IPv6 with TunnelBroker: How to create isolated subnets?

Hi All,

I have being scratching my head for this. Please give help!

So here’s what’s happening:

I have an ISP that does not provide IPv6, so I registered a Tunnel Broker that HE.net provides. I followed all the standard configuration guides and even setup a script to automatically update my IP address to the tunnel. Everything on my network works with IPv6 now. So far so good.

And recently, I am trying to build a small server farm for my colleagues to drop some data or run some processes. So I created a VLAN for that part of network, configured the IPv4 part for it. Everything is good on that aspect. But I have great trouble with IPv6.

I notice that before any setup, the computer on the VLAN can actually get IPv6 configuration. I don’t think this is right because I tried to attach IPv6 Address only on my main network interface. And when I try to create one set of configuration for my VLAN, I found that both the main network and VLAN network can get both IPv6 configuration. And somehow, only my main network works well with IPv6, and VLAN network although got configuration but cannot route.

My question is, how can I isolate these 2 networks with IPv6? My bottom line is if I can limit IPv6 to my main network it would be good enough. Because the VLAN network does not really need IPv6. However that’s impossible because whatever I do the VLAN network always get configuration. Of course, if I can make both work that would be nice.

Below is script for my current setup. Please note that there are some irrelevant things within there.

/ipv6 dhcp-server
add address-pool=ipv6pool-default interface=bridge1-lan lease-time=15m name=\
    tunnel-dhcpv6

/ipv6 address
add disabled=yes eui-64=yes from-pool=isp-defaultv6 interface=bridge1-lan
add address=2001:7040:a:406e::2 advertise=no comment=\
    "Hurricane Electric IPv6 Tunnel Broker Default Address" interface=sit1
add address=2001:7040:b:406e::24 comment=\
    "Hurricane Electric IPv6 Tunnel Broker Client/64 Default Address" \
    interface=bridge1-lan
add address=2001:7040:e9ac:59::59 comment=\
    "Hurricane Electric IPv6 Tunnel Broker Client/48 Datacenter Address" \
    disabled=yes interface=v-bridge6-lan-datacenter
add address=2001:7040:e9ac:24::24 comment=\
    "Hurricane Electric IPv6 Tunnel Broker Client/48 Default Address" \
    disabled=yes interface=bridge1-lan

/ipv6 dhcp-client
add add-default-route=yes interface=bridge2-wan pool-name=isp-defaultv6 \
    prefix-hint=::/60 request=address,prefix

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=2001:7040:b:406e::/64 comment=\
    "Hurricane Electric IPv6 Tunnel Broker Default/64 Address" list=\
    v6-local-lan-all
add address=2001:7040:e9ac::/48 comment=\
    "Hurricane Electric IPv6 Tunnel Broker Default/48 Address" list=\
    v6-local-lan-all

/ipv6 nd
set [ find default=yes ] disabled=yes
add interface=bridge1-lan managed-address-configuration=yes
add advertise-mac-address=no disabled=yes interface=v-bridge6-lan-datacenter

/ipv6 nd prefix
add autonomous=no disabled=yes interface=bridge1-lan

/ipv6 route
add disabled=yes distance=1 gateway=sit1
add comment="Hurricane Electric IPv6 Tunnel Broker Static Route" distance=1 \
    dst-address=2000::/3 gateway=2001:7040:a:406e::1

/ipv6 settings
set accept-redirects=no

Please do let me know if you need more information to help. Much appreciated!

If the VLAN is separate from the main network, attaching an IPv6 address onto the main bridge should not result in the computers on the VLAN automatically getting IPs from that. You should have to add an IPv6 address onto the VLAN as well. The fact that you don’t suggests that you have an incorrect bridge configuration that is connecting together your main bridge to the VLAN on a layer 2 level into a single broadcast domain.

Thanks - as that is what I thought but I don’t know what I did wrong.
So currently my VLAN is done as a VLAN interface attached on the bridge that includes all my LAN interfaces. Something like this:

 #   NAME                                MTU ARP             VLAN-ID INTERFACE                             
 3 R bridge1-lan-vlan0059               1500 enabled              59 bridge1-lan

And then this VLAN interface goes into another bridge for ease of management but I think that is irrelevant.
Will this configuration expose broadcast to cross VLAN 59 and untagged network?

