IPv6 on RB4011 via AT&T Fiber

archerious · March 14, 2020, 10:50pm

I am pretty new to ipv6, I think I did it wrong.

Basically I made a dhcp-client on my ether1, it pulls /64 prefix and address (pool prefix length 64) and creates general-pool6. If I tried pulling 60 it wouldn’t work, but oddly it assigned me a 2600:1700 address on a /60.

Then I added VLAN20, VLAN50, and VLAN100 to ipv6 address list using ::64 it pulled basically 2600:1700 blah blah :1871,1870,and1872 endings all on a /64. 2001:506 ipv6 was assigned via DHCP to my ether1. I don’t seem to have a 2600:1700 for ether1, but I assume that’s fine? There is also a link local fe80: for ether1 and all VLAN interfaces, but ether1 is fe80:a67a:blahblah while the others are fe80:c6ad:blahblah.

IPv6 shows working, but I feel like I did this wrong. Also I am not using peer DNS since I hate AT&T DNS.

mkx · March 15, 2020, 10:24am

I suggest you to post full IPv6 config. Get output of the following commands (obfuscate public IP addresses, but hide most significant octets, not the least significant ones as they show relevant information):

/ipv6 export
/ipv6 dhcp-client print detail
/ipv6 pool print detail
/ipv6 address print detail

archerious · March 16, 2020, 9:29am

I suggest you to post full IPv6 config. Get output of the following commands (obfuscate public IP addresses, but hide most significant octets, not the least significant ones as they show relevant information):
/ipv6 export
/ipv6 dhcp-client print detail
/ipv6 pool print detail
/ipv6 address print detail

Thank you, here is the info requested:

/ipv6 export

MikroTik-RB4011] > /ipv6 export
# mar/16/2020 04:24:29 by RouterOS 6.46.4
# software id = 86CU-YT4V
#
# model = RB4011iGS+
# serial number = XXXXXXXXXXXXXXXX
/ipv6 dhcp-server
add address-pool=general-pool6 interface=VLAN50 name="VLAN50 DHCP"
add address-pool=general-pool6 interface=VLAN100 name="vlan100 ipv6"
add address-pool=general-pool6 interface=VLAN20 name=vlan20
/ipv6 address
add from-pool=general-pool6 interface=VLAN100
add from-pool=general-pool6 interface=VLAN50
add from-pool=general-pool6 interface=VLAN20
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=general-pool6 request=\
    address,prefix use-peer-dns=no
/ipv6 firewall filter
add action=drop chain=forward in-interface=VLAN70 in-interface-list=WAN
add action=drop chain=input comment="Drop (invalid)" connection-state=invalid
add action=accept chain=input comment="Accept (established, related)" \
    connection-state=established,related
add action=accept chain=input comment="Accept DHCP (10/sec)" in-interface=\
    ether1 limit=10,20:packet protocol=udp src-port=547
add action=drop chain=input comment="Drop DHCP (>10/sec)" in-interface=ether1 \
    protocol=udp src-port=547
add action=accept chain=input comment="Accept external ICMP (10/sec)" \
    in-interface=ether1 limit=10,20:packet protocol=icmpv6
add action=drop chain=input comment="Drop external ICMP (>10/sec)" \
    in-interface=ether1 protocol=icmpv6
add action=accept chain=input comment="Accept internal ICMP" in-interface=\
    !ether1 protocol=icmpv6
add action=drop chain=input comment="Drop external" in-interface=ether1
add action=reject chain=input comment="Reject everything else"
add action=accept chain=output comment="Accept all"
add action=drop chain=forward comment="Drop (invalid)" connection-state=invalid
add action=accept chain=forward comment="Accept (established, related)" \
    connection-state=established,related
add action=accept chain=forward comment="Accept external ICMP (20/sec)" \
    in-interface=ether1 limit=20,50:packet protocol=icmpv6
add action=drop chain=forward comment="Drop external ICMP (>20/sec)" \
    in-interface=ether1 protocol=icmpv6
add action=accept chain=forward comment="Accept internal" in-interface=!ether1
add action=accept chain=forward comment="Accept outgoing" out-interface=ether1
add action=drop chain=forward comment="Drop external" in-interface=ether1
add action=reject chain=forward comment="Reject everything else"
/ipv6 nd
set [ find default=yes ] disabled=yes
add interface=VLAN100 ra-interval=20s-1m
add interface=VLAN50 ra-interval=20s-1m
add interface=VLAN20 ra-interval=20s-1m

