ipv6 ND and vlan leaks

edouardkleinhans · March 31, 2025, 12:13pm

Hello,

I’m trying to find what’s wrong with my config on ipv6, but it’s not easy.

I’m using ipv6 ND from french provider Free. I’m doing prefix delegation from my modem (freebox pop) to my router (rb4011).

I have multiple vlan on it seems to work as expected for ipv4 (maybe some optimisation / tuning can be made).

And I’ve configured ipv6 delegation only for vlan10-lan & vlan20-iot.

Bu on ipv6, all clients, whatever their respective vlan (vlan10-lan or vlan20-iot), get 2 ips from the delegation (one from each delegation) which is not what I want.

Ip from my laptop

3: wlp0s20f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f6:95:79:87:a3:cd brd ff:ff:ff:ff:ff:ff permaddr 30:89:4a:e0:21:5d
    inet 192.168.10.63/24 brd 192.168.10.255 scope global dynamic noprefixroute wlp0s20f3
       valid_lft 82336sec preferred_lft 82336sec
    inet6 2a01:XXX:XX:b6b1:XXXX:XXXX:XXXX:XXXX/64 scope global dynamic noprefixroute 
       valid_lft 43157sec preferred_lft 1757sec
    inet6 2a01:XXX:XX:b6b2:XXXX:XXXX:XXXX:XXXX/64 scope global dynamic noprefixroute

Current configuration:

# 2025-03-31 13:57:43 by RouterOS 7.18.2
# software id = VL6J-0M77
#
# model = RB4011iGS+
# serial number = B8F30BFFDC65
/interface bridge
add admin-mac=C4:AD:34:73:D7:A1 auto-mac=no comment=bridge-lan frame-types=admit-only-vlan-tagged igmp-snooping=yes name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Freebox
set [ find default-name=ether2 ] comment=tac
set [ find default-name=ether3 ] comment=Mgmt
set [ find default-name=ether4 ] comment="Local Interface 192.168.4.1/24"
set [ find default-name=ether5 ] comment=Trunk
set [ find default-name=ether6 ] comment="Trunk (qnap) 1/2"
set [ find default-name=ether7 ] comment="Trunk (qnap) 2/2"
set [ find default-name=ether8 ] comment=Lan
set [ find default-name=ether9 ] comment="Trunk (hp2915) 1/2"
set [ find default-name=ether10 ] comment="Trunk (hp2915) 2/2"
/interface wireguard
add listen-port=13231 mtu=1420 name=wg0
/interface vlan
add interface=sfp-sfpplus1 name=vlan-internet vlan-id=666
add interface=bridge name=vlan10-lan vlan-id=10
add interface=bridge name=vlan20-iot vlan-id=20
add interface=bridge name=vlan30-cctv vlan-id=30
add interface=bridge name=vlan40-srv vlan-id=40
add interface=bridge name=vlan50-guest vlan-id=50
add interface=bridge name=vlan99-mgmt vlan-id=99
/interface bonding
add comment=hp2915 mode=802.3ad name=hp2915 slaves=ether9,ether10 transmit-hash-policy=layer-3-and-4
add comment=qnap mode=802.3ad name=qnap slaves=ether6,ether7 transmit-hash-policy=layer-3-and-4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=MGMT
/ip pool
add name=dhcp-mgmt ranges=192.168.99.10-192.168.99.254
add name=dhcp-lan ranges=192.168.10.50-192.168.10.99
add name=dhcp-iot ranges=192.168.20.50-192.168.20.99
add name=dhcp-guest ranges=192.168.50.50-192.168.50.99
add name=dhcp-cctv ranges=192.168.30.50-192.168.30.99
add name=dhcp-srv ranges=192.168.40.50-192.168.40.99
/ip dhcp-server
add address-pool=dhcp-lan interface=vlan10-lan lease-script=lease-script lease-time=1d name=dhcp-lan
add address-pool=dhcp-iot interface=vlan20-iot lease-script=lease-script lease-time=1d name=dhcp-iot
add address-pool=dhcp-guest interface=vlan50-guest lease-script=lease-script lease-time=1d name=dhcp-guest
add address-pool=dhcp-mgmt interface=vlan99-mgmt lease-script=lease-script lease-time=1d name=dhcp-mgmt
add address-pool=dhcp-cctv interface=vlan30-cctv lease-script=lease-script lease-time=1d name=dhcp-cctv
add address-pool=dhcp-srv interface=vlan40-srv lease-script=lease-script lease-time=1d name=dhcp-srv
/ipv6 pool
add name=lan-ipv6 prefix=2a01:XXX:XX:b6b1::/64 prefix-length=64
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
add name=logserver remote=192.168.40.50 remote-log-format=syslog remote-port=10514 syslog-facility=local6 syslog-severity=emergency target=remote
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=99
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether5 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
add bridge=bridge comment="qnap trunk" frame-types=admit-only-untagged-and-priority-tagged interface=qnap pvid=10
add bridge=bridge comment="hp2915 trunk" frame-types=admit-only-vlan-tagged interface=hp2915 pvid=100
add bridge=bridge comment=sfp frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ipv6 settings
set accept-router-advertisements=no
/interface bridge vlan
add bridge=bridge comment=main-vlan tagged=bridge,ether5,hp2915 untagged=ether2,ether8,qnap vlan-ids=10
add bridge=bridge comment=mgmt-vlan tagged=bridge,ether5,qnap,hp2915,sfp-sfpplus1 untagged=ether3 vlan-ids=99
add bridge=bridge comment=guest-vlan tagged=bridge,ether5,hp2915,ether2,qnap vlan-ids=50
add bridge=bridge comment=iot-vlan tagged=bridge,ether5,hp2915,qnap,ether2 vlan-ids=20
add bridge=bridge comment=cctv-vlan tagged=bridge,hp2915 vlan-ids=30
add bridge=bridge comment=srv-vlan tagged=bridge,hp2915 vlan-ids=40
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether4 list=LAN
add interface=vlan10-lan list=LAN
add interface=vlan10-lan list=VLAN
add interface=vlan20-iot list=VLAN
add interface=vlan50-guest list=VLAN
add interface=vlan99-mgmt list=MGMT
add interface=vlan10-lan list=MGMT
add interface=vlan99-mgmt list=VLAN
add interface=wg0 list=VLAN
add interface=vlan30-cctv list=VLAN
add interface=vlan40-srv list=VLAN
add interface=vlan-internet list=WAN
/interface wireguard peers
add allowed-address=10.10.10.0/30,192.168.88.0/24 interface=wg0 name=tic-et-tac-fw public-key="*******"
/ip address
add address=192.168.4.1/24 interface=ether4 network=192.168.4.0
add address=192.168.10.254/24 comment=vlan10-lan interface=vlan10-lan network=192.168.10.0
add address=192.168.20.254/24 comment=vlan20-iot interface=vlan20-iot network=192.168.20.0
add address=192.168.50.254/24 comment=vlan50-guest interface=vlan50-guest network=192.168.50.0
add address=192.168.99.254/24 comment=vlan99-mgmt interface=vlan99-mgmt network=192.168.99.0
add address=10.10.10.1/30 interface=wg0 network=10.10.10.0
add address=192.168.30.254/24 comment=vlan30-cctv interface=vlan30-cctv network=192.168.30.0
add address=192.168.40.254/24 comment=vlan40-srv interface=vlan40-srv network=192.168.40.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no use-peer-ntp=no
add disabled=yes interface=vlan-internet use-peer-dns=no
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.254 gateway=10.0.10.254 netmask=24
add address=192.168.10.0/24 dns-server=192.168.10.200,192.168.10.201 domain=mk.lan gateway=192.168.10.254 netmask=24
add address=192.168.20.0/24 dns-server=192.168.10.200,192.168.10.201 domain=iot.mk.lan gateway=192.168.20.254 netmask=24
add address=192.168.30.0/24 dns-server=192.168.10.200,192.168.10.201 domain=cctv.mk.lan gateway=192.168.30.254 netmask=24
add address=192.168.40.0/24 dns-server=192.168.10.200,192.168.10.201 domain=srv.mk.lan gateway=192.168.40.254 netmask=24
add address=192.168.50.0/24 dns-server=8.8.8.8,9.9.9.9 domain=guest.mk.lan gateway=192.168.50.254 netmask=24
add address=192.168.99.0/24 dns-server=192.168.99.254 domain=mgmt.mk.lan gateway=192.168.99.254 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=81920KiB doh-max-concurrent-queries=100 doh-max-server-connections=10 doh-timeout=6s mdns-repeat-ifaces=vlan10-lan,vlan20-iot servers=9.9.9.9,149.112.112.112
/ip dns adlist
add ssl-verify=no url=https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/hosts/light.txt
/ip dns static
add address=192.168.10.1 comment="redirect for local plex" regexp=*.plex.direct type=A
/ip firewall address-list
add address=192.168.20.74 list=SonosDevices
add address=192.168.20.75 list=SonosDevices
add address=192.168.99.10 comment="Proxmox servers" list=pve
add address=192.168.10.200 list=dns
add address=192.168.10.201 list=dns
add address=192.168.40.50 list=dns
/ip firewall filter
add action=drop chain=input comment="crowdsec input drop rules" in-interface=ether1 src-address-list=crowdsec
add action=drop chain=forward comment="crowdsec forward drop rules" in-interface=ether1 src-address-list=crowdsec
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="allow wireguard" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow main-vlan/MGMT access to all router services" in-interface-list=MGMT
add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN ICMP Ping" in-interface-list=VLAN protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow srv01-srv to mikrotik" in-interface=vlan40-srv src-address=192.168.40.50
add action=accept chain=input comment="Allow Radius from wg" dst-port=1812-1813 in-interface=wg0 protocol=udp
add action=drop chain=input comment="Drop all other traffic" log-prefix=FW
add action=drop chain=forward comment="Block Internet access" log=yes out-interface=ether1 src-address-list=no-internet
