IPv6 RAs on interface with disabled address

I noticed during my efforts to set up IPv6 via a Hurricane Electric tunnel something that seems odd and possibly a bug, but wanted to see if anyone else is seeing it and if it is perhaps expected behaviour before I report it and look like an idiot.

I have an RB750GR2 running 7.12.1 with an HE tunnel getting both /48 and /64 prefixes from Tunnelbroker.
My bridge has 3 VLANs: 1 as the main, 17 as guest wifi (where I put IPv6 for experimentation) and 19 for IoT.

My understanding was that having the ND set up on the bridge would not result in any router advertisements on interfaces without IPv6 addresses.
I would have expected that to include interfaces on which there is an IPv6 address configured but it is disabled.
However, I am seeing router advertisements coming from the MikroTik on the bridge main LAN (VLAN1 - untagged ports) and therefore addresses being created (SLAAC) on connected devices, but there is no routing happening on the MikroTik.

My solution was to move the Neighbour Discovery (ND) off the bridge and only onto VLAN17. This seems to work fine but means that I need to have a different ND entry for each subnet/VLAN. Hardly difficult, but less tidy than having one and only having to put an active address on the subnets/VLANs I want IPv6 active on.
Am I correct in my belief that MT should not be sending RAs on an interface upon which the IPv6 address is disabled?

What do you mean?
By default there is an ND config entry for “all”. When you do not like that, you can put individual config per interface.
There is nothing that would inherit config “for the bridge” down into a VLAN on that bridge.
Whether an interface advertises IPv6 is not determined by the ND setting but by the “Advertise” flag on the IPv6 Address for that interface.

Yeah, it’s enabled by default all right. I’d suggest reading the Edge/BNG guide, they have a small section on the IPv6 RA thing and the other IPv6 RA post.
http://forum.mikrotik.com/t/how-to-edge-router-and-bng-optimization-for-isps/150007/1

https://blog.apnic.net/2023/11/30/why-is-ipv6-router-advertisement-default-enabled-by-some-network-vendors/

@pe1chl, apologies… I was imprecise… and thanks for the prompt reply.
The default ND config is indeed ALL (although in the case of my little router that has a sizeable overlap with the bridge).
As you say, I moved it to just VLAN17 in my case and that works.

Is my understanding that the MT should/would not send RAs on an interface that does not have an IPv6 address incorrect? IIRC when I did not have one on the bridge I don’t think there were RAs sent on there. I expected the same behaviour if there was an IPv6 address on the bridge but it was disabled. (Advertise was still ticked but I assume that enabled being unticked would override that.)

I think you mentioned it at http://forum.mikrotik.com/t/ipv6-on-only-one-vlan/171585/20 but I may not have understood.

Thanks.. that is quite a comprehensive writeup! Some evening reading… but should advance my understanding of things (and perhaps add to confusion by mixing in other vendors' approaches) :open_mouth: :laughing:

NB: the document you linked to seems unequivocal that turning off default RAs on all interfaces is a good thing.

Yeah, “disable all”, enable selectively on what you need, for example your VLAN17 or whatever it is.

I do the same thing at home, this ensures there’s no room for some random BUM traffic issue in the network.

Same thing on your MikroTik APs or switches etc.: if they are running RouterOS, IPv6 RA is enabled for all. Of course it doesn’t mean it’s going to flood RAs per se, but the moment you forget to add advertise=no on an interface, bada boom, it floods RAs.

Thanks DarkNate,
good advice about MikroTik APs… I have two of those so will be careful. I’ll also have to look at my one AP running OpenWrt in case it does anything similar.

One upside of controlling the RAs this way on a per-subnet basis seems to be that I can have different DNS servers advertised it seems (by entering some directly in the ND entry). That allows my home network to use pihole/adguard but the guest LAN and IoT to avoid the filtering (sometimes useful when you want to be able to click on an ad :slight_smile: ).. or indeed to have more filtering.
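
The "disable all, enable selectively" approach discussed in this thread, sketched as a RouterOS 7 configuration. This is an added example, not a configuration posted by any participant; the interface names (`bridge`, `vlan17`) and every address (taken from the 2001:db8::/32 documentation prefix) are assumptions to be replaced with your own.

```routeros
# Assumed names: "bridge" carries the untagged main LAN, "vlan17" is the guest VLAN.
# All addresses are constructed from the documentation prefix 2001:db8::/32.

# 1. Stop the default ND entry (interface=all) from applying to every interface.
/ipv6 nd set [find default=yes] disabled=yes

# 2. Create an ND entry only for the VLAN that should receive RAs,
#    advertising a DNS server specific to that subnet.
/ipv6 nd add interface=vlan17 advertise-dns=yes dns=2001:db8:17::53

# 3. Give that VLAN an address whose prefix is advertised for SLAAC.
/ipv6 address add interface=vlan17 address=2001:db8:17::1/64 advertise=yes

# 4. Make sure any address left on the bridge (enabled or not) cannot be
#    advertised if it is re-enabled later.
/ipv6 address set [find interface=bridge] advertise=no

# 5. Review the result: only vlan17 should have an active ND entry,
#    and only its address should carry the advertise flag.
/ipv6 nd print
/ipv6 address print where advertise=yes
```

Running a packet capture for ICMPv6 type 134 on a VLAN1 client afterwards confirms whether router advertisements have actually stopped on the main LAN.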