Need help with IPv6 configuration for home internet connection

Hi,

For my home Internet connection, I'm using a CRS326 switch as a router, that connects via PPPoE over FTTH.
I see some strange behaviour with my Internet connection. I already did extensive search and tried many different things.

The symptoms I see are the following:

  • I cannot join Skype for Business meetings from Android phones. On Windows desktop it sometimes works, but after a long wait only.
  • Downloads on Google Play from an Android phone start after a waiting time of up to 30 seconds.
  • The problem doesn't exist if I disable the advertisement of the IPv6 prefix.
  • The problem doesn't exist on an OpenWRT router, where the WAN prefix is being announced in the LAN.

So my assumption is that the problem is my IPv6 configuration.

Now a few details about my environment:

  • Fiber optic internet connection.
  • The connection is established via PPPoE.
  • From my provider I have 1 static IPv4, 1 static IPv6 /64 for the WAN interface, 1 static IPv6 /56, routed for my local LAN.
  • WAN: 2a01:10f:1102:1a3c::/64
  • Routed LAN: 2a01:10f:40aa:1000::/56
  • CRS326 router/switch
  • 2 x CAP AC for the wireless clients (managed by CAPsMAN)
  • 3 VLANs to separate trusted clients, guest clients and dirty IoT devices
  • For every VLAN, a separate /64 prefix out of the /56 pool is assigned

From the symptoms above, I guess I'm doing something wrong with the IPv6 configuration. It would be great if someone could have a look at my configuration:

[holo@MikroTik] > /ipv6 export hide-sensitive

# dec/21/2019 10:10:23 by RouterOS 6.46.1
# software id = P6J3-RK26
# model = CRS326-24G-2S+
# serial number = 94550xxxxxxx

/ipv6 pool
add name=OJA_LAN prefix=2a01:10f:40aa:1001::/64 prefix-length=64
add name=OJA_Gast prefix=2a01:10f:40aa:1002::/64 prefix-length=64
add name=OJA_IoT prefix=2a01:10f:40aa:1003::/64 prefix-length=64
add name=OJA_OVPN prefix=2a01:10f:40aa:1021::/64 prefix-length=64

/ipv6 address
add advertise=no comment=WAN from-pool=oja_auto interface=pppoe-OJA
add address=2a01:10f:40aa:1003:ba69:f4ff:fe8f:8ef comment="IPv6 VLAN_IoT" eui-64=yes interface="VLAN IoT"
add address=2a01:10f:40aa:1002:ba69:f4ff:fe8f:8ef comment="IPv6 VLAN_Gast" eui-64=yes interface="VLAN Gastnetzwerk"
add address=2a01:10f:40aa:1001:ba69:f4ff:fe8f:8ef comment="IPv6 VLAN_Trusted" eui-64=yes interface="VLAN Trusted"

/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-OJA pool-name=oja_auto request=prefix

/ipv6 firewall address-list
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=2a01:af8:173:21c7::/64 comment="Hetzner Server. mx0, http1" list=Hetzner_mx0-http1
add address=cloud2.mikrotik.com comment="Mikrotik DDNS update address list" list=mikrotik-cloud
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6

/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=forward comment="Accept SIP via TLS" dst-port=5061 protocol=tcp
add action=accept chain=forward comment="Accept RTP (streaming audio video)" dst-port=5004 protocol=udp
add action=accept chain=forward comment="SSH Zugriff Zentrale" dst-address=2a01:10f:40aa:1001:265e:beff:fe0b:f6c6/128 dst-port=22 protocol=tcp src-address-list=Hetzner_mx0-http1
add action=accept chain=forward comment="SSH Solo" dst-address=2a01:10f:40aa:1001:21d:ecff:fe0e:4a9e/128 dst-port=22 protocol=tcp src-address-list=Hetzner_mx0-http1
add action=accept chain=forward comment="WebDAV Zentrale" dst-address=2a01:10f:40aa:1001:265e:beff:fe0b:f6c6/128 protocol=tcp src-address=2001:4bb8::/32
add action=accept chain=forward comment="VLAN_Trusted to anywhere" in-interface="VLAN Trusted"
add action=accept chain=forward comment="VLAN_IoT to anywhere" in-interface="VLAN IoT"
add action=accept chain=forward comment="VLAN_Gast to anywhere" in-interface="VLAN Gastnetzwerk"
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

/ipv6 nd
set [ find default=yes ] advertise-dns=no

/ipv6 settings
set accept-redirects=no
[holo@MikroTik] >

The config for the PPPoE connection is:

[holo@MikroTik] > /interface pppoe-client export hide-sensitive

# dec/21/2019 10:15:08 by RouterOS 6.46.1
# software id = P6J3-RK26
# model = CRS326-24G-2S+
# serial number = 94550xxxxxxx

/interface pppoe-client
add add-default-route=yes disabled=no interface="vlan OJA" keepalive-timeout=disabled name=pppoe-OJA user=xxxxxxxxxx@xxxx
[holo@MikroTik] >

The resulting IPv6 route is:

[holo@MikroTik] > /ipv6 route print terse
0 ADS dst-address=::/0 gateway=pppoe-OJA gateway-status=pppoe-OJA reachable distance=1 scope=30 target-scope=10
1 DS dst-address=::/0 gateway=fe80::222:bdff:fe52:9c1b%pppoe-OJA gateway-status=fe80::222:bdff:fe52:9c1b%pppoe-OJA reachable distance=1 scope=30 target-scope=10
2 ADC dst-address=2a01:10f:1102:1a3c::/64 gateway=pppoe-OJA gateway-status=pppoe-OJA reachable distance=0 scope=10
3 DSU dst-address=2a01:10f:1102:1a3c::/64 type=unreachable distance=1
4 ADC dst-address=2a01:10f:40aa:1001::/64 gateway=VLAN Trusted gateway-status=VLAN Trusted reachable distance=0 scope=10
5 ADC dst-address=2a01:10f:40aa:1002::/64 gateway=VLAN Gastnetzwerk gateway-status=VLAN Gastnetzwerk reachable distance=0 scope=10
6 ADC dst-address=2a01:10f:40aa:1003::/64 gateway=VLAN IoT gateway-status=VLAN IoT reachable distance=0 scope=10

The resulting address list is:

[holo@MikroTik] > /ipv6 address print terse
0 G comment=WAN address=2a01:10f:1102:1a3c::/64 from-pool=oja_auto interface=pppoe-OJA actual-interface=pppoe-OJA eui-64=no advertise=no no-dad=no
1 G comment=IPv6 VLAN_IoT address=2a01:10f:40aa:1003:ba69:f4ff:fe8f:8ef/64 from-pool="" interface=VLAN IoT actual-interface=VLAN IoT eui-64=yes advertise=yes no-dad=no
2 G comment=IPv6 VLAN_Gast address=2a01:10f:40aa:1002:ba69:f4ff:fe8f:8ef/64 from-pool="" interface=VLAN Gastnetzwerk actual-interface=VLAN Gastnetzwerk eui-64=yes advertise=yes no-dad=no
3 G comment=IPv6 VLAN_Trusted address=2a01:10f:40aa:1001:ba69:f4ff:fe8f:8ef/64 from-pool="" interface=VLAN Trusted actual-interface=VLAN Trusted eui-64=yes advertise=yes no-dad=no
4 DL address=fe80::ba69:f4ff:fe8f:8ee/64 from-pool="" interface=bridge actual-interface=bridge eui-64=no advertise=no no-dad=no
5 DL address=fe80::ba69:f4ff:fe8f:8ee/64 from-pool="" interface=ether1 actual-interface=ether1 eui-64=no advertise=no no-dad=no
6 DL address=fe80::1e/64 from-pool="" interface=pppoe-OJA actual-interface=pppoe-OJA eui-64=no advertise=no no-dad=no
7 DL address=fe80::ba69:f4ff:fe8f:8ee/64 from-pool="" interface=vlan OJA actual-interface=vlan OJA eui-64=no advertise=no no-dad=no
8 DL address=fe80::ba69:f4ff:fe8f:8ef/64 from-pool="" interface=VLAN Gastnetzwerk actual-interface=VLAN Gastnetzwerk eui-64=no advertise=no no-dad=no
9 DL address=fe80::ba69:f4ff:fe8f:8ef/64 from-pool="" interface=bridge1 actual-interface=bridge1 eui-64=no advertise=no no-dad=no
10 DL address=fe80::ba69:f4ff:fe8f:8ef/64 from-pool="" interface=VLAN IoT actual-interface=VLAN IoT eui-64=no advertise=no no-dad=no
11 DL address=fe80::ba69:f4ff:fe8f:8ef/64 from-pool="" interface=VLAN Trusted actual-interface=VLAN Trusted eui-64=no advertise=no no-dad=no
12 DL address=fe80::c6ad:34ff:fe2f:6fa4/64 from-pool="" interface=cap25 actual-interface=cap25 eui-64=no advertise=no no-dad=no
13 DL address=fe80::c4ad:34ff:fe2f:6fa4/64 from-pool="" interface=cap26 actual-interface=cap26 eui-64=no advertise=no no-dad=no
14 DL address=fe80::c4ad:34ff:fe2f:6fa5/64 from-pool="" interface=cap27 actual-interface=cap27 eui-64=no advertise=no no-dad=no
15 DL address=fe80::c4ad:34ff:fe2f:6fa6/64 from-pool="" interface=cap29 actual-interface=cap29 eui-64=no advertise=no no-dad=no
16 DL address=fe80::c4ad:34ff:fe2f:6fa7/64 from-pool="" interface=cap30 actual-interface=cap30 eui-64=no advertise=no no-dad=no
17 DL address=fe80::c6ad:34ff:fe2f:6fa5/64 from-pool="" interface=cap28 actual-interface=cap28 eui-64=no advertise=no no-dad=no
18 DL address=fe80::764d:28ff:fedb:cc72/64 from-pool="" interface=cap31 actual-interface=cap31 eui-64=no advertise=no no-dad=no
19 DL address=fe80::744d:28ff:fedb:cc73/64 from-pool="" interface=cap33 actual-interface=cap33 eui-64=no advertise=no no-dad=no
20 DL address=fe80::744d:28ff:fedb:cc72/64 from-pool="" interface=cap32 actual-interface=cap32 eui-64=no advertise=no no-dad=no
21 DL address=fe80::744d:28ff:fedb:cc74/64 from-pool="" interface=cap35 actual-interface=cap35 eui-64=no advertise=no no-dad=no
22 DL address=fe80::744d:28ff:fedb:cc75/64 from-pool="" interface=cap36 actual-interface=cap36 eui-64=no advertise=no no-dad=no
23 DL address=fe80::764d:28ff:fedb:cc73/64 from-pool="" interface=cap34 actual-interface=cap34 eui-64=no advertise=no no-dad=no

[holo@MikroTik] >
Thanks,
Michael
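As an added example (not code from the post or from RouterOS), the small matcher below walks a transcription of the forward chain from the export above in rule order and reports which rule decides a new connection. It assumes the three VLAN interfaces are the members of the interface list LAN (the export does not show that list), omits the IPsec, HIP, traceroute, WebDAV and "SSH Solo" rules, and uses constructed sample connections.

```python
import ipaddress

LISTS = {"bad_ipv6": ["::/128", "::1/128", "fec0::/10", "2001:db8::/32", "3ffe::/16"],  # from the export, shortened
         "Hetzner_mx0-http1": ["2a01:af8:173:21c7::/64"]}
LAN_IFACES = {"VLAN Trusted", "VLAN IoT", "VLAN Gastnetzwerk"}  # assumed members of interface list LAN
ZENTRALE = "2a01:10f:40aa:1001:265e:beff:fe0b:f6c6/128"

# Forward chain in export order: (comment, action, matchers). Omitted: IPsec, HIP, traceroute, WebDAV, SSH Solo.
FORWARD = [
    ("accept established,related,untracked", "accept", {"state": {"established", "related", "untracked"}}),
    ("drop invalid", "drop", {"state": {"invalid"}}),
    ("drop packets with bad src ipv6", "drop", {"src_list": "bad_ipv6"}),
    ("drop packets with bad dst ipv6", "drop", {"dst_list": "bad_ipv6"}),
    ("rfc4890 drop hop-limit=1", "drop", {"proto": "icmpv6", "hop_limit": 1}),
    ("accept ICMPv6", "accept", {"proto": "icmpv6"}),
    ("Accept SIP via TLS", "accept", {"proto": "tcp", "dst_port": 5061}),
    ("Accept RTP (streaming audio video)", "accept", {"proto": "udp", "dst_port": 5004}),
    ("SSH Zugriff Zentrale", "accept", {"proto": "tcp", "dst_port": 22, "dst": ZENTRALE, "src_list": "Hetzner_mx0-http1"}),
    ("VLAN_Trusted to anywhere", "accept", {"in_if": "VLAN Trusted"}),
    ("VLAN_IoT to anywhere", "accept", {"in_if": "VLAN IoT"}),
    ("VLAN_Gast to anywhere", "accept", {"in_if": "VLAN Gastnetzwerk"}),
    ("drop everything else not coming from LAN", "drop", {"not_lan": True}),
]

def in_net(addr, nets):
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in nets)

def matches(m, pkt):
    for key, want in m.items():                      # every matcher of a rule must hold
        if key == "state":      ok = pkt["state"] in want
        elif key == "src_list": ok = in_net(pkt["src"], LISTS[want])
        elif key == "dst_list": ok = in_net(pkt["dst"], LISTS[want])
        elif key == "dst":      ok = in_net(pkt["dst"], [want])
        elif key == "not_lan":  ok = pkt["in_if"] not in LAN_IFACES
        else:                   ok = pkt.get(key) == want   # proto, dst_port, hop_limit, in_if
        if not ok:
            return False
    return True

def verdict(pkt):
    """(action, comment) of the first matching rule; an unmatched packet is accepted at chain end."""
    for comment, action, m in FORWARD:
        if matches(m, pkt):
            return action, comment
    return "accept", "end of chain"

# Constructed new TCP/22 connections towards the "Zentrale" host: from the IoT VLAN and from two Internet sources.
NEW = {"state": "new", "proto": "tcp", "dst_port": 22, "hop_limit": 64, "dst": ZENTRALE.split("/")[0]}
IOT_TO_TRUSTED = dict(NEW, in_if="VLAN IoT", src="2a01:10f:40aa:1003::10")
HETZNER_TO_TRUSTED = dict(NEW, in_if="pppoe-OJA", src="2a01:af8:173:21c7::5")
OTHER_TO_TRUSTED = dict(NEW, in_if="pppoe-OJA", src="2a01:af8:173:21c8::5")
```

Running verdict on the three samples shows that a new SSH connection from the IoT VLAN to the Trusted host is accepted by "VLAN_IoT to anywhere" before any interface-list rule is reached, so the IPv6 forward chain as exported does not enforce the VLAN separation the post sets out to achieve.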

I’m getting internet over PPPoE as well. The difference is that I’m getting my /56 prefix via DHCPv6. However, I don’t need any specific IPv6 address on the WAN interface (pppoe-out1); it is using a link-local address. I only assign globally routable addresses (from the pool) to the various LAN interfaces.

I don’t know why this provider did it that way. Normally they provide a /64 prefix only. I asked them for a /56 prefix and they provided it in addition. But according to a couple of posts in this forum, this seems to be quite common.

You are saying that on the pppoe interface you have a link-local address only? How does the communication with the gateway work then? That part seems to be different from IPv4.
Via DHCP I’m only getting the /64 prefix. The other one I need to set manually.

Michael

Since PPPoE is a point-to-point type of connection, it doesn’t really matter what the other end’s address is. The default route is set to use the interface; in my case it is like this:

/ipv6 route print terse
 0 ADS  dst-address=::/0 gateway=pppoe-out1 gateway-status=pppoe-out1 reachable distance=1 scope=30 target-scope=10
 1  DS  dst-address=::/0 gateway=fe80::2e1:ff:fe07:66%pppoe-out1 gateway-status=fe80::2e1:ff:fe07:66%pppoe-out1 reachable distance=1 scope=30 target-scope=10

That IPv6 address in route #1 seems to be the link-local address of the ISP’s MSAN … it doesn’t look like any of the addresses local to the router. And everything is set up by the DHCPv6 client; the prefix I get goes directly to the address pool. I don’t configure anything other than the DHCPv6 client on the PPPoE interface … (well, apart from the firewall, that is)

Your config is no different … if you look at /ipv6 route … the first two entries (#0 and #1) are with link-local addresses just like in my case. The third one (#2) is the one configured by you (add interface=WAN address from pool) and I don’t think you need it … I’d disable it and try if it works.

BTW, I don’t think that the basic /64 prefix is used to route the /56 towards your router. If it was used for that, you’d either have to set a particular IPv6 address on the WAN interface (so that the ISP’s router could use it as a gateway) or you’d have to set advertise=yes so that the same information would get broadcast to the ISP’s router using RAs … you have neither …

You are right. I just removed the v6 address from the PPPoE interface that I got from DHCP on the PPPoE link, and it still works. Now I assigned it to the Guest network for testing with “Advertise=yes” and everything still works like before, just another v6 address prefix on the Guest VLAN. But that also means that the issues are still there.

Correct. Works also without this address on the PPPoE interface.

Really strange that we seem to have the same config, but for me downloads on Google Play are a lot delayed and MS Skype for Business isn’t working as well.
But all fine on the same connection, but with OpenWRT router.
You really have the same essential v6 firewall configs that I have?

Thanks,
Michael

I’m not in the mood to check every firewall rule you’ve got … my IPv6 firewall is default with some added allow rules for my servers (in line with the NAT rules for IPv6). Don’t try to block ICMPv6, it is essential in IPv6 (e.g. for path MTU discovery) … and blocking (any kind of) ICMP IMHO doesn’t make your LAN better protected.

You may want to check if you can actually use IPv6 for e.g. web browsing … visit some IPv6 test pages, there are a few. Delays while browsing the internet might indicate that IPv6 is not used at all and that the browser falls back to IPv4 after a timeout. Try it both using the DHCPv6-provided prefix as well as using the static /56 prefix to see if there’s some difference.

I’m not blocking ICMPv6. Also browsing, SSH and ping6 from the clients work fine. No matter if they are connected with a cable or wireless.
It makes no difference if I use the /64 prefix from the DHCP assignment or the /56 prefix.

I think best is to reset the device and start over with the configuration from scratch during the Christmas holidays. I’m out of ideas.

Thanks for your help!

Michael