Leaking of IPv6 prefix that's not present on Router

RouterOS version: 7.18.2
Model: RB5009

I’m really confused as to where this prefix comes from, but I always seem to get a prefix from 2001::45a:2103::/64 and I cannot find it anywhere on my router. The router advertisements from the router include the :2103 prefix, but shouldn’t they?
The network does include an Apple TV running with HomeKit.

# 2025-03-31 20:42:49 by RouterOS 7.18.2
# Review annotations (lines beginning with "#") were added for readability; the configuration statements are unchanged.
/interface bridge
# One VLAN-filtering bridge. Untagged frames are refused and the bridge's own PVID is the management VLAN (99).
add frame-types=admit-only-vlan-tagged name=bridge pvid=99 vlan-filtering=yes
/interface ethernet
# Unused copper ports are disabled; ether8 stays enabled as an untagged management fallback (see /interface bridge vlan).
set [ find default-name=ether1 ] poe-out=off
set [ find default-name=ether3 ] disabled=yes poe-out=off
set [ find default-name=ether4 ] poe-out=off
set [ find default-name=ether5 ] disabled=yes poe-out=off
set [ find default-name=ether6 ] disabled=yes poe-out=off
set [ find default-name=ether7 ] disabled=yes poe-out=off
set [ find default-name=ether8 ] comment="Management BACKUP" poe-out=off
# The SFP+ port carries the VLAN trunk; ether2 is the LTE backup WAN.
set [ find default-name=sfp-sfpplus1 ] name=fiber-trunk
set [ find default-name=ether2 ] comment="LTE backup" name=wan2 poe-out=off
/interface wireguard
# Two WireGuard listeners. Only UDP 51821 ("backdoor") is accepted from WAN in the IPv4 input chain; nothing accepts
# 51820, so "home-vpn" is not reachable from WAN with the firewall as exported — confirm that is intended.
add listen-port=51821 mtu=1420 name=backdoor
add listen-port=51820 mtu=1420 name=home-vpn
/interface vlan
# Five VLANs on the bridge; their gateway subnets are under /ip address and /ipv6 address.
add interface=bridge name=IoT vlan-id=50
add interface=bridge name=KubeDev vlan-id=110
add interface=bridge name=KubeProd vlan-id=105
add interface=bridge name=MGMNT vlan-id=99
add interface=bridge name=MainLAN vlan-id=10
/interface list
# WAN and LAN are the default lists; VLANs is a custom list referenced by several firewall rules.
# Membership is under /interface list member.
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLANs
/ip pool
# "default-dhcp" (192.168.88.x) is a defconf leftover: no DHCP server below references it.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=lan-dhcp-pool ranges=192.168.2.10-192.168.2.245
add name="management dhcp-pool" ranges=192.168.99.99-192.168.99.100
add name=iot-dhcp-pool ranges=10.0.50.30-10.0.50.100
add name=kubernetes-prod-dhcp-pool ranges=10.0.105.30-10.0.105.100
add name=kubernetes-dev-dhcp-pool ranges=10.0.110.20-10.0.110.30
/ip dhcp-server
# One DHCP server per VLAN; conflict detection is switched off on all of them.
add address-pool="management dhcp-pool" conflict-detection=no interface=MGMNT name=Management
add address-pool=iot-dhcp-pool conflict-detection=no interface=IoT lease-time=12h name=IoT
add address-pool=kubernetes-dev-dhcp-pool conflict-detection=no interface=KubeDev lease-time=1d name=KubeDev
add address-pool=kubernetes-prod-dhcp-pool conflict-detection=no interface=KubeProd lease-time=1d name=KubeProd
add address-pool=lan-dhcp-pool conflict-detection=no interface=MainLAN lease-time=6h name=LAN
/ipv6 pool
# ULA pool handed out by the DHCPv6 server on KubeProd (see /ipv6 dhcp-server).
add name=KubeProdULA prefix=fd9d:7a72:44eb:c::/64 prefix-length=64
/queue type
add cake-flowmode=dual-srchost cake-nat=yes kind=cake name=cake-upload
add cake-flowmode=dual-dsthost cake-nat=yes kind=cake name=cake-download
/queue tree
# CAKE shaping: 600M toward MainLAN and KubeProd, 100M out of ether1.
add bucket-size=0.001 max-limit=600M name=download packet-mark=no-mark parent=MainLAN queue=cake-download
add bucket-size=0.001 max-limit=600M name=download-kube packet-mark=no-mark parent=KubeProd queue=cake-download
add bucket-size=0.001 max-limit=100M name=upload packet-mark=no-mark parent=ether1 queue=cake-upload
/system logging action
# Logging action 0 (presumably the built-in memory action) keeps only 100 lines. Several firewall rules below set
# log=yes, so entries rotate out quickly.
# NOTE(review): if those firewall logs are meant to be reviewed after the fact, add a remote syslog action as well.
set 0 memory-lines=100
/container config
# Container support is enabled; container traffic (172.19.0.0/24) is source-NATed under /ip firewall nat.
set registry-url=https://registry-1.docker.io tmpdir=containers/tmp
