Hi,
I'm sure I'm missing something basic, but I've beat my head against this for a week now and am begging for help.
I have a hAP running RouterOS 7.23.1 serving as a gateway for my Comcast connection. IPv4 works fine, the wifi L2 bridge to the lab works, all that stuff is great. But IPv6 isn't. Disabling the firewall makes no difference. I've done IPv6 before, but only on Cisco back in the early 2010s.
I can ping and traceroute ipv6.google.com from the hAP's external interface (ether1). I cannot from the hAP's bridge interface.
[admin@hAP] /ipv6/dhcp-client> /ping ipv6.google.com interface=bridge
SEQ HOST SIZE TTL TIME STATUS
0 no route to host
1 no route to host
sent=2 received=0 packet-loss=100%
Traceroutes from LAN hosts go to the router and star out.
If I ping or traceroute from a host inside the LAN, torch on the bridge shows traffic. Torch on ether1 shows nothing. I think that means the router isn't forwarding those packets? (Unsure of the details on what torch shows.)
Here's my IPv6 config, minus the default firewall stuff.
/ipv6 address
add address=2603:3015:2a05:d601::1 interface=bridge
add address=2603:3015:2a05:d600::1 interface=ether1
/ipv6 dhcp-client
add interface=ether1 request=address use-peer-dns=no
/ipv6 nd
set [ find default=yes ] interface=bridge
/ipv6 settings
set accept-router-advertisements=yes accept-router-advertisements-on=WAN
Any suggestions appreciated!
Where are the two hardcoded addresses on bridge and ether1 coming from?
You have a DHCPv6 client instance enabled, but you are only requesting a single address. That's not normally how one should do it if you have more interfaces (such as bridge) that also need public GUA prefixes.
You should modify the DHCPv6 client to request prefix, and give a pool name, example:
/ipv6 dhcp-client
add interface=ether1 pool-name=wan-pool pool-prefix-length=64 \
prefix-hint=::/56 request=prefix use-peer-dns=no
Then, remove the two existing static entries you added under /ipv6 address. You don't need to add any entry for ether1, only an entry for bridge is needed. But don't hardcode the full address, only the suffix part. The prefix will come from the pool with the name above:
/ipv6 address
add address=::1 from-pool=wan-pool interface=bridge
You can also set from-pool-policy=strict if the ISP provides a prefix larger than /64, such as /60 or /56 to pin the subnet id 0. The ::1 network id part can be anything else random like ::cafe:babe:dead:beef if you want one more layer of protection against scanning attempts.
That should do it. Also, don't forget that if you use the default IPv6 firewall configuration from MikroTik (defconf), then the bridge interface must be member of the interface list LAN (already the case if your configuration is based on the default configuration).
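As an added illustration of the prefix-delegation arithmetic the answer above describes (this is example code written for this thread, not RouterOS code and not from the original posts): it carves a delegated /56 into the /64s a pool can hand out, reports the subnet id of any /64 taken from it, and composes an address the way the `from-pool` entry does, with the prefix coming from the pool and only the suffix (`::1` or a random interface id) coming from the config. The delegated prefix 2603:3015:2a05:d600::/56 is an assumption based on the addresses quoted in this thread (d600, d601 and later d6a0 all fall inside it); `strict=True` models `from-pool-policy=strict` pinning subnet id 0, while `subnet_index` lets you reproduce whatever id the pool actually allocated.

```python
import ipaddress
import secrets

# Assumed delegated prefix: the thread's addresses (..:d600, ..:d601, ..:d6a0) all sit in this /56.
DELEGATED = ipaddress.IPv6Network("2603:3015:2a05:d600::/56")


def carve_pool(delegated, pool_prefix_length=64):
    """All subnets of `pool_prefix_length` inside the delegation, in order (subnet id 0 first).

    A /56 split into /64s yields 256 subnets; this is what pool-prefix-length=64 makes available.
    """
    return list(delegated.subnets(new_prefix=pool_prefix_length))


def subnet_id(delegated, subnet):
    """Index of `subnet` within `delegated`, i.e. the subnet id the pool allocation picked.

    Raises ValueError when the subnet is not part of the delegation at all.
    """
    if not subnet.subnet_of(delegated):
        raise ValueError(f"{subnet} is not inside {delegated}")
    offset = int(subnet.network_address) - int(delegated.network_address)
    return offset >> (128 - subnet.prefixlen)


def random_host_suffix():
    """A random 64-bit interface id (like ::cafe:babe:dead:beef) instead of the guessable ::1."""
    bits = secrets.randbits(64) or 1  # avoid the all-zero suffix, which is the subnet-router anycast address
    return str(ipaddress.IPv6Address(bits))


def from_pool_address(delegated, suffix, pool_prefix_length=64, strict=True, subnet_index=0):
    """Compose the address that `/ipv6 address add address=<suffix> from-pool=<pool>` would end up with.

    strict=True models from-pool-policy=strict (subnet id 0); otherwise `subnet_index` is the id
    the pool handed out. Only the low (128 - pool_prefix_length) bits of `suffix` are kept; the
    network part always comes from the delegated prefix.
    """
    pool = carve_pool(delegated, pool_prefix_length)
    idx = 0 if strict else subnet_index
    if not 0 <= idx < len(pool):
        raise ValueError(f"subnet id {idx} not available in {delegated}")
    host_mask = (1 << (128 - pool_prefix_length)) - 1
    host_bits = int(ipaddress.IPv6Address(suffix)) & host_mask
    addr = ipaddress.IPv6Address(int(pool[idx].network_address) | host_bits)
    return ipaddress.IPv6Interface(f"{addr}/{pool_prefix_length}")


if __name__ == "__main__":
    for net in carve_pool(DELEGATED)[:3]:
        print(f"subnet id {subnet_id(DELEGATED, net):3d}: {net}")
    print("strict, ::1         ->", from_pool_address(DELEGATED, "::1"))
    print("id 0xa0, random id  ->", from_pool_address(DELEGATED, random_host_suffix(), strict=False, subnet_index=0xa0))
```

Run it with the /56 your ISP actually delegates and the address you see on the bridge; `subnet_id` tells you which /64 of the delegation the pool chose, which is the number to quote when asking the ISP which part of the delegation is really being routed.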
Thank you!
My config is now:
/ipv6 address
add address=::1 from-pool=wan-pool interface=bridge
/ipv6 dhcp-client
add interface=ether1 pool-name=wan-pool pool-prefix-length=64 prefix-hint=::/56 request=prefix use-peer-dns=no
/ipv6 nd
set [ find default=yes ] interface=bridge
/ipv6 settings
set accept-router-advertisements=yes accept-router-advertisements-on=WAN
Firewall config is pure defconf, and bridge is in the LAN interface group. The only firewall change I'm making is to occasionally disable it entirely for testing.
ether1 has IPv6 connectivity.
[admin@hAP] > /ping ipv6.google.com
SEQ HOST SIZE TTL TIME STATUS
0 2607:f8b0:4009:812::200e 56 115 17ms672us echo reply
1 2607:f8b0:4009:812::200e 56 115 17ms195us echo reply
sent=2 received=2 packet-loss=0% min-rtt=17ms195us avg-rtt=17ms433us max-rtt=17ms672us
The bridge still does not.
[admin@hAP] > /ping ipv6.google.com interface=bridge
SEQ HOST SIZE TTL TIME STATUS
0 no route to host
1 no route to host
2 no route to host
sent=3 received=0 packet-loss=100%
The "no route to host" seems bizarre. Either the router has a route or it doesn't? I'm not doing any VRFs, this is a boring gateway for my office. I checked with traceroute:
[admin@hAP] > /tool/traceroute interface=bridge ipv6.google.com
Columns: LOSS, SENT, LAST
LOSS SENT LAST
0 100% 1 timeout
1 100% 1 timeout
2 100% 1 timeout
3 100% 1 timeout
4 0% 1 0ms
It's as if the bridge has no default route? Clients do get a default route, though, pointing to the bridge's link-local address.
I've read a few blog posts on how to get ipv6 going with comcast, and it doesn't seem like any special magic is needed. I did experiment with adding add-default-route=yes to the DHCP client, but no change.
Any thoughts?
It is normal that this command does not work and shows no route to host. When you specify the interface here (interface=bridge), you tell the :ping command to use the bridge as the outgoing interface for the destination. But to go to Google's server, the outgoing interface must be ether1. The bridge interface only has routes for destinations within the /64 subnet of the address you assigned to it, and the link-local fe80::/64 subnet.
Similar to when you assign 192.168.88.1/24 under /ip address to the interface bridge: you can try to ping a 192.168.88.x host while specifying interface=bridge and that works; but the following will not work (will time out):
/ping google.com interface=bridge
Again, specifying interface=bridge in the :ping command forces the ping command to send the packet out of the bridge interface, but that interface is towards your LAN, not towards the internet. Same with the /tool/traceroute command.
It's like you are in the living room, and trying to go to the mall not by going out of the front door but by entering your bedroom. You won't arrive at your destination (the mall).
For your LAN clients, imagine them as being your wife, who is currently in the bedroom. If she wants to go to the mall, she does have to first go out of the bedroom by using the bedroom door (the bridge), then the front door (ether1). That's why those LAN clients have their gateway set to the link-local address of the bridge (they need to use the bedroom door first).
Your PC and phones connected to the bridge should have no problem accessing internet IPv6 resources with the setup above.
Ah, thank you! What I really want is the "src-address=" option to ping and traceroute.
Which explains my problem, and I think it has nothing to do with the router.
/tool/traceroute ipv6.google.com src-address=2603:3015:2a05:d6a0::1
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV
0 2603:3015:2a05:d600:7213:1ff:fe1b:7a3b 0% 1 0.5ms 0.5 0.5 0.5 0
1 100% 1 timeout
2 100% 1 timeout
Hop 0 is Comcast's gateway.
Hop 1 is Comcast's next hop, which can't route packets back to me.
In IPv4-land I would say: 2603:3015:2a05:d00/64 is routed to me, but not 2603:3015:2a05:d6a0/64. I think I need to poke Comcast.
Thank you for your help! Much appreciated.
For folks looking for a clue: turns out Comcast packet filtered all of my /56 except the first /64. They don't tell you. You must call to get the filter deactivated.
Nothing to do with the Mikrotik, at all.