That VLAN config looks correct. Please show the output of /interface bridge port export

EDIT: Actually all of “/interface bridge export” would be handy

Here it is:

/interface bridge
add igmp-snooping=yes name=bridge1-lan
add name=bridge2-wan
add name=v-bridge6-lan-datacenter protocol-mode=none
/interface bridge port
add bridge=bridge1-lan interface=ether1
add bridge=bridge1-lan interface=ether3
add bridge=bridge1-lan interface=ether4
add bridge=bridge1-lan interface=ether5
add bridge=bridge1-lan interface=ether6
add bridge=bridge1-lan interface=ether7
add bridge=bridge1-lan interface=ether8
add bridge=bridge1-lan interface=ether10
add bridge=bridge1-lan interface=sfp-sfpplus1
add bridge=bridge2-wan interface=ether9
add bridge=bridge1-lan interface=ether2
add bridge=v-bridge6-lan-datacenter interface=bridge1-lan-vlan0059
/interface bridge vlan
add bridge=bridge1-lan vlan-ids=59

That all looks fine too. Please note that “/interface bridge vlan” doesn’t do anything without having Bridge VLAN filtering enabled. You are using old-style bridging/VLAN configuration instead of bridge vlan filtering, so that setting has no impact.

Is there some other device like a switch or something else doing bridging that could be bridging together your VLAN 59 with the untagged VLAN?

Yes I am aware of that. These settings come from age of 6.43 (or 6.42?) when there’s new bridge support but VLAN filtering was not clearly documented. Didn’t bother to enable filtering as of yet but I will try.

I am not aware of switches on the network could do bridging between VLAN and untagged. But I do have a bunch of “smart managed” switches on the network. The VLAN 59 is created by configuring ports on one of the switches to untag VLAN 59 and PVID 59. I am not 100% sure but I don’t think that would leak broadcast?

And what other feature can cause issue on such type of switch? My network is mainly on Netgear GS105PE and Netgear GS108Tv2. They came way before I have any Mikrotik devices.

Untagging/PVID VLAN 59 on a port that some device is plugged into is perfectly fine. What you do not want to do is untag/PVID 59 on a link that goes to another switch or to the router.

Suppose for instance you have two switches, plugged into each other and into the router. Maybe on switch 1 it connects to the router with no special configuration, so everything from the router gets passed as it was, untagged or tagged. Now suppose on the connection between switch 1 and switch 2, PVID 59 is set. Then switch 2 is connected back to the router on another port with no special configuration.

What would happen in this instance is that the router could send a broadcast or multicast untagged (essentially VLAN1), that broadcast or multicast would go into switch 1, hit the PVID setting going to switch 2, which would turn the packet from being on VLAN1 to being on VLAN59, then go back to the router potentially and arrive back at the originating router now with a tag of 59. The result is that the misconfiguration can result in essentially connecting the two VLANs together through that one point of misconfiguration. So you will want to make sure that every switch to switch connection or switch to router connection does not have PVID set.

I am aware of the issue with mixed tagged and untagged network. I don’t think I have anything like that on my network. However, is there a way for me to diagnose this kind of issue, like to isolate where the issue could happen?

What I would do temporarily is disconnect your switches from the router, disconnect basically everything you can except for the WAN uplink port, and reconfigure one of your ether ports for the vlan59 bridge instead of bridge1-lan. Plug into that port and see if you get an IPv6 - you should not. Plug into one of the other ports that is still on bridge1-lan and see if you can get an IPv6 - you should.

If you can get an IPv6 on that reconfigured ether port on the vlan59 bridge then you have perhaps some leftover switch chip configuration in RouterOS that is incorrect somehow. If you cannot get Ipv6 on that reconfigured ether port then you know the problem is not in the RouterOS device, but instead that one of your other devices or switches is somehow bridging the untagged and tagged VLANs together and you can start reconnecting things one by one until you find that you get an IPv6 address again, then you can determine what it was you connected that created the loop.

I’ve tried to disable all VLAN 59 from all my connected switches and connected only one machine from VLAN 59 directly to the router, on ether7 with correct PVID and untag configuration. I confirmed network still works.

But once I enable the ND entry for VLAN 59, my untagged network machine will get the configuration for VLAN 59. I tried the other way around - if I start with only VLAN 59 ND entry, it works fine for VLAN 59 connected computer. That is, only VLAN 59 IPv6 configuration. But once I enable the ND entry for untagged network, almost immediately the VLAN 59 computer gets untagged network IPv6 configuration.

Also I noticed that, if I start with both ND entry and restart network stack on both computer (on untagged and on VLAN 59), each of them get the correct configuration to begin with. But after a few minute each will get the other wrong configuration, and usually the VLAN 59 one will stop working because it will not use the correct routing.

I cannot figure out what leaked the broadcast this time. There’s nothing on my network even knows a VLAN 59 except the router itself.

Unless you have some device that is just removing all VLAN tags from packets that arrive with a tag. Again, I didn’t say to remove VLAN 59 from the switches. I said to disconnect basically everything else for a few minutes so you could confirm the problem is definitely the router. From the parts of the config you have shown it is practically impossible for it to have been the router, unless you have some wonky switch chip configuration in place or something.

