IPv6 RAs leaking out of VLANs - IPv6 unusable.

RouterOS: 6.24
Hardware: CRS125-24G-1S
Firmware: 3.19

I have a problem with IPv6 RAs leaking out of VLANs.

Consider the following configuration:

/interface bridge add disabled=no name=bridge9

/interface vlan add disabled=no interface=ether17 name=vlan9 vlan-id=9

/interface bridge port
add bridge=bridge9 interface=ether9
add bridge=bridge9 interface=vlan9

/ipv6 address
add address=2a03:c222:8:101:1:: advertise=yes interface=ether17
add address=2a03:c222:8:109:1:: advertise=yes interface=bridge9

A Windows PC plugged into ether17 (and without any VLANs configured) receives the following addresses:

Windows IP Configuration

Ethernet adapter Ethernet:
   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2a03:c222:8:101:5d4f:a465:7962:e18f
   IPv6 Address. . . . . . . . . . . : 2a03:c222:8:109:5d4f:a465:7962:e18f
   Temporary IPv6 Address. . . . . . : 2a03:c222:8:101:7db1:b7b9:f29d:b288
   Temporary IPv6 Address. . . . . . : 2a03:c222:8:109:7db1:b7b9:f29d:b288
   Link-local IPv6 Address . . . . . : fe80::5d4f:a465:7962:e18f%3
   IPv4 Address. . . . . . . . . . . : XXXXXXXXXXXXXXXXXXXXXXXXXX
   Subnet Mask . . . . . . . . . . . : XXXXXXXXXXXXXXXXXXXXXXXXXX
   Default Gateway . . . . . . . . . : fe80::d6ca:6dff:fe08:ff67%3
                                       XXXXXXXXXXXXXXXXXXXXXXXXXX

So, not only is it receiving RAs which were meant to be on the VLAN only, it isn’t setting up a default IPv6 gateway. Essentially, to me, this means that IPv6 is unusable.

Now, it is always possible I have made a mistake - if somebody can see something in the above configuration which I have done wrong, I will be more than grateful. I have, of course, sent an e-mail to support@…

Do any of your Ethernet ports have master-port set (aka, are they running in switch mode)?

If so, what is the output of

/interface ethernet switch ingress-vlan-translation export compact

Ports ether18 to ether24 all have ether17 as the master, but apart from that, no. There’s no output from the “/interface ethernet switch ingress-vlan-translation export compact” command. If I remove ether18-24 from a switchgroup, the problem still occurs.

Hm, well, that would seem (to me anyway) to rule out a configuration setting on the switch translating traffic onto vlan9. Nothing more I can think of at this point, sorry.

The trouble is you have both tagged frames and untagged frames on the same port. The PC, if not VLAN-aware, will pick up both. In other words, you have port 17 set up as a partial trunk, then expect it to not send both tagged and untagged frames out of it.

What is your intended use?

It is not the VLANs leaking, it is your computer not set up for VLAN use.
Because VLANs are, well, virtual, and need support for them on both ends of a link.
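
A diagnostic for the behaviour discussed in this thread, as an added example that is not part of any poster's reply: it parses raw Ethernet frames captured on the PC's port and reports which Router Advertisement prefixes arrive untagged and which arrive inside an 802.1Q tag. The /64 prefix lengths, the fe80::1 source, the MAC addresses and the sample frames are constructed for illustration, and the capture is assumed to preserve VLAN tags.

```python
import ipaddress
import struct

ETH_8021Q, ETH_IPV6, NH_ICMPV6, ICMP_RA, OPT_PREFIX = 0x8100, 0x86DD, 58, 134, 3

def parse_ra(frame: bytes):
    """Return (vlan_id or None, ["prefix/len", ...]) for an IPv6 RA frame, else None."""
    if len(frame) < 18:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    vlan, off = None, 14
    if ethertype == ETH_8021Q:  # 802.1Q: 2-byte TCI, then the real ethertype
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, off = tci & 0x0FFF, 18
    if ethertype != ETH_IPV6 or len(frame) < off + 56:  # 40 IPv6 + 16 RA header
        return None
    if frame[off + 6] != NH_ICMPV6 or frame[off + 40] != ICMP_RA:  # no ext headers handled
        return None
    icmp, prefixes, pos = frame[off + 40:], [], 16
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(icmp):
            break  # malformed option, stop parsing
        if opt_type == OPT_PREFIX and opt_len == 32:
            addr = ipaddress.IPv6Address(icmp[pos + 16:pos + 32])
            prefixes.append(f"{addr}/{icmp[pos + 2]}")
        pos += opt_len
    return vlan, prefixes

def build_ra(prefix: str, vlan=None) -> bytes:
    """Constructed sample RA frame (checksum left at zero; parse_ra does not check it)."""
    net = ipaddress.IPv6Network(prefix)
    opt = struct.pack("!BBBBIII", OPT_PREFIX, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    icmp = struct.pack("!BBHBBHII", ICMP_RA, 0, 0, 64, 0, 1800, 0, 0) + opt + net.network_address.packed
    src, dst = (ipaddress.IPv6Address(a).packed for a in ("fe80::1", "ff02::1"))
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), NH_ICMPV6, 255) + src + dst
    tag = struct.pack("!HH", ETH_8021Q, vlan) if vlan is not None else b""
    # Made-up MACs: all-nodes multicast destination, locally administered source.
    return bytes.fromhex("333300000001020000000001") + tag + struct.pack("!H", ETH_IPV6) + ip6 + icmp

def ras_by_tag(frames):
    """Group advertised prefixes under 'untagged' or 'vlan N'."""
    seen = {}
    for vlan, prefixes in filter(None, map(parse_ra, frames)):
        key = "untagged" if vlan is None else f"vlan {vlan}"
        seen.setdefault(key, set()).update(prefixes)
    return seen

# Constructed frames using the two prefixes from the thread (/64 assumed).
SAMPLE = [build_ra("2a03:c222:8:101::/64"), build_ra("2a03:c222:8:109::/64", vlan=9)]
```

Calling `ras_by_tag()` on real capture bytes shows whether the second prefix reaches the port only inside tagged frames, which is the case the last replies describe.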