IPv6 trouble

liviu2004 · April 1, 2024, 10:20am

Hi, trying to get my ipv6 going, I'm not fully grasping on the basics and settings.It appears I can obtain an prefix from my ISP, I seem to get an IPv6 address for my PC but when I activate dhcp client on ipv6, I cannot access mikrotik.com anymore and ipv6 test website shows me fail all tests.

I'm for sure missing something, or forgot something but can't figure out what .... Anyone can see the obvious?

Attached my network layout and config export with hide sensitive.

# 2024-04-01 10:15:22 by RouterOS 7.14.2
# software id =
#
# model = RB5009UPr+S+
# serial number = 
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether3 ] poe-out=off
set [ find default-name=ether5 ] poe-out=off
set [ find default-name=ether6 ] poe-out=off
set [ find default-name=ether7 ] poe-out=off
set [ find default-name=ether8 ] poe-out=off
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=bridge1 name=IP_camera_nas vlan-id=40
add interface=bridge1 name=Internal_LAN vlan-id=10
add interface=bridge1 name=Internet_of_Things vlan-id=20
add interface=bridge1 name=Work_Devices vlan-id=30
add interface=ether1 name=vlan6 vlan-id=6
/interface list
add name=WAN
add name=VLAN
/ip pool
add name=Internal_LAN ranges=192.168.1.100-192.168.1.200
add name=Internet_of_Things ranges=10.0.20.100-10.0.20.200
add name=Work_Devices ranges=10.0.30.100-10.0.30.200
/ip dhcp-server
add address-pool=Internal_LAN interface=Internal_LAN lease-time=1d name=\
    Internal_LAN
add address-pool=Internet_of_Things interface=Internet_of_Things lease-time=\
    1d name=Internet_of_Things
add address-pool=Work_Devices interface=Work_Devices lease-time=1d name=\
    Work_Devices
/ppp profile
set *FFFFFFFE only-one=yes remote-ipv6-prefix-pool=ipv6pool use-upnp=no
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan6 keepalive-timeout=30 \
    max-mtu=1492 name=pppoe-out1 profile=default-encryption use-peer-dns=yes \
    user=hide
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=sfp-sfpplus1 pvid=10
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether3,ether4 untagged=\
    ether2,ether5,ether6,ether7,ether8,sfp-sfpplus1 vlan-ids=10,20,30,40
/interface list member
add interface=pppoe-out1 list=WAN
add interface=Internal_LAN list=VLAN
add interface=Internet_of_Things list=VLAN
add interface=Work_Devices list=VLAN
add interface=ether1 list=WAN
add interface=IP_camera_nas list=VLAN
add interface=*13 list=WAN
/ip address
add address=10.0.0.2/24 interface=ether1 network=10.0.0.0
add address=192.168.1.1/24 interface=Internal_LAN network=192.168.1.0
add address=10.0.20.1/24 interface=Internet_of_Things network=10.0.20.0
add address=10.0.30.1/24 interface=Work_Devices network=10.0.30.0
add address=10.0.40.1/24 interface=IP_camera_nas network=10.0.40.0
/ip dhcp-server lease
add address=10.0.20.196 mac-address=24:94:94:16:3C:F5 server=\
    Internet_of_Things
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
add address=192.168.1.0/24 gateway=192.168.1.1
/ip firewall filter
add action=accept chain=input comment="Allow established, related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=reject chain=input comment="drop dns resolver" dst-port=53 \
    in-interface-list=WAN protocol=udp reject-with=icmp-network-unreachable
add action=reject chain=input comment="drop dns resolver" dst-port=53 \
    in-interface-list=WAN protocol=tcp reject-with=icmp-network-unreachable
add action=accept chain=input comment="accept icmp" protocol=icmp
add action=drop chain=input comment="drop all not coming from VLAN" \
    in-interface-list=!VLAN
add action=fasttrack-connection chain=forward comment=fasttrack hw-offload=\
    yes
add action=accept chain=forward comment=\
    "accept established, related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "allow control of bedroom light from internal lan" dst-address=\
    10.0.20.196 in-interface=Internal_LAN out-interface=Internet_of_Things
add action=accept chain=forward comment=\
    "Allow access to IP camera from Internal LAN" dst-address=10.0.40.64 \
    in-interface=Internal_LAN
add action=accept chain=forward comment=\
    "Allow access to NAS surveillance from Internal LAN" dst-address=\
    10.0.40.182 in-interface=Internal_LAN
add action=accept chain=forward comment=\
    "allow printer to VLAN30 Work Devices" dst-address=192.168.1.5 \
    dst-address-list="" in-interface=Work_Devices out-interface=Internal_LAN
add action=drop chain=forward comment=\
    "no outside access to IP_camera_nas VLAN" in-interface=IP_camera_nas \
    out-interface-list=WAN
add action=accept chain=forward comment="VLAN internet access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="VLAN no inter communication" \
    in-interface=all-vlan out-interface=all-vlan
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat in-interface-list=WAN
add action=drop chain=forward comment="drop invalid" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 address
add from-pool=ipv6pool interface=Internal_LAN
/ipv6 dhcp-client
add interface=pppoe-out1 pool-name=ipv6pool pool-prefix-length=48 request=\
    prefix
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
    bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
    bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
    not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
    not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
    not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from VLAN" \
    in-interface-list=!VLAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from VLAN" in-interface-list=\
    !VLAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no advertise-mac-address=no hop-limit=\
    64 interface=Internal_LAN
/system identity
set name=Router
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.nl.pool.ntp.org
add address=1.nl.pool.ntp.org
add address=2.nl.pool.ntp.org
add address=3.nl.pool.ntp.org