/disk settings
# "*B" is the internal id of an object that no longer exists in this export (a defconf bridge). The same dangling id
# appears under /interface bridge port and /interface list member.
set auto-media-interface=*B auto-media-sharing=yes auto-smb-sharing=yes
/ip smb
# SMB service itself is disabled even though auto-smb-sharing is on above.
set enabled=no
/interface bridge port
# Dangling defconf entry: "*B" is not a bridge present in this export.
add bridge=*B comment=defconf interface=ether8
# Trunk toward the rest of the network (PVID 99, all VLANs tagged under /interface bridge vlan).
add bridge=bridge interface=fiber-trunk pvid=99
# Access ports: ether4 and ether5 in VLAN 10, ether3 in VLAN 110 (ether3 and ether5 are disabled under /interface ethernet).
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=10
add bridge=bridge interface=ether3 pvid=110
/ip neighbor discovery-settings
# Neighbor discovery runs on every LAN-list interface, IoT included.
set discover-interface-list=LAN
/ipv6 settings
# Router-wide setting: RAs received on any interface, LAN VLANs included, are processed by the router itself.
# The thread names this as one of two possible sources of the unexpected prefix. The static ::/0 route under
# /ipv6 route means it is not needed for default routing.
# NOTE(review): while this is "yes", an RA sent by any LAN host can influence the router's own IPv6 state;
# confirm whether "no" (or "yes-if-forwarding-disabled") suits this deployment.
set accept-router-advertisements=yes
/interface bridge vlan
# Every VLAN is tagged toward fiber-trunk; VLAN 99 is additionally untagged on ether8 ("Management BACKUP").
add bridge=bridge tagged=bridge,fiber-trunk vlan-ids=110
add bridge=bridge tagged=bridge,fiber-trunk vlan-ids=105
add bridge=bridge tagged=bridge,fiber-trunk untagged=ether8 vlan-ids=99
add bridge=bridge tagged=bridge,fiber-trunk vlan-ids=50
add bridge=bridge tagged=bridge,fiber-trunk vlan-ids=10
/interface list member
# Disabled defconf leftover referencing the missing "*B" bridge.
add comment=defconf disabled=yes interface=*B list=LAN
# LAN list: bridge, ether4, ether5, MainLAN, KubeDev, KubeProd, IoT, MGMNT.
# VLANs list: KubeDev, KubeProd, IoT, MainLAN — MGMNT is NOT in it.
# The difference matters: the IPv4 input chain drops what is not from LAN, the IPv6 input chain drops what is not
# from VLANs, so MGMNT (and the WireGuard interfaces) are treated differently per address family.
add interface=bridge list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wan2 list=WAN
add interface=ether1 list=WAN
add interface=MainLAN list=LAN
add interface=KubeDev list=LAN
add interface=KubeProd list=LAN
add interface=IoT list=LAN
add interface=KubeDev list=VLANs
add interface=KubeProd list=VLANs
add interface=IoT list=VLANs
add interface=MainLAN list=VLANs
add interface=MGMNT list=LAN
/ip address
# 172.19.0.0/24 on the bridge itself is the container network (see "NAT Containers Traffic" under /ip firewall nat).
add address=172.19.0.1/24 interface=bridge network=172.19.0.0
# Gateway address per VLAN.
add address=192.168.99.1/24 interface=MGMNT network=192.168.99.0
add address=10.0.50.1/24 interface=IoT network=10.0.50.0
add address=10.0.110.1/24 interface=KubeDev network=10.0.110.0
add address=10.0.105.1/24 interface=KubeProd network=10.0.105.0
add address=192.168.2.1/24 interface=MainLAN network=192.168.2.0
# Local tunnel address on the "backdoor" WireGuard interface.
add address=10.13.38.4/24 interface=backdoor network=10.13.38.0
/ip cloud
# DDNS is on; the resulting <snip>.sn.mynetname.net hostname is what the "WANs" address-list resolves.
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
# Primary WAN on ether1 (upstream DNS ignored); the LTE backup client on wan2 is disabled.
add default-route-distance=25 default-route-tables=main interface=ether1 use-peer-dns=no
add default-route-distance=254 disabled=yes interface=wan2
/ip dhcp-server network
add address=10.0.50.0/24 comment="IoT DHCP Network" dns-server=10.0.50.1 domain=iot.<snip>.fi gateway=10.0.50.1
add address=10.0.105.0/24 comment="Kubernetes Production DHCP Network" dns-server=10.0.105.1 domain=kubeprod.<snip>.fi gateway=10.0.105.1
add address=10.0.110.0/24 comment="Kubernetes Development DHCP Network" dns-server=10.0.110.1 domain=kubedev.<snip>.fi gateway=10.0.110.1
add address=192.168.2.0/24 comment="LAN DHCP Network" dns-server=192.168.2.1 gateway=192.168.2.1
# Defconf leftover: no /ip address or DHCP server for 192.168.88.0/24 exists in this export.
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.99.0/24 comment="Management DHCP Network" dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