Do you have DHCPv4 servers on both subnets too? I would expect you to also see computers on the other subnet getting IPv4 addresses sometimes from the DHCPv4 server on the other subnet.

I see what you meant now. This will require a bit more effort and I will try to find some time to conduct this test.

Yes I do have DHCPv4 servers on both subnets. I actually thought about this and tried to observe - I could find one or two switches on the network grab a VLAN 59 address but they are quickly released, like in about 10 seconds.

Just in case, here’s my switch configuration. Forgot to mention my router is a RB4011iGS+. I think this is all default:

/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0

Yes, if you have a few switches grabbing a VLAN 59 address then something is definitely incorrectly bridging them together. One of the switches is perhaps indiscriminately stripping all VLAN tags regardless of what they are. The fact that they are quickly released doesn’t mean there isn’t a problem - they shouldn’t even get the offer in the first place.

The switch configuration on the RB4011 is fine, it is default and won’t cause a problem. The cause of your issue is certainly some other device.

It can be really annoying to track down these sorts of layer 2 issues, but in most cases there is no alternative besides to disconnect everything and connect things incrementally to track down the source of the issue. I even had an experience where the built in switch in an IP phone was causing this issue, leaking broadcasts from the voice VLAN to the PC port (which was supposed to be on a different VLAN), causing the PC to get an IPv6 on both the voice VLAN and the PC VLAN. It may be a device that you are not expecting to be the culprit that is the cause of this.

You could change to the newer style bridge VLAN configuration (bridge vlan filtering) and tag everything going to the switches and avoid the use of VLAN 1 entirely, blocking untagged traffic from traversing trunk ports. Then you would configure your switches to untag/PVID the correct VLAN on each port. This may have the side-effect of working around the issue without disconnecting things, but it is of course not a guaranteed fix. In general, avoiding untagged traffic across trunk ports is recommended, as is avoiding the use of VLAN 1, and so configuring things in this way is not a bad idea from the perspective of defending against misbehaving devices.

Yeah I realize this is a much bigger task to do now. And I couldn’t think of a better way other than just do so.

The new style bridge VLAN - I thought about this no default VLAN 1 idea a while ago and tried a bit but messed things up. Is there a good article on implementing this on Mikrotik RouterOS? I was not sure how to handle the edge where VLAN eventually has to be converted to untagged to be compatible with all sorts of devices. I assume just do this at the router by PVID every port won’t work, right?

Also, thank you so much for helping. All your replies definitely helped a lot to eliminate all the doubts and confusions.

You will need to do a bit more than simply set the PVIDs, yes. This thread that I contributed to a few months back will be helpful: http://forum.mikrotik.com/t/vlans-setup-the-new-way/135765/1

Update on the issue:
I managed to find a moment to physically unplug everything on my router except:
WAN - because I am not 100% sure if the tunnel will work without WAN
My laptop - because I need it to test the issue.
I also reset the router just in case.
What I did is:
0) Physically removed all ethernet cables on my router except the one to WAN device (ONT) and the one to my laptop

1. Disable all port on my laptop leaving only the ethernet connecting directly to router
2. Disable all ND entries on the router
3. Reset IPv6 on the laptop and made sure there’s no address picked up
4. Enable untagged network ND, immediately check on my laptop and I got the untagged network address
5. Enable VLAN 59 network ND, immediately check on my laptop and I got the VLAN 59 network address ← BAD

At this time, there’s nothing else I can remove. Then I went ahead and tried to remove WAN, same result. Then I tried to use a different laptop (although configuration is really similar, ThinkPad T480 and T470), same result.

So as I could tell, it’s either the router or the laptop. I don’t exactly think it’s the laptop because that would mean either Windows 10 or Intel and Realtek did this wonky thing.

I guess I will have to look into VLAN everything?

At this point I would do an /export hide-sensitive and paste here, that way I can look through your full configuration just to see if there is something I did not anticipate.

Here:

