Hi,
I a have a Mikrotik router behind my CPE Router over which I have virtually no control.
In the interface of the CPE Router, I can see that I get an IPV6 Address and an /57 IP Prefix.
After a lot of trying different options, I reset my Mikrotik router which then configured itself as a Home AP.
I’ve activated the dhcpv6 client on the wan interface, and assigned an address on my bridge which then advertises itself.
Both a Mac and a Linux Laptop receive public IP Adresses. The laptops can reach each other and the Mikrotik router, the Mikrotik Router can reach the Laptops.
The Laptops cannot ping anything in the internet, the internet can ping the Mikrotik router, but not the other devices.
When I assign an address from the pool to the WAN interface, I can ping that address from the internet.
Reading through the forum, I added the firewall rules that got suggested multiple times. It did not change anything else.
Here is my Router config:
# apr/07/2016 23:09:20 by RouterOS 6.34.4
# software id = 8B40-V4RT
#
/interface bridge
add admin-mac=4C:5E:0C:5E:E8:55 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country=austria disabled=no distance=indoors frequency=auto mode=\
ap-bridge ssid=wifi wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
wpa-pre-shared-key=lalala wpa2-pre-shared-key=lalala
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept establieshed,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
/ipv6 address
add address=2a02:abcd:abcd:34f0:: from-pool=ipv6pool interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=ipv6pool request=address,prefix
/system clock
set time-zone-name=Europe/Vienna
/system leds
set 0 interface=wlan1
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
Routes:
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
# DST-ADDRESS GATEWAY DISTANCE
0 ADS ::/0 fe80::b2c2:87ff:fedb:... 1
1 ADC 2a02:abcd:abcd:3480::/64 ether1 0
2 ADSU 2a02:abcd:abcd:34f0::/60 1
3 ADC 2a02:abcd:abcd:34f0::/64 bridge 0
The firewall I added after the export. Here is the firewall:
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept connection-state=established log=no log-prefix=""
1 chain=input action=accept connection-state=related log=no log-prefix=""
2 chain=input action=accept protocol=udp in-interface=ether1 src-port=547 dst-port=546 log=no log-prefix=""
3 chain=input action=drop connection-state=invalid log=no log-prefix=""
4 chain=input action=drop connection-state=new in-interface=ether1 log=no log-prefix=""
5 chain=forward action=accept protocol=icmpv6 log=no log-prefix=""
6 chain=forward action=accept connection-state=established log=no log-prefix=""
7 chain=forward action=accept connection-state=related log=no log-prefix=""
8 chain=forward action=accept connection-state=new in-interface=!ether1 log=no log-prefix=""
9 chain=forward action=drop connection-state=invalid log=no log-prefix=""
10 chain=forward action=drop connection-state=new in-interface=ether1 log=no log-prefix=""
One other thing I tried, I added another address from the pool on the WAN interface. I was then able to ping that address from the internet and I was able to ping back from the WAN interface with that IP.
I played with the prefix hint in the dhcpv6 client, but no matter what I set, I always get the same …:34f0::/60 network, while I get an IP of …:3480::1
I am sure I make just a simple mistake somewhere, but for know I am out of ideas.