# The router is a resolver for its clients (allow-remote-requests=yes). Exposure to WAN is prevented only by the
# generic input-chain drops (IPv4: not from LAN; IPv6: not from VLANs) — the DNS-specific WAN drop below is disabled.
# mDNS is repeated between IoT and MainLAN (presumably for the HomeKit devices the thread mentions).
set allow-remote-requests=yes mdns-repeat-ifaces=IoT,MainLAN servers=2a07:a8c0::<snip>,2a07:a8c1::<snip>>,45.90.28.251,45.90.30.251
/ip firewall address-list
# Remote networks behind the "backdoor" tunnel; mirrored by static routes under /ip route and masqueraded under /ip firewall nat.
add address=10.0.0.0/24 list=backdoor-addr-v4
add address=172.17.50.0/24 list=backdoor-addr-v4
add address=10.0.1.0/24 list=backdoor-addr-v4
add address=172.17.51.0/24 list=backdoor-addr-v4
# "WANs" is a DNS-name entry resolved dynamically from the DDNS hostname; used by the input and dst-nat rules.
add address=<snip>.sn.mynetname.net list=WANs
# "LANs" covers MainLAN and the two Kubernetes VLANs only; it is referenced solely by the disabled hairpin-NAT mangle rule.
add address=192.168.2.0/24 list=LANs
add address=10.0.105.0/24 list=LANs
add address=10.0.110.0/24 list=LANs
# "IoT" is used by the HomeKit / IoT forward accepts.
add address=10.0.50.0/24 list=IoT
add address=10.0.199.0/24 list=backdoor-addr-v4
/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# The only service deliberately opened toward WAN on IPv4: the "backdoor" WireGuard listener (UDP 51821).
add action=accept chain=input dst-address-list=WANs dst-port=51821 protocol=udp
# NOTE(review): mDNS (224.0.0.251 port 5353) is UDP; with protocol=tcp this rule cannot match mDNS and is dead.
# It is also unnecessary: nothing below drops LAN-originated input, so VLAN sources are accepted anyway.
add action=accept chain=input comment="Allow multicast DNS" dst-address=224.0.0.251 dst-port=5353 in-interface-list=VLANs protocol=tcp
# Everything not arriving on a LAN-list interface is dropped here. The chain has no final drop, so every host on a
# LAN-list interface (IoT, KubeDev, KubeProd, MGMNT, MainLAN, ether4/ether5) reaches every enabled router service.
# NOTE(review): if IoT devices should not reach router management, a per-interface restriction is needed; none is present.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# The three disabled WAN drops below are already covered by the rule above and have no effect while disabled.
add action=drop chain=input disabled=yes dst-port=8291 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Drop port 53 access from WAN" disabled=yes dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Block NTP from WAN" disabled=yes dst-port=123 in-interface-list=WAN protocol=udp
# Both accepts below match only LAN-list sources, which this chain already accepts by default; redundant as exported.
add action=accept chain=input dst-port=4443 in-interface-list=VLANs protocol=tcp src-address=10.0.105.0/24
add action=accept chain=input dst-port=161 protocol=udp src-address=192.168.99.0/24
# ---- forward chain: traffic passing through the router ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# 10.96.69.0/24 (Kubernetes services) has no static route in this export; presumably learned dynamically — confirm.
add action=accept chain=forward comment="Allow MQTT from IoT network to Kubernetes SVCs" dst-address=10.96.69.0/24 dst-port=1883 log-prefix=mqtt protocol=tcp src-address=10.0.50.0/24
add action=accept chain=forward comment="Allow homekit bridge" dst-address-list=IoT src-address=192.168.2.0/24
add action=accept chain=forward comment="Allow IoT to LAN" dst-address=192.168.2.0/24 src-address-list=IoT
# Fasttrack follows the explicit accepts above, so those flows are still fasttracked once established.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# NOTE(review): deliberately lets invalid-state packets from LAN into the VLANs (logged "INVALID:") ahead of the generic drop.
add action=accept chain=forward comment="Invalid packets to VLANs" connection-state=invalid in-interface-list=LAN log-prefix=INVALID: out-interface-list=VLANs
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Last rule. The chain has no final drop, so forwarding between VLANs (IoT <-> KubeProd <-> MGMNT ...) and from the
# WireGuard interfaces is allowed by default; the "Allow IoT to LAN" / "Allow homekit bridge" accepts above therefore
# do not restrict anything on their own.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
# Hairpin-NAT marking is disabled; MSS clamping applies to every forwarded TCP SYN.
add action=mark-connection chain=prerouting comment="Mark connections for hairpin NAT" disabled=yes dst-address-list=WANs new-connection-mark="Hairpin NAT" src-address-list=LANs
