PPPoE client and IPv6: problems with values derived from MAC address of parent interface

I have observed a few problems involving PPPoE clients and IPv6 where the MAC address of the parent Ethernet interface is not taken into consideration.

First of all, I have an RB5009UG+S+IN and this is my current configuration:


/interface ethernet set [ find default-name=ether1 ] disabled=yes l2mtu=1500
/interface ethernet set [ find default-name=ether2 ] l2mtu=1504 name=ether2-wan
/interface ethernet set [ find default-name=ether3 ] l2mtu=1500 name=ether3-lan
/interface ethernet set [ find default-name=ether4 ] disabled=yes l2mtu=1500
/interface ethernet set [ find default-name=ether5 ] disabled=yes l2mtu=1500
/interface ethernet set [ find default-name=ether6 ] disabled=yes l2mtu=1500
/interface ethernet set [ find default-name=ether7 ] disabled=yes l2mtu=1500
/interface ethernet set [ find default-name=ether8 ] disabled=yes l2mtu=1500
/interface ethernet set [ find default-name=sfp-sfpplus1 ] disabled=yes l2mtu=1500
/interface vlan add interface=ether2-wan name=ether2-wan-vlan-600 vlan-id=600
/interface list add name=change-mss-interface-list
/interface list add name=lan-interface-list
/interface list add name=masquerade-interface-list
/interface list add name=wan-interface-list
/ip pool add name=ip-dhcp-server-pool ranges=10.138.222.2-10.138.222.254
/ip dhcp-server add address-pool=ip-dhcp-server-pool disabled=no interface=ether3-lan lease-time=2d name=ip-dhcp-server
/ppp profile add change-tcp-mss=no name=ppp-profile use-ipv6=required
/interface pppoe-client add disabled=no interface=ether2-wan-vlan-600 name=ether2-wan-vlan-600-pppoe-client password=* profile=ppp-profile user=*
/ip firewall connection tracking set enabled=yes icmp-timeout=30s tcp-close-wait-timeout=1m tcp-established-timeout=5d tcp-fin-wait-timeout=2m tcp-last-ack-timeout=30s tcp-syn-received-timeout=1m tcp-syn-sent-timeout=2m tcp-time-wait-timeout=2m udp-timeout=30s
/ip neighbor discovery-settings set discover-interface-list=lan-interface-list
/ip settings set allow-fast-path=no tcp-syncookies=yes
/interface list member add interface=ether2-wan list=change-mss-interface-list
/interface list member add interface=ether2-wan-vlan-600-pppoe-client list=change-mss-interface-list
/interface list member add interface=ether3-lan list=lan-interface-list
/interface list member add interface=ether2-wan list=masquerade-interface-list
/interface list member add interface=ether2-wan-vlan-600-pppoe-client list=masquerade-interface-list
/interface list member add interface=ether2-wan-vlan-600-pppoe-client list=wan-interface-list
/ip address add address=10.138.222.1/24 interface=ether3-lan network=10.138.222.0
/ip address add address=192.168.15.2/24 interface=ether2-wan network=192.168.15.0
/ip dhcp-server network add address=10.138.222.0/24 dns-server=10.138.222.1 gateway=10.138.222.1
/ip dns set allow-remote-requests=yes max-concurrent-queries=1000 servers=2001:4860:4860::8888,2001:4860:4860::8844
/ip firewall address-list add address=10.138.222.1 list=ip-dns-address-list
/ip firewall filter add action=accept chain=forward comment="accept \"established\" and \"related\" packets" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="accept packets from lan interfaces" in-interface-list=lan-interface-list
/ip firewall filter add action=drop chain=forward comment="drop \"invalid\" packets from wan interfaces" connection-state=invalid in-interface-list=wan-interface-list
/ip firewall filter add action=drop chain=forward comment="drop remaining icmp packets from wan interfaces" in-interface-list=wan-interface-list log=yes protocol=icmp
/ip firewall filter add action=drop chain=forward comment="drop remaining packets from wan interfaces" in-interface-list=wan-interface-list
/ip firewall filter add action=drop chain=forward comment="drop remaining packets" log=yes
/ip firewall filter add action=accept chain=input comment="accept \"established\" and \"related\" packets" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="accept packets from lan interfaces" in-interface-list=lan-interface-list
/ip firewall filter add action=drop chain=input comment="drop \"invalid\" packets from wan interfaces" connection-state=invalid in-interface-list=wan-interface-list
/ip firewall filter add action=accept chain=input comment="accept icmp echo request packets from wan interfaces" icmp-options=8:0 in-interface-list=wan-interface-list protocol=icmp
/ip firewall filter add action=drop chain=input comment="drop remaining icmp packets from wan interfaces" in-interface-list=wan-interface-list log=yes protocol=icmp
/ip firewall filter add action=drop chain=input comment="drop remaining packets from wan interfaces" in-interface-list=wan-interface-list
/ip firewall filter add action=drop chain=input comment="drop remaining packets" log=yes
/ip firewall filter add action=accept chain=output comment="accept all packets"
/ip firewall mangle add action=change-mss chain=forward new-mss=1452 out-interface-list=change-mss-interface-list passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1453-65535
/ip firewall mangle add action=change-mss chain=forward in-interface-list=change-mss-interface-list new-mss=1452 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1453-65535
/ip firewall mangle add action=change-mss chain=output new-mss=1452 out-interface-list=change-mss-interface-list passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1453-65535
/ip firewall nat add action=redirect chain=dstnat dst-address-list=!ip-dns-address-list dst-port=53 in-interface-list=lan-interface-list protocol=udp
/ip firewall nat add action=redirect chain=dstnat dst-address-list=!ip-dns-address-list dst-port=53 in-interface-list=lan-interface-list protocol=tcp
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=masquerade-interface-list
/ip firewall service-port set ftp disabled=yes
/ip firewall service-port set tftp disabled=yes
/ip firewall service-port set h323 disabled=yes
/ip firewall service-port set sip disabled=yes
/ip firewall service-port set pptp disabled=yes
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=ether2-wan-vlan-600-pppoe-client routing-table=main suppress-hw-offload=yes
/ipv6 route add disabled=no dst-address=::/0 gateway=ether2-wan-vlan-600-pppoe-client routing-table=main
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip ssh set strong-crypto=yes
/ipv6 address add address=::4b4a:51ee:4d7e:247a from-pool=ipv6-dhcp-client-pool interface=ether3-lan
/ipv6 dhcp-client add interface=ether2-wan-vlan-600-pppoe-client pool-name=ipv6-dhcp-client-pool request=prefix use-peer-dns=no
/ipv6 firewall address-list add address=fe80::/10 list=dhcpv6-address-list
/ipv6 firewall address-list add address=fe80::4aa9:8aff:fed2:85e1/128 list=ipv6-dns-address-list
/ipv6 firewall filter add action=accept chain=forward comment="accept \"established\" and \"related\" packets" connection-state=established,related
/ipv6 firewall filter add action=accept chain=forward comment="accept packets from lan interfaces" in-interface-list=lan-interface-list
/ipv6 firewall filter add action=drop chain=forward comment="drop \"invalid\" packets from wan interfaces" connection-state=invalid in-interface-list=wan-interface-list
/ipv6 firewall filter add action=accept chain=forward comment="accept icmpv6 echo request packets from wan interfaces" icmp-options=128:0 in-interface-list=wan-interface-list protocol=icmpv6
/ipv6 firewall filter add action=drop chain=forward comment="drop remaining icmpv6 packets from wan interfaces" in-interface-list=wan-interface-list log=yes protocol=icmpv6
/ipv6 firewall filter add action=drop chain=forward comment="drop remaining packets from wan interfaces" in-interface-list=wan-interface-list
/ipv6 firewall filter add action=drop chain=forward comment="drop remaining packets" log=yes
/ipv6 firewall filter add action=accept chain=input comment="accept \"established\" and \"related\" packets" connection-state=established,related
/ipv6 firewall filter add action=accept chain=input comment="accept packets from lan interfaces" in-interface-list=lan-interface-list
/ipv6 firewall filter add action=drop chain=input comment="drop \"invalid\" packets from wan interfaces" connection-state=invalid in-interface-list=wan-interface-list
/ipv6 firewall filter add action=accept chain=input comment="accept icmpv6 echo request packets from wan interfaces" icmp-options=128:0 in-interface-list=wan-interface-list protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="accept icmpv6 router advertisement packets from wan interfaces" icmp-options=134:0 in-interface-list=wan-interface-list protocol=icmpv6
/ipv6 firewall filter add action=drop chain=input comment="drop remaining icmpv6 packets from wan interfaces" in-interface-list=wan-interface-list log=yes protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="accept dhcpv6 packets from wan interfaces" dst-port=546 in-interface-list=wan-interface-list protocol=udp src-address-list=dhcpv6-address-list src-port=547
/ipv6 firewall filter add action=drop chain=input comment="drop remaining dhcpv6 packets from wan interfaces" dst-port=546 in-interface-list=wan-interface-list log=yes protocol=udp
/ipv6 firewall filter add action=drop chain=input comment="drop remaining packets from wan interfaces" in-interface-list=wan-interface-list
/ipv6 firewall filter add action=drop chain=input comment="drop remaining packets" log=yes
/ipv6 firewall filter add action=accept chain=output comment="accept all packets"
/ipv6 firewall mangle add action=change-mss chain=forward new-mss=1432 out-interface-list=change-mss-interface-list passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1433-65535
/ipv6 firewall mangle add action=change-mss chain=forward in-interface-list=change-mss-interface-list new-mss=1432 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1433-65535
/ipv6 firewall mangle add action=change-mss chain=output new-mss=1432 out-interface-list=change-mss-interface-list passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1433-65535
/ipv6 firewall nat add action=redirect chain=dstnat dst-address-list=!ipv6-dns-address-list dst-port=53 in-interface-list=lan-interface-list protocol=udp
/ipv6 firewall nat add action=redirect chain=dstnat dst-address-list=!ipv6-dns-address-list dst-port=53 in-interface-list=lan-interface-list protocol=tcp
/ipv6 nd set [ find default=yes ] dns=fe80::4aa9:8aff:fed2:85e1 hop-limit=64 interface=ether3-lan mtu=1492 ra-lifetime=1h15m ra-preference=high
/ipv6 nd prefix default set preferred-lifetime=1h valid-lifetime=12h
/system clock set time-zone-autodetect=no time-zone-name=America/Sao_Paulo
/system ntp client set enabled=yes
/system ntp client servers add address=a.ntp.br
/system ntp client servers add address=b.ntp.br
/system ntp client servers add address=c.ntp.br
/tool mac-server set allowed-interface-list=lan-interface-list
/tool mac-server mac-winbox set allowed-interface-list=lan-interface-list

Given that, the first problem I’m seeing is in the “PPP IPv6 Control Protocol”, an odd “00:00:00:00:00:00:00:0b” interface identifier is sent in one of those exchanges.

The second problem I’m observing is in the DHCPv6 Solicit, where an also odd “IAID” is sent.

Finally, the third problem I see is that if I set “use-interface-duid=yes” in the “/ipv6 dhcp-client” an odd DUID is also sent. This one has already been mentioned in this topic: http://forum.mikrotik.com/t/issue-with-dhcpv6-client-use-interface-duid-on-pppoe-interfaces/168983/1

I expected these values to be derived from a valid MAC address.

What could happen if another Mikrotik router with the same behaviour (bug?) connects to the same Access Concentrator as mine? Perhaps there could be a potential conflict of Interface Identifiers, IAIDs and/or DUIDs? I lack the knowledge to know the answer to that, so I’ll leave it to the experts. Anyway, I felt it was important to report the behaviours I observed.

My understanding is that:

  1. PPP’s initial Interface Identifier you observe is a tentative one and is only unique within the PPP link between these two peers
  2. DHCPv6’s IAID is only used within the DHCPv6 client to differentiate between multiple prefixes when several are requested

In other words, you should be fine as long as RouterOS picks some other values for additional PPP links and DHCPv6 prefixes within the aforementioned constraints.

However, it does seem odd that the values are not derived from any of the MAC addresses available. Have you reached out to Mikrotik support yet, and what did they say?

Hi,
it seems that the Interface ID is currently based on the internal number of the interface on the Mikrotik router.
(see the first column in /interface/print/)
Do you have any technical problems with that?
The BNG/Access Concentrator usually identifies the connection based on the PPP MAC addresses and session ID.

Thank you guys for the information and references.

I have not reached out to Mikrotik support yet. Given that your responses so far don’t point to any silly mistake on my part, I’ll go ahead and do a proper bug report.

Up to this time, I have not seen any technical problems that could be blamed on this, but it is somewhat weird/frightening because my router assigns itself a link-local address based on the EUI-64 of this “almost blank” MAC address, so I end up with an “fe80::b” address. Again, what if another router uses the ether2 port and its self-assigned link-local address is the same as mine?

BTW, I forgot to mention that I’m on the latest stable version for my router (7.11.2).

Thank you guys once again. If I get any updates after the bug report is filed, I’ll make sure to post here.
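As an added illustration (not code from any poster in this thread): the modified EUI-64 derivation behind the “fe80::b” observation, plus a check for the ff:fe marker that every MAC-derived identifier carries. The MAC 48:a9:8a:d2:85:e1 is a constructed sample, chosen only because its EUI-64 reproduces the fe80::4aa9:8aff:fed2:85e1 link-local address that appears in the configuration above; the 00:00:00:00:00:00:00:0b identifier is the one reported in the first post.

```python
# Added example, not from the forum thread: derive a modified EUI-64
# interface identifier (RFC 4291, Appendix A) and the resulting link-local
# address from a MAC, and check whether an observed identifier could have
# come from a MAC at all.
import ipaddress
import re


def mac_to_bytes(mac: str) -> bytes:
    parts = re.split(r"[:\-]", mac)
    if len(parts) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def modified_eui64(mac: str) -> bytes:
    """Insert ff:fe between the OUI and the device part, flip the U/L bit."""
    m = mac_to_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02  # universal/local bit of the first octet is inverted
    return bytes(iid)


def parse_iid(text: str) -> bytes:
    """Parse an identifier written as in the IPV6CP dump: 00:00:00:00:00:00:00:0b."""
    iid = bytes(int(p, 16) for p in text.split(":"))
    if len(iid) != 8:
        raise ValueError("interface identifier must be 64 bits")
    return iid


def link_local_from_iid(iid: bytes) -> ipaddress.IPv6Address:
    """fe80::/64 prefix followed by the 64-bit interface identifier."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def looks_mac_derived(iid: bytes) -> bool:
    """A modified EUI-64 always has ff:fe in octets 3 and 4."""
    return iid[3:5] == b"\xff\xfe"


def classify_iid(text: str) -> str:
    iid = parse_iid(text)
    kind = "EUI-64 from MAC" if looks_mac_derived(iid) else "not MAC-derived"
    return f"{link_local_from_iid(iid)} ({kind})"


if __name__ == "__main__":
    # Constructed sample MAC; its EUI-64 matches the config's DNS link-local.
    print(link_local_from_iid(modified_eui64("48:a9:8a:d2:85:e1")))
    print(classify_iid("00:00:00:00:00:00:00:0b"))  # the identifier from the first post
```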

Under what circumstances do you expect additional equipment in the PPP link? One possible scenario is if the other router is also a Mikrotik. But in this case PPP negotiation will either correct the identifiers or reject the connection.

In general, there is a Duplicate Address Detection mechanism built into IPv6, but I think in the case of PPP it never comes to that because of how the connection is established (unless an IPv6 address is manually set to be conflicting).

You’re right. Given your hint, and upon further research, I now understand that the “point-to-point” nature of the connection should void the chances of problems with having an “fe80::b” address in particular.