# may/16/2020 14:17:08 by RouterOS 6.46.6
#
# model = RB4011iGS+
/interface bridge
add igmp-snooping=yes ingress-filtering=yes name=bridge1-lan vlan-filtering=\
    yes
add name=bridge2-wan
add name=v-bridge3-lan-utilities protocol-mode=none
add name=v-bridge4-lan-guest protocol-mode=none
add name=v-bridge5-lan-untagged protocol-mode=none
add name=v-bridge6-lan-datacenter protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] loop-protect-disable-time=2m \
    loop-protect-send-interval=10s speed=100Mbps
set [ find default-name=ether2 ] loop-protect-disable-time=2m \
    loop-protect-send-interval=10s speed=100Mbps
set [ find default-name=ether3 ] loop-protect-disable-time=2m \
    loop-protect-send-interval=10s speed=100Mbps
set [ find default-name=ether4 ] loop-protect-disable-time=2m \
    loop-protect-send-interval=10s speed=100Mbps
set [ find default-name=ether5 ] loop-protect-disable-time=2m \
    loop-protect-send-interval=10s speed=100Mbps
set [ find default-name=ether6 ] loop-protect-disable-time=2m \
    loop-protect-send-interval=10s speed=100Mbps
set [ find default-name=ether7 ] loop-protect-disable-time=2m \
    loop-protect-send-interval=10s speed=100Mbps
set [ find default-name=ether8 ] loop-protect-disable-time=2m \
    loop-protect-send-interval=10s speed=100Mbps
set [ find default-name=ether9 ] loop-protect-disable-time=2m \
    loop-protect-send-interval=10s
set [ find default-name=ether10 ] loop-protect-disable-time=2m \
    loop-protect-send-interval=10s speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] advertise=\
    10M-full,100M-full,1000M-full loop-protect-disable-time=2m \
    loop-protect-send-interval=10s rx-flow-control=auto speed=1Gbps \
    tx-flow-control=auto
/interface 6to4
add comment="Hurricane Electric IPv6 Tunnel Broker" dont-fragment=inherit \
    !keepalive local-address=50.35.67.174 mtu=1280 name=sit1 remote-address=\
    216.218.226.238
/interface vlan
add disabled=yes interface=bridge1-lan name=bridge1-lan-vlan0014 vlan-id=14
add interface=bridge1-lan name=bridge1-lan-vlan0019 vlan-id=19
add interface=bridge1-lan name=bridge1-lan-vlan0029 vlan-id=29
add interface=bridge1-lan name=bridge1-lan-vlan0059 vlan-id=59
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip kid-control
add fri="" mon="" name=default-unlimited sat="" sun="" thu="" tue="" wed=""
/ip pool
add name=ippool-dhcp-default ranges=192.168.23.140-192.168.23.190
add name=ippool-dhcp-utilities ranges=192.168.219.140-192.168.219.190
add name=ippool-dhcp-guest ranges=192.168.229.140-192.168.229.190
add name=ippool-dhcp-datacenter ranges=192.168.59.140-192.168.59.190
/ip dhcp-server
add add-arp=yes address-pool=ippool-dhcp-utilities disabled=no interface=\
    v-bridge3-lan-utilities name=dhcp-lan-utilities
add add-arp=yes address-pool=ippool-dhcp-guest disabled=no interface=\
    v-bridge4-lan-guest name=dhcp-lan-guest
add add-arp=yes address-pool=ippool-dhcp-default disabled=no interface=\
    bridge1-lan name=dhcp-lan-default
add add-arp=yes address-pool=ippool-dhcp-default interface=\
    v-bridge5-lan-untagged name=dhcp-lan-untagged
add add-arp=yes address-pool=ippool-dhcp-datacenter disabled=no interface=\
    v-bridge6-lan-datacenter name=dhcp-lan-datacenter
/ipv6 dhcp-server
add address-pool=ipv6pool-default interface=bridge1-lan lease-time=15m name=\
    tunnel-dhcpv6
/queue type
add kind=pcq name=pcq-download-500mbps pcq-burst-rate=480M \
    pcq-burst-threshold=400M pcq-classifier=dst-address pcq-limit=256KiB \
    pcq-rate=440M pcq-total-limit=32768KiB
add kind=pcq name=pcq-upload-500mbps pcq-burst-rate=500M pcq-burst-threshold=\
    400M pcq-classifier=src-address pcq-limit=256KiB pcq-rate=450M \
    pcq-total-limit=32768KiB
/queue tree
add name=general-bandwidth-limit-download packet-mark=general-client-download \
    parent=global queue=pcq-download-500mbps
add name=general-bandwidth-limit-upload packet-mark=general-client-upload \
    parent=global queue=pcq-upload-500mbps
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1-lan interface=ether1
add bridge=v-bridge4-lan-guest interface=bridge1-lan-vlan0029
add bridge=v-bridge3-lan-utilities interface=bridge1-lan-vlan0019
add bridge=v-bridge5-lan-untagged interface=bridge1-lan-vlan0014
add bridge=bridge1-lan interface=ether3
add bridge=bridge1-lan interface=ether4
add bridge=bridge1-lan interface=ether5
add bridge=bridge1-lan interface=ether6
add bridge=bridge1-lan interface=ether7
add bridge=bridge1-lan interface=ether8
add bridge=bridge1-lan interface=ether10
add bridge=bridge1-lan interface=sfp-sfpplus1
add bridge=bridge2-wan interface=ether9
add bridge=bridge1-lan interface=ether2
add bridge=v-bridge6-lan-datacenter interface=bridge1-lan-vlan0059
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set accept-source-route=yes rp-filter=strict tcp-syncookies=yes
/ipv6 settings
set accept-redirects=no
/interface bridge vlan
add bridge=bridge1-lan tagged="ether1,ether2,ether3,ether4,ether5,ether6,ether\
    7,ether8,ether10,sfp-sfpplus1,bridge1-lan" vlan-ids=19
add bridge=bridge1-lan tagged="ether1,ether2,ether3,ether4,ether5,ether6,ether\
    7,ether8,ether10,sfp-sfpplus1,bridge1-lan" vlan-ids=29
add bridge=bridge1-lan tagged="ether1,ether2,ether3,ether4,ether5,ether6,ether\
    7,ether8,ether10,sfp-sfpplus1,bridge1-lan" vlan-ids=59
add bridge=bridge1-lan untagged="ether1,ether2,ether3,ether4,ether5,ether6,eth\
    er7,ether8,ether10,sfp-sfpplus1" vlan-ids=14
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