diagram.pdf (124 KB)

mkx · April 1, 2024, 11:15am

Set pool-prefix-length=64 on your DHCPv6 client.

And why all those advertise-*=no in ipv6 nd setup?

liviu2004 · April 1, 2024, 1:46pm

I’ve set pool-prefix-lenght=64 on the dhcpv6 client, but did not made a difference. From various posts about my KPN ipv6 settings, I always found 48 to be used and I see the prefix I get is also /48. My feeling tells me that 48 is all I will get?

I’ve set advertise-*=no to yes in the ipv6 nd setup and also did not made a difference. The moment I activate dhcp client, I loose connectivity to this forum and ipv6 test websites shows a test result of 0/10. Something is not good at all in my setup.

Tracert seems to do well for www.mikrotik.com, is this a DNS issue?

mkx · April 1, 2024, 2:25pm

The pool-prefix-length property sets the prefix size which pool will hand out (yup, its location is not logical, but it is where it is). If you want to affect the prefix size you’re receiving from ISP, you do it in prefix-hint, e.g. prefix-hint=::/56 to get a /56 prefix … but it’s only a hint and DHCPv6 server is free to completely ignore it. But setting it to whatever prefix/size you once receive (increasing the chance to get the same prefix next time) doesn’t hurt.

Traceroute shows that IPv6 is somehow working so it’s a bit unclear by services don’t work over IPv6.

But beware, it can take quite some time for changes in /ipv6/nd to propagate to clients. Routing Advertisements (which is what this menu affects) are only sent out every now and then (I think default interval is around 30 seconds). IPv6 client can poll RAs but it usually only does do when joining a network (just like it sends out DHCP discovery messages) to speed up the IPv6 setup.

Kentzo · April 2, 2024, 8:27pm

You want /ipv6/settings/set accept-redirects=no and /ipv6/settings/set accept-router-advertisements=yes as well as /ipv6/nd/enable on the pppoe-out1 interface.

