than the official MikroTik docs. Even in vanilla Linux networking, DSA was created to make the job easier by using a single bridge and then apply VLAN filtering as needed. Never understood the strange love for multiple bridges: https://www.kernel.org/doc/Documentation/networking/dsa/dsa.txt
SLAAC is a standard by definition that requires a minimum /64 per VLAN. This is the same on all operating systems including Cisco and Juniper.
The only hack you can do here is to use the 200::/7 block (because ULAs don’t work well with end-hosts in dual stack). Take 200::/7, slice it into a /56, then use a /64 per VLAN.
Now, configure NAT66 on MikroTik using netmap. Where on the src nat chain, you have your /56 that netmaps to the ISP /64, and on the dst nat chain, you have your ISP /64 that netmaps to your /56. This will more or less give you 1:1 mapping, but it won't be perfect as the /56 is larger than the /64. If you have two VLANs, and you're using two /64s, you can replace the /56 with a /63 to help improve the mapping.
That would make things more complicated. Over here we normally get internet connections as “PPPoE over VLAN6” on the fiber or VDSL demarcation.
So when you have two internet connections you want to balance/failover, you will have two separate VLAN6 connections each running PPPoE.
That is why I make two bridges, each containing a VLAN6 subinterface of e.g. ether1 and ether2, and then name them “internet1” and “internet2” and run PPPoE on them.
It may be possible to do that in a single bridge but it would require VLAN-in-VLAN or VLAN renumbering in bridge filter rules. Too complicated for me.
“WAN” interfaces are not supposed to be in the bridge. You continue using them standalone as usual and can send tagged VLAN using L3 sub-interface VLAN if you want, or via the switch chip depending on the hardware model.
By default, a standalone port is isolated on layer 2, unless bridged, and once bridged, you use VLAN filtering.
So if ether 1 is ISP 1 and ether 2 is ISP 2, both are standalone L2 interfaces, not in any bridge. Only downstream or intra-as ports are members of the bridge, including LACP bonding slave interfaces if any.
Ideally you should leave the WAN VLAN tagging job to the ONT device or modem. Keep it simple on the Tik box.
@pe1chl, I've had exactly this type of use for more than a single bridge in mind when I used "probably" when talking about multiple bridges as an error. Even though your particular use case warrants the use of multiple bridges, it's a niche use case. In most cases people use multiple bridges when they really should use only one; we've had such a case when a user complained about low throughput/high CPU load on a CRS used as a (fairly simple) switch. After some fuss (the user did not provide a full configuration export for quite a while) it turned out there was another bridge (with a single port) which got HW offloaded (instead of the main bridge, which could actually have benefited from HW offload).
So I really do think that defending a mostly non-optimal setup just because you have a legitimate use for it (and you properly master it because you have both the knowledge and experience to do it right) is not beneficial to most (not so advanced) users. Actually some users may (wrongly) take your input as confirmation that their config is optimal. I'd be more than happy to stand back if OP explained his use case for multiple bridges as intentional (and sensible) … but he didn't.
Note that I'm not as arrogant as @DarkNate in defending the single bridge concept (and I believe that WAN interfaces can be members of a single bridge in certain use cases) … but I believe that this concept is the right concept in 99.9% of cases.
I explained the reason for putting the WAN interface in a bridge. It makes it easy to move it to another physical port, while keeping all the configuration.
While lots of configuration (e.g. firewall) can now be handled via an interface list, so there is no more need to put “ether1” in each firewall rule that refers to the WAN interface, it still is convenient to do it this way.
And as I write, having a separate bridge interface with only a single port has not noticeably hurt the performance on CCR, RB4011 etc. Maybe I would be more careful when trying to extract the utmost from a RB2011 or similar age router.
Of course I make sure that the bridge that is used for local devices (which includes VLAN filtering and different VLANs e.g. for guest and IoT networks) is the one that is HW accelerated, and the bridge with the single port is not, but it has “fast forward”.
It appears you’re just a home end user, where of course you’re not going to see the performance issues. Try your genius multiple bridge idea on a production network pushing 100G or similar rates with the CCR2216 along with full tables.
Test my idea which is also officially explained on MikroTik (single bridge) and your genius idea to see which one has more performance with minimal CPU usage.
One should either stick to the default concept (which will always work, but might not use resources most efficiently) or one can go with other concepts (which are mostly applicable only to one class of hardware). What you're saying about CCR2216 is true for CCR2216 because it features a switch chip that can do L3 in hardware. Many other routers don't (the whole CCR1xxx family, early CCR20xx as well), and those don't suffer much just because of the inclusion of bridge code in an already wholly SW/CPU-ridden path. And for L3HW to work, all interfaces (including WAN) need to be on the same bridge (because, again, only a single bridge can offload things to HW, including L3).
I am not a home user but I use only 1Gbit lines. And note that I am not trying to emulate a switch, I use a single port on a bridge. That already is an optimized situation that you probably are not familiar with.
I have tested the CPU usage before and after I migrated a CCR1009 to this config and there was no change. And because this device does not have a switch chip, there is nothing to be HW accelerated at all.
I know this is marked solved, but may I make an unpopular suggestion that would work?
NATv6 using the fc00::/7 network reserved for private networks. It's not quite the same as RFC1918, but it does give us some IPv6 space that is not going to be centrally registered, so the possibility of collisions is low, especially using a random generator. Adding a /64 to each local BRIDGE from this space and NATing out would work.
By FAR not the best option, but it should work. Am I being dumb or irresponsible with this space? For the record I am not doing this in production, but it works in labs.
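A concrete RouterOS form of the two NAT66 suggestions in this thread (the netmap post earlier and the fc00::/7 post just above), added here as an example that is not from any post. It assumes the ISP routes the single /64 to this router (written as the documentation prefix 2001:db8:aaaa:bbbb::/64 standing in for the real one), that the WAN is pppoe-out1, and that the segments use ULA /64s carved from fd12:3456:789a::/56, a made-up ULA; all of these are assumptions. One thing to know before copying the /56-to-/64 idea: netmap is a pure prefix substitution that rewrites only the bits covered by the to-address prefix length and keeps the rest of the address, so two inner /64s cannot both be mapped one-to-one into a single outer /64. The example therefore netmaps one segment 1:1 (so it is reachable from outside if the firewall allows it) and puts the remaining segments behind a single stateful src-nat address, outbound only.

```routeros
# Added example, not from the thread. Assumed: ISP routes 2001:db8:aaaa:bbbb::/64 to this
# router (documentation prefix standing in for the real /64), WAN = pppoe-out1, segments
# vlan10/vlan20 use ULA /64s from fd12:3456:789a::/56 (made-up ULA; generate your own).

# Internal ULA prefixes; advertise=yes is fine because these are /64s
/ipv6 address
add address=fd12:3456:789a:10::1/64 interface=vlan10 advertise=yes
add address=fd12:3456:789a:20::1/64 interface=vlan20 advertise=yes

/ipv6 firewall nat
# vlan10: stateless 1:1 prefix translation in both directions (NPTv6-style).
# Only the /64 prefix bits are rewritten, the host part is kept, so it is reversible.
add chain=srcnat action=netmap src-address=fd12:3456:789a:10::/64 \
    to-address=2001:db8:aaaa:bbbb::/64 out-interface=pppoe-out1 \
    comment="vlan10 -> ISP /64"
add chain=dstnat action=netmap dst-address=2001:db8:aaaa:bbbb::/64 \
    to-address=fd12:3456:789a:10::/64 in-interface=pppoe-out1 \
    comment="ISP /64 -> vlan10"
# vlan20 (and any further segment): stateful many-to-one behind one address taken
# from the ISP /64. Outbound only; replies are matched by connection tracking, which
# is consulted before the dstnat chain, so the netmap rule above does not catch them.
add chain=srcnat action=src-nat src-address=fd12:3456:789a:20::/64 \
    to-address=2001:db8:aaaa:bbbb:ffff:ffff:ffff:ffff out-interface=pppoe-out1 \
    comment="vlan20 -> single translated address"

# Forward filter still applies; drop unsolicited inbound unless vlan10 hosts
# are meant to be reachable through the 1:1 mapping
/ipv6 firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface=pppoe-out1 connection-state=new
```

Check the translation with `/ipv6 firewall nat print stats` (counters on the netmap and src-nat rules should increase as hosts in the respective segments go out) and `/ipv6 firewall connection print`. As the posts in this thread note, dual-stack clients following RFC 6724 address selection prefer IPv4 over a ULA source for global destinations, so this path mostly carries IPv6-only traffic; it is a workaround for a single /64, and a delegated /56 (or at least /60) from the ISP remains the real fix.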
MikroTik made it clear years ago. Single bridge + VLAN segregation and disabling STP on per port basis is the best approach:
“Sometimes it is possible to restructure a network topology to use VLANs, which is the proper way to isolate Layer2 networks.”
Even if the underlying hardware doesn’t have a switch chip like CCR1k series – The more bridges you add, the more work for the CPU for overhead. Multiple bridges with FastForward/FastPath will always be slower than single bridge with FastForward/FastPath.
ULA is definitely not what you want to use. It has a number of issues. I was involved with the testing and writing of this draft and we found that ULA in dual stack just ends up being more problematic than it is worth.
I’m not opposed to the use of NAT in IPv6 in specific circumstances (like routing an LTE/5G hotspot that only hands off a /64) but it should be the exception. Dual stack works well in home networks