add interface=bridge2-wan list=WAN
add interface=bridge1-lan list=LAN
add interface=v-bridge3-lan-utilities list=LAN
add interface=v-bridge4-lan-guest list=LAN
add interface=v-bridge5-lan-untagged list=LAN
add interface=v-bridge6-lan-datacenter list=LAN
/ip address
add address=192.168.23.24/24 interface=bridge1-lan network=192.168.23.0
add address=192.168.219.24/24 interface=v-bridge3-lan-utilities network=\
    192.168.219.0
add address=192.168.229.24/24 interface=v-bridge4-lan-guest network=\
    192.168.229.0
add address=192.168.59.24/24 interface=v-bridge6-lan-datacenter network=\
    192.168.59.0
add address=192.168.224.24/24 interface=bridge1-lan network=192.168.224.0
/ip dhcp-client
add dhcp-options=hostname,clientid,clientid_duid disabled=no interface=\
    bridge2-wan
/ip dhcp-server network
add address=192.168.23.0/24 gateway=192.168.23.24 netmask=24
add address=192.168.59.0/24 gateway=192.168.59.24 netmask=24
add address=192.168.219.0/24 gateway=192.168.219.24 netmask=24
add address=192.168.224.0/24 gateway=192.168.224.24
add address=192.168.229.0/24 gateway=192.168.229.24 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=1h cache-size=8192KiB \
    max-concurrent-queries=500 max-concurrent-tcp-sessions=100 \
    query-server-timeout=1s500ms servers="1.1.1.1,208.67.222.222,74.40.74.40,8\
    .8.8.8,1.0.0.1,208.67.220.220,74.40.74.41,8.8.4.4,2001:4860:4860::8888,200\
    1:4860:4860::4444"
/ip firewall address-list
add address=192.168.23.0/24 list=local-lan-all
add address=192.168.219.0/24 list=local-lan-all
add address=192.168.229.0/24 list=local-lan-all
add address=192.168.59.0/24 list=local-lan-all
add address=192.168.224.0/24 list=local-lan-all
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf new: established, related" \
    connection-state=established,related
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface-list=\
    WAN log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface-list=LAN \
    log=yes log-prefix=LAN_!LAN src-address-list=!local-lan-all
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment=\
    "20200131 Port scanners to list " protocol=tcp psd=21,5s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment=\
    "20200131 NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="20200131 SYN/FIN scan" \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="20200131 SYN/RST scan" \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="20200131 FIN/PSH/URG scan" \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="20200131 ALL/ALL scan" \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="20200131 NMAP NULL scan" \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="20200131 dropping port scanners" \
    src-address-list="port scanners"
add action=drop chain=forward comment="Stop Utilities from accessing Default" \
    dst-address=192.168.23.0/24 in-interface=v-bridge3-lan-utilities
add action=drop chain=forward comment="Stop Utilities from accessing Infra" \
    dst-address=192.168.224.0/24 in-interface=v-bridge3-lan-utilities
add action=drop chain=forward comment=\
    "Stop Utilities from access default gateway IP" dst-address=192.168.23.24 \
    in-interface=v-bridge3-lan-utilities
add action=drop chain=forward comment=\
    "Stop Utilities from access none-gateway IP in same network" dst-address=\
    !192.168.219.24 in-interface=v-bridge3-lan-utilities out-interface=\
    v-bridge3-lan-utilities
add action=accept chain=forward comment="Enable Utilities to access WAN" \
    in-interface=v-bridge3-lan-utilities out-interface-list=WAN
add action=fasttrack-connection chain=forward comment=\
    "Enable Utilities to access WAN with fast track" connection-state=\
    established,related disabled=yes in-interface=v-bridge3-lan-utilities \
    out-interface-list=WAN
add action=drop chain=forward comment="Stop Guest from accessing Default" \
    disabled=yes dst-address=192.168.23.0/24 in-interface=v-bridge4-lan-guest
add action=drop chain=forward comment="Stop Guest from accessing Infra" \
    dst-address=192.168.224.0/24 in-interface=v-bridge4-lan-guest
add action=drop chain=forward comment=\
    "Stop Guest from access default gateway IP" dst-address=192.168.23.24 \
    in-interface=v-bridge4-lan-guest
add action=fasttrack-connection chain=forward comment=\
    "Enable Guest to access WAN with fast track" connection-state=\
    established,related disabled=yes in-interface=v-bridge4-lan-guest \
    out-interface-list=WAN
add action=drop chain=forward comment=\
    "Stop Datacenter from accessing Default" dst-address=192.168.23.0/24 \
    in-interface=v-bridge6-lan-datacenter
add action=drop chain=forward comment="Stop Datacenter from accessing Infra" \
    dst-address=192.168.224.0/24 in-interface=v-bridge6-lan-datacenter
add action=fasttrack-connection chain=forward comment=\
    "Enable Datacenter to access WAN with fast track" connection-state=\
    established,related disabled=yes in-interface=v-bridge6-lan-datacenter \
    out-interface-list=WAN
/ip firewall mangle
add action=mark-packet chain=prerouting comment=\
    "Rate Limiting - Download - Default" in-interface=bridge2-wan \
    new-packet-mark=general-client-download passthrough=yes
add action=mark-packet chain=prerouting comment=\
    "Rate Limiting - Upload - Default" in-interface=bridge1-lan \
    new-packet-mark=general-client-upload passthrough=yes
add action=mark-packet chain=prerouting comment=\
    "Rate Limiting - Upload - Utilities" in-interface=v-bridge3-lan-utilities \
