Problems with IPv6 Prefix Delegation on CSS610-8G-2S+

Hi there,

I am currently attempting to connect my OpenWRT router with my modem with a CSS610-8G-2S+ Switch running SwitchOS Lite v2.14 in between.
The even numbers of the GbE ports are configured to be VLAN 1 in access mode (2, 4, 6).
The odd numbers of the GbE ports are configured to be VLAN62 in access mode (1, 3, 5, 7).
Port 8 is configured to have VLAN1 without VLAN tags and VLAN 62 accessible tagged.
mikrotik-config.png
mikrotik-config_vlan_members.png
My router configuration:
WAN-Interfaces: eth2 and eth1.62 (eth1 with VLAN 62 tagged)
LAN-Interfaces: eth0 and eth1 (no tagging)

Scenario 1 (works without problems):
An ethernet connection between the modem and the eth2 WAN-interface on the router.
plus
An ethernet connection between the router’s eth1 and the switch’s port 8.

Scenario 2 (Causes problems):
An ethernet connection between the modem and port 1 of the Switch
plus
An ethernet connection between the switch’s port 8 and the router’s eth1.

Scenario 3 (Causes problems too):
An ethernet connection between the modem and port 1 of the Switch.
plus
An ethernet connection between the router and port 3 of the Switch.
plus
An ethernet connection between the router’s eth1 and the switch’s port 8.

What works, what doesn’t in scenario 2 and 3:
The router is able to receive an IPv4 address via DHCP from the modem and also an IPv6 address.
Clients connected to the router are able to receive an IPv4 address via DHCP, but are not able to receive an IPv6 address using SLAAC when the router is connected to the modem with the switch in between. I tested this with a switch from Netgear that is configured equivalently and it works without any issues.
What intrigues me here is that IPv4 just works perfectly but just the prefix delegation doesn’t work here.
I triple-checked and really cannot find any indicator that the router is causing the problem here, this means that the Switch must somehow interfere with the prefix-delegation in IPv6.
Also, when coming from scenario 2, when I disconnect the cable from Switchport 1 and plug it in eth2 instead prefix delegation starts working and will keep working even when I connect the cables back into the scenario 2 setup. This will work just fine until the router is rebooted, even for new devices that are added after the cable is plugged back.

Is that a bug? Did I configure my switchos incorrectly? I’m really out of ideas here.

Best regards
Sellerie

https://help.mikrotik.com/docs/display/SWOS/CSS610+series+Manual

Thanks to you, my first interaction with this community is someone just effortlessly RTFM-ing me. A very warm welcome to the community for an MT-newbie who’s trying to set up their home network with new hardware. It’s okay we can be rude again, Christmas is over.

I’ve read the manual as thoroughly as my brain let me and could not find any references to IPv6-specifics except the Multicast flood control feature, which has the check-box enabled and, as far as I understand the manual, means that it allows all multicast traffic to go through. As far as I understand this means that it shouldn’t get in the way.

I seem to not see something that apparently is just obvious to you. Please enlighten me then?

Your VLAN setup looks wrong, there’s an example in there with Trunk and Access ports that might help you setup your VLANS properly.
The part about you having all ports with VLAN Mode “disabled” in particular.

Thanks for your input.

I found this page on the Mikrotik Wiki: https://wiki.mikrotik.com/wiki/SwOS/CSS610#VLAN_and_VLANs
From this I interpret that packets will be discarded if they would exit the switch with a VLAN-tag when this is set to disabled?
This would mean that no traffic from the WAN-network would reach the router whatsoever, is that right?
Interestingly IPv4 traffic works just fine with that setup nonetheless.
Just to try out what happens I set Port 1 to “strict” instead of “disable”, but V6 prefix delegation is still not working here when the device is behind the switch while IPv4 DHCP works flawlessly just as before.
From what I take here either IPv6 should work just fine OR no traffic should have gone through successfully at all. Am I on the right track here?