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="VLAN Internet Access Only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="VLAN Allow LAN to MGMT" connection-state=new in-interface=vlan10-lan out-interface=vlan99-mgmt
add action=accept chain=forward comment="VLAN Allow LAN to IOT" connection-state=new in-interface=vlan10-lan out-interface=vlan20-iot
add action=accept chain=forward comment="VLAN Allow LAN to Guest" connection-state=new in-interface=vlan10-lan out-interface=vlan50-guest
add action=accept chain=forward comment="VLAN Allow LAN to SRV" connection-state=new in-interface=vlan10-lan out-interface=vlan40-srv
add action=accept chain=forward comment="VLAN Allow LAN to CCTV" connection-state=new in-interface=vlan10-lan out-interface=vlan30-cctv
add action=accept chain=forward comment="Allow Syslog to vector (openobserver)" dst-address=192.168.40.50 dst-port=10514 in-interface=vlan99-mgmt out-interface=vlan40-srv protocol=udp
add action=accept chain=forward comment="Allow Proxmox Datacenter Manager to Proxmox servers" dst-address-list=pve in-interface=vlan40-srv out-interface=vlan99-mgmt src-address=192.168.40.51
add action=accept chain=forward comment="Allow Komo.do agent" dst-port=8120 in-interface=vlan40-srv out-interface-list=VLAN protocol=tcp src-address=192.168.40.50
add action=accept chain=forward comment="Allow srv01-cctv to NAS" dst-address=192.168.10.1 dst-port=445 in-interface=vlan30-cctv out-interface=vlan10-lan protocol=tcp src-address=192.168.30.50
add action=accept chain=forward comment="Allow srv01-cctv to HA" dst-address=192.168.10.100 dst-port=1883 in-interface=vlan30-cctv out-interface=vlan10-lan protocol=tcp src-address=192.168.30.50
add action=accept chain=forward comment="Allow Espresence to ha (mqtt)" dst-address=192.168.10.100 dst-port=1883 in-interface=vlan20-iot out-interface=vlan10-lan protocol=tcp src-address=192.168.20.80
add action=accept chain=forward comment="Allow pve to srv01-srv" dst-address=192.168.40.50 dst-port=80,443 in-interface=vlan99-mgmt out-interface=vlan40-srv protocol=tcp src-address-list=pve
add action=accept chain=forward comment="Allow srv01-srv to pve" dst-address-list=pve dst-port=8006 in-interface=vlan40-srv out-interface=vlan99-mgmt protocol=tcp src-address=192.168.40.50
add action=accept chain=forward comment="Allow srv02-srv to nas" dst-address=192.168.10.1 dst-port=445 in-interface=vlan40-srv out-interface=vlan10-lan protocol=tcp src-address=192.168.40.53
add action=accept chain=forward comment="Allow from pve to nas" dst-address=192.168.10.1 dst-port=445 in-interface=vlan40-srv out-interface=vlan10-lan protocol=tcp src-address-list=pve
add action=accept chain=forward comment="Allow from pbs-srv to nas" dst-address=192.168.10.1 dst-port=445 in-interface=vlan40-srv out-interface=vlan10-lan protocol=tcp src-address=192.168.40.52
add action=accept chain=forward comment="Allow pve to pbs" dst-address=192.168.40.52 dst-port=8007 in-interface=vlan99-mgmt out-interface=vlan40-srv protocol=tcp src-address-list=pve
add action=accept chain=forward comment="PBX to HA" dst-address=192.168.10.100 in-interface=vlan40-srv out-interface=vlan10-lan src-address=192.168.40.56
add action=accept chain=forward comment="Allow Ecowitt to HA" dst-address=192.168.10.100 dst-port=80 in-interface=vlan20-iot out-interface=vlan10-lan protocol=tcp src-address=192.168.20.67
add action=accept chain=forward comment="Allow Vlan-iot to HA" dst-address=192.168.10.100 dst-port=80 in-interface=vlan20-iot out-interface=vlan10-lan protocol=tcp
add action=accept chain=forward comment="Allow SRV01-SRV to all vlan" in-interface=vlan40-srv out-interface-list=VLAN src-address=192.168.40.50
add action=accept chain=forward comment="Allow Zabbix to srv01-srv" dst-address=192.168.40.50 dst-port=10051 in-interface-list=VLAN out-interface=vlan99-mgmt protocol=tcp
add action=accept chain=forward comment="Allow Sonos to HA" dst-address=192.168.10.100 dst-port=1400 in-interface=vlan20-iot out-interface=vlan10-lan protocol=tcp src-address-list=SonosDevices
add action=accept chain=forward comment="Allow srv02-srv to plex" dst-address=192.168.10.1 dst-port=32400 in-interface=vlan40-srv out-interface=vlan10-lan protocol=tcp src-address=192.168.40.53
add action=accept chain=forward comment="Allow VLANS to DNS udp" dst-address-list=dns dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=forward comment="Allow VLANS to DNS TCP" dst-address-list=dns dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT - enable if need server" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all other traffic"
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=redirect chain=dstnat comment=internetprotection disabled=yes dst-port=53 protocol=udp to-ports=53
add action=redirect chain=dstnat comment=internetprotection disabled=yes dst-port=53 protocol=tcp to-ports=53
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade Allow V-IOT (needed for HA - xiaomi_miio)" ipsec-policy=out,none out-interface=vlan20-iot
add action=dst-nat chain=dstnat comment="Allow Plex" dst-port=32400 in-interface=ether1 protocol=tcp to-addresses=192.168.10.1 to-ports=32400
add action=dst-nat chain=dstnat comment="Allow Urbackup" dst-port=55415 in-interface=ether1 protocol=tcp to-addresses=192.168.10.1 to-ports=55415
add action=dst-nat chain=dstnat comment="Allow saltmaster" disabled=yes dst-port=4505 in-interface=ether1 protocol=tcp to-addresses=192.168.10.118 to-ports=4505
add action=dst-nat chain=dstnat comment="Allow saltmaster" disabled=yes dst-port=4506 in-interface=ether1 protocol=tcp to-addresses=192.168.10.118 to-ports=4506
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control
add fri=0s-1d mon=0s-1d name=Monitor sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d wed=0s-1d
/ipv6 route
add disabled=no distance=1 dst-address=::/0 gateway=fe80::3a07:16ff:fe0b:d9d%ether1 routing-table=main scope=30 target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/16
set ssh address=192.168.0.0/16
set www-ssl certificate=webfig
set api address=192.168.0.0/16
set winbox address=192.168.0.0/16
set api-ssl disabled=yes
/ip traffic-flow
set enabled=yes interfaces=ether1,bridge
/ip traffic-flow target
add dst-address=162.159.65.1 version=5
add dst-address=192.168.40.50 version=ipfix
/ipv6 address
add address=2a01:XXX:XX:b6b1::254 interface=vlan10-lan
add address=2a01:XXX:XX:b6b2::254 interface=vlan20-iot
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=drop chain=input comment="crowdsec input drop rules" in-interface=ether1 src-address-list=crowdsec
add action=drop chain=forward comment="crowdsec forward drop rules" in-interface=ether1 src-address-list=crowdsec
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no hop-limit=64 interface=vlan10-lan managed-address-configuration=yes ra-interval=20s-1m
add advertise-dns=no hop-limit=64 interface=vlan20-iot ra-interval=20s-1m
/ipv6 nd prefix default
set preferred-lifetime=30m valid-lifetime=12h
/routing igmp-proxy interface
add interface=vlan10-lan upstream=yes
add interface=vlan20-iot
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=cas-fw
/system logging
add action=logserver topics=critical
add action=logserver topics=error
add action=logserver topics=info
add action=logserver topics=warning
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes
/system ntp client servers
add address=time.cloudflare.com
/system routerboard settings
set auto-upgrade=yes
/tool graphing interface
add interface=ether1 store-on-disk=no
add interface=vlan10-lan store-on-disk=no
add interface=vlan20-iot store-on-disk=no
add interface=vlan50-guest store-on-disk=no
add interface=vlan99-mgmt store-on-disk=no
/tool graphing resource
add store-on-disk=no
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