    new-packet-mark=general-client-upload passthrough=yes
add action=mark-packet chain=prerouting comment=\
    "Rate Limiting - Upload - Datacenter" in-interface=\
    v-bridge6-lan-datacenter new-packet-mark=general-client-upload \
    passthrough=yes
add action=mark-packet chain=prerouting comment=\
    "Rate Limiting - Upload - Guest" in-interface=v-bridge4-lan-guest \
    new-packet-mark=general-client-upload passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec policy
set 0 disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.23.0/24 disabled=yes port=8080
set ssh disabled=yes
set www-ssl address=192.168.23.0/24
set api disabled=yes
set winbox address=192.168.23.0/24 port=8291
set api-ssl disabled=yes
/ip smb
set comment="" domain=CNOVA.INFO
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip traffic-flow
set cache-entries=1M
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1-lan type=internal
add interface=bridge2-wan type=external
add interface=v-bridge3-lan-utilities type=internal
add interface=v-bridge4-lan-guest type=internal
/ipv6 address
add disabled=yes eui-64=yes from-pool=isp-defaultv6 interface=bridge1-lan
add address=2001:7040:a:406e::2 advertise=no comment=\
    "Hurricane Electric IPv6 Tunnel Broker Default Address" interface=sit1
add address=2001:7040:b:406e::24 comment=\
    "Hurricane Electric IPv6 Tunnel Broker Client/64 Default Address" \
    interface=bridge1-lan
add address=2001:7040:e9ac:59::59 comment=\
    "Hurricane Electric IPv6 Tunnel Broker Client/48 Datacenter Address" \
    interface=v-bridge6-lan-datacenter
add address=2001:7040:e9ac:24::24 comment=\
    "Hurricane Electric IPv6 Tunnel Broker Client/48 Default Address" \
    disabled=yes interface=bridge1-lan
/ipv6 dhcp-client
add add-default-route=yes interface=bridge2-wan pool-name=isp-defaultv6 \
    prefix-hint=::/60 request=address,prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=2001:7040:b:406e::/64 comment=\
    "Hurricane Electric IPv6 Tunnel Broker Default/64 Address" list=\
    v6-local-lan-all
add address=2001:7040:e9ac::/48 comment=\
    "Hurricane Electric IPv6 Tunnel Broker Default/48 Address" list=\
    v6-local-lan-all
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: drop bad_ipv6" \
    connection-state="" src-address-list=bad_ipv6
add action=drop chain=input comment="defconf: drop bad_ipv6" \
    connection-state="" dst-address-list=bad_ipv6
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=drop chain=forward comment=\
    "Disable some lower port range for all IPv6 clients" dst-port=3389 \
    protocol=tcp
add action=drop chain=forward comment=\
    "Disable some lower port range for all IPv6 clients" dst-port=3389 \
    protocol=udp
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment=\
    "20200512 IPv6 NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="20200512 IPv6 SYN/FIN scan" \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="20200512 IPv6 SYN/RST scan" \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment=\
    "20200512 IPv6 FIN/PSH/URG scan" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="20200512 IPv6 ALL/ALL scan" \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment=\
    "20200512 IPv6 NMAP NULL scan" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="20200512 IPv6 dropping port scanners" \
    src-address-list="port scanners"
add action=drop chain=forward comment=\
    "Stop Datacenter from accessing Default" disabled=yes dst-address=\
    2001:7040:b:406e::/64 in-interface=v-bridge6-lan-datacenter
/ipv6 firewall mangle
add action=mark-packet chain=prerouting comment=\
    "Rate Limiting - Download - Default" in-interface=bridge2-wan \
    new-packet-mark=general-client-download passthrough=yes
add action=mark-packet chain=prerouting comment=\
    "Rate Limiting - Upload - Default" in-interface=bridge1-lan \
    new-packet-mark=general-client-upload passthrough=yes
add action=mark-packet chain=prerouting comment=\
    "Rate Limiting - Upload - Utilities" in-interface=v-bridge3-lan-utilities \
    new-packet-mark=general-client-upload passthrough=yes
add action=mark-packet chain=prerouting comment=\
    "Rate Limiting - Upload - Datacenter" in-interface=\
    v-bridge6-lan-datacenter new-packet-mark=general-client-upload \
    passthrough=yes
add action=mark-packet chain=prerouting comment=\
    "Rate Limiting - Upload - Guest" in-interface=v-bridge4-lan-guest \
    new-packet-mark=general-client-upload passthrough=yes
/ipv6 nd
set [ find default=yes ] disabled=yes
add interface=bridge1-lan managed-address-configuration=yes
add advertise-mac-address=no disabled=yes interface=v-bridge6-lan-datacenter \
    managed-address-configuration=yes
/ipv6 nd prefix
add autonomous=no disabled=yes interface=bridge1-lan
/ipv6 route
add disabled=yes distance=1 gateway=sit1
add comment="Hurricane Electric IPv6 Tunnel Broker Static Route" distance=1 \
    dst-address=2000::/3 gateway=2001:7040:a:406e::1
/special-login
add disabled=yes port=serial1 user=carlton
/system clock
set time-zone-name=America/Los_Angeles
/system console
set [ find port=serial1 ] disabled=yes port=serial1
/system identity
set name=rt4.cnova.info
/system ntp client
set enabled=yes primary-ntp=13.65.245.138 secondary-ntp=198.211.103.209
/system ntp server
set broadcast=yes enabled=yes multicast=yes
/system routerboard settings
set auto-upgrade=yes enter-setup-on=delete-key
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no