add action=change-mss chain=forward new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark="Hairpin NAT" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Containers (172.19.0.0/24) are source-NATed behind the bridge address.
add action=masquerade chain=srcnat comment="NAT Containers Traffic" out-interface=bridge src-address=172.19.0.0/24
# Traffic to the remote "backdoor" networks is masqueraded behind the tunnel address and logged.
add action=masquerade chain=srcnat dst-address-list=backdoor-addr-v4 log=yes out-interface=backdoor
# Published services. The 80/443 forwards key on dst-address-list=WANs (the DDNS name), the other two on the WAN
# interface list. 10.41.69.202 lies outside every subnet in this export — presumably reachable via a dynamic route; confirm.
add action=dst-nat chain=dstnat comment="Port-Forward to Kubernetes cluster external ingress" dst-address-list=WANs dst-port=80 protocol=tcp to-addresses=10.96.69.80 to-ports=80
add action=dst-nat chain=dstnat comment="Port-Forward to Kubernetes cluster external ingress" dst-address-list=WANs dst-port=443 protocol=tcp to-addresses=10.96.69.80 to-ports=443
add action=dst-nat chain=dstnat comment=Bittorrent dst-port=57427 in-interface-list=WAN protocol=tcp to-addresses=10.41.69.202 to-ports=57427
add action=dst-nat chain=dstnat comment="Port-forward for Factorio" dst-address-list=WANs dst-port=31497 in-interface-list=WAN log=yes protocol=udp to-addresses=10.96.69.200 to-ports=31497
/ip route
# Static routes into the remote networks behind the "backdoor" WireGuard tunnel (same set as address-list backdoor-addr-v4).
add distance=1 dst-address=172.17.51.0/24 gateway=backdoor routing-table=main scope=30 target-scope=10
add distance=1 dst-address=10.0.0.0/24 gateway=backdoor routing-table=main scope=30 target-scope=10
add distance=1 dst-address=10.0.1.0/24 gateway=backdoor routing-table=main scope=30 target-scope=10
add distance=1 dst-address=172.17.50.0/24 gateway=backdoor routing-table=main scope=30 target-scope=10
# 192.168.100.0/24 directly out of ether1 — presumably the upstream modem's management network; confirm.
add dst-address=192.168.100.0/24 gateway=ether1
add disabled=no distance=1 dst-address=10.0.199.0/24 gateway=backdoor routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 route
# IPv6 default route is static to an upstream link-local address, so default routing does not depend on
# accept-router-advertisements under /ipv6 settings.
add disabled=no distance=1 dst-address=::/0 gateway=fe80::213:2%ether1 routing-table=main suppress-hw-offload=no
add dst-address=2001:67c:1be8:2::/64 gateway=backdoor
/ipv6 address
# One ULA /64 per VLAN out of fd9d:7a72:44eb::/48. These addresses fall inside fc00::/7, which the bad_ipv6
# address-list below also contains.
add address=fd9d:7a72:44eb:e::1 interface=IoT
add address=fd9d:7a72:44eb:d::1 interface=KubeDev
add address=fd9d:7a72:44eb:c::1 interface=KubeProd
add address=fd9d:7a72:44eb:a::1 interface=MainLAN
# The delegated prefix (pool "delegated-wan") is assigned on MainLAN and KubeDev (advertise left at default) and on
# KubeProd with advertise=no. Per the thread, a prefix from an earlier delegation keeps being advertised as
# "deprecated" until its valid lifetime runs out or the router reboots — the explanation given for the :2103 prefix.
add from-pool=delegated-wan interface=MainLAN
add address=::f61e:57ff:fe51:88f4 eui-64=yes from-pool=delegated-wan interface=KubeDev
add address=::1 advertise=no from-pool=delegated-wan interface=KubeProd
/ipv6 dhcp-client
# DHCPv6 on the WAN port requests both an address and a prefix; the prefix feeds pool "delegated-wan".
add interface=ether1 pool-name=delegated-wan rapid-commit=no request=address,prefix use-interface-duid=yes use-peer-dns=no
/ipv6 dhcp-server
# Stateful DHCPv6 on KubeProd from the ULA pool (pairs with managed-address-configuration=yes under /ipv6 nd).
add address-pool=KubeProdULA interface=KubeProd name=k8s-prod prefix-pool=KubeProdULA
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=2001:67c:1be8:2::/64 list=backdoor-addr-v6
# "k8s_ula" also holds the MainLAN ULA (:a), not only KubeProd (:c); the list name is narrower than its contents.
add address=fd9d:7a72:44eb:a::/64 list=k8s_ula
add address=fd9d:7a72:44eb:c::/64 list=k8s_ula
# NOTE(review): fc00::/7 is the whole ULA space, including this router's own fd9d:7a72:44eb::/48 interface addresses
# and the KubeProdULA pool. The two "bad src/dst ipv6" forward rules below drop bad_ipv6 sources and destinations
# whenever the packet is not leaving via WAN, so ULA traffic forwarded between VLANs is dropped (and logged).
# The thread's last post reports exactly that.
add address=fc00::/7 comment="ULA range" list=bad_ipv6