If someone can take a look and show me my mistakes, I would be grateful

Larsa · March 31, 2025, 1:23pm

I just glanced through your config very briefly and might be totally off or missing something here, so take this as a guess but it looks like both delegated IPv6 prefixes are being advertised on all VLANs.

You’re assigning one prefix to vlan10-lan and another to vlan20-iot, but the default /ipv6 nd config is still active on vlan10-lan and might be causing both prefixes to leak into both VLANs.

Try adding a dedicated /ipv6 nd config for vlan10-lan, like you did for vlan20-iot. Then disable the default nd instance (the one with default=yes). After that, check which prefixes are being advertised using “/ipv6 nd prefix print”.

edouardkleinhans · March 31, 2025, 2:10pm

Just do it:

# 2025-03-31 16:06:44 by RouterOS 7.18.2
# software id = VL6J-0M77
#
# model = RB4011iGS+
# serial number = B8F30BFFDC65
/ipv6 address
add address=2a01:XXX:XX:b6b1::254 interface=vlan10-lan
add address=2a01:XXX:XX:b6b2::254 interface=vlan20-iot
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=drop chain=input comment="crowdsec input drop rules" in-interface=ether1 src-address-list=crowdsec
add action=drop chain=forward comment="crowdsec forward drop rules" in-interface=ether1 src-address-list=crowdsec
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes hop-limit=64 managed-address-configuration=yes ra-interval=20s-1m
add advertise-dns=no hop-limit=64 interface=vlan10-lan ra-interval=20s-1m
add advertise-dns=no hop-limit=64 interface=vlan20-iot ra-interval=20s-1m
/ipv6 nd prefix default
set preferred-lifetime=30m valid-lifetime=12h
/ipv6 route
add disabled=no distance=1 dst-address=::/0 gateway=fe80::3a07:16ff:fe0b:d9d%ether1 routing-table=main scope=30 target-scope=10
/ipv6 settings
set accept-router-advertisements=no

And prefix :

/ipv6/nd/prefix/print 
Flags: X - disabled, I - invalid; D - dynamic 
 0  D prefix=2a01:XXX:XX:b6b1::/64 6to4-interface=none interface=vlan10-lan on-link=yes autonomous=yes valid-lifetime=12h preferred-lifetime=30m 

 1  D prefix=2a01:XXX:XX:b6b2::/64 6to4-interface=none interface=vlan20-iot on-link=yes autonomous=yes valid-lifetime=12h preferred-lifetime=30m

CGGXANNX · March 31, 2025, 5:19pm

Can you try to disable IGMP Snooping? First, when you have multiple tagged VLANs, special handling with the multicast querier is needed if IGMP Snooping is to be enabled https://help.mikrotik.com/docs/spaces/ROS/pages/59277403/Bridge+IGMP+MLD+snooping#BridgeIGMP/MLDsnooping-IGMPsnoopingconfigurationwithVLANs. And second, at least on my RB5009, IGMP Snooping always caused trouble with IPv6 + multiple VLANs (however in my case it’s the opposite of your problem, enabling IGMP Snooping causes devices to fail to get prefixes after a while).

Furthermore, currently frame-types is incorrectly set on some of your ports. For instance, both ether2 and qnap have frame-types=admit-only-untagged-and-priority-tagged, while still being part of the tagged list of multiple VLAN IDs.

edouardkleinhans · March 31, 2025, 5:48pm

Thanks for the feedback, I’ve changed my VLAN configuration and forget to remove interfaces on bridge.

I will wait, but I think disabling default ND and explicitly create a nd for each vlan do the trick

eltikpad · March 31, 2025, 6:30pm

Just a note- When I recently changed the ND and VLANs on my router I had to reboot it before all the correct settings were in place.

edouardkleinhans · April 2, 2025, 12:25pm

Try reboot, but nothing change. don’t know why.
Maybe I miss inter-vlan communication

eltikpad · April 2, 2025, 3:31pm

DId you turn off igmp snooping? Maybe its time to post your current config.

Otherwise I wonder if there is an issue with your vlan configuration. Im not an expert on debugging this but looking at the output of

/interface/bridge/vlan print

may show an error.

Is your current issue that clients on the IPv6 interfaces get 2 addresses?

Guess it would be nice to see the output of

/ipv6/nd print
/ipv6/address print
/ipv6 neighbor print

edouardkleinhans · April 3, 2025, 12:01pm

So, even with igmp proxy disabled, it fail.
I’m still receiving 2 ip on my laptop