There’s a VLAN 14 that I was trying to use as the replacement for untagged, but it is not being used.

One thing I am wondering about is the IGMP snooping. IPv6 uses multicast instead of broadcast for advertisements. I haven’t tried using IGMP snooping before (never had a need) so I wasn’t sure how it handled VLANs. You might try turning that off temporarily to see if it makes a difference.

Below I have commented the parts of your config that should be changed. I haven’t actually made the changes myself, simply quoted your existing config and explained what should be changed.

I would get rid of these bridges, there is no need for them (leave only bridge1-lan).

/interface bridge
add name=bridge2-wan
add name=v-bridge3-lan-utilities protocol-mode=none
add name=v-bridge4-lan-guest protocol-mode=none
add name=v-bridge5-lan-untagged protocol-mode=none
add name=v-bridge6-lan-datacenter protocol-mode=none

Re-enable your VLAN interface for vlan 14

/interface vlan add disabled=yes interface=bridge1-lan name=bridge1-lan-vlan0014 vlan-id=14

Under interface bridge port, you need PVID set for each port, also delete the entries for the bridges that you are removing:

/interface bridge port
add bridge=bridge1-lan interface=ether1
add bridge=v-bridge4-lan-guest interface=bridge1-lan-vlan0029
add bridge=v-bridge3-lan-utilities interface=bridge1-lan-vlan0019
add bridge=v-bridge5-lan-untagged interface=bridge1-lan-vlan0014
add bridge=bridge1-lan interface=ether3
add bridge=bridge1-lan interface=ether4
add bridge=bridge1-lan interface=ether5
add bridge=bridge1-lan interface=ether6
add bridge=bridge1-lan interface=ether7
add bridge=bridge1-lan interface=ether8
add bridge=bridge1-lan interface=ether10
add bridge=bridge1-lan interface=sfp-sfpplus1
add bridge=bridge2-wan interface=ether9
add bridge=bridge1-lan interface=ether2
add bridge=v-bridge6-lan-datacenter interface=bridge1-lan-vlan0059

Under interface bridge VLAN, only set tagged= for bridge1-lan plus any ports that are trunk ports going to switches. You have a bunch of ethernet ports currently there that I’m assuming are not all for VLAN trunking? If some of them should be access ports for a specific VLAN they shouldn’t be in the tagged list for other VLANs.

