IPv6 via HurricaneElectric tunnel with VLAN

Hi,

I’ve been recently tinkering with both VLANs and IPv6. My ISP doesn’t support IPv6 yet, so I set up the 6to4 tunnel which worked fine.

Afterwards I tried to separate my devices to their own VLAN. This hit some issues, most notably failing to get IPv4 from DHCP on either ethernet or WLAN, even though a server was configured.
I’ve iterated to the config you can see below, but at this point I cannot seem to get IPv6 working :confused:

I can do IPv6 ping from the hAP ac² just fine, but not from any of the devices on the LAN. It doesn’t work on either VLAN, nor co-VLAN. It seems like the routing doesn’t work properly from the devices themselves.

edit: Another issue I have is that my devices with VLAN tag on WLAN cannot seem to get the RA from vlan10. I always get the address from the bridge prefix.

tl;dr of what I did

  • set up the 6to4
  • sit1 uses the address given by HE
  • bridge uses the routed /64 block
  • vlan10 uses one /64 block from the /48 given by HE
  • set ND on both vlan10 and bridge

Thanks for any suggestions :slight_smile:

Config:

/interface bridge
add auto-mac=no name=bridge vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] comment="ISP"
set [ find default-name=ether2 ] comment=hertz
set [ find default-name=ether3 ] comment="ThinkPad Dock"
set [ find default-name=ether5 ] comment=maxwell

/interface 6to4
add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive local-address=172.16.0.1 mtu=1280 name=sit1 remote-address=216.66.86.122

/interface vlan
add interface=bridge name=vlan10 vlan-id=10

/ip pool
add name=pool-unknown ranges=172.16.15.2-172.16.15.254
add name=pool-known ranges=172.16.7.2-172.16.8.254
add name=pool-mf ranges=172.16.16.2-172.16.17.254

/ip dhcp-server
add address-pool=pool-unknown interface=bridge lease-time=1d name=dhcp0
add address-pool=pool-mf interface=vlan10 lease-time=1d name=dhcp-mf

/ipv6 pool
add name=he-pool prefix=DEAD:BEEF::/48 prefix-length=64

/interface bridge port
add bridge=bridge comment=hertz interface=ether2 pvid=10
add bridge=bridge comment="ThinkPad Dock" interface=ether3 pvid=10
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge comment=maxwell interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2

/interface bridge vlan
add bridge=bridge tagged=bridge,wlan1,wlan2 untagged=ether2,ether3,ether4,ether5 vlan-ids=10

/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220,2620:119:35::35,2620:119:53::53

/ipv6 route
add disabled=no distance=1 dst-address=2000::/3 gateway=dead:beef::1 scope=30 target-scope=10

/ipv6 address
add address=dead:beef::2 advertise=no interface=sit1
add address=dead:beeF::1 interface=bridge
add address=DEAD:BEEF:1::1 interface=vlan10

/ipv6 nd
set [ find default=yes ] hop-limit=64 ra-interval=20s-1m ra-lifetime=none reachable-time=5m
add hop-limit=64 interface=vlan10 ra-interval=20s-1m ra-lifetime=none reachable-time=5m

I’ve just noticed that probably after a restart, it works on ethernet, just the WLAN is broken. Even though I got assigned 2× IPv6 addresses from SLAAC, they just don’t work, locally it says “Network unreachable”. With packet sniffer I can see RAs on wlan* with correct VLAN_ID :confused:

There are a couple of issues in what’s shared so far:

  1. MikroTik (MT) device model is missing; the hardware matters.
  2. Hurricane Electric (HE) setup is obfuscated into the unintelligible.
  3. MT configuration is redacted into being fairly incomplete as well.
  4. Questions so far are unanswerable with information so far.

I will share a similar working example:

  • MT hAP ax3 device
  • ISP is Comcast with cable modem; no ISP gateway
  • Comcast provides 1 IPv4/22, 1 IPv6/128, 1 IPv6/60
  • I tested Comcast IPv6:
    • prefix delegation works
    • RA SLAAC IPv6 address works
    • but haven’t solved end client IPv6 source address selection.
  • I use HE IPv6 alone but left future concurrent Comcast option open.
  • Concurrent IPv6 provider operation is managed with Policy Routing.

The following configuration

# 2023-08-26 13:22:33 by RouterOS 7.11
# model = C53UiG+5HPaxD2HPaxD
#
/interface bridge
add admin-mac=48:A9:8A:C0:94:DD auto-mac=no name=bridge vlan-filtering=yes

/interface 6to4
# local-address=0.0.0.0 (default) just works
# and provides public IPv4 change immunity
# Hurricane Electric published recipe MTU is low
add mtu=1480 name=hef2 remote-address=72.52.104.74

/interface vlan
add interface=bridge name=vlan403 vlan-id=403
add interface=bridge name=vlan404 vlan-id=404
add interface=bridge name=vlan405 vlan-id=405
add interface=bridge name=vlan406 vlan-id=406
add interface=bridge name=vlan407 vlan-id=407

/interface list
add name=snat

/interface wifiwave2 channel
add band=2ghz-ax name=ch2g skip-dfs-channels=10min-cac width=20/40mhz
add band=5ghz-ax name=ch5g skip-dfs-channels=10min-cac width=20/40/80mhz

/interface wifiwave2 datapath
# Wifiwave2 datapath handles WiFi VLAN setup and teardown dynamically
add bridge=bridge client-isolation=yes name=path-guest vlan-id=403
add bridge=bridge client-isolation=no name=path-prime vlan-id=405

/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk name=auth-guest wps=disable
add authentication-types=wpa2-psk,wpa3-psk name=auth-prime wps=disable

/interface wifiwave2 configuration
add country="United States" mode=ap name=conf-guest security=auth-guest
add country="United States" mode=ap name=conf-prime security=auth-prime

/interface wifiwave2
set [ find default-name=wifi1 ] channel=ch5g configuration=conf-prime configuration.mode=ap .ssid=Radar-Love datapath=path-prime
set [ find default-name=wifi2 ] channel=ch2g configuration=conf-guest configuration.mode=ap .ssid=Radar-Pain datapath=path-guest

/ip pool
add name=dhcp_pool_net40 ranges=192.168.40.140-192.168.40.199
add name=dhcp_pool_net41 ranges=192.168.41.20-192.168.41.199

/ip dhcp-server
add address-pool=dhcp_pool_net40 interface=vlan403 lease-time=4h name=dhcp_net40 server-address=192.168.40.14
add address-pool=dhcp_pool_net41 interface=vlan405 lease-time=4h name=dhcp_net41 server-address=192.168.41.14

/routing table
# Policy Routing Hurricane Electric so Comcast is IPv6 default gateway
add fib name=rt-hef2

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3 pvid=403
add bridge=bridge interface=ether4 pvid=405
add bridge=bridge interface=ether5 pvid=407

/interface bridge vlan
add bridge=bridge untagged=bridge,ether1,ether2 vlan-ids=1
add bridge=bridge tagged=bridge,ether1 untagged=ether3 vlan-ids=403
add bridge=bridge tagged=bridge,ether1 vlan-ids=404
add bridge=bridge tagged=bridge,ether1 untagged=ether4 vlan-ids=405
add bridge=bridge tagged=bridge,ether1 vlan-ids=406
add bridge=bridge tagged=bridge,ether1 untagged=ether5 vlan-ids=407

/interface list member
add interface=vlan407 list=snat

/ip address
add address=192.168.88.14/24 interface=bridge network=192.168.88.0
add address=192.168.40.14/24 interface=vlan403 network=192.168.40.0
add address=192.168.41.14/24 interface=vlan405 network=192.168.41.0
add address=192.168.44.14/24 interface=vlan406 network=192.168.44.0
add address=192.168.40.1/24 interface=vlan403 network=192.168.40.0
add address=192.168.41.1/24 interface=vlan405 network=192.168.41.0
add address=192.168.44.1/24 interface=vlan406 network=192.168.44.0

/ip dhcp-client
add !dhcp-options interface=vlan407

/ip dhcp-server network
add address=192.168.40.0/24 dns-server=192.168.41.201,192.168.41.202 gateway=192.168.40.1
add address=192.168.41.0/24 dns-server=192.168.41.201,192.168.41.202 gateway=192.168.41.1

/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=snat

/ipv6 route
# Policy Routing Hurricane Electric so Comcast is IPv6 default gateway
add dst-address=::/0 gateway=2001:470:1f04:4fc::1 routing-table=rt-hef2
# Comcast ND has MTU above 9120 so C53UiG logs every time overflowing memory log
# Disabling or blocking Comcast ND breaks IPv6 default gateway discovery
# Since Comcast provides /128 address gateway=interface works
# Omit static default gateway or use Hurricane Electric to omit Policy Routing
add dst-address=::/0 gateway=vlan407

/ipv6 address
# Hurricane Electric linked /64 subnet
add address=2001:470:1f04:4fc::2 advertise=no interface=hef2
# Hurricane Electric routed /64 subnet
add address=2001:470:1f05:4fc::1 advertise=no interface=vlan406
# Hurricane Electric routed /48 subnetted /64
add address=2001:470:8248:28::e interface=vlan403
# Hurricane Electric routed /48 subnetted /64
add address=2001:470:8248:29::e interface=vlan405

/ipv6 dhcp-client
# Comcast prefix delegation /60 into dynamic pool
# Comcast accepts 2 message rapid commit; I prefer standard 4 message
add interface=vlan407 pool-name=Comcast prefix-hint=::/60 rapid-commit=no request=address,prefix use-peer-dns=no

/ipv6 nd
# Hurricane Electric subnets should advertise correct MTU
add interface=vlan403 mtu=1480
add interface=vlan405 mtu=1480

/routing rule
# Policy Routing Hurricane Electric so Comcast is IPv6 default gateway
# The table=main rules are unneeded but are included for tutorial clarity
add action=lookup-only-in-table dst-address=2001:470:8248::/48 table=main
add action=lookup-only-in-table src-address=2001:470:8248::/48 table=rt-hef2
add action=lookup-only-in-table dst-address=2001:470:1f05:4fc::/64 table=main
add action=lookup-only-in-table src-address=2001:470:1f05:4fc::/64 table=rt-hef2

created the following hAP address set:

/ip address print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS           NETWORK       INTERFACE
0   192.168.88.14/24  192.168.88.0  bridge
1   192.168.41.14/24  192.168.41.0  vlan405
2   192.168.40.14/24  192.168.40.0  vlan403
3   192.168.44.14/24  192.168.44.0  vlan406
4   192.168.44.1/24   192.168.44.0  vlan406
5   192.168.40.1/24   192.168.40.0  vlan403
6   192.168.41.1/24   192.168.41.0  vlan405
7 D 67.170.205.29/22  67.170.204.0  vlan407

/ipv6 address print
Flags: D - DYNAMIC; G - GLOBAL, L - LINK-LOCAL
Columns: ADDRESS, INTERFACE, ADVERTISE
 #    ADDRESS                                   INTERFACE  ADVERTISE
 0  G 2001:470:1f04:4fc::2/64                   hef2       no
 1  G 2001:470:1f05:4fc::1/64                   vlan406    no
 2  G 2001:470:8248:28::e/64                    vlan403    yes
 3  G 2001:470:8248:29::e/64                    vlan405    yes
 4 DL fe80::/64                                 hef2       no
 5 DL fe80::4aa9:8aff:fec0:94dd/64              bridge     no
 6 DL fe80::4aa9:8aff:fec0:94dd/64              vlan405    no
 7 DL fe80::4aa9:8aff:fec0:94dd/64              vlan406    no
 8 DL fe80::4aa9:8aff:fec0:94dd/64              vlan403    no
 9 DL fe80::4aa9:8aff:fec0:94dd/64              vlan407    no
10 DL fe80::4aa9:8aff:fec0:94dd/64              vlan404    no
11 DG 2001:558:6045:76:7d09:68b7:95aa:863e/128  vlan407    no
12 DL fe80::4aa9:8aff:fec0:94e3/64              wifi2      no

/ipv6 pool print
Flags: D - DYNAMIC
Columns: NAME, PREFIX, PREFIX-LENGTH, EXPIRES-AFTER
#   NAME     PREFIX                   PREFIX-LENGTH  EXPIRES-AFTER
0 D Comcast  2601:642:4e80:f950::/60             64  1h39m36s

Be safe, be well, and good luck!

I’ve pinpointed the issue to the VLANs, though I don’t have a clue what’s wrong, because the IPv4 works fine with the VLANs.

# model = RBD52G-5HacD2HnD
/interface bridge
add admin-mac=DC:2C:6E:0E:37:CB auto-mac=no fast-forward=no name=bridge vlan-filtering=yes

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-XX country=slovakia disabled=no frequency=auto installation=indoor mode=ap-bridge ssid=dekimu vlan-id=404 vlan-mode=use-tag wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40/80mhz-XXXX country=slovakia disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=dekimu vlan-id=404 vlan-mode=\
    use-tag wireless-protocol=802.11 wps-mode=disabled

/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan42 vlan-id=42
add interface=bridge name=vlan404 vlan-id=404

/interface bridge port
add bridge=bridge comment=hertz interface=ether2 pvid=42
add bridge=bridge comment="ThinkPad Dock" interface=ether3 pvid=42
add bridge=bridge interface=ether4 pvid=42
add bridge=bridge comment=maxwell interface=ether5
add bridge=bridge interface=WLAN multicast-router=disabled

/interface bridge vlan
add bridge=bridge tagged=bridge,wlan1,wlan2 untagged=ether2,ether3,ether4,ether5 vlan-ids=42
add bridge=bridge tagged=bridge,wlan1,wlan2 untagged=ether5 vlan-ids=1
add bridge=bridge tagged=bridge,wlan1,wlan2 vlan-ids=404

/interface wireless access-list
# vlan42 or vlan1 based on the MAC addresses

/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220,2620:119:35::35,2620:119:53::53

/ipv6 route
add disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:11:2c::1 scope=30 target-scope=10

/ipv6 address
add address=2001:470:11:2c::2 advertise=no interface=sit1
add address=2001:470:1111:dcaf:: interface=vlan1
add address=2001:470:1111:cafe:: interface=vlan42

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

/ipv6 nd
set [ find default=yes ] dns=2620:119:35::35,2620:119:53::53 hop-limit=64 interface=vlan1 mtu=1280 ra-interval=20s-1m reachable-time=5m
add dns=2620:119:35::35,2620:119:53::53 hop-limit=64 interface=vlan42 mtu=1280 ra-interval=20s-1m reachable-time=5m

/ipv6 nd prefix default
set valid-lifetime=1w

It’s only the WLAN+VLAN combination that’s not playing out.

@mfocko Last configuration is better but still incomplete. I don’t see interface definitions for WLAN and sit1:

/interface bridge port
add bridge=bridge interface=WLAN multicast-router=disabled

/ipv6 address
add address=2001:470:11:2c::2 advertise=no interface=sit1

The IPv6 address blocks are Hurricane Electric. A tunnel and native IPv6 are not identical. Please provide complete IPv6 provisioning information.

I understand privacy concerns, but over-redacting wastes everybody’s time. Be aware that it is a great method to destroy the incentive to help.
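The two gaps raised in this thread (an L3 interface whose VLAN the bridge itself is not a member of, and an address assigned to an interface the export never defines) can be caught mechanically before posting. The script below is an added example, not code from the thread or from MikroTik; it parses a RouterOS export in the style shown above and runs both checks over a constructed sample that uses documentation prefixes.

```python
import shlex

# Constructed sample in the thread's export style (documentation prefixes), not a
# real router's config. Two deliberate gaps: sit1 is addressed but never defined,
# and vlan42 has an L3 interface while the bridge is not a member of VLAN 42.
SAMPLE = """\
/interface vlan
add interface=bridge name=vlan42 vlan-id=42
add interface=bridge name=vlan404 vlan-id=404
/interface bridge vlan
add bridge=bridge comment="wired" tagged=wlan1 untagged=ether3 vlan-ids=42
add bridge=bridge tagged=bridge,wlan1,wlan2 vlan-ids=404
/ipv6 address
add address=2001:db8:1::2 advertise=no interface=sit1
add address=2001:db8:2:: interface=vlan42
"""

def parse_export(text):
    """Map each section header to the {key: value} dicts of its add lines."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            pairs = (t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            current.append(dict(pairs))
    return sections

def vlan_ids(spec):
    """Expand a vlan-ids value such as '10,20-22' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def check_config(text):
    """Return a list of findings; an empty list means both checks passed."""
    cfg, findings = parse_export(text), []
    # With vlan-filtering=yes the router reaches a VLAN only through a bridge
    # VLAN entry that lists the bridge itself; VLAN 1 is exempt because the
    # bridge is a dynamic untagged member of its own pvid (default 1).
    bridge_vlans = set()
    for e in cfg.get("/interface bridge vlan", []):
        if "bridge" in (e.get("tagged", "") + "," + e.get("untagged", "")).split(","):
            bridge_vlans |= vlan_ids(e["vlan-ids"])
    for e in cfg.get("/interface vlan", []):
        vid = int(e["vlan-id"])
        if e.get("interface") == "bridge" and vid != 1 and vid not in bridge_vlans:
            findings.append(f"{e['name']}: bridge is not a member of VLAN {vid}")
    # Built-in port names plus every interface the export creates count as defined.
    defined = {"bridge", "wlan1", "wlan2"} | {f"ether{i}" for i in range(1, 6)}
    for sec in ("/interface bridge", "/interface vlan", "/interface 6to4"):
        defined |= {e["name"] for e in cfg.get(sec, []) if "name" in e}
    for sec in ("/ip address", "/ipv6 address", "/ipv6 nd", "/ip dhcp-server"):
        for e in cfg.get(sec, []):
            if e.get("interface") and e["interface"] not in defined:
                findings.append(f"{sec}: interface {e['interface']} is not defined")
    return findings
```

Run `check_config` over the output of `/export` pasted into a file; `set` lines (including `[ find default-name=... ]` forms) are skipped, so built-in ethernet and wlan ports are treated as always defined.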

WLAN is an alias for wlan1 and wlan2:

/interface list member
add interface=wlan1 list=WLAN
add interface=wlan2 list=WLAN

IPv6:

/interface 6to4
add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive mtu=1280 name=sit1 remote-address=216.66.86.122

/ipv6 address
add address=2001:470:6e:2c::2 advertise=no interface=sit1
add address=2001:470:58e5:dcaf:: interface=vlan1
add address=2001:470:58e5:cafe:: interface=vlan42

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

/ipv6 nd
set [ find default=yes ] dns=2620:119:35::35,2620:119:53::53 hop-limit=64 interface=vlan1 mtu=1280 ra-interval=20s-1m reachable-time=5m
add dns=2620:119:35::35,2620:119:53::53 hop-limit=64 interface=vlan42 mtu=1280 ra-interval=20s-1m reachable-time=5m

/ipv6 nd prefix default
set valid-lifetime=1w