/ipv6 firewall filter
# ---- input chain ----
# BGP from any VLAN to the router is accepted ahead of the generic rules.
add action=accept chain=input dst-port=179 in-interface-list=VLANs protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Duplicates the UDP traceroute accept above (port= instead of dst-port=); harmless but redundant.
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
# Drops input not arriving on a VLANs-list interface. MGMNT is in LAN but not in VLANs, so IPv6 traffic from the
# management VLAN (and from the WireGuard interfaces) to the router is dropped here, unlike the IPv4 chain, which
# keys on the LAN list — confirm this asymmetry is intended.
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!VLANs
add action=passthrough chain=input disabled=yes dst-port=443 in-interface-list=WAN protocol=tcp
add action=drop chain=input disabled=yes dst-port=8291 in-interface-list=WAN protocol=tcp
# ---- forward chain ----
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# See the note on fc00::/7 above: as listed, these two rules drop every ULA packet forwarded to a non-WAN interface.
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" log=yes out-interface-list=!WAN src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6 out-interface-list=!WAN
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=5" disabled=yes hop-limit=equal:5 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Redundant with "Drop all from WAN not DSTNATed" below: the matching /ipv6 firewall nat rules already give these
# connections the dstnat state, so they would pass that rule anyway.
add action=accept chain=forward dst-address=2001:<snip>:45a:213d::4443/128 dst-port=80 in-interface-list=WAN protocol=tcp
add action=accept chain=forward dst-address=2001:<snip>:45a:213d::4443/128 dst-port=443 in-interface-list=WAN log=yes protocol=tcp
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Forwarding from interfaces outside the LAN list (e.g. the WireGuard tunnels) is dropped on IPv6; the IPv4 chain has no equivalent.
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# The output chain has no drop rules, so this accept is documentary only.
add action=accept chain=output comment="Allow outgoing BGP traffic" dst-port=179 protocol=tcp
/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
/ipv6 firewall nat
# 80/443 from WAN are translated to a single GUA host.
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=tcp to-address=2001:<snip>:45a:213d::4443/128 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-address=2001:<snip>:45a:213d::4443/128 to-ports=80
# ULA sources from MainLAN and KubeProd are masqueraded when leaving via ether1 (logged with prefix "k8s: ").
add action=masquerade chain=srcnat comment="K8S ULA nat out" log=yes log-prefix="k8s: " out-interface=ether1 src-address-list=k8s_ula
# fded:687e:c3bf::200 is not inside any prefix configured in this export — confirm it is routable from here.
add action=dst-nat chain=dstnat comment=Factorio dst-port=31497 in-interface-list=WAN protocol=udp to-address=fded:687e:c3bf::200/128 to-ports=31497
# Source translation toward the remote /64 behind the "backdoor" tunnel.
add action=masquerade chain=srcnat dst-address=2001:67c:1be8:2::/64 out-interface=backdoor to-address=2001:<snip>:1be8:2::/64
/ipv6 nd
# The catch-all RA entry is disabled; RAs are sent only on the interfaces listed below.
set [ find default=yes ] disabled=yes dns=:: hop-limit=64
# KubeProd: stateful (DHCPv6) addressing, high router preference, frequent RAs.
# NOTE(review): hop-limit=3 is advertised as the hosts' default hop limit, so packets originated on KubeProd expire
# after three routers — confirm this is intended rather than a leftover.
add advertise-mac-address=no dns=fd9d:7a72:44eb:c::1 hop-limit=3 interface=KubeProd managed-address-configuration=yes ra-interval=10s-1m40s ra-preference=high
# IoT RAs are disabled, so IoT hosts get no prefix or default route from this router even though fd9d:7a72:44eb:e::1
# is configured on the IoT interface.
add advertise-mac-address=no disabled=yes dns=fd9d:7a72:44eb:e::1 hop-limit=64 interface=IoT managed-address-configuration=yes
# MainLAN: SLAAC from the ULA :a prefix and the delegated-wan prefix assigned under /ipv6 address.
add advertise-mac-address=no dns=fd9d:7a72:44eb:a::1 hop-limit=64 interface=MainLAN ra-interval=30s-1m40s
add advertise-mac-address=no dns=fd9d:7a72:44eb:d::1 hop-limit=64 interface=KubeDev managed-address-configuration=yes ra-interval=30s-1m40s

