I have an IPv4 network in place and it seems to be working as desired. Adding IPv6 and things have not worked out so well.
I have an IPv6 /56 prefix delegation from our ISP - set up with /ipv6 dhcp-client.
I have set up /ipv6 dhcp-server with a subnet /64 from the delegated prefix and use static addresses within this pool for my servers and MT devices.
I have set up /ip firewall filter and this appears to work fine as I can ping from WAN to servers and MT devices, I can also ssh into the servers.
I can ping internally from server to server and to the MT devices.
I can ping from the MT router (RB4011) to the WAN.
Now comes the issue - I cannot ping from the servers to any WAN address with the /ipv6 route (all dynamic) that ROS creates.
/ipv6 route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
DST-ADDRESS GATEWAY DISTANCE
0 ADS ::/0 ISP1pppoe 1
1 DS ::/0 fe80::9000:\b:1%ISP1pppoe 1 (please note the \ is added to ensure the post works; otherwise I get a huge red B)
2 ADSU 2406:e100:a900:c000::/56 1
3 ADC 2406:e100:a900:c080::/64 bridgeLAN 0
If I add a static route
4 A S 2620:fe::fe/128 ISP1pppoe 1
then I can ping 2620:fe::fe from the servers.
So I am left wondering what's up? The universal address ::/0 does not seem to be capturing the outbound traffic.
I have wasted days on this and wonder if others have some insight they can share that might help me sort this out.
Running ROS 6.47.10 on all the MT devices.
TIA Rob
Note that the pppoe-client already adds a default route (based on ppp profile).
So first try setting add-default-route=no in your dhcpv6 client to prevent the extra route from being added.
Have you added bridgeLAN to the LAN interface list?
For testing, you could add a route to a more specific public prefix:
/ipv6 route add dst-address=2000::/3 gateway=ISP1pppoe
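As an added example that is not part of this thread (not RouterOS code and nothing either participant posted), here is a small Python checker that parses `/ipv6 route print` output like the one in the first post and flags what the reply above describes: two ::/0 routes at the same distance, only one of them active. The sample output below is constructed from the first post, and the flag letters follow the legend RouterOS prints.

```python
import ipaddress
import re

# Constructed sample modelled on the "/ipv6 route print" pasted in the first post
# (the forum-escaped "\b" in the link-local gateway is restored to a plain "b").
ROUTE_PRINT = """\
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
 #      DST-ADDRESS                 GATEWAY                     DISTANCE
 0 ADS  ::/0                        ISP1pppoe                   1
 1  DS  ::/0                        fe80::9000:b:1%ISP1pppoe    1
 2 ADSU 2406:e100:a900:c000::/56                                1
 3 ADC  2406:e100:a900:c080::/64    bridgeLAN                   0
"""

# index, flag letters, destination, optional gateway, distance
ROW = re.compile(r"^\s*(\d+)\s+([ADCSXUrob]+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_routes(text):
    """Turn the flattened print output into dicts with the flags decoded."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:  # legend and column-header lines
            continue
        idx, flags, dst, gw, dist = m.groups()
        routes.append({
            "index": int(idx), "active": "A" in flags, "connected": "C" in flags,
            "static": "S" in flags, "unreachable": "U" in flags,
            "dst": ipaddress.ip_network(dst, strict=False),
            "gateway": gw, "distance": int(dist),
        })
    return routes

def find_shadowed_defaults(routes):
    """Split the ::/0 routes into the one RouterOS actually uses and any that
    merely sit in the table: pppoe-client and the dhcpv6 client each adding a
    default gives one active entry plus an inactive twin at the same distance."""
    defaults = [r for r in routes if r["dst"].prefixlen == 0]
    return ([r for r in defaults if r["active"]],
            [r for r in defaults if not r["active"]])

def check_lan_in_delegation(routes):
    """Each connected LAN /64 must lie inside the delegated prefix (the ADSU entry;
    RouterOS installs the delegation as an unreachable route so traffic for unused
    parts of it is dropped instead of looping back to the ISP)."""
    delegated = [r["dst"] for r in routes if r["unreachable"] and r["static"]]
    return {str(r["dst"]): any(r["dst"].subnet_of(d) for d in delegated)
            for r in routes if r["connected"]}
```

Paste real `/ipv6 route print` output into ROUTE_PRINT; a non-empty second list from find_shadowed_defaults() is the duplicate-default picture the reply describes.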
Thanks for the suggestion.
Yes, bridgeLAN is on the LAN interface list.
I have set default-route=no on both the /ipv6 dhcp-client AND ALSO on the /interface pppoe-client
This meant that I now needed to add static routes to both the /ip route and the /ipv6 route tables.
So far that makes sense and IPv4 remains working.
IPv6 is a little more difficult.
As there have been a large number of changes to the router I rebooted it to start with a clean system.
When the router first came up, everything was working from both the LAN to WAN and from WAN to LAN.
I didn’t mention this in my initial post, but this has been the case almost from the beginning - when the router first boots IPv6 works as expected.
It then proceeds to fail in stages.
The first thing to stop working was the ability to ping6 from the server to the WAN. Previous testing has this occurring anywhere from 2 to 10+ minutes after a reboot.
This occurred after the changes above / reboot within about 5 minutes.
Previously, the next thing to fail was the ability to ping6 / ssh -6 from WAN to the server. That seems to now be okay, so I guess progress is happening - time will tell, as this failed up to a day or two later.
So next I tried adding your suggested route to dst-address=2000::/3.
Sure enough that opened up the ability to ping from the server to WAN (again, i.e. just like immediately after a reboot). I will leave this in place and wait some time for the connection tracking to timeout and see how long it remains working.
There is certainly something funny about /ipv6 route ???
A print shows the same three entries, only now static for the default ::/0 destination rather than dynamic, but it only works for a while.
I also have a question about a traceroute6 that I have done from my home.
If I traceroute6 to the global IPv6 address assigned to the router, it works as expected, with the last entry being the global IPv6 address of the router, and the traceroute6 ends.
However, if I traceroute6 to, say, the server’s global IPv6 address, the traceroute stalls. The last entry in this case is a global IPv6 address within our delegated /56 prefix ::12, but that is not an address that I recognise.
So looking at our /ipv6 address print we have, as expected, a list of all the link local addresses and one of these is fe80::12/64 and is assigned to the ISP1pppoe interface. But why does the traceroute end there?
Should we have a global address assigned to the ISP1pppoe interface? Do we need to do this manually? Why, as we do not intend to have any need to connect to this interface, other than its linking function into our network after passing our firewall.
In the case of IPv4, the static IP address assigned by our ISP is dynamically added for this interface.
With IPv6 there is no address assignment, other than a link local.
None of the examples I have looked at have indicated a need for this. I feel a little lost at this point.
TIA for any insight you may have on this.
Rob
What ‘works on my machine’ is:
/interface pppoe-client add add-default-route=yes name=pppoe-client
/ipv6 dhcp-client add add-default-route=no interface=pppoe-client request=prefix
This will add a dynamic route to ::/0 via pppoe-client, and a default IPv4 route.
The 2000::/3 is a testing route to find out if you need more ‘specific’ routes, but you could keep it if needed.
Note that MT hides itself from traceroutes in the firewall; you can disable the forward rule titled “defconf: rfc4890 drop hop-limit=1” to make it work.
You don’t have to assign a global address to the pppoe interface.