# 2025-04-03 12:50:13 by RouterOS 7.18.2
# software id = VL6J-0M77
#
# model = RB4011iGS+
# serial number = B8F30BFFDC65
/interface bridge
add admin-mac=C4:AD:34:73:D7:A1 auto-mac=no comment=bridge-lan frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Freebox
set [ find default-name=ether2 ] comment=tac
set [ find default-name=ether3 ] comment=Mgmt
set [ find default-name=ether4 ] comment="Local Interface 192.168.4.1/24"
set [ find default-name=ether5 ] comment=Trunk
set [ find default-name=ether6 ] comment="Trunk (qnap) 1/2"
set [ find default-name=ether7 ] comment="Trunk (qnap) 2/2"
set [ find default-name=ether8 ] comment=Lan
set [ find default-name=ether9 ] comment="Trunk (hp2915) 1/2"
set [ find default-name=ether10 ] comment="Trunk (hp2915) 2/2"
/interface wireguard
add listen-port=13231 mtu=1420 name=wg0
/interface vlan
add interface=sfp-sfpplus1 name=vlan-internet vlan-id=666
add interface=bridge name=vlan10-lan vlan-id=10
add interface=bridge name=vlan20-iot vlan-id=20
add interface=bridge name=vlan30-cctv vlan-id=30
add interface=bridge name=vlan40-srv vlan-id=40
add interface=bridge name=vlan50-guest vlan-id=50
add interface=bridge name=vlan99-mgmt vlan-id=99
/interface bonding
add comment=hp2915 mode=802.3ad name=hp2915 slaves=ether9,ether10 transmit-hash-policy=layer-3-and-4
add comment=qnap mode=802.3ad name=qnap slaves=ether6,ether7 transmit-hash-policy=layer-3-and-4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=MGMT
/ip hotspot profile
set [ find default=yes ] rate-limit=5m use-radius=yes
/ip pool
add name=dhcp-mgmt ranges=192.168.99.10-192.168.99.254
add name=dhcp-lan ranges=192.168.10.50-192.168.10.99
add name=dhcp-iot ranges=192.168.20.50-192.168.20.99
add name=dhcp-guest ranges=192.168.50.50-192.168.50.99
add name=dhcp-cctv ranges=192.168.30.50-192.168.30.99
add name=dhcp-srv ranges=192.168.40.50-192.168.40.99
/ip dhcp-server
add address-pool=dhcp-lan interface=vlan10-lan lease-script=lease-script lease-time=1d name=dhcp-lan
add address-pool=dhcp-iot interface=vlan20-iot lease-script=lease-script lease-time=1d name=dhcp-iot
add address-pool=dhcp-guest interface=vlan50-guest lease-script=lease-script lease-time=1d name=dhcp-guest
add address-pool=dhcp-mgmt interface=vlan99-mgmt lease-script=lease-script lease-time=1d name=dhcp-mgmt
add address-pool=dhcp-cctv interface=vlan30-cctv lease-script=lease-script lease-time=1d name=dhcp-cctv
add address-pool=dhcp-srv interface=vlan40-srv lease-script=lease-script lease-time=1d name=dhcp-srv
/ip hotspot
add address-pool=dhcp-guest interface=vlan50-guest name=server1
/ip hotspot user profile
set [ find default=yes ] address-pool=dhcp-guest
/ipv6 pool
add name=pool-lan prefix=2a01:e0a:c6:b6b1::/64 prefix-length=64
add name=pool-iot prefix=2a01:e0a:c6:b6b2::/64 prefix-length=64
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
add name=logserver remote=192.168.40.50 remote-log-format=syslog remote-port=10514 syslog-facility=local6 syslog-severity=emergency target=remote
/user group
add name=no_access
add name=home_assistant policy=reboot,read,write,policy,test,api,!local,!telnet,!ssh,!ftp,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api
/user-manager user
add attributes=Mikrotik-Group:write name=ekleinhans
add attributes=Mikrotik-Group:read name=oxidized
add attributes=Mikrotik-Group:default name=hs_user1
add attributes=Mikrotik-Group:write name=crowdsec
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=99
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether5 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
add bridge=bridge comment="qnap" frame-types=admit-only-untagged-and-priority-tagged interface=qnap pvid=10
add bridge=bridge comment="hp2915 trunk" frame-types=admit-only-vlan-tagged interface=hp2915 pvid=100
add bridge=bridge comment=sfp frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1 pvid=100
/ip neighbor discovery-settings
# ipv6 neighbor configuration has changed, please restart the device in order to apply the new settings
set discover-interface-list=MGMT
/ipv6 settings
# ipv6 neighbor configuration has changed, please restart the device in order to apply the new settings
set accept-router-advertisements=yes
/interface bridge vlan
add bridge=bridge comment=main-vlan tagged=bridge,ether5,hp2915 untagged=ether2,ether8,qnap vlan-ids=10
add bridge=bridge comment=mgmt-vlan tagged=bridge,ether5,hp2915,sfp-sfpplus1 untagged=ether3 vlan-ids=99
add bridge=bridge comment=guest-vlan tagged=bridge,ether5,hp2915 vlan-ids=50
add bridge=bridge comment=iot-vlan tagged=bridge,ether5,hp2915 vlan-ids=20
add bridge=bridge comment=cctv-vlan tagged=bridge,hp2915 vlan-ids=30
add bridge=bridge comment=srv-vlan tagged=bridge,hp2915 vlan-ids=40
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether4 list=LAN
add interface=vlan10-lan list=LAN
add interface=vlan10-lan list=VLAN
add interface=vlan20-iot list=VLAN
add interface=vlan50-guest list=VLAN
add interface=vlan99-mgmt list=MGMT
add interface=vlan10-lan list=MGMT
add interface=vlan99-mgmt list=VLAN
add interface=wg0 list=VLAN
add interface=vlan30-cctv list=VLAN
add interface=vlan40-srv list=VLAN
add interface=vlan-internet list=WAN
/interface ovpn-server server
add mac-address=FE:E0:63:89:A1:09 name=ovpn-server1
/interface wireguard peers
add allowed-address=10.10.10.0/30,192.168.88.0/24 interface=wg0 name=tic-et-tac-fw public-key="XXXXXXXXX"
/ip address
add address=192.168.4.1/24 interface=ether4 network=192.168.4.0
add address=192.168.10.254/24 comment=vlan10-lan interface=vlan10-lan network=192.168.10.0
add address=192.168.20.254/24 comment=vlan20-iot interface=vlan20-iot network=192.168.20.0
add address=192.168.50.254/24 comment=vlan50-guest interface=vlan50-guest network=192.168.50.0
add address=192.168.99.254/24 comment=vlan99-mgmt interface=vlan99-mgmt network=192.168.99.0
