IPv6 Routing Help

Hi!

I'm quite new to RouterOS, just having configured a CRS-125 and a CCR-1009 over the weekend. So far, everything is up and running and performing great!

However, I have been struggling to get IPv6 support working for my setup. My ISP, Fiber7/Init7, supports native IPv6 with SLAAC-PD, giving each customer a /48.
I'm still quite new to RouterOS, as well as IPv6, so bear with me if I get something incorrect or omit some information.

Following the configuration recommendations from the RouterOS - MikroTik Documentation, I have the following configured so far:

/ipv6 address
add from-pool=Fiber7 interface=bridge1
/ipv6 dhcp-client
add add-default-route=yes interface=combo1 pool-name=Fiber7 request=prefix

My addresses and routes look like so:
ipv6 address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local

ADDRESS FROM-POOL INTERFACE ADVERTISE

0 G 2a02:168:64f2::1/64 Fiber7 bridge1 yes
1 DL fe80::66d1:54ff:fed4:dd2f/64 bridge1 no
2 DL fe80::66d1:54ff:fed4:dd2e/64 combo1 no

ipv6 route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable

DST-ADDRESS GATEWAY DISTANCE

0 ADS ::/0 fe80::ca9c:1dff:fe05:... 1
1 ADSU 2a02:168:64f2::/48 1
2 ADC 2a02:168:64f2::/64 bridge1 0

With this setup, I am able to successfully ping external IPv6 addresses from the router, via the WAN interface. However, nothing inside my LAN is able to reach out via IPv6, and I am unable to ping external IPv6 addresses via the LAN interface on the router:

/ping 2001:1620:2777:1::10%combo1
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                       
    0 2001:1620:2777:1::10                       56  59 1ms   echo reply                                                                   
    1 2001:1620:2777:1::10                       56  59 0ms   echo reply

/ping 2001:1620:2777:1::10%bridge1
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                       
    0 2001:1620:2777:1::10                                    timeout

Ping results from a host inside the LAN:

ping6 2001:1620:2777:1::10
PING 2001:1620:2777:1::10(2001:1620:2777:1::10) 56 data bytes
From 2a02:168:64f2:0:201:2eff:fe6c:b9ee icmp_seq=32 Time exceeded: Hop limit
From 2a02:168:64f2:0:201:2eff:fe6c:b9ee icmp_seq=33 Time exceeded: Hop limit

Any ideas what I am missing here? With previous router hardware/software I had IPv6 working without issue, so I am assuming I am missing something in the configuration of RouterOS, but I am stumped as to what I am missing. Let me know if any additional information would help here.

Thanks!

Trying to ping an external address on an internal interface does not make sense. You’re sending packets destined for an external address to the LAN, but the external address is not there. If your goal was to test how it would work if something from the LAN sent packets to an external address, that’s not how it works.

Ping from LAN host, if the host has 2a02:168:64f2:0:201:2eff:fe6c:b9ee, looks like the host might have some problems with routes. Try traceroute, it might show something more useful.

But it’s possible that you already fixed it, because I can ping both 2a02:168:64f2::1 and 2a02:168:64f2:0:201:2eff:fe6c:b9ee from outside. Actually, not anymore, but it worked just a few minutes ago.

Try setting the request portion of your IPv6 DHCP client to “address,prefix” to assign a global unicast address to your WAN interface. While technically not required, the routing of the assigned prefix may depend on it for your specific implementation by the provider.

Welp, I feel stupid.
Turns out an old pfSense router I had moved off the edge but kept on the LAN for handling other duties like DNS and DHCP still had the radvd daemon running, advertising itself as an IPv6 router, incorrectly. Once I killed this advertiser, a full reboot of one of my clients has it able to successfully ping out of the network now.

Caught this when inspecting routes on a client and noticed the default v6 route pointed to the address of the old gateway and not the new router. Cue lightbulb moment, closely followed by head-desk moment.

While I feel incredibly dumb for not catching this initially, I feel much more knowledgeable about IPv6 now!

Thanks for the input though!

This is the IPv6 version of the ol’ rogue DHCP server problem.
I don’t know if CRS has a way to configure RAguard on access ports, but if it has that, you’d be well-advised to consider making that part of your standard configuration for user-facing ports so they can’t accidentally or maliciously inject RAs into your network.
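
Added example, not written by anyone in this thread: a detection check for the stray-radvd situation described above. It parses captured ICMPv6 Router Advertisements and reports any that offer a default route from a source outside an allow-list. The second source address, both MAC addresses and the RA bytes are constructed; only the bridge1 link-local address and the prefix come from the thread.

```python
import ipaddress
import struct
RA_TYPE = 134  # ICMPv6 Router Advertisement (RFC 4861)

def parse_ra(icmp6: bytes) -> dict:
    """Parse an RA starting at the ICMPv6 header (checksum is not verified)."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    lifetime = struct.unpack("!H", icmp6[6:8])[0]
    ra = {"router_lifetime": lifetime, "src_mac": None, "prefixes": []}
    pos = 16  # options follow the fixed 16-byte RA header
    while pos + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8  # length is in 8-octet units
        if opt_len == 0 or pos + opt_len > len(icmp6):
            raise ValueError("malformed RA option")
        body = icmp6[pos:pos + opt_len]
        if opt_type == 1 and opt_len == 8:       # Source Link-Layer Address
            ra["src_mac"] = body[2:8].hex(":")
        elif opt_type == 3 and opt_len == 32:    # Prefix Information
            net = ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            ra["prefixes"].append(str(net))
        pos += opt_len
    return ra

def find_rogue_ras(observed, allowed_routers):
    """Return (source, parsed RA) for default-router RAs from unexpected sources."""
    allowed = {ipaddress.IPv6Address(a) for a in allowed_routers}
    rogue = []
    for src, raw in observed:
        ra = parse_ra(raw)
        # Router Lifetime > 0 means the sender offers itself as a default router.
        if ra["router_lifetime"] > 0 and ipaddress.IPv6Address(src) not in allowed:
            rogue.append((src, ra))
    return rogue

def sample_ra(lifetime, mac, prefix):  # builds a constructed RA: SLLA + one /64 prefix
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, lifetime, 0, 0)
    slla = bytes([1, 1]) + bytes.fromhex(mac.replace(":", ""))
    pio = struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 86400, 14400, 0)
    return hdr + slla + pio + ipaddress.IPv6Address(prefix).packed

ROUTER = "fe80::66d1:54ff:fed4:dd2f"   # bridge1 link-local from the thread
SAMPLE = [                              # constructed captures: (source, RA bytes)
    (ROUTER, sample_ra(1800, "64:d1:54:d4:dd:2f", "2a02:168:64f2::")),
    ("fe80::ff:fe00:99", sample_ra(1800, "02:00:00:00:00:99", "2a02:168:64f2::")),
]

if __name__ == "__main__":
    for src, ra in find_rogue_ras(SAMPLE, [ROUTER]):
        print(f"unexpected RA from {src} ({ra['src_mac']}): {ra['prefixes']}")
```

A check like this only detects the second advertiser after the fact; RA guard on the access ports, as suggested above, is what stops the advertisement from reaching clients.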