It’s unclear from what you say where you are seeing this prefix, but from the config you have both

/ipv6 settings
# Router-wide setting: RAs received on any interface (LAN VLANs included) are processed by the router itself.
set accept-router-advertisements=yes

And

/ipv6 dhcp-client
# DHCPv6-PD on the WAN port; the delegated prefix lands in pool "delegated-wan", which the /ipv6 address entries
# for MainLAN, KubeDev and KubeProd assign and (where advertise is not "no") announce.
add interface=ether1 pool-name=delegated-wan rapid-commit=no request=address,prefix use-interface-duid=yes use-peer-dns=no

so either of those could be the reason

On your client devices, are the addresses with that prefix listed as “deprecated”? For Windows, run ipconfig /all, for Linux run ip addr, for *BSD (probably macOS too) run ifconfig, and see if deprecated is shown next to the address.

If that’s the case, then it’s the normal behavior for the current version of RouterOS. Sometime after the last reboot, that prefix was part of the pool obtained with DHCPv6 PD and advertised on your LAN interface(s). Since then, the DHCPv6 client has obtained newer and different prefix(es), and the old prefix will still be announced for weeks, but as “deprecated”. Clients in your network won’t use addresses with that deprecated prefix for new connections, so you can ignore it. Reboot the router if you want to get rid of that old prefix.

@kryptonian; this is most likely coming from an Apple device on your network. Apple HomeKit/Thread devices (especially early builds) can accidentally leak IPv6 prefixes via RA, like the 2103::/64 you’re seeing. It’s not intentional, but it’s a known quirk that’s been brought up in IPv6 and HomeKit dev circles.