As @mkx mentioned, there are some IPv6-specific timeouts in RouterOS that are intrinsic to how the protocol works. A reboot might be a viable solution to force reconfiguration.

liviu2004 · April 3, 2024, 6:08am

I appreciate all the help,I read everything and applied accordingly. I still want to read the documentation and understand what settings affect what, in the meantime, problem is solved as follows: applied MTU of 1480 in IPv6-ND. IPv6 test website shows a result of 10/10 in an instant.

This is against the conclusions of this topic last post: http://forum.mikrotik.com/t/ipv6-mtu-problems/93243/1

Therefore, at this moment in time, if someone has an VDSL2 pppoe connection to KPN Netherlands, they need to set this MTU of 1480.

I can only mark one reply as the answer, you both have the merit! Thank you again.
mtu 1480.JPG

Kentzo · April 3, 2024, 7:33am

Most of the settings in /ipv6/nd are for the case when RouterOS is the Advertising Router, i.e. when it sends a configuration. However, in case of the PPPoE interface it’s acting as a Host because it receives a configuration.

You, most likely, want the following settings on pppoe-out1:

add advertise-dns=no interface=pppoe-out1 ra-lifetime=none ra-preference=low reachable-time=5m

Other settings, such as MTU, Managed Configuration and Other Configuration should not be relevant.

Don’t rush to conclusions when you change multiple settings at once. If you have solid evidence that this is an MTU problem, you should rather set appropriate MTU on the downstream interfaces in /ipv6/nd, as well as review /interfaces. You may want to refresh your understanding by reading MTU in RouterOS.

liviu2004 · April 3, 2024, 12:44pm

Well noted.

This results in an failure of the ipv6 tests, and modifying it one by one found that setting ra-lifetime=none to be the culprit. Setting a value of e.g. 1800 restores connectivity.

Indeed, I haven’t rush in conclusions and took my time to leave the system as is for a while to observe. I am definitely sure that the MTU setting has caused a fail / pass for my ipv6 connection.

For /interfaces, setting anything else than 1492 will cause loss of total internet connectivity.

I need to disagree with you on one, I don’t need to refresh my understanding by reading MTU in RouterOS, I need to start from scratch with it! Which is not bad, because something is funky with my KPN connection, they say it should be 1500, which is not what I observe?

Technische details Internet
• PPPoE via VLAN 6 (802.1q) voor VDSL technieken
• Uitsluitend voor ADSL2: PPPoA via ATM PVC 8/48 vcmux. IPv4 adres en DNS via PPPoA. IPv6 prefix en
DNS via DHCPv6-PD in PPP interface
• PPP authenticatie PAP met een gebruikersnaam en wachtwoord (bijv internet / internet).
• Maximale pakket grote (mtu) 1500 bytes (rfc4638)
• IPv4 adres + DNS-servers via PPPoE verkrijgen
• IPv6 adres reeks + DNS-servers (IPv6) via DHCPv6-PD verzoek (in PPP). Een adres gebruiken uit reeks voor router.

CGGXANNX · April 3, 2024, 1:47pm

Your ISP supports RFC4638, which means you can have the full size MTU=1500 for the pppoe-out1 interface. You can then keep MTU=1500 for your bridges and other vlans.

First you should increase the MTU of ether1, and then of vlan6 to 1508. This is not strictly necessary to achieve MTU 1500 for pppoe-out1, but is needed if you want to have MSS (IPv4 TCP) at maximum (1460 bytes) when the setting “Change TCP MSS” is set to “Yes” in the corresponding PPP profile under PPP Profiles.

Then in the configuration of the pppoe-out1 interface. set both Max MTU and Max MRU to 1500:

Redial, and Actual MTU will now be shown as 1500. No more MTU adjustments are needed in your LAN or your IPv6 ND settings. You can go to https://www.speedguide.net/analyzer.php to verify that your MTU is now 1500 and MSS is 1460 for IPv4 TCP.

liviu2004 · April 3, 2024, 4:57pm

Dear CGGXANNX, it is exactly like you said.

