ipv6 ND /64 and PD /48 problems

I’m sure I’m making a n00b error here but I can’t work out what.

RouterOS is v6.49.13 (stable) now 7.12.1 and the machine is hEX S RB760iGS r2

I have a pppoe connection to fibre. It had ipv4 and ipv6, fixed assignments on the pppoe account.
The ipv4 is a /29 and is working fine. The clients are manually assigned. It’s not using any dhcp with ipv4.
This was configured via the quick set menu, mode router and port ether1. [a]

The problem is with ipv6. It gets a ND /64 via DHCP and a PD /48. I want the clients to use SLAAC, so they each get a /64 from the /48 via DHCP-PD on the router.

The problem seems to be that it’ll only register the /48 on ether1 and ether1 is bound to the pppoe connection. So the clients never get ipv6, because the clients are connected via ether2.

What I’m expecting to see is the ND /64 on the pppoe connection and the /48 in ether2
What do I need to do?

[a] is this the wrong connection type?

This is a misconfiguration on your end.

Run DHCPv6 client for the ia_pd /48 on top of the PPPoE client interface, from there it will get the /48 from upstream and inject it into the database of the IPv6>Pool.

From there, now, you can just use it directly on each VLAN:
VLAN1- ::1/64
VLAN2- ::1:1/64
Etc

Then configure the IPv6>ND (aka RA) for each VLAN, disable it for “all” (or any interfaces that don’t need SLAAC).

Hi, thank you for looking at this.

As you can probably tell, I’m totally unfamiliar with routeros, being more used to just directly editing something like dhcpcd.conf on other systems.

I forgot to mention, ether2 is connected to the LAN. There are no other ethernet ports connected, just ether1 for the pppoe and ether2 for LAN.

Firmware has been upgraded to 7.12.1.

Without a doubt !! :smiley:

This is what I’ve entered into the page which I get to by clicking “IPv6” and then selecting “DHCP Client”- is this what you mean?
ipv6-dhclient.jpg

From there, now, you can just use it directly on each VLAN:

Where’s “there” ? On the above screen?

is running separate VLANs a requirement? There are no VLANs configured.

The router currently has ipv6 connectivity:

ping 2606:4700:4700::1111
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 2606:4700:4700::1111                       56 253 7ms753us   echo reply
    1 2606:4700:4700::1111                       56 253 7ms711us   echo reply
    2 2606:4700:4700::1111                       56 253 7ms788us   echo reply

tcpdump from a machine connected to the (external) LAN (via external dumb switch) which ether2 is plugged into

tcpdump ip6 -v -v -v -i genet0
tcpdump: listening on genet0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:00:55.007805 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::7a9a:18ff:fecd:cb0e > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
          source link-address option (1), length 8 (1): 78:9a:18:cd:cb:0e
            0x0000:  789a 18cd cb0e

it’s been running for 15 mins or so and that’s all it has.

/ipv6/address> print
Flags: D - DYNAMIC; G - GLOBAL, L - LINK-LOCAL
Columns: ADDRESS, INTERFACE, ADVERTISE
#    ADDRESS                       INTERFACE   ADVERTISE
0 DL fe80::1/64                    pppoe-out1  no
1 DG 2a02:8011:XXXX:fb::1/64       pppoe-out1  no
2 DL fe80::7a9a:18ff:fecd:cb0d/64  ether1      no

prefix-length should be set to /64 … this setting defines prefix sizes which will later be handed out by the pool. If you want to “suggest” to upstream DHCP server the prefix (and length) you want to receive, you do it using prefix hint field … like you already do, but add the prefix length, e.g. 2a02:8010:aaaa::/48 . Mind that it’s a “hint” and upstream DHCP server is free to ignore it completely.

aha! ok I understand that.

Made the change, clicked onto ‘save configuration’ (on the ‘quick set’ menu) and restarted the connection (but didn’t reboot). Is a reboot required?

Still no handing out ip6

EDIT: the “prefix hint” I populated with the numbers my ISP provided for the /48.

My experience is that sometimes it is necessary to reboot ROS device in order to fully apply configuration changes. E.g. pool has to be “replenished” for it to be able to start handing out different prefix size.

ok thanks, i’ll reboot each time i make a change

I found this guide: https://wiki.mikrotik.com/wiki/Setting_up_DHCPv6

it’s not worked so far but I’ve not rebooted yet

For Prefix Hint, you can use ::/48, or ::/56, etc… no need to include the real prefix from your ISP. Don’t follow the old wiki guide that tells you to set up DHCPv6 server. You don’t need to configure the DHCPv6 server at all.

What you need is to add an address entry:

/ipv6 address
add address=::1234:abcd comment="From WAN pool" from-pool=v6pool interface=ether2

ether2 is your LAN interface. ::1234:abcd is the interface id part (64bit suffix) of the IPv6 address of the router that will be set on that ether2 interface. v6pool is the pool created by DHCPv6 client.

When you now print the IPv6 address list, this entry will have the full address, including a /64 prefix from the prefix provided by your ISP, and the “Advertise” flag will be enabled. With this flag and /ipv6 nd properly configured for ether2, the clients will all get their IPv6 addresses using SLAAC with the same /64 prefix.

If you have more VLAN or other interfaces, repeat the same and add one /ipv6 address entry for each of them.
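The arithmetic behind `pool-prefix-length`, `from-pool` and the interface-id, as an added example that is not part of any post in this thread and is not RouterOS code: it carves a /64 out of a delegated /48, combines it with the interface-id entered in `address=`, and derives the EUI-64 address a SLAAC client would form. The delegated prefix is a constructed documentation value, and the subnet index is an assumption, since the pool chooses which /64 it hands out.

```python
import ipaddress

def pool_prefix(delegated, index, pool_prefix_length=64):
    """Return the index-th pool_prefix_length-bit prefix inside the delegated block."""
    net = ipaddress.IPv6Network(delegated)
    if pool_prefix_length < net.prefixlen:
        raise ValueError("pool prefix is shorter than the delegation")
    if not 0 <= index < (1 << (pool_prefix_length - net.prefixlen)):
        raise ValueError("index outside the delegated block")
    base = int(net.network_address) | (index << (128 - pool_prefix_length))
    return ipaddress.IPv6Network((base, pool_prefix_length))

def router_address(prefix, interface_id):
    """Combine a pool prefix with the interface-id given as address= (e.g. ::1)."""
    iid = int(ipaddress.IPv6Address(interface_id))
    if iid >> (128 - prefix.prefixlen):
        raise ValueError("interface-id overlaps the prefix bits")
    return ipaddress.IPv6Interface((int(prefix.network_address) | iid, prefix.prefixlen))

def eui64_interface_id(mac):
    """Modified EUI-64: flip the universal/local bit, insert ff:fe in the middle."""
    b = bytes(int(octet, 16) for octet in mac.split(":"))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def slaac_address(prefix, mac):
    """Address a client using EUI-64 SLAAC forms from an advertised /64."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))

if __name__ == "__main__":
    DELEGATED = "2001:db8:abcd::/48"   # constructed documentation prefix, not a real delegation
    lan = pool_prefix(DELEGATED, 1)    # assumption: the pool hands out subnet 1
    print("LAN prefix      :", lan)
    print("router, ::1     :", router_address(lan, "::1"))
    print("router, ::1234:abcd:", router_address(lan, "::1234:abcd"))
    # MAC taken from the router solicitation in the tcpdump earlier in the thread
    print("SLAAC client    :", slaac_address(lan, "78:9a:18:cd:cb:0e"))
```

Clients that use privacy extensions or stable-privacy interface-ids will pick a different suffix than the EUI-64 one computed here; the /64 prefix is the same either way.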

I zeroed my ipv6 config and started again.

Unfortunately, I couldn’t make your suggestion work. It’s still not issuing anything SLAAC can use. I am surely doing something wrong.
By “::1234:abcd” do you mean, in my case, ::1 ? (that being the first /64 of the /48)

Is the ipv6 implementation that routerOS uses non-standard? (see [1])

On other routers (openbsd edgerouter, fritzbox etc) i’ve not had to specify actual address entries, so this is all new.
They get the right ND via DHCP when pppoe comes up, and the PD /48 gets set (i.e. configured) as the network for the LAN interface,
(in other words what’s entered is not the full or partial ip, just “/48” for the ether2 equivalent) and that’s it.

[1] My ISP has this to say about its implementation:

/48 Delegation Prefix. This is usually provided over DHCPv6, and requires that your router acts as a requesting router for the purpose of IPv6 delegation RFC3633 - (https://tools.ietf.org/html/rfc3633). Subnets of this prefix are used by the CPE to address devices on the LAN.

Routers supporting RFC7084 (https://tools.ietf.org/html/rfc7084) are expected to work without issue. Older routers, or ones that do not fully implement RFC7084 may experience issues.

Yes, it’s the interface-id part of the address, the 64-bit at the end of the IPv6 address. You can set it to ::1 if you wish. If you enter it with the UI in WebFig or Winbox, you should enter it as ::1/64. Once you have done that you can check with


/ipv6 address print

whether a corresponding entry with the G (global) flag and without the D (dynamic) flag is present for the ether2 interface. This address should have the prefix from the ISP and the interface-id that you chose above. Please note that in your DHCPv6 client configuration, you should only request for the prefix, not an address.

dhcpc.png
Also make sure that you’ve created an entry for the ether2 interface under /ipv6 nd (Neighbor Discovery). The two following checkboxes should be enabled:

/ipv6 nd
add interface=ether2 managed-address-configuration=yes other-configuration=yes

ipv6nd.png
From my experience, the DHCPv6 client implementation in RouterOS works fine and has no problems supporting prefix delegation.

bingo! it works :smiley: TYVM

Flags: D - DYNAMIC; G - GLOBAL, L - LINK-LOCAL
Columns: ADDRESS, FROM-POOL, INTERFACE, ADVERTISE
#    ADDRESS                       FROM-POOL  INTERFACE   ADVERTISE
;;; From WAN pool
0  G 2a02:8010:XXXX:1::1/64        v6pool     ether2      yes      
1 DL fe80::7a9a:18ff:fecd:cb0e/64             bridge      no       
2 DG 2a02:8010:XXXX:1::1/64                   bridge      no       
3 DL fe80::1/64                               pppoe-out1  no       
4 DG 2a02:8011:YYYY:fb::1/64                  pppoe-out1  no       
5 DL fe80::7a9a:18ff:fecd:cb0d/64             ether1      no

(from freebsd SLAAC-enabled machine):

(genet0)
inet6 2a02:8010:XXXX:1:ZZZZ:32ff:fee2:48fc prefixlen 64 autoconf pltime 604800 vltime 2592000

so, essentially, if ::2 is required, i’d put that on ether3. That’s very powerful.

I’m going to make a step-by-step howto as the process was (for me) counter-intuitive
probably mostly down to my own unfamiliarity with routerOS.

Cleaned config would look something like this:

/ipv6 dhcp-client
add add-default-route=yes interface=pppoe1 pool-name=ISP-PD-Pool pool-prefix-length=64 prefix-hint=::/48 request=prefix use-peer-dns=no

/ipv6 nd
set [ find default=yes ] disabled=yes
add interface=ether2

/ipv6 address
add address=::1 advertise=yes from-pool=ISP-PD-Pool interface=ether2

thank you! :smiley: