Need help routing ipv6 between LAN clients and WAN, everything else works

Hello,
for quite a while now I’ve been trying to set up ipv6 on my router. I tried a lot of stuff, even tried to resolve it with my ISP, but they were only able to get me so far.

I’m running RouterOS v6.34.2 on RB951G-2HnD (it has 5 gigabit LAN ports and wifi). I have been given this ipv6 prefix from my ISP: 2a00:ca8:a14:15e0::/62 and their gateway is apparently 2a00:ca8:a14:15e0::1.

What works (in terms of ipv6)

• Connecting from the router to the outside world
• Connecting from outside to the router’s WAN-facing IP
• Autoconfiguration of clients connecting to the LAN bridge
• Connecting from the router to LAN clients
• Connecting from LAN clients to any IP assigned to the router

And by connecting I mean really just pinging IPs, but that should be indicative enough. I could also only test it with a single Windows 10 laptop connected through wifi, as I currently can’t really run an ethernet cable to the router and I also have no other ipv6-capable devices to test with on hand. But it shouldn’t be caused by the client - it autoconfigures correctly (at least as far as I can tell) and it can ping the router on any assigned address (even the WAN-facing one).

Essentially the only thing that does not work is connecting from the LAN clients to the outside world and vice versa.

My configuration
The RouterBoard is pretty much in default configuration. I’m using port1 as the WAN port (interface ether1-gateway), the rest is in a switch master-slave relationship with port2 being the master. That interface is then in a bridge with my two wlan interfaces (one of those - the one my testing client is connecting to - is virtual) called bridge-local.

Firewall has no rules (for now) except for a few Log targets just so that I can see if the packets reach anything.

Neighbour Discovery uses defaults and is enabled.

I have configured the addresses as advised by the ISP like this: 2a00:ca8:a14:15e0::2/64 for ether1-gateway and 2a00:ca8:a14:15e1::1/64, 2a00:ca8:a14:15e2::1/64 and 2a00:ca8:a14:15e3::1/64 for bridge-local. Default route (::/0) has gateway set to 2a00:ca8:a14:15e0::1. I have not touched link-local addresses or the automatic route configuration.

Configuration Dump
This is my current ipv6 configuration export:

[admin@core] > /ipv6 export 
# feb/25/2016 04:38:58 by RouterOS 6.34.2
# software id = 68P0-ZF39
#
/ipv6 address
add address=2a00:ca8:a14:15e0::2 interface=ether1-gateway
add address=2a00:ca8:a14:15e1::1 interface=bridge-local
add address=2a00:ca8:a14:15e2::1 interface=bridge-local
add address=2a00:ca8:a14:15e3::1 interface=bridge-local
/ipv6 firewall filter
add action=log chain=forward in-interface=ether1-gateway
add action=log chain=input in-interface=ether1-gateway
add action=log chain=forward in-interface=bridge-local
/ipv6 route
add distance=1 gateway=2a00:ca8:a14:15e0::1

…which configures the router like this:

[admin@core] /ipv6> address print 
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
 #    ADDRESS                        FROM-POOL    INTERFACE         ADVERTISE
 0  G 2a00:ca8:a14:15e0::2/64                     ether1-gateway    yes      
 1  G 2a00:ca8:a14:15e1::1/64                     bridge-local      yes      
 2  G 2a00:ca8:a14:15e2::1/64                     bridge-local      yes      
 3  G 2a00:ca8:a14:15e3::1/64                     bridge-local      yes      
 4 DL fe80::4e5e:cff:fef2:8e6f/64                 bridge-local      no       
 5 DL fe80::4e5e:cff:fef2:8e6e/64                 ether1-gateway    no       
[admin@core] /ipv6> route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable 
 #      DST-ADDRESS              GATEWAY                  DISTANCE
 0 A S  ::/0                     2a00:ca8:a14:15e0::1            1
 1 ADC  2a00:ca8:a14:15e0::/64   ether1-gateway                  0
 2 ADC  2a00:ca8:a14:15e1::/64   bridge-local                    0
 3 ADC  2a00:ca8:a14:15e2::/64   bridge-local                    0
 4 ADC  2a00:ca8:a14:15e3::/64   bridge-local                    0

Can you please tell me what am I doing wrong? I’ve spent countless hours on this issue already (probably about 30 or so), and I don’t know what else to try. And I believe it will end up being some minor mistake or something, because it can’t be that hard, right?

Thank you.

You have to get another ip to ether1 witch will route your /64 subnet. In my case I have a tunnel ( my ISP don’t offer ipv6) with 2001:470:xxxx::1 on my tunnel side and 2001:470:yyyy::1/64 assigned to my lab interface. So my clients get IPS from 2001:470:yyyy::1/64 and everything works like it should.

Sent from my Lenovo K50-t5 using Tapatalk

First off
Awesome job posting your problem in a very readable, easy-to-follow explanation.

Offhand, the question in my mind is this: how does the ISP’s router know that your router is the destination for the remainder of the /62 prefix?
Are they pointing a static route at you, expecting you to use dhcpv6-pd, or have they just configured the entire /62 directly on their router’s LAN interface and expect your router to use proxy-ND? (this last choice is what I suspect, and that’s totally lame IMO)

Just for giggles, I’m sure you’re aware that Windows won’t learn the DNS server address automatically from the Mikrotik’s RA packets. (Apple and Linux devices will, if you have an iPhone/iPad to test with - they also use IPv6 quite happily). Make sure your issue isn’t just a DNS problem. (pretty sure you’ve covered that base already, but I just thought I’d throw that out there just-in-case).

Have you tried using dhcpv6-client on your WAN interface?

/ipv6 dhcp-client
add add-default-route=yes interface=ether1-gateway pool-name=ISP prefix-hint=::/62 request=prefix use-peer-dns=yes

If that works, you’ll have a prefix pool of size /62 called ISP, which you can use to assign prefixes to interfaces:

/ipv6 address
add address=::1 from-pool=ISP interface=ether1-gateway
add address=::1 from-pool=ISP interface=bridge-local

Other thoughts:
I’ve seen two or three posts like yours where the ISP is apparently just dumping a block of prefixes off on the front porch.
Obviously, I’ve never actually interacted with these people’s ISPs to find out what’s going on - I can only see things through the lens of the posters’ perspectives / knowledge… But without prefix delegation or static routes, I wonder what they’re expecting users to do…

I threw together a quick GNS3 lab with Cisco routers just to see if Cisco can ‘automagically’ pick up a /62 on the wan and chop it up into internal /64 prefixes… my first attempt has failed… I’m going to try another method or two and post back here, but I thought I’d go ahead and submit what I had so far.

A quick googling session hasn’t led to any method to enable nd-proxy on an interface in Cisco, and I’m really sure there’s no such thing in Mikrotik.
All the hits pointed to a configuration in Linux that does it, but this isn’t helpful for router owners. (I wonder if consumer-grade Netgear-type stuff somehow does this… doubtful)

Without using ND, I’ve only ever gotten success by using static routes on the ISP side - with the client router’s address (link local or global public) as the next hop. If I specify /62 on the ISP router, then the static route doesn’t work (the connected route takes precedence).
If I configure the link with /62, then the client router won’t even let me assign /64 subnets from it on other interfaces (which is pretty much expected - you can’t do that in typical IPv4 configs either).

Of course RA / SLAAC is broken if the wan link uses the /62 directly… not germane to Mikrotik users, but I thought I’d throw that out there since it’s something I tested anyway to see if it’s what the ISP might be expecting from their users…

I’m still pretty green with IPv6 myself, so if there’s some basic way that “normally” works for most people/devices in a situation where the ISP’s router’s LAN interface has a block prefix configured directly, I’d love to hear what that might be. Personally, this reminds me of the old days when ISPs didn’t have mass IPv4 management down to a science yet… v6 being so new, it seems logical to me that ISPs might be going through some growing pains on the learning curve.

First of all, thanks you both for the replies.

I believe that this is pretty much exactly what I’m doing - I have set up one /64 block for my ether1-gateway, the “WAN” port (which is essentially my “tunnel”), and then I have another /64 prefix on the LAN side on the bridge interface. And it’s not enough to make it work.

Just for fun I tried to assign an address (without advertise) to every single physical interface of the router. They are reachable, but don’t solve my issue.

I didn’t know why, but I did notice that Windows didn’t get the DNS server address. It’s not an issue though as I was pinging directly IPs. And when not AAAA DNS records get resolved over IPv4 DNS servers just fine.

You are right, I should’ve probably mentioned this - if I understand my ISP’s configuration paper thingy correctly (there is not much information about ipv6 there), they use “Autoconf (SLAAC+RDNSS)” (so pretty much just stateless autoconf and ND, right?). Or that I should use it(?). There is no mention of dhcpv6 anywhere.

And while it is perhaps odd, I believe that there is not an error on their end as I am able to ping the router’s WAN-facing ipv6 address just fine. So they route something to me, most likely statically (that is a thing, right? Just like I can set static routes in my ipv6 route table).

I have tried your suggestion to add the edhcpv6 client, but it just keeps searching and never finds anything, so no luck there. I believe they want me to go the ND way.

Yeah, the information I got from them was sparse. Originally they didn’t even tell me that their gateway was on the first address in the /62 block and I couldn’t figure out why that address didn’t work for my WAN interface. I learned that only through their support which was… supportive, but not much of a help. Definitely not a word about how they are set up. I guess I will ask them again in a while if we can’t get it resolved here.

Thanks, I mean I do hope that it will help me resolve the issue faster, I started being quite desperate especially since this was supposed to be a fun learning experience, not a nightmare. Thank god I am actually doing this to learn something, I don’t strictly need it.

Oh and by the way my only other experience with IPv6 setup is just with a server where the host would simply give me ffff /64 blocks to assign them to the server’s network interface and that was it.

The important thing is what they are doing. If they just have 2a00:ca8:a14:15e0::1/62 configured on their side, you can’t really do much with it, because it assumes their router can talk directly to all hosts in that /62. But it can’t, because they are behind your router.

The right way is to have one subnet just for link between their and your router and then another subnet for your use routed to you, so that it’s all yours and ISP expects it to be behind your router.

If you realy want ipv6 to work subscribe to he.net. It will be a tunnel but it work great for me.

Nothing against HE, but if ISP offers working native IPv6, I’d prefer to use that. You can say that this is not working, but it must be just some misunderstanding. It’s a little strange that support would not know how is their config supposed to work, but I’m sure they will eventually find some employee who knows.

That’s bad news for you because ROS doesn’t support configuring it to use SLAAC to obtain an interface address/gateway/dns.

I wonder if the ISP even tested this with routers before they rolled it out -
1: SLAAC only works on links with /64 prefix.
2: SLAAC doesn’t create routes to devices that appear on the network

Out of curiosity - does your Mikrotik router have a public IPv4 address or a private one on its WAN interface?

maaaaybe they’ve configured their CPE router to accept RIPv6… it seems highly unlikely though…

Maybe ISP expects to connect with windows computer not router. In that case, maybe it is working, not sure, Im new with ipv6 myself, only tests made so far was to my mikrotik using a he.net tunnel and only with /64 prefixes. Maybe prefix is routed by the isp itself i this case i dont know if there is posible to use a router.

Update!

You were right, it was because the ISP assumed only clients would connect to it. Which doesn’t make much sense, as for a working ipv4 network with more than one device you’d need a router (I assume at least that they wouldn’t let you connect more than one device).

But I talked to them and they reconfigured their end to act as a dhcpv6 server, and I am able to negotiate one /64 block and save it to a pool with dhcpv6 client on my Mikrotik.

However, my question is now - how do I assign the addresses from the pool to my clients (ideally dynamically with static as an option)? I tried setting up a dhcpv6 server for the bridge-local interface but I think that the Windows (10) client doesn’t really support that.

If I could set it up just so that the ipv6 addresses were rerouted to any of the local device adresses (and back) that would be totally fine too (as in I dont really require to have the outside-facing ipv6 adresses assigned directly to the end clients - doing something NAT-like is perfectly fine).

I tried to look up some resources but everything seems to deal with just tunnels and stuff and never really with assigning pool addresses like this.

It’s not Windows’ fault, getting address from DHCPv6 is supported and enabled by default since Vista. It’s DHCPv6 server in RouterOS, it can’t give out addresses yet. So unless you use external DHCPv6 server, you’re stuck with SLAAC. You can use RouterOS DHCPv6 server only for giving out DNS resolver in stateless mode.

To use subnet from received pool, add address with from-pool parameter:

/ipv6 dhcp-client
add add-default-route=yes interface=<wan> pool-name=<pool name> request=prefix
/ipv6 address
add address=::1/64 from-pool=<pool name> interface=<lan>

The address will automatically change to use correct prefix. Also make sure that other parameters are set to allow autoconfiguration (they’re like this by default, but you probably changed them when trying to get working DHCPv6 server):

/ipv6 nd
set [ find default=yes ] managed-address-configuration=no other-configuration=no
/ipv6 nd prefix default
set autonomous=yes

If you want to give out DNS resolver to Windows clients, you can set:

/ipv6 nd
set [ find default=yes ] managed-address-configuration=no other-configuration=yes
/ipv6 dhcp-server
add interface=<lan> name=server1

It will take IPv6 resolvers from /ip dns (if there are any) and send them to clients. But unless you’re setting up IPv6-only subnet (with dual-stack, IPv4 resolvers will resolve AAAA queries just fine), I probably wouldn’t do it, because currently there are few limitations. For example, I don’t know about reliable and good-for-all-scenarios way how to give router’s IPv6 address to clients as resolver (useful if you want to set some static DNS records).

Huge thanks! This was the last bit I needed. I didn’t try the DNS server announce as I don’t need it, but it works great now, local clients are getting their IPs.