IPv6 prefixes leaking between vlans?

I have AT&T fiber and two VLANs. AT&T will only issue a /64 but they will give as many /64s as you ask for. So, I’ve been using a couple vrrp interfaces to do that. It works fine. But I’ve noticed that devices get IPv6 addresses on both prefixes. Here’s the partial result of ipconfig:

Wireless LAN adapter Wi-Fi:

   IPv6 Address. . . . . . . . . . . : 2600:1700:7c50:379e:
   IPv6 Address. . . . . . . . . . . : 2600:1700:7c50:379f:

Router configuration is (running ROS 7.12):

/interface vrrp
add comment="ipv6 for LAN" interface=ether8 name=vrrp1 v3-protocol=ipv6
add comment="ipv6 for guest" interface=ether8 name=vrrp2 v3-protocol=ipv6 \
    vrid=2
/ipv6 dhcp-server
add address-pool=lan-ipv6 interface=vlan-lan lease-time=12h name=\
    lan-ipv6-pool
add address-pool=guest-ipv6 interface=vlan-guest lease-time=12h name=\
    guest-ipv6-pool
/ipv6 address
add address=fcdc::100 advertise=no interface=wireguard1
add address=::1 from-pool=lan-ipv6 interface=vlan-lan
add address=::1 from-pool=guest-ipv6 interface=vlan-guest
/ipv6 dhcp-client
add add-default-route=yes interface=vrrp1 pool-name=lan-ipv6 request=prefix \
    use-interface-duid=yes use-peer-dns=no
add add-default-route=yes interface=vrrp2 pool-name=guest-ipv6 request=prefix \
    use-interface-duid=yes use-peer-dns=no
/ipv6 nd
set [ find default=yes ] advertise-dns=no interface=vlan-lan
add advertise-dns=no interface=vlan-guest
/ipv6 settings
set accept-router-advertisements=yes

Can someone help me figure out why this is happening?

Update: I seem to have resolved it, but I don’t understand why. All I did was add address to the items requested:

/ipv6 dhcp-client
add add-default-route=yes interface=vrrp1 pool-name=lan-ipv6 request=address,prefix \
    use-interface-duid=yes use-peer-dns=no
add add-default-route=yes interface=vrrp2 pool-name=guest-ipv6 request=address,prefix \
    use-interface-duid=yes use-peer-dns=no

Does anyone know why this changed things?

I wonder what underlying ICMPv6 packets looked like when RouterOS advertised itself to each vlan.
Perhaps it’s reasonable to file a bug request at help.mikrotik.com?


By the way, what is the goal of


/ipv6 dhcp-server
add address-pool=lan-ipv6 interface=vlan-lan lease-time=12h name=\
    lan-ipv6-pool
add address-pool=guest-ipv6 interface=vlan-guest lease-time=12h name=\
    guest-ipv6-pool

Are you subnetting your /64 prefixes down the line? Not that it’s related to your problem.
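One way to answer the question above about what the router's ICMPv6 advertisements contain, as an added example that is not from any poster in this thread: parse the Prefix Information options out of a Router Advertisement captured on one VLAN and list any SLAAC-usable prefix other than the one expected there. The function names and the 2001:db8 documentation prefixes are assumptions made for the demo; the input is the raw ICMPv6 message (starting at the type byte) taken from a packet capture.

```python
import ipaddress
import struct

def parse_ra_prefixes(icmp6: bytes):
    """Return (prefix, autonomous_flag, valid_lifetime) for each Prefix
    Information option in an ICMPv6 Router Advertisement (RFC 4861)."""
    if len(icmp6) < 16 or icmp6[0] != 134:      # type 134 = Router Advertisement
        raise ValueError("not a Router Advertisement")
    found, off = [], 16                         # options follow the 16-byte RA header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed RA option")
        if opt_type == 3 and opt_len == 32:     # option 3 = Prefix Information
            plen, flags, valid = struct.unpack_from("!BBI", icmp6, off + 2)
            prefix = bytes(icmp6[off + 16:off + 32])
            net = ipaddress.IPv6Network((prefix, plen), strict=False)
            found.append((net, bool(flags & 0x40), valid))   # 0x40 = A (SLAAC) flag
        off += opt_len
    return found

def leaked_prefixes(icmp6: bytes, expected: str):
    """Prefixes a SLAAC client would configure from this RA that are not the
    one prefix expected on the VLAN where the RA was captured. Prefixes with
    valid lifetime 0 are being withdrawn and are skipped."""
    allowed = ipaddress.IPv6Network(expected)
    return [str(net) for net, autonomous, valid in parse_ra_prefixes(icmp6)
            if autonomous and valid > 0 and net != allowed]

def build_sample_ra(prefixes):
    """Constructed RA for the demo; prefixes is a list of (prefix, valid_lifetime)."""
    ra = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 300, 0, 0)  # checksum left at 0
    for prefix, valid in prefixes:
        net = ipaddress.IPv6Network(prefix)
        ra += struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, valid, valid, 0)
        ra += net.network_address.packed
    return ra

# Constructed sample (documentation prefixes, not the poster's real ones):
# an RA seen on the guest VLAN that also carries the LAN prefix.
LAN, GUEST = "2001:db8:0:379e::/64", "2001:db8:0:379f::/64"
GUEST_RA = build_sample_ra([(LAN, 3600), (GUEST, 3600)])

if __name__ == "__main__":
    print(leaked_prefixes(GUEST_RA, GUEST))
```
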

After the update to 7.12 I have similar experiences with Prefixes deployed over VLAN borders.
hc_093.jpg
All 4 prefixes are deployed in my home network, not only in the corresponding VLANs.
This has worked without problems with 7.11.2 and before.
The correct prefix assignment can be seen in this picture:
hc_094.jpg
I've already opened a support ticket SUP-134767 to clarify if this is a new bug in 7.12 or 7.13

I am not doing any further subnetting. I thought I needed that config to pass the prefix from the ISP to my LANs - is that not the case? I just disabled those two and lost IPv6 on the network. And, even with it re-enabled my iPhone isn’t getting a new IPv6 address. Hmm.

The easiest way is to push your prefix (via DHCP Client…) in a pool. From this pool you assign each (VLAN-)Interface an IP.
hc_344.jpg
It is important to activate Advertise=yes only on those adapters where you have the right prefixes for deployment.
If this is ready you control the Router Advertisement under IPv6 → ND:
hc_343.jpg
So no need to activate a DHCPv6 server.

Ah, neat!

The weird thing is, if I delete the dhcpv6-server AND turn off advertisements for that address under IPV6-Addresses, I still get a single IPv6 address on client devices in the correct prefix.

At this point I don’t know if this is a bug or if I just don’t understand IPv6 at all.

Current full config:

/ipv6 address
add address=fcdc::100 advertise=no interface=wireguard1
add address=::1 from-pool=lan-ipv6 interface=vlan-lan
add address=::1 from-pool=guest-ipv6 interface=vlan-guest
/ipv6 dhcp-client
add add-default-route=yes interface=vrrp1 pool-name=lan-ipv6 request=address,prefix use-interface-duid=yes use-peer-dns=no
add add-default-route=yes interface=vrrp2 pool-name=guest-ipv6 request=address,prefix use-interface-duid=yes use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input disabled=yes dst-port=22 protocol=tcp
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept origin Guest VLAN" in-interface-list=guest
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no interface=vlan-lan ra-delay=0s ra-interval=10s-30s ra-lifetime=5m retransmit-interval=30s
add advertise-dns=no interface=vlan-guest ra-delay=0s ra-interval=10s-30s ra-lifetime=5m retransmit-interval=30s
/ipv6 settings
set accept-router-advertisements=yes

Unless there is a very new change I’m not aware of, DHCPv6 server on RouterOS does not support address assignment and only allows prefix delegation (and only a subset of capabilities at that) and configuration options.