Also for VLAN14 you don’t have to specify untagged ports since those will automatically be untagged by setting PVID=14 for the ports in the previous step. You do have to specify tagged=bridge1-lan for VLAN 14, you are currently missing that.

/interface bridge vlan
add bridge=bridge1-lan tagged="ether1,ether2,ether3,ether4,ether5,ether6,ether\
    7,ether8,ether10,sfp-sfpplus1,bridge1-lan" vlan-ids=19
add bridge=bridge1-lan tagged="ether1,ether2,ether3,ether4,ether5,ether6,ether\
    7,ether8,ether10,sfp-sfpplus1,bridge1-lan" vlan-ids=29
add bridge=bridge1-lan tagged="ether1,ether2,ether3,ether4,ether5,ether6,ether\
    7,ether8,ether10,sfp-sfpplus1,bridge1-lan" vlan-ids=59
add bridge=bridge1-lan untagged="ether1,ether2,ether3,ether4,ether5,ether6,eth\
    er7,ether8,ether10,sfp-sfpplus1" vlan-ids=14

Since you would be deleting the extra bridges (and will only have one bridge), you’ll have to fix your interface lists to use the VLAN interfaces instead of the vlan bridges and to use the physical interface for the uplink:

/interface list member
add interface=bridge2-wan list=WAN
add interface=bridge1-lan list=LAN
add interface=v-bridge3-lan-utilities list=LAN
add interface=v-bridge4-lan-guest list=LAN
add interface=v-bridge5-lan-untagged list=LAN
add interface=v-bridge6-lan-datacenter list=LAN

You’ll also have to fix these IP addresses. The IP address that you currently have on bridge1-lan should be on VLAN interface VLAN 14 instead. The other IP addresses should also be on their VLAN interfaces:

/ip address
add address=192.168.23.24/24 interface=bridge1-lan network=192.168.23.0
add address=192.168.219.24/24 interface=v-bridge3-lan-utilities network=\
    192.168.219.0
add address=192.168.229.24/24 interface=v-bridge4-lan-guest network=\
    192.168.229.0
add address=192.168.59.24/24 interface=v-bridge6-lan-datacenter network=\
    192.168.59.0
add address=192.168.224.24/24 interface=bridge1-lan network=192.168.224.0

DHCP client will need to be changed from bridge2-wan to the wan interface name:

/ip dhcp-client
add dhcp-options=hostname,clientid,clientid_duid disabled=no interface=\
    bridge2-wan

You’ll have to fix the uPNP interfaces to reference the VLAN interfaces and external physical interface instead of the bridges:

/ip upnp interfaces
add interface=bridge1-lan type=internal
add interface=bridge2-wan type=external
add interface=v-bridge3-lan-utilities type=internal
add interface=v-bridge4-lan-guest type=internal

Any IPv6 addresses currently assigned to the bridges will have to be moved to the VLAN interfaces:

/ipv6 address
add disabled=yes eui-64=yes from-pool=isp-defaultv6 interface=bridge1-lan
add address=2001:7040:a:406e::2 advertise=no comment=\
    "Hurricane Electric IPv6 Tunnel Broker Default Address" interface=sit1
add address=2001:7040:b:406e::24 comment=\
    "Hurricane Electric IPv6 Tunnel Broker Client/64 Default Address" \
    interface=bridge1-lan
add address=2001:7040:e9ac:59::59 comment=\
    "Hurricane Electric IPv6 Tunnel Broker Client/48 Datacenter Address" \
    interface=v-bridge6-lan-datacenter
add address=2001:7040:e9ac:24::24 comment=\
    "Hurricane Electric IPv6 Tunnel Broker Client/48 Default Address" \
    disabled=yes interface=bridge1-lan

Managed-address-configuration should be no, otherwise you are telling the computers to search for a DHCPv6 server to find IPs (and you probably don’t have one). Also have to change interface from bridge1-lan to the vlan interface for vlan14, and the other v-bridge-lan-datacenter to its VLAN interface.

/ipv6 nd
set [ find default=yes ] disabled=yes
add interface=bridge1-lan managed-address-configuration=yes
add advertise-mac-address=no disabled=yes interface=v-bridge6-lan-datacenter \
    managed-address-configuration=yes

I’m not entirely sure why you have autonomous set to no below, it would normally be set to yes to enable SLAAC addressing. RouterOS does not have a DHCPv6 server that is capable of handling out individual addresses to clients. Also it should be changed from bridge1-lan to the VLAN interface.

/ipv6 nd prefix
add autonomous=no disabled=yes interface=bridge1-lan

In addition you also have to fix any firewall rules that referenced the bridges to reference the VLAN interfaces instead.