add address=10.10.10.1/30 interface=wg0 network=10.10.10.0
add address=192.168.30.254/24 comment=vlan30-cctv interface=vlan30-cctv network=192.168.30.0
add address=192.168.40.254/24 comment=vlan40-srv interface=vlan40-srv network=192.168.40.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no use-peer-ntp=no
add disabled=yes interface=vlan-internet use-peer-dns=no
/ip dhcp-server lease
add address=192.168.10.201 comment=ns2 mac-address=BC:24:11:B3:2A:73 server=dhcp-lan
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.254 gateway=10.0.10.254 netmask=24
add address=192.168.10.0/24 dns-server=192.168.10.200,192.168.10.201 domain=mk.lan gateway=192.168.10.254 netmask=24
add address=192.168.20.0/24 dns-server=192.168.10.200,192.168.10.201 domain=iot.mk.lan gateway=192.168.20.254 netmask=24
add address=192.168.30.0/24 dns-server=192.168.10.200,192.168.10.201 domain=cctv.mk.lan gateway=192.168.30.254 netmask=24
add address=192.168.40.0/24 dns-server=192.168.10.200,192.168.10.201 domain=srv.mk.lan gateway=192.168.40.254 netmask=24
add address=192.168.50.0/24 dns-server=8.8.8.8,9.9.9.9 domain=guest.mk.lan gateway=192.168.50.254 netmask=24
add address=192.168.99.0/24 dns-server=192.168.99.254 domain=mgmt.mk.lan gateway=192.168.99.254 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=81920KiB doh-max-concurrent-queries=100 doh-max-server-connections=10 doh-timeout=6s mdns-repeat-ifaces=vlan10-lan,vlan20-iot servers=9.9.9.9,149.112.112.112
/ip dns adlist
add ssl-verify=no url=https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/hosts/light.txt
/ip dns static
add address=192.168.10.1 comment="redirect for local plex" regexp=*.plex.direct type=A
/ip firewall address-list
add address=192.168.20.74 list=SonosDevices
add address=192.168.20.75 list=SonosDevices
add address=192.168.99.10 comment="Proxmox servers" list=pve
add address=192.168.10.200 list=dns
add address=192.168.10.201 list=dns
add address=192.168.40.50 list=dns
/ip firewall filter
add action=drop chain=input comment="crowdsec input drop rules" in-interface=ether1 src-address-list=crowdsec
add action=drop chain=forward comment="crowdsec forward drop rules" in-interface=ether1 src-address-list=crowdsec
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="allow wireguard" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow main-vlan/MGMT access to all router services" in-interface-list=MGMT
add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN ICMP Ping" in-interface-list=VLAN protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow srv01-srv to mikrotik" in-interface=vlan40-srv src-address=192.168.40.50
add action=accept chain=input comment="Allow Radius from wg" dst-port=1812-1813 in-interface=wg0 protocol=udp
add action=drop chain=input comment="Drop all other traffic" log-prefix=FW
add action=drop chain=forward comment="Block Internet access" log=yes out-interface=ether1 src-address-list=no-internet
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="VLAN Internet Access Only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="VLAN Allow LAN to MGMT" connection-state=new in-interface=vlan10-lan out-interface=vlan99-mgmt
add action=accept chain=forward comment="VLAN Allow LAN to IOT" connection-state=new in-interface=vlan10-lan out-interface=vlan20-iot
add action=accept chain=forward comment="VLAN Allow LAN to Guest" connection-state=new in-interface=vlan10-lan out-interface=vlan50-guest
add action=accept chain=forward comment="VLAN Allow LAN to SRV" connection-state=new in-interface=vlan10-lan out-interface=vlan40-srv
add action=accept chain=forward comment="VLAN Allow LAN to CCTV" connection-state=new in-interface=vlan10-lan out-interface=vlan30-cctv
add action=accept chain=forward comment="Allow Syslog to vector (openobserver)" dst-address=192.168.40.50 dst-port=10514 in-interface=vlan99-mgmt out-interface=vlan40-srv protocol=udp
add action=accept chain=forward comment="Allow Proxmox Datacenter Manager to Proxmox servers" dst-address-list=pve in-interface=vlan40-srv out-interface=vlan99-mgmt src-address=192.168.40.51
add action=accept chain=forward comment="Allow Komo.do agent" dst-port=8120 in-interface=vlan40-srv out-interface-list=VLAN protocol=tcp src-address=192.168.40.50
add action=accept chain=forward comment="Allow srv01-cctv to NAS" dst-address=192.168.10.1 dst-port=445 in-interface=vlan30-cctv out-interface=vlan10-lan protocol=tcp src-address=192.168.30.50
add action=accept chain=forward comment="Allow srv01-cctv to HA" dst-address=192.168.10.100 dst-port=1883 in-interface=vlan30-cctv out-interface=vlan10-lan protocol=tcp src-address=192.168.30.50
add action=accept chain=forward comment="Allow Espresence to ha (mqtt)" dst-address=192.168.10.100 dst-port=1883 in-interface=vlan20-iot out-interface=vlan10-lan protocol=tcp src-address=192.168.20.80
add action=accept chain=forward comment="Allow pve to srv01-srv" dst-address=192.168.40.50 dst-port=80,443 in-interface=vlan99-mgmt out-interface=vlan40-srv protocol=tcp src-address-list=pve
add action=accept chain=forward comment="Allow srv01-srv to pve" dst-address-list=pve dst-port=8006 in-interface=vlan40-srv out-interface=vlan99-mgmt protocol=tcp src-address=192.168.40.50
add action=accept chain=forward comment="Allow srv02-srv to nas" dst-address=192.168.10.1 dst-port=445 in-interface=vlan40-srv out-interface=vlan10-lan protocol=tcp src-address=192.168.40.53
add action=accept chain=forward comment="Allow from pve to nas" dst-address=192.168.10.1 dst-port=445 in-interface=vlan40-srv out-interface=vlan10-lan protocol=tcp src-address-list=pve
add action=accept chain=forward comment="Allow from pbs-srv to nas" dst-address=192.168.10.1 dst-port=445 in-interface=vlan40-srv out-interface=vlan10-lan protocol=tcp src-address=192.168.40.52
