IPv6 setup problems

Hello all,

Just got my hap ac2 and I’m trying to get IPv6 to work. My ISP is providing a GPON with router function and I need to keep this online. They provide dual stack IP v4 & v6 as per the attached picture and the setup is: GPON (handles PPOE and DHCP server for MIKROTIK) ------> MIKROTIK HAP ac2 ------>LAN clients. (cascading dual NAT, I know!, I may consider switching the GPON to bridge and handling PPOE on the tik at a future time)
I’ve got IPv4 working ok but no IPv6 and I followed just about all the online guides as so:

/system package enable ipv6
/ipv6 settings
set accept-router-advertisements=yes
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=delegation
pool-prefix-length=56 request=address,prefix
/ipv6 dhcp-server
add address-pool=delegation interface=bridge name=dhcp1
/ipv6 nd
set [ find default=yes ] interface=bridge ra-interval=20s-1m

After this I get IPv6 address on LAN connections but I cannot reach test-ipv6.com.
Please, help me understand what I’m doing wrong, I’m not ready to give up that easy
Tks.

You shouldn’t need “/ipv6 settings set accept-router-advertisements=yes”, you’ll get default route added by DHCPv6 client. It’s slightly non-standard, but when DHCPv6 server is same as gateway (which in this case should be), it’s ok.

In DHCPv6 client, request=prefix should be enough, upstream connection should work with just link-local address.

Your “/ipv6 dhcp-server” is useless (unless you’d want to connect yet another router behind hAP), it can’t provide addresses. But don’t worry, you can live without it, addresses will be (well, already are) handled by SLAAC (autoconfiguration).

But even with what you have now, things shouldn’t be broken, so you need to test what exactly is wrong. Start with traceroute to some IPv6 address on internet (e.g. 2a02:610:7501:3000::239, which belongs to forum.mikrotik.com), from both PC and hAP, and see what it does.

Thank you for the answer.
Looks like it’s stuck at what looks like the router assigned ipv6, I’m also stuck…

If it works from router, but it doesn’t work from device behind router, even though it seems to have address and everything, it looks like something wrong on router. Firewall would be good candidate, but I assume you didn’t touch it, or did you?

You can try to export your config:

/export hide-sensitive file=yourconfig

and post content of resulting yourconfig.rsc in code tags, maybe there will be something visibly wrong…

Looks like if I disable “/ipv6 settings set accept-router-advertisements=yes” I get 100% loss on IPv6 traceroute from the tik

So here is my export.
The firewall is the default for both IPv4 IPv6.

# oct/11/2020 12:20:54 by RouterOS 6.47.4
# software id = IUVY-89TV
#
# model = RBD52G-5HacD2HnD
# serial number = C6140C549A2E
/interface bridge
add admin-mac=48:8F:5C:67:07:B6 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-XX \
    country=romania disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=ruter wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-Ceee \
    country=romania disabled=no distance=indoors frequency=auto installation=\
    outdoor mode=ap-bridge ssid=ruter wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set accept-router-advertisements=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 address
add address=::1 from-pool=general-pool6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=general-pool6 \
    rapid-commit=no request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] interface=bridge ra-interval=20s-1m
/system clock
set time-zone-name=Europe/Bucharest
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

yourconfig.rsc (7.13 KB)

I don’t see any obvious problem. Try to examine what exactly happens. Start ping from client to internet and keep it going (there’s option -t for that) and check using Tools->Torch on ether1 that those packets passed through router. They should. Next thing you can try is to ping client’s address from outside. If you don’t have anything to test it with yourself, use some online ping service, there’s many of them. And then same thing, you should see incoming packets on ether1.

Looks like if I disable “/ipv6 settings set accept-router-advertisements=yes” I get 100% loss on IPv6 traceroute from the tik

I guess it’s possible, because unlike with IPv4, DHCPv6 does not get gateway from server and device is supposed to get it from RA. I’m not sure if there’s some exception for prefix delegation and I’m not in the mood to read through RFCs. If accepting RAs helps, keep it that way.

Small problem is that if you enable it, router gets not only default route, but also SLAAC address, and unfortunately because of some limitation in current RouterOS, neither is shown anywhere. But router will surely use this address for outgoing traffic.

Try if traceroute from router still works when you manually specify source address as the one on bridge (2a02:…::1 from pool).

Looks like my ISP /64 prefix delegation is only working in the first layer of the LAN, were the GPON is. I have to switch it to bridge mode and do the ppoe on the tik.