Mikrotik ignores RA (IPv6)

Hello, dear gurus :slight_smile:

I tried to set up IPv6 with dynamic prefixes given by the ISP, and it makes me crazy :frowning:
ISP - Linux router - Mikrotik - LAN
I got the prefix and the right IPv6 on both interfaces of the Linux router by wide-dhcpv6.
I sent RA by radvd through the LAN interface:

interface enp3s0
{
    AdvSendAdvert on;

    # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump

    AdvManagedFlag on;
    AdvOtherConfigFlag off;
    AdvReachableTime 0;
    AdvRetransTimer 0;
    AdvCurHopLimit 64;
    AdvDefaultLifetime 1800;
    AdvHomeAgentFlag off;
    AdvDefaultPreference medium;
    AdvSourceLLAddress on;

    prefix 2a02:2168:d88:201::/64
    {
        AdvValidLifetime 86368;
        AdvPreferredLifetime 14368;
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    }; # End of prefix definition

    prefix 2a02:2168:d88:201::/64
    {
        AdvValidLifetime 86368;
        AdvPreferredLifetime 14368;
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    }; # End of prefix definition

}; # End of interface definition

and … Mikrotik ignores it completely… I see the local IPv6 in the Neighbor section, but how do I set up a global one?

/ipv6 nd> print
Flags: X - disabled, I - invalid, * - default
0 * interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified
reachable-time=unspecified retransmit-interval=unspecified
ra-lifetime=none hop-limit=unspecified advertise-mac-address=yes
advertise-dns=no managed-address-configuration=no
other-configuration=no

/ipv6 settings print
forward: yes
accept-redirects: yes-if-forwarding-disabled
accept-router-advertisements: yes
max-neighbor-entries: 1024

/ipv6 neighbor print
Flags: R - router
0 R address=fe80::f66d:4ff:fe94:4e62 interface=wan

Is there any way to set up Mikrotik interfaces using RA from the Linux router? The main problem is dynamic prefixes from the ISP, so I can’t write a fixed IPv6 on the Mikrotik :frowning:

Please confirm that “Accept Router Advertisements” is working now… Maybe this is incomplete, like DHCPv6?

Last time I checked, unconditional accept-router-advertisements=yes worked correctly. Well, if the “special silent mode” of operation where you see neither the address nor the default route anywhere in RouterOS counts as “correctly”. But it was there and the router could use it.

Sorry, but how do I check this silent mode? I mean, if I send this RA from the Linux router, all Mikrotik clients must receive a correct IPv6 with this prefix too, mustn’t they?

You would have to check if your device has IPv6 connectivity, e.g. by trying to ping an IPv6 address on internet.

You mean, from the Mikrotik? Unfortunately unsuccessful

[olegon@router] > ping 2a00:1450:4010:c05::66
SEQ HOST SIZE TTL TIME STATUS
0 fe80::f66d:4ff:fe94:4e62 104 64 0ms destination un…
1 fe80::f66d:4ff:fe94:4e62 104 64 0ms destination un…
2 fe80::f66d:4ff:fe94:4e62 104 64 0ms destination un…
sent=3 received=0 packet-loss=100%

It works here (tested with current RouterOS 6.41.2). If you enable radvd logging, you should see the advertisement from other router:

18:08:25 radvd,debug received Router Advertisement on  interface=test2 
18:08:25 radvd,debug received prefix 2001:db8:dead::/64

And then ping works:

[sob@CHR2] > ping 2001:db8:dead::1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 2001:db8:dead::1                           56 255 1ms   echo reply
    1 2001:db8:dead::1                           56 255 1ms   echo reply
    2 2001:db8:dead::1                           56 255 1ms   echo reply
    3 2001:db8:dead::1                           56 255 0ms   echo reply
    sent=4 received=4 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=1ms

You can also check Torch to see if router tries to use the address:

[sob@CHR2] > /tool torch src-address6=::/0 dst-address6=::/0 test2
MAC-PROTOCOL SRC-ADDRESS       DST-ADDRESS                            TX      RX TX-PACKETS RX-PACKETS
ipv6         2001:db8:dead::1  2001:db8:dead:0:20c:29ff:fe48:4c4  512bps  512bps          1          1

What is fe80::f66d:4ff:fe94:4e62? If it’s the Linux router, maybe it’s blocking traffic from RB?

fe80::f66d:4ff:fe94:4e62 is the local address of an Asustek computer/board so that is where the problem is, not in the router.

I’m completely confused… After switching ND on/off, the router can ping external IPv6, sorry… I suppose it’s a problem with RA intervals, but I’ll solve it later…
The problem now is the absence of a dynamic prefix on the bridge interface :frowning:
/ipv6 nd prefix> print
Flags: X - disabled, I - invalid, D - dynamic
so ROS doesn’t send RA to clients

If I set it up manually, RA is sent to clients, but with unroutable addresses
/ipv6 nd prefix> print
Flags: X - disabled, I - invalid, D - dynamic
0 prefix=::/64 interface=bridge on-link=yes autonomous=yes valid-lifetime=4w2d preferred-lifetime=1w

Of course. There is no way a RA advertised address will be further propagated to clients.
You need to add a static /64 (different from the one you use between the two systems now)
to your LAN side and add a route in your Linux router to route that to the MikroTik.
Then the MikroTik will further advertise that to the clients (when that is enabled).

Or use DHCPv6. RouterOS can’t yet use it to give addresses to clients, but it can use it to receive prefix from upstream router and then automatically take /64s from that for use on other interfaces and advertise those to clients using RA.

Excuse me, I don’t understand… So, if ROS gives clients fake addresses, how can clients access Internet hosts? IPv6 doesn’t support NAT…
As I wrote before, the ISP gives me a dynamic prefix, so I “forward” it to the Mikrotik by wide-dhcp6 and radvd. The Mikrotik accesses Internet IPv6 hosts without any problems… But what can I do with ROS clients, which need Internet hosts too? Can you provide some example, please?

When you get only a single /64 from your provider, there is nothing you can do.
(except from removing the Linux router from the network)

When you get more than a /64, e.g. a /60 or a /56 or a /48, you should take a single /64 from that range and use it on the network behind your MikroTik.
When the prefix is dynamic, you should configure a DHCPv6 client on your MikroTik that requests a prefix, and a DHCPv6 server on your Linux router.
On the Linux router there would have to be a method to get the prefix from the provider, maybe also a DHCPv6 client requesting a prefix.

All in all, the existence of that Linux router makes everything more complicated. Try to get rid of it.

I have a question regarding prefix delegation. My ISP is giving me /56 prefix. They agreed to give me static prefix and so far it’s working fine. However: I have some services accessible from internet and I have to make some allow filters in my FW. Therefore I manually set the /64 prefix which RB is giving to my internal hosts … and the server which serves external services is configured with static IPv6 address.

Now my concern: if ISP ever decides to screw me up and changes the /56 prefix they are delegating me, how can I delegate a right /64 prefix to my internal hosts? The thing with prefixes is that RB seems to choose randomly which one it will use if left to its own will. It happened that after a reboot of RB, /64 prefix for internal hosts changed and my statically configured host lost IPv6 connectivity to the rest of world (including other LAN hosts). So I had to manually configure also the IPv6 address of RB’s LAN interface.

As I understand, RB doesn’t support proper IPv6 DHCP server (yet), so I can not set the static address of the server on RB itself (that was true a year ago), but how about the rest of clients? So that they don’t lose IPv6 internet connectivity in such a case? Yet another thing is updating the DNS mappings (AAAA and PTR to IPv6 records), so I really hope my ISP doesn’t screw things …

Unfortunately, I can’t remove the Linux router, because it’s a webserver too. The ISP gives me a /56… Do you know any DHCP server which can take a dynamic prefix and provide it to clients (ROS)? I’m too lazy to write a complicated script to rewrite the config and restart the DHCPv6 server :frowning: Maybe some ideas how to do it?
Currently I request a /56 from the ISP and send a /64 to ROS (as in the RA packet I posted above).

In that case, put the MikroTik on the line and the Linux machine behind it. Then it will just work, I have a similar config.
(MikroTik requests the prefix and uses RA to announce it to the Linux system)

Unfortunately again, the Mikrotik has too weak a CPU and security functions, so I can’t place it in front of all devices…

Then don’t be lazy and reconfigure your Linux server. :slight_smile: Add DHCPv6 server, tell it to send a portion of /56 to internal network, where it will be picked by RB. It’s a one-time operation and then everything will work correctly.

@mkx: It’s a combined problem. One thing is RouterOS being “creative” (I didn’t test it lately, but I’m going to believe you). Only way to properly fix it is for MikroTik to make it behave reliably and predictably. The whole dynamic nature of DHCPv6 is different story. You’re basically always at ISP’s mercy. You can either trust their word about keeping the prefix same, or to configure everything dynamically, including DNS updates, which can be a lot of (wasted) work. Or try to get all-static config from them. If nothing else, it would send a message that you really don’t want the prefix changed under any circumstances.

I’ve created a configuration to give ROS its IPv6 config

 /ipv6> address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
 #    ADDRESS                                     FROM-POOL INTERFACE                                                  ADVERTISE
 0 DL fe80::6e3b:6bff:fe12:29f9/64                          bridge                                                     no
 1 DL fe80::6e3b:6bff:fe12:29f8/64                          wan                                                        no
 2 DG 2a02:2168:d83:9e19:626c:a251:c42e:8d93/64             wan                                                        no



/ipv6> dhcp-client print
Flags: D - dynamic, X - disabled, I - invalid
 #    INTERFACE             STATUS        REQUEST               PREFIX
 0    wan                   bound         address               2a02:2168:d83:9e00::/56, 1h49m6s
                                          prefix



ROS pings hosts very well, but how do I automatically transmit this config to clients on the other interfaces in the bridge?

Add an address to each internal interface and specify from-pool.
That pool name is the pool you also specified in the DHCPv6 client.
Set RA advertisement so this address is advertised to the clients on that interface.
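
An added example, not part of the thread and not any poster's code: it carries out the addressing arithmetic the replies describe, picking a fixed /64 out of the delegated /56 for the LAN (refusing the /64 already used on the transit link) and re-deriving a server address when the delegation changes. The subnet index 1, the interface identifier `::53` and the second prefix `2001:db8:aa00::/56` are assumptions chosen for illustration.

```python
import ipaddress

def lan_subnet(delegated, index, in_use=()):
    """Return the index-th /64 inside a delegated prefix.

    in_use lists addresses (with prefix length) already configured on other
    links, e.g. the transit link to the upstream router; the LAN /64 must not
    overlap any of them.
    """
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError("delegation is longer than /64")
    if not 0 <= index < (1 << (64 - pd.prefixlen)):
        raise ValueError("subnet index outside the delegation")
    # The subnet ID sits directly above the 64-bit interface identifier.
    net = ipaddress.IPv6Network((int(pd.network_address) + (index << 64), 64))
    for used in in_use:
        if ipaddress.IPv6Interface(used).network.overlaps(net):
            raise ValueError(f"{net} is already used by {used}")
    return net

def host_address(subnet, interface_id):
    """Join a /64 with a fixed interface identifier (the low 64 bits)."""
    iid = int(ipaddress.IPv6Address(interface_id))
    if iid >> 64:
        raise ValueError("interface identifier must fit in 64 bits")
    return ipaddress.IPv6Address(int(subnet.network_address) | iid)

def plan(delegated, index, interface_id, in_use=()):
    """Derive the LAN /64 and the server address from the current delegation."""
    net = lan_subnet(delegated, index, in_use)
    return {"lan": str(net), "server": str(host_address(net, interface_id))}

if __name__ == "__main__":
    # Transit address and delegated /56 as shown in the thread's output.
    wan = "2a02:2168:d83:9e19:626c:a251:c42e:8d93/64"
    print(plan("2a02:2168:d83:9e00::/56", 1, "::53", [wan]))
    # Constructed documentation prefix standing in for a changed delegation.
    print(plan("2001:db8:aa00::/56", 1, "::53"))
```

Firewall allow rules and AAAA/PTR records that name the server have to be regenerated from the same result whenever the delegation changes.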