All set according your post, as well on ipv6-nd, then I saw an avalanche in the logs about pppoe connecting and disconnecting. It took 24 tries before the pppoe connection established, I was about to go back …

Thanks, I could of not figure it out by myself, I mean, I was trying different MTUs for ether1 and vlan6 and also did not set an MRU. All good now.

« SpeedGuide.net TCP Analyzer Results » 
Tested on: 2024.04.03 12:59 
IP address: 145.53.xxx.xxx 
Client OS/browser: Windows 10 (Chrome 123.0.0.0) 
 
TCP options string: 020405b40103030801010402 
MSS: 1460 
MTU: 1500 
TCP Window: 131328 (not multiple of MSS) 
RWIN Scaling: 8 bits (2^8=256) 
Unscaled RWIN : 513 
Recommended RWINs: 64240, 128480, 256960, 513920, 1027840 
BDP limit (200ms): 525 Mbps (53 Megabytes/s) 
BDP limit (500ms): 210 Mbps (21 Megabytes/s) 
MTU Discovery: ON 
TTL: 114 
Timestamps: OFF 
SACKs: ON 
IP ToS: 00000000 (0)

mtu 1500.JPG

Kentzo · April 3, 2024, 5:21pm

I’m pretty sure that your ISP does not care for RAs sent by your router upstream, it should not break anything in itself. Perhaps this change forced a reconfiguration that just expedited oncoming of the existing problem?

This setting needs to replace whatever you currently have for the pppoe interface, hence add not set.

If it still does not work then attach the output of /ipv6/nd/export for review.

liviu2004 · April 4, 2024, 3:23pm

Not disagreeing that something else might be not right, however, I have no functional complaints.

Herewith the output of /ipv6/nd/export.

# 2024-04-04 17:22:54 by RouterOS 7.14.2
# software id = LRF1-VRV8
#
# model = RB5009UPr+S+
# serial number =
/ipv6 nd
set [ find default=yes ] advertise-dns=no hop-limit=64 interface=pppoe-out1 managed-address-configuration=yes other-configuration=yes \
    ra-preference=low reachable-time=5m

Kentzo · April 5, 2024, 3:53am

It seems wrong to me to have an interface set on the “default” record. It also appears that you do not have ND on LAN interfaces, did you omit the output?

For the reference, mine looks like this:

/ipv6 nd
set [ find default=yes ] disabled=yes
add advertise-dns=no interface=ether1-gateway ra-lifetime=none ra-preference=low reachable-time=5m
add dns=... interface=vlan-main other-configuration=yes ra-preference=high reachable-time=5m
add advertise-dns=no interface=vlan-ipsec ra-preference=high reachable-time=5m

Where

I disable “default” as I run in mixed environment and some interfaces are IPv4 only (e.g. IoT)
The ether1-gateway WAN interface has RA effectively disabled (ra-lifetime=none)
The vlan-main and vlan-ipsec LAN interfaces have RA enabled with slightly different configuration

mkx · April 5, 2024, 9:24am

On my routers I set “advertise=no” to addresses which are not supposed to be advertised (so no RA for that particular address). And it seems that if an interface doesn’t have any address without this setting, RAs are disabled as well. (BTW, it seems that contents of RAs don’t mention global addresses, only ULAs … so it doesn’t really matter if an interface has multiple IPv6 addresses set without “advertise=no” set, such interface will still emit same set of RAs).

In my case, ISP uses PPPoE … pppoe interface doesn’t need (and doesn’t have) GUA set. And it seems that ROS’ default is to set “advertise=no” on ULA addresses. So my WAN interface has RA effectively disabled (by default). I’m not sure how DHCPv6 client (which requests address in addition to prefix) configures this property.

Kentzo · April 5, 2024, 8:25pm

I’m hesitant to trust RouterOS’s undocumented defaults regarding IPv6 just yet

liviu2004 · April 6, 2024, 6:30am

I must of misunderstood one of your previous posts.