add action=accept chain=forward comment="Allow pve to pbs" dst-address=192.168.40.52 dst-port=8007 in-interface=vlan99-mgmt out-interface=vlan40-srv protocol=tcp src-address-list=pve
add action=accept chain=forward comment="PBX to HA" dst-address=192.168.10.100 in-interface=vlan40-srv out-interface=vlan10-lan src-address=192.168.40.56
add action=accept chain=forward comment="Allow Ecowitt to HA" dst-address=192.168.10.100 dst-port=80 in-interface=vlan20-iot out-interface=vlan10-lan protocol=tcp src-address=192.168.20.67
add action=accept chain=forward comment="Allow Vlan-iot to HA" dst-address=192.168.10.100 dst-port=80 in-interface=vlan20-iot out-interface=vlan10-lan protocol=tcp
add action=accept chain=forward comment="Allow srv01-srv to all vlan" in-interface=vlan40-srv out-interface-list=VLAN src-address=192.168.40.50
add action=accept chain=forward comment="Allow srv03-srv to all vlan" in-interface=vlan40-srv out-interface-list=VLAN src-address=192.168.40.54
add action=accept chain=forward comment="Allow Zabbix to srv01-srv" dst-address=192.168.40.50 dst-port=10051 in-interface-list=VLAN out-interface=vlan99-mgmt protocol=tcp
add action=accept chain=forward comment="Allow Sonos to HA" dst-address=192.168.10.100 dst-port=1400 in-interface=vlan20-iot out-interface=vlan10-lan protocol=tcp src-address-list=SonosDevices
add action=accept chain=forward comment="Allow srv02-srv to plex" dst-address=192.168.10.1 dst-port=32400 in-interface=vlan40-srv out-interface=vlan10-lan protocol=tcp src-address=192.168.40.53
add action=accept chain=forward comment="Allow VLANS to DNS udp" dst-address-list=dns dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=forward comment="Allow VLANS to DNS TCP" dst-address-list=dns dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT - enable if need server" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all other traffic"
add action=accept chain=forward comment=------------------------------------------------------------------------------------------ disabled=yes
add action=accept chain=forward comment=------------------------------------------------------------------------------------------ disabled=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=redirect chain=dstnat comment=internetprotection disabled=yes dst-port=53 protocol=udp to-ports=53
add action=redirect chain=dstnat comment=internetprotection disabled=yes dst-port=53 protocol=tcp to-ports=53
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade Allow V-IOT (needed for HA - xiaomi_miio)" ipsec-policy=out,none out-interface=vlan20-iot
add action=dst-nat chain=dstnat comment="Allow Plex" dst-port=32400 in-interface=ether1 protocol=tcp to-addresses=192.168.10.1 to-ports=32400
add action=dst-nat chain=dstnat comment="Allow Urbackup" dst-port=55415 in-interface=ether1 protocol=tcp to-addresses=192.168.10.1 to-ports=55415
add action=dst-nat chain=dstnat comment="Allow saltmaster" disabled=yes dst-port=4505 in-interface=ether1 protocol=tcp to-addresses=192.168.10.118 to-ports=4505
add action=dst-nat chain=dstnat comment="Allow saltmaster" disabled=yes dst-port=4506 in-interface=ether1 protocol=tcp to-addresses=192.168.10.118 to-ports=4506
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control
add fri=0s-1d mon=0s-1d name=Monitor sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d wed=0s-1d
/ipv6 route
add disabled=no distance=1 dst-address=::/0 gateway=fe80::3a07:16ff:fe0b:d9d%ether1 routing-table=main scope=30 target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/16
set ssh address=192.168.0.0/16
set www-ssl certificate=webfig
set api address=192.168.0.0/16
set winbox address=192.168.0.0/16
set api-ssl disabled=yes
/ip traffic-flow
set enabled=yes interfaces=ether1,bridge
/ip traffic-flow target
add dst-address=162.159.65.1 version=5
add dst-address=192.168.40.50 version=ipfix
/ipv6 address
add address=::254 from-pool=pool-lan interface=vlan10-lan
add address=::254 from-pool=pool-iot interface=vlan20-iot
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=drop chain=input comment="crowdsec input drop rules" in-interface=ether1 src-address-list=crowdsec
add action=drop chain=forward comment="crowdsec forward drop rules" in-interface=ether1 src-address-list=crowdsec
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from VLAN" in-interface-list=!VLAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from VLAN" in-interface-list=!VLAN
add action=accept chain=forward comment="Allow internet access from VLAN" disabled=yes in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="Drop everything not explicitly allowed" disabled=yes log=yes log-prefix=blocked-not-whitelisted
/ipv6 nd
set [ find default=yes ] disabled=yes
add advertise-dns=no interface=vlan10-lan
add advertise-dns=no disabled=yes interface=vlan20-iot
/ipv6 nd prefix default
set preferred-lifetime=30m valid-lifetime=1h
/routing igmp-proxy interface
add disabled=yes interface=vlan10-lan upstream=yes
add disabled=yes interface=vlan20-iot
/snmp
set contact="Edouard Kleinhans" enabled=yes location=Garage
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=cas-fw
/system logging
add action=logserver topics=critical
add action=logserver topics=error
add action=logserver topics=info
add action=logserver topics=warning
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes
/system ntp client servers
add address=time.cloudflare.com
/system routerboard settings
set auto-upgrade=yes
/tool graphing interface
add interface=ether1 store-on-disk=no
add interface=vlan10-lan store-on-disk=no
add interface=vlan20-iot store-on-disk=no
add interface=vlan50-guest store-on-disk=no
add interface=vlan99-mgmt store-on-disk=no
/tool graphing resource
add store-on-disk=no
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