/ipv6 dhcp-client print detail

MikroTik-RB4011] > /ipv6 dhcp-client print detail
Flags: D - dynamic, X - disabled, I - invalid 
 0    interface=ether1 status=bound duid="0x000xxxxxxxxxxxx" 
      dhcp-server-v6=fe80::2d0:xxxx:xxxx:xxxxrequest=address,prefix 
      add-default-route=yes default-route-distance=1 use-peer-dns=no 
      pool-name="general-pool6" pool-prefix-length=64 prefix-hint=::/0 
      dhcp-options="" prefix=2600:1700:xxxx:xxxx::/60, 51m2s 
      address=2001:506:xxxx:xxxx::1, 51m2s

/ipv6 pool print detail

MikroTik-RB4011] > /ipv6 pool print detail
Flags: D - dynamic 
 0 D name="general-pool6" prefix=2600:1700:xxxx:xxxx::/60 prefix-length=64 
     expires-after=49m22s

/ipv6 address print detail

MikroTik-RB4011] > /ipv6 address print detail
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
 0 DL address=fe80::a67a:xxxx:xxxx:xxx/64 from-pool="" interface=ether1 
      actual-interface=ether1 eui-64=no advertise=no no-dad=no 

 1 DL address=fe80::c6ad:xxxx:xxxx:xxxx/64 from-pool="" interface=sfp-sfpplus1 
      actual-interface=sfp-sfpplus1 eui-64=no advertise=no no-dad=no 

 2 DL address=fe80::c6ad:xxxx:xxxx:xxxx/64 from-pool="" interface=VLAN20 
      actual-interface=VLAN20 eui-64=no advertise=no no-dad=no 

 3 DL address=fe80::c6ad:xxx:xxxx:xxxx/64 from-pool="" interface=VLAN100 
      actual-interface=VLAN100 eui-64=no advertise=no no-dad=no 

 4 DL address=fe80::c6ad:xxxx:xxxx:xxxx/64 from-pool="" interface=VLAN50 
      actual-interface=VLAN50 eui-64=no advertise=no no-dad=no 

 5  G address=2600:1700:xxxx:xxxx::/64 from-pool=general-pool6 interface=VLAN100 
      actual-interface=VLAN100 eui-64=no advertise=yes no-dad=no 

 6  G address=2600:1700:xxxx:xxxx::/64 from-pool=general-pool6 interface=VLAN50 
      actual-interface=VLAN50 eui-64=no advertise=yes no-dad=no 

 7  G address=2600:1700:xxxx:xxxx::/64 from-pool=general-pool6 interface=VLAN20 
      actual-interface=VLAN20 eui-64=no advertise=yes no-dad=no 

 8 DG address=2001:506:xxxx:xxxx::1/64 from-pool="" interface=ether1 
      actual-interface=ether1 eui-64=no advertise=no no-dad=no

I censored with X’s on anything sensitive.

archerious · March 19, 2020, 12:15am

If any other info is needed please let me know.

mkx · March 19, 2020, 7:13pm

Sorry I overlooked you posted lots of information.

Disclaimer: I’m by no means an expert for IPv6 in ROS, so my analysis likely missed something.

Anyways, I don’t see anything much wrong in your setup. The only thing I’m doing differently (and I have a few VLANs with IPv6 addresses from pool which are not the same) is the way of assigning addresses … here’s my config:

add address=::b869:f4ff:fe20:a549 eui-64=yes from-pool=general-pool6 interface=VLAN50

Note the double-colon at the beginning of address, it actually instructs ROS to take one of /64 prefixes from pool and append the rest of cofigured address and then assign tgat address to the interface. And the address I used is the LSB part of link-local address on the same interface. You can use anything else, e.g. “address=::1” …

In my case, ISP is giving out /56 prefixes and I have 3 VLANs. And similar construct assigns addresses from different prefixes to each of interfaces.

The other difference between your and my setup is that I don’t try to run DHCPv6 server … it’s very incomplete in ROS. Instead I rely on Router Advertisements to make their magic (and they do for all different devices I have: Windows and Linux PCs, Android phones). But this difference should not cause the weirdness about same IPv6 address being assigned to multiple interfaces.