Newbie Configuration-RB3011UiAS

Hello, fellow forum users
I hope I am welcomed here, as I just got a used RB3011UiAS for free.
I have been trying to configure it, but I have seen a few problems.
Firstly, my devices do not get an internet-facing IPv6 address; instead they get a ::xxxx:xxxx:xxxx:xxxx address and an fe80 link-local address, none of them facing the internet.
I have hopefully set up the DHCP client correctly, as I do get a /56 prefix that shows up on the pool page as a prefix length of 64 and is dynamic.
I also set up a DHCP server from the pool to the bridge interface. I have tracerouted from the router and apparently it works, but with a ton of packet loss.
Additionally, I upgraded the software to 7.16rc4, but my RouterBOARD shows that the current firmware is 7.16rc4 while the upgrade firmware is 3.41? It does not allow me to “upgrade”, apparently because it's below the factory firmware of 6.46.8. The error it gives me is: Couldn’t perform action - ERROR: can not change firmware to this version, please try newer one (1).
Also, for some reason, even though I have added a default route for my provider’s incoming telephony VLAN in the DHCP client options, and the routes in the ip/routes menu do seem to include the IP I am trying to traceroute and it seems to take the right route, it never reaches anything.

Here are the traceroutes

[admin@MikroTik] /tool> traceroute  2606:4700:4700::1001
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
#  ADDRESS                   LOSS   SENT  LAST     AVG  BEST  WORST  STD-DEV
1  fe80::be5a:56ff:fea9:e1c  0%        3  5.1ms    5.1  5.1   5.2          0
2  2a02:2148:2:c7::22        66.7%     3  timeout  5.8  5.8   5.8          0
3  2a02:2148:2:ae::11        50%       3  timeout  5.4  5.4   5.4          0
4                            100%      2  timeout
5  2606:4700:4700::1001      0%        2  5.7ms    5.7  5.7   5.7          0

[admin@MikroTik] /tool> traceroute  10.50.131.150
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
 #  ADDRESS        LOSS  SENT  LAST     AVG  BEST  WORST  STD-DEV
 1  10.255.128.1   0%       1  4.8ms    4.8  4.8   4.8          0
 2  213.16.250.21  0%       1  5.7ms    5.7  5.7   5.7          0
 3  62.1.117.110   0%       1  5.1ms    5.1  5.1   5.1          0
 4                 100%     1  timeout
 5                 100%     1  timeout
 6                 100%     1  timeout
 7                 100%     1  timeout
 8                 100%     1  timeout
 9                 100%     1  timeout
10                 100%     1  timeout
11                 100%     1  timeout
12                 100%     1  timeout
13                 0%       1  0ms

Any help would be appreciated!

Post full config .. from terminal window execute /export filename=anynameyouwish, fetch resulting file, open it in your favourite text editor, redact any remaining sensitive data (serial number, passwords, etc.) and post it inside [__code] [/code] tag pair.

Also post output of /system/routerboard/print for us to see what’s up with firmware version.

Here it is and thank you

[admin@MikroTik] > /system/routerboard/print
       routerboard: yes
             model: RB3011UiAS
          revision: r2
     serial-number: 
     firmware-type: ipq8060
  factory-firmware: 6.46.8
  current-firmware: 7.16rc4
  upgrade-firmware: 3.41
# 2024-09-01 16:45:18 by RouterOS 7.16rc4
# software id = 
#
# model = RB3011UiAS
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface vlan
add comment=voipvlan interface=ether1 name=voip837 vlan-id=837
add comment=wanvlan interface=ether1 name=wan835 vlan-id=835
/interface pppoe-client
add add-default-route=yes disabled=no interface=wan835 name=wan user=\
    
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    disabled=yes disabled=yes name=zt1 port=9993
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=wan list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip dhcp-client
add add-default-route=no comment=defconf dhcp-options=clientid interface=\
    voip837
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1 use-doh-server=\
    https://cloudflare-dns.com/dns-query
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip nat-pmp
set enabled=yes
/ip nat-pmp interfaces
add interface=bridge type=internal
add interface=wan type=external
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=wan type=external
/ipv6 dhcp-client
add interface=wan pool-name=pool request=address,prefix
/ipv6 dhcp-server
add address-pool=pool interface=bridge name=dhcpv4wan
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Athens
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp.grnet.gr
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Is there perhaps a .fwf file lying around in files area? It’s either this or a bug in firmware handling in 7.16rc4 … I don’t have any other explanation for the routerboard anomaly.
In any case, having “current firmware” version same as running ROS version is a good sign and you should not go overboard to "fix" it.

You are correct there was a .fwf file in the files thing, any idea why ipv6 is not working?

PPPoE is a bit nifty for IPv6. One thing is that you don’t need to request address from DHCPv6 server, only prefix. (Doesn’t hurt requesting one, but it’s useless)

Another thing is that DHCPv6 server on ROS is not very useful, it can’t hand out addresses (only prefixes). Alas, in IPv6 there are Router Advertisements, which announce correct prefix to clients on same L2 subnet (and they select their IPv6 address using SLAAC). So you may disable DHCPv6 server until you determine that it’s actually necessary in your setup.

I don’t see assignment of IPv6 address to LAN interface (which is bridge). You do it like this:

/ipv6/address
add address=::1 from-pool=pool interface=bridge

If IPv6 doesn’t start behaving afterwards, post output of

/ipv6/address/print
/ipv6/route/print

(obfuscate first 4-letter group of public addresses … but in a meaningful way … e.g. replace it with xxxx or yyyy or zzzz and use same replacement string on all addresses where original value is the same … helps determining if things look right or wrong)
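As an added example (not the poster's commands and not from the thread), here is the complete IPv6 configuration the reply above describes, written in RouterOS 7 syntax with the interface and pool names from the posted export (wan, bridge, pool). The DHCPv6 server name dhcpv4wan is also from the export; the parameters used are standard RouterOS ones.

```routeros
# Added example: IPv6 on a PPPoE WAN with a delegated /56.
# Names wan, bridge, pool and dhcpv4wan come from the posted export.

# 1. DHCPv6 client on the PPPoE interface: request the prefix only.
#    The delegated /56 lands in pool "pool"; every address taken "from-pool"
#    is carved out of it as a /64 (pool-prefix-length).
/ipv6 dhcp-client
set [find interface=wan] request=prefix pool-name=pool pool-prefix-length=64

# 2. Give the LAN bridge a /64 out of the pool. "::1" means host 1 of the
#    next free /64; advertise=yes makes the router send Router Advertisements
#    for that prefix, so LAN hosts build global addresses with SLAAC.
/ipv6 address
add address=::1 from-pool=pool interface=bridge advertise=yes comment="LAN v6"

# 3. Announce a resolver in the RA as well (RDNSS), so hosts do not depend
#    on a DHCPv6 server for anything.
/ipv6 nd
set [find] advertise-dns=yes

# 4. The DHCPv6 server on the bridge can only delegate prefixes, not hand
#    out addresses; keep it off until something on the LAN needs a prefix.
/ipv6 dhcp-server
disable [find name=dhcpv4wan]

# 5. Checks: the bridge should now show an address flagged G (global) under a
#    2xxx: prefix, the route table a connected route for that /64, and the
#    nd prefix list the prefix being advertised.
/ipv6 address print
/ipv6 route print
/ipv6 nd prefix print
```

One point worth keeping in mind once this works: LAN hosts now carry globally routable addresses with no NAT in front of them, so the posted defconf rule "drop everything else not coming from LAN" in the IPv6 forward chain is the only thing blocking unsolicited inbound connections to them. Keep that rule, and keep wan in the WAN interface list, before re-enabling anything like the DHCPv6 server or UPnP-style holes.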

So apparently that fixed it as I observed; I was also able to disable the DHCPv6 server. Now the only non-operational thing is the VoIP telephony over the 837 VLAN. Traceroutes do work to the end server until a certain point, similar to other equipment, but SIP packets do not work and are not seen by the packet sniffer on the vlan837 interface. Here are routes and addresses for such interfaces. Setting a classless or default route results in the same behavior, even if I tried to use it as my main WAN interface routing all traffic to it.

[admin@MikroTik] > /ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, v - VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS       GATEWAY  DISTANCE
DAv 0.0.0.0/0         wan             1
DAc 10.126.0.0/17     voip837         0
DAc 192.168.1.0/24    bridge          0
DAc 213.16.246.21/32  wan             0
[admin@MikroTik] > /ip/address/print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS            NETWORK        INTERFACE
;;; defconf
0   192.168.1.1/24     192.168.1.0    bridge
1 D 10.126.0.241/17    10.126.0.0     voip837
2 D validpublicipv4/32  213.16.246.21  wan

Server I am trying to reach is at 10.50.131.150 and should be accessed over the voip837 interface by bridge clients

10.50.131.150 does not fit into 10.126.0.0/17 (this one covers range 10.126.0.1 - 10.126.127.254) but you don’t have any specific route which would match better than default via pppoe internet interface.
You can try to add a route towards 10.50.131.150. Ideally you’d use some gateway address (which happens to fall into said range). Did your ISP give you any instructions about VoIP settings?

Well, the gateway could change every 10 minutes; the ISP has horrible and basically non-existent documentation. Here is what OpenWrt has: https://openwrt.org/docs/guide-user/network/wan/isp-configurations#nova
Enabling classless routes ends up with these routes

[admin@MikroTik] > /ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP, v - VPN; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
     DST-ADDRESS       GATEWAY     DISTANCE
DAv+ 0.0.0.0/0         wan                1
DAd+ 0.0.0.0/0         10.126.0.1         1
DAd  10.23.52.11/32    10.126.0.1         1
DAd  10.24.52.11/32    10.126.0.1         1
DAd  10.50.131.150/32  10.126.0.1         1
DAc  10.126.0.0/17     voip837            0
DAc  192.168.1.0/24    bridge             0
DAc  213.16.246.21/32  wan                0
[admin@MikroTik] >

However, when it renews it switches to the voip837 interface, so the internet becomes inaccessible?
Additionally, SIP packets still don't get forwarded to the interface.
(ftr here is the official documentation; whatever is in Greek is usually parameters and defines what is sent by them to you https://nova.gr/upload/editor/pdf-documents/diepafes/byod-final-_13-2.pdf )

It seems that DHCP parameters are not meant to be received from both VLANs by the same routing instance.

So now the question: what’s the intended layout of your LAN devices (including VoIP devices)?

I don’t have VoIP, but my ISP delivers IPTV over tagged and multicast. It is possible to terminate that on router and deliver multicast streams to LAN devices … but for me it was much easier to switch the IPTV into LAN infrastructure (retaining VLAN ID) for IPTV boxes to get multicasts and only replace the internet part with one of VLANs provided by my router. Which works great as IPTV set-top boxes expect to access multicasts via tagged ethernet and internet via untagged ethernet.
And the related config on my router is more or less the same as what ISP-provided router does.

What I know has worked is SIP ALG and a custom route with a dynamic gateway. Maybe using the /17 allocation and giving it out over DHCP could work, but you would need to dynamically change the lease period since the IPs expire every 530 seconds. As for the layout, probably I would want a PBX accessible by the LAN interface and to set up a few WireGuard clients for remote connection into the LAN, generally to allow not specially configured clients to run softphones and the such. Ideally all clients could get a SIP registration for debugging purposes.
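The route advice above (a route to 10.50.131.150 via a gateway in the 10.126.0.0/17 range), the classless-route result that turned the VLAN's DHCP default into an ECMP twin of the PPPoE default, and the "custom route with a dynamic gateway" in the last post all point at the same configuration. The following is an added example, not from the thread, from the ISP's documentation or from MikroTik; it uses the interface names (voip837, wan, bridge) and the server addresses (10.50.131.150, 10.23.52.11, 10.24.52.11) that appear in the posted output. It assumes the ISP's VoIP network only routes back to the router's own 10.126.x.x lease address, so LAN hosts have to be source-NATed behind it; the address-list name voip-servers and the comments are my own.

```routeros
# Added example: reach the VoIP servers via voip837 without letting that
# VLAN's DHCP lease hijack the default route. Names and addresses from the
# posted output; assumption: ISP VoIP network routes only to the lease address.

# 1. Keep accepting the ISP's classless static routes (the /32s via 10.126.0.1)
#    but give everything the DHCP client installs distance 10, worse than the
#    PPPoE default (distance 1). The DHCP default route then never becomes
#    active or ECMP, while the /32s still win by longest prefix match. The
#    client re-installs them on every renewal (the 530 s lease), so a changing
#    gateway is handled without any script. use-peer-dns=no keeps the router
#    on its configured DoH resolver instead of the VoIP network's DNS.
/ip dhcp-client
set [find interface=voip837] add-default-route=special-classless \
    default-route-distance=10 use-peer-dns=no

# 2. Treat voip837 as an upstream. The existing "defconf: masquerade" rule
#    matches out-interface-list=WAN, so LAN packets toward the VoIP servers
#    leave with the router's lease address as source; the existing forward
#    rule "drop all from WAN not DSTNATed" now protects this VLAN as well.
/interface list member
add interface=voip837 list=WAN comment="ISP VoIP VLAN"

# 3. Least privilege: only the known VoIP servers may be reached through the
#    VoIP VLAN from the LAN. Placed before fasttrack so it sees new flows.
/ip firewall address-list
add list=voip-servers address=10.50.131.150 comment="SIP server"
add list=voip-servers address=10.23.52.11
add list=voip-servers address=10.24.52.11
/ip firewall filter
add chain=forward action=drop connection-state=new out-interface=voip837 \
    dst-address-list=!voip-servers comment="voip837: only listed servers" \
    place-before=[find comment="defconf: fasttrack"]

# 4. Checks: exactly one active default route (via wan), the /32s via
#    10.126.0.1 with distance 10, and SIP (UDP/5060 by default) visible
#    on the VLAN when a LAN phone registers.
/ip route print where dst-address=0.0.0.0/0
/ip route print where dst-address=10.50.131.150/32
/tool sniffer quick interface=voip837 ip-protocol=udp port=5060
```

If the SIP traffic still does not appear on voip837 after this, the first thing to compare is the source address the sniffer shows against the lease address in /ip address print: a 192.168.1.x source leaving the VLAN means the masquerade rule is not matching, which is exactly what the posted config does before voip837 is added to the WAN list.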