[admin@cas-fw] > /interface/bridge/vlan print
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
# BRIDGE  VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
;;; main-vlan
0 bridge        10  bridge          ether2          
                    hp2915          ether8          
                                    qnap            
;;; mgmt-vlan
1 bridge        99  bridge                          
                    hp2915                          
;;; guest-vlan
2 bridge        50  bridge                          
                    hp2915                          
;;; iot-vlan
3 bridge        20  bridge                          
                    hp2915                          
;;; cctv-vlan
4 bridge        30  bridge                          
                    hp2915                          
;;; srv-vlan
5 bridge        40  bridge                          
                    hp2915

[admin@cas-fw] > /ipv6/nd print
Flags: X - disabled, I - invalid; * - default 
 0 X* interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified ra-lifetime=30m ra-preference=medium hop-limit=unspecified advertise-mac-address=yes advertise-dns=yes 
      managed-address-configuration=no other-configuration=no 

 1    interface=vlan10-lan ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified ra-lifetime=30m ra-preference=medium hop-limit=unspecified advertise-mac-address=yes 
      advertise-dns=no managed-address-configuration=no other-configuration=no 

 2    interface=vlan20-iot ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified ra-lifetime=30m ra-preference=medium hop-limit=unspecified advertise-mac-address=yes 
      advertise-dns=no managed-address-configuration=no other-configuration=no

[admin@cas-fw] > /ipv6/address print
Flags: D - DYNAMIC; G - GLOBAL, L - LINK-LOCAL
Columns: ADDRESS, FROM-POOL, INTERFACE, ADVERTISE, VALID
 #    ADDRESS                                  FROM-POOL  INTERFACE     ADVERTISE  VALID 
 0  G 2a01:e0a:c6:b6b1::254/64                 pool-lan   vlan10-lan    yes              
 1  G 2a01:e0a:c6:b6b2::254/64                 pool-iot   vlan20-iot    yes              
 2 DL fe80::7960:8831:716e:143d/64                        wg0           no               
 3 D  ::1/128                                             lo            no               
 4 DL fe80::c6ad:34ff:fe73:d7a1/64                        vlan10-lan    no               
 5 DL fe80::c6ad:34ff:fe73:d7a1/64                        bridge        no               
 6 DL fe80::c6ad:34ff:fe73:d7a1/64                        vlan50-guest  no               
 7 DL fe80::c6ad:34ff:fe73:d7a1/64                        vlan20-iot    no               
 8 DL fe80::c6ad:34ff:fe73:d7a1/64                        vlan99-mgmt   no               
 9 DL fe80::c6ad:34ff:fe73:d7a1/64                        vlan30-cctv   no               
10 DL fe80::c6ad:34ff:fe73:d7a1/64                        vlan40-srv    no               
11 DL fe80::c6ad:34ff:fe73:d7a2/64                        ether1        no               
12 DG 2a01:e0a:c6:b6b0:XXXX:XXX:XXXX:XXXX/64             ether1        no         23h29s

eltikpad · April 3, 2025, 2:37pm

Can you show us an “ifconfig” “netstat -rn” or equivalent from your laptop? What is the operating system? Im not sure how to keep that anonymous but you could blank out the MAC addresses and parts of the IPv6 address. Im mostly interested in which IPv6 networks are there and the default routers youre picking up.

edouardkleinhans · April 3, 2025, 2:51pm

> ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 xdpgeneric/id:124 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether e8:80:88:3f:1f:fc brd ff:ff:ff:ff:ff:ff
3: wlp0s20f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f6:95:79:87:a3:cd brd ff:ff:ff:ff:ff:ff permaddr 30:89:4a:e0:21:5d
    inet 192.168.10.63/24 brd 192.168.10.255 scope global dynamic noprefixroute wlp0s20f3
       valid_lft 72429sec preferred_lft 72429sec
    inet6 2a01:e0a:c6:b6b1:XXXX:XXXX:XXXX:5729/64 scope global deprecated dynamic noprefixroute 
       valid_lft 1536sec preferred_lft 0sec
    inet6 2a01:e0a:c6:b6b2:XXXX:XXXX:XXXX:125b/64 scope global dynamic noprefixroute 
       valid_lft 3598sec preferred_lft 1798sec
    inet6 fe80::294c:1452:70bd:9fa0/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

eltikpad · April 3, 2025, 3:23pm

So this is what you are interested in

wlp0s20f3:
inet6 2a01:e0a:c6:b6b1:XXXX:XXXX:XXXX:5729/64 scope global deprecated dynamic noprefixroute
valid_lft 1536sec preferred_lft 0sec
inet6 2a01:e0a:c6:b6b2:XXXX:XXXX:XXXX:125b/64 scope global dynamic noprefixroute
valid_lft 3598sec preferred_lft 1798sec

Im assuming this should be on VLAN10. It does have a valid address there. The other b6b2 is deprecated and will not originate traffic but will still accept it. It shouldn’t affect anything.

Is IPv6 working on the laptop? Can you ping and browse and everything? These addresses should work just fine (if routing is set up correctly). It is interesting that I dont see it in the neighbors list.

Off topic- I dig how you use “254” for the router interface address, just like in the old IPv4 days

edouardkleinhans · April 3, 2025, 4:34pm

When activate nd on vlan20-iot, my laptop (which is on vlan10-lan) obtains 2 ipv6 and start to have performance issue.

vlan10-lan should obtain an ipv6 in : 2a01:e0a:c6:b6b1:XXXX
vlan20-iot should obtain an ipv6 in : 2a01:e0a:c6:b6b2:XXXX

I’m just starting ipv6 implementation on multiple vlan.

my ipv6 setup is based on this tuto: https://squeaky.tech/2022/03/07/fr-notes-freebox-bridge-ipv6-et-mikrotik/

CGGXANNX · April 3, 2025, 5:05pm

Is the laptop directly connected to the RB4011? (on ether2 or ether8?) Or is this plugged to the Aruba 2915 switch?

edouardkleinhans · April 7, 2025, 7:05am

Hello,

I found my problem, and it wasn’t where I thought it was.

My Mikrotik configuration is good and functional. (It can probably be improved, changing the ::254, but it’s not a blocking point.)

My issue came from my Grandstream WiFi access points (GWN7660).

To segment my network, I use VLANs, and for the WiFi side, I came across the concept of PPSK (Private Pre-Shared Key) a few months ago.

In IPv4, it works well and I’ve never had any issues. However, and I think this is a bug that I’ll report to the manufacturer, in IPv6, I find myself having IP leaks between VLANs.

I switched back to 1 VLAN = 1 WiFi network, and now, no more issues.

Thank all very much for your help.