In case that helps I visualized the scenario 1 and 2 configurations real quick:
mikrotik_problem_scenario2.png
mikrotik_problem_scenario1.png

The router does receive an IP-address most of the time when connected to the modem/fritzbox through the switch, no matter if it’s connected via a vlan through a trunk or an access port.
What does NOT work is SLAAC for clients behind the firewall.
This does only work when the router is directly connected to the modem/fritzbox via ethernet, with no switch in any configuration in between.

According to schematics above (which is inconsistent in showing port2 being used for two distinct connections), port2 should be untagged member of VLAN 62, according to screenshots it’s part of VLAN 1. And I agree with @Znevna, VLAN mode disabled doesn’t seem to be the right one on port where switch should be performing any kind of VLAN operations (such as tagging ingress frames with PVID and untagging egress frames).

So you’re saying that when you set IPv6 address to eth1 interface (untagged part) of OpenWRT box, and set it to send out RAs, LAN client on the right side of switch doesn’t see RAs even though OpenWRT does send them out? And that without any change on CSS when you move WAN connection from OpenWRT’s VLAN interface to standalone interface (ether2), RAs start to arrive at LAN client?
What kind of LAN client is it? Some OSes, if NICs are not explicitly configured for VLANs, strip off VLAN headers on ingress. And things may work somehow until connection peer (switch) doesn’t care about VLAN tags on ingress.

To boil it down:
Putting the switch between the router’s WAN interface, however the configuration might be, and the fritzbox/modem makes the clients behind the router unable to get IPv6 addresses via SLAAC.
What I imply from this is that some kind of communication between the router’s WAN interface and the fritzbox is not properly transmitted between, but I lack the knowledge to understand what exactly happens there to be able to say more about the situation.

Edit: I did a full factory reset before the last check, but even in factory-default mode it apparently loses some IPv6 packets that would be relevant for that.

It seems to me that you somehow don’t understand how SLAAC works and what are the bounds governing it. If you actually do understand SLAAC, then I’m sorry.

However, it’s correct that Fritz’s RAs don’t reach LAN computers, OpenWRT is supposed to be between (RAs are L2 broadcasts and those don’t pass routers for a reason). And switch does its job correctly when it isolates Fritz’ LAN/OpenWRT WAN from your LAN. It’s up to OpenWRT to send out appropriate RAs to its LAN but depending on configuration it might not be able to (SLAAC can not be used to configure a cascade of routers, proper DHCPv6 clients are needed to delegate prefixes downstream).

I checked the traffic yesterday and re-checked how I originally configured the IPv6 setup on my Fritzbox and my OpenWRT router so that it worked for the last 12 months, I’m deeply sorry for the confusion and the inconsistencies. It’s been a full day I’ve sat in front of this thing and I tried so many things attempting to find out what’s going on and I wasn’t really going at it systematically anymore after multiple hours and getting frustrated trying to chase something that seems like a ghost to me.

Please forget all the stuff I wrote above, I’ll try to set a clean table here:

Setup 1:
The Fritzbox receives a /59 IPv6 subnet from my ISP via DHCPv6. It is configured to have a DHCPv6 server running on its internal network as well.
The OpenWRT router receives an IPv6 address with /64 prefix from the Fritzbox.
Also OpenWRT says that it has a /62 prefix for delegation

When the OpenWRT router is directly connected to the Fritzbox in this drawing here:
fritzbox-v6-no-problem-no-mikrotik.jpg
The drawn clients are able to configure an IPv6 address from that /64 respective that /59 net using SLAAC from the OpenWRT router and are able to access the internet using IPv6 using the auto-configured address.


Setup 2:
The Fritzbox receives a /59 IPv6 subnet from my ISP via DHCPv6. It is configured to have a DHCPv6 server running on its internal network as well just like in Setup 1.
The OpenWRT router receives an IPv6 address with /64 prefix.
OpenWRT’s overview now doesn’t mention anything about a network or prefix for delegation on the IPv6 tab.