You can try using Torch or /tool/sniffer to capture ICMPv6 Type 134 (RA) packets and see which MAC is sending them. Then unplug the Apple device temporarily to confirm it.

If this becomes a real issue, you can block traffic from that prefix with something like this:

/ipv6 firewall address-list
# "xxxx" stands for the real prefix bits. Note the thread's later conclusion: the :2103 prefix is the router's own
# previously delegated prefix, still advertised as deprecated, not a rogue RA — so this drop rule would only affect
# traffic sourced from hosts' deprecated addresses and would not remove the advertisement itself.
add address=2001:xxxx:xxxx:2103::/64 list=rogue_ipv6

/ipv6 firewall filter
add chain=forward src-address-list=rogue_ipv6 action=drop comment="Block traffic from rogue prefix"

They show as deprecated, but even when toggling the nic, I get it again as it’s part of the advertisement. Is there no way to get rid of it? Restarting router is not the way.

Connections state table does show that nothing appears to be using the prefix

Unfortunately, if the prefix is the deprecated one as I wrote, then you either need to wait for about a month (the default “valid lifetime” setting value) since the last time that prefix was really “preferred” (non-deprecated) or reboot the router :frowning:.

Reducing /ipv6 nd prefix default valid-lifetime has no effect. My routers have the value set to only 10 minutes, but devices still get the old prefixes for weeks until reboot.

Like I wrote, no devices will use the addresses with the deprecated prefixes to make new connections, so it’s normal that you don’t see any connections with the prefix in the firewall connection table. The devices, however, are all still able to accept incoming connections to the addresses with the old prefix. The mechanism is for keeping existing connections alive when the network gets new IPv6 prefixes.

The Apple TV is sending out an advertisement, but its advertisement is only about a route to an

fdf7:ffab:feed::/64

prefix despite my router advertising

fd9d:7a72:44eb:a::/64

.

The actual problem I’m trying to troubleshoot is the fact that the Apple TV’s Home app seems to sometimes work, but most of the time it stops talking to Home Assistant’s HomeKit bridge, and to my understanding this usually uses an IPv6 ULA?
Screenshot_20250401_124021.png

It seems you’re running into a weird issue caused by multiple RA ULA prefixes being advertised on the same network. Your Mikrotik is advertising fd9d:…, but your Apple TV is also sending out RAs for fdf7:… Devices like Home Assistant, the Apple Home app, and the HomeKit bridge might end up using different ULAs, which breaks local IPv6 communication and might be the reason why the HomeKit bridge and the app works sometimes and fails other times.

Just thinking out loud here, but in a typical flat LAN, even if the Apple TV briefly advertises its own ULA (like fdf7:…) for discovery or health checks, it shouldn’t override the router’s ULA (fd9d:…) as long as your Mikrotik is consistently handling RAs (see PS below). FYI, the Apple TV might send out RAs as part of captive portal detection or general network probing, just to assess the environment, not to act as a router. It’s weird behavior, and Apple doesn’t document it well.

So unless your Apple TV and Home Assistant are actually using different ULA prefixes, or routing between them is broken, this might just be a red herring…

Have you checked how often the Apple TV sends out its own RAs after restarting the device? It might also be worth isolating it in a separate VLAN to prevent its RAs from affecting the rest of the LAN, if that turns out to be the root cause of everything.

Ps..
If you’re curious, you can also use /tool/sniffer or Wireshark to inspect the RA packets directly and see if they contain actual Prefix Information Options (PIOs), whether the A or L flags are set, and what the lifetimes are. If the Apple TV is including those in its RAs, then LAN clients might really be assigning themselves addresses from that rogue ULA — and that would definitely be a real killer for who actually owns the default route.

@Larsa I think OP posted the screenshot above your post. Router lifetime is 0, which means other devices will not use the Apple TV as default router, and there is no advertise prefix. I think the Apple TV only announces the route so that it becomes default target for the fdf7:ffab:feed::/64 subnet.

Other devices won’t pick up that prefix for SLAAC and won’t use the Apple TV as default gateway. The Apple TV will not affect their network connectivity.

Ah, but of course, I totally missed that screenshot detail, good catch! :+1:
That clears it up then. The connectivity issue clearly has nothing to do with that, so yep, looks like it was just a red herring. :wink:

It seems that the bad_ipv6 address rules were dropping useful traffic.