I have corrected the ND configuration and indeed, it appears to work without RA lifetime set on pppoe-out1. Herewith the latest config, if someone else struggles as me in the future.

# 2024-04-06 06:30:31 by RouterOS 7.14.2
# software id = LRF1-VRV8
#
# model = RB5009UPr+S+
# serial number =
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] mtu=1508 poe-out=off
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether3 ] poe-out=off
set [ find default-name=ether5 ] poe-out=off
set [ find default-name=ether6 ] poe-out=off
set [ find default-name=ether7 ] poe-out=off
set [ find default-name=ether8 ] poe-out=off
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=bridge1 name=IP_camera_nas vlan-id=40
add interface=bridge1 name=Internal_LAN vlan-id=10
add interface=bridge1 name=Internet_of_Things vlan-id=20
add interface=bridge1 name=Work_Devices vlan-id=30
add interface=ether1 mtu=1508 name=vlan6 vlan-id=6
/interface list
add name=WAN
add name=VLAN
/ip pool
add name=Internal_LAN ranges=192.168.1.100-192.168.1.200
add name=Internet_of_Things ranges=10.0.20.100-10.0.20.200
add name=Work_Devices ranges=10.0.30.100-10.0.30.200
/ip dhcp-server
add address-pool=Internal_LAN interface=Internal_LAN lease-time=1d name=\
    Internal_LAN
add address-pool=Internet_of_Things interface=Internet_of_Things lease-time=\
    1d name=Internet_of_Things
add address-pool=Work_Devices interface=Work_Devices lease-time=1d name=\
    Work_Devices
/ppp profile
set *FFFFFFFE only-one=yes use-upnp=no
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan6 keepalive-timeout=30 \
    max-mru=1500 max-mtu=1500 name=pppoe-out1 profile=default-encryption \
    use-peer-dns=yes user=xxx
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=sfp-sfpplus1 pvid=10
/ipv6 settings
set accept-redirects=no
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether3,ether4 untagged=\
    ether2,ether5,ether6,ether7,ether8,sfp-sfpplus1 vlan-ids=10,20,30,40
/interface list member
add interface=pppoe-out1 list=WAN
add interface=Internal_LAN list=VLAN
add interface=Internet_of_Things list=VLAN
add interface=Work_Devices list=VLAN
add interface=ether1 list=WAN
add interface=IP_camera_nas list=VLAN
add interface=*13 list=WAN
/ip address
add address=10.0.0.2/24 interface=ether1 network=10.0.0.0
add address=192.168.1.1/24 interface=Internal_LAN network=192.168.1.0
add address=10.0.20.1/24 interface=Internet_of_Things network=10.0.20.0
add address=10.0.30.1/24 interface=Work_Devices network=10.0.30.0
add address=10.0.40.1/24 interface=IP_camera_nas network=10.0.40.0
/ip dhcp-server lease
add address=10.0.20.196 mac-address=24:94:94:16:3C:F5 server=\
    Internet_of_Things
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
add address=192.168.1.0/24 gateway=192.168.1.1
/ip firewall filter
add action=accept chain=input comment="Allow established, related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=reject chain=input comment="drop dns resolver" dst-port=53 \
    in-interface-list=WAN protocol=udp reject-with=icmp-network-unreachable
add action=reject chain=input comment="drop dns resolver" dst-port=53 \
    in-interface-list=WAN protocol=tcp reject-with=icmp-network-unreachable
add action=accept chain=input comment="accept icmp" protocol=icmp
add action=drop chain=input comment="drop all not coming from VLAN" \
    in-interface-list=!VLAN
add action=fasttrack-connection chain=forward comment=fasttrack hw-offload=\
    yes
add action=accept chain=forward comment=\
    "accept established, related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "allow control of bedroom light from internal lan" dst-address=\
    10.0.20.196 in-interface=Internal_LAN out-interface=Internet_of_Things
add action=accept chain=forward comment=\
    "Allow access to IP camera from Internal LAN" dst-address=10.0.40.64 \
    in-interface=Internal_LAN
add action=accept chain=forward comment=\
    "Allow access to NAS surveillance from Internal LAN" dst-address=\
    10.0.40.182 in-interface=Internal_LAN
add action=accept chain=forward comment=\
    "allow printer to VLAN30 Work Devices" dst-address=192.168.1.5 \
    dst-address-list="" in-interface=Work_Devices out-interface=Internal_LAN
add action=drop chain=forward comment=\
    "no outside access to IP_camera_nas VLAN" in-interface=IP_camera_nas \
    out-interface-list=WAN
add action=accept chain=forward comment="VLAN internet access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="VLAN no inter communication" \
    in-interface=all-vlan out-interface=all-vlan
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat in-interface-list=WAN
add action=drop chain=forward comment="drop invalid" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 address
add from-pool=ipv6pool interface=Internal_LAN
add from-pool=ipv6pool interface=Work_Devices
add from-pool=ipv6pool interface=Internet_of_Things
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=ipv6pool request=\
    prefix use-peer-dns=no
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
    bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
    bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
    not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
    not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
    not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from VLAN" \
    in-interface-list=!VLAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from VLAN" in-interface-list=\
    !VLAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes hop-limit=64 \
    managed-address-configuration=yes other-configuration=yes ra-preference=\
    low reachable-time=5m
add advertise-dns=no interface=pppoe-out1 ra-lifetime=none ra-preference=low \
    reachable-time=5m
add dns=2a02:a47f:e000::54,2a02:a47f:e000::53 interface=Internal_LAN \
    other-configuration=yes ra-preference=high reachable-time=5m
add dns=2a02:a47f:e000::54,2a02:a47f:e000::53 interface=Work_Devices \
    other-configuration=yes ra-preference=high reachable-time=5m
add dns=2a02:a47f:e000::54,2a02:a47f:e000::53 interface=Internet_of_Things \
    other-configuration=yes ra-preference=high reachable-time=5m
/system identity
set name=Router
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.nl.pool.ntp.org
add address=1.nl.pool.ntp.org
add address=2.nl.pool.ntp.org
add address=3.nl.pool.ntp.org

Kentzo · April 8, 2024, 8:37pm

I don’t know if this is necessary for PPPoE connections, but I would recommend to at least try the following:

Set accept-router-advertisements=yes in /ipv6/settings
Set add-default-route=no in /ipv6/dhcp-client: route, normally, should be learned via RAs (but it might be a peculiarity of PPPoE I’m not aware of)

CGGXANNX · April 9, 2024, 10:07am

I think for PPPoE there is no need for accept-router-advertisements=yes in /ipv6/settings. I keep the default settings which are:

and because “IPv6 forward” is on, both “Accept redirects” and “Accept Router Advertisements” are effectively turned off with those default settings.

Because PPPoE is Point-to-Point. There is normally only one IPv4 address and one IPv6 link local address (fe80::/10) at each of both ends of the connection. The IPv6 link local address of the ISP end of the connection is effectively the gateway address. There is nothing to “advertise”, and no alternative routes are needed. So, it’s correct that “add-default-route=yes” is unnecessary on the DHCPv6 Client configuration, but turning it on doesn’t harm neither (because it will add the same route with the other peer as gateway).

When we turn on DHCPv6 Client on the connection for prefix delegation, the client end (using its UDP Port 546) can connect directly to UDP port 547 of the link local IPv6 address of the other end (ISP) to exchange messages. No router advertisement or multicast is needed.

Kentzo · April 10, 2024, 1:36am

On the one hand I agree with your reasoning… on the other hand I’d prefer IPv6 to negotiate its configuration as intended by the protocol rather than relying on this ad-hoc knowledge of underlying connection and RouterOS “hacks”.

liviu2004 · April 10, 2024, 5:36pm

Thanks for the suggestions, implemented and all still functional as before.