When the OpenWRT router is connected to the Fritzbox via the Switch like in this drawing here, the only thing configured right after I clicked “Reset configuration” is the password to the web-interface, the fallback IP and the hostname. Tabula rasa otherwise:
mikrotik-config-system.jpg
Firmware version v2.14.
All ports set to their VLAN mode to optional, VLAN receive to “any”, Default VLAN ID to 1.
Limit Unknown Unicast unchecked, Flood Unknown Multicast checked on all.
LAG on all ports set to “passive”. Port isolation set to standard settings, all ports can access all ports except themselves. No flow control configured.
Standard settings really.
I am using Port 1 for the Fritzbox and Port 2 for the OpenWRT router:
fritzbox-v6-problem-mikrotik.jpg
In this setup the clients behind the OpenWRT router are not able to configure an IP-address via SLAAC, for whatever reason that might be.
Having a “dumb” switch instead of the MikroTik Switch does not break it. Also using a managed Netgear switch at complete default settings works just fine.
Only the MikroTik switch seems to interfere here and I unfortunately cannot see why it would do that in that state configuration.


Edit: Fixed some inaccuracies regarding my general assumptions on IPv6.

I can not see why CSS would interfere with SLAAC between Router and LAN clients, it’s not on the way at all.

Well I know this shouldn’t be happening. Yet it definitely does right in front of my eyes and I have no idea why.

That’s why I’ve been trying to debug, check different configurations back and forth for an entire day and more at this point.

It just doesn’t make sense to me either, that’s why I opened this thread in hopes someone could help me shed some light to this.

If the chart represents actual topology and configuration (there are not cross-connections that might bleed traffic here or there, configuration of OpenWRT and Fritz is correct, etc.) then I don’t see how it can be CSS’ fault if it’s not in the way of traffic at all. And I doubt you’ll get to the bottom of it without some diligent troubleshooting, e.g. taking wireshark traces to see where RAs get blocked. And which interfaces emit them in the first place. Etc. I have feeling that you’re “barking at wrong moon” (and I hope you don’t get offended by this last sentence).

There is an endless line of sub 10 post count’ers who have proven to be nothing more than fly-bys taking help but giving nothing back. Prove yourself different. As you say, you’re a “member of the community” now. Znevna’s link to the manual was an act of kindness.

ROS, like all vendors and products out there, does have bugs. Perhaps you have unfortunately found one. Do let us know. The diagrams help everyone.

Both these scenarios depict a wrongly configured network.

  1. you can’t have a /64 prefix on wan and the same /64 prefix on lan without looking for trouble.
  2. from the /59? how?
    What if you take the OpenWrt router out of the picture and leave the switch between the clients and the Fritz? are your clients getting anything ?

Plus the details that you gave on IRC are not found in your diagrams and I can’t get them out of my head :)

> Okay so for whatever reason when I connect my openwrt router to the fritzbox with this mikrotik switch in between IPv6 PD doesn’t seem to work?
> […]
> Well the switch supports some VLAN-shenanigans and I’m trying to use exactly that to have WAN and LAN connection on a single cable

Regarding 1 & 2) I see what’s wrong here and cannot overstate that I’m deeply sorry that I keep presenting seemingly incorrect info here - I’m trying to make my best guesses from this situation at that point.
I’m certainly no expert on IPv6, and I was just happy that OpenWRT just “made it work” in my setup before here. I found what’s wrong with the info I gave and have edited the post that you quoted. Thanks so much for putting up with me up until now.

Regarding your closing question: I am able to configure an IPv6 address with my laptop when connected to the Fritzbox via the MikroTik switch. My assumption at that point would be that SLAAC is working through it and my next assumption here would be that the OpenWRT device also got ahold of the /64 address using SLAAC. Am I far off here?

Regarding the single-cable thing: I see that it might be bad practice and to have both WAN and LAN connection for the router on the same cable just disconnected via VLANs here.
I didn’t just come up with that idea for craps and giggles - my current home situation doesn’t make it fun to lay a lot of cables in my home as I cannot just drill through walls etc.

I figured that the only applications that would actually be able to come close to filling up Gigabit line-rate would be inside the internal LAN network, not actually going through the router, so the possible performance hit from that setup would actually be negligible, my internet access is slower anyway and the devices on other networks also managed by the router (e.g. esp32 based wifi devices) wouldn’t be in need of higher bandwidth anyway. This is why I originally came up with the solution to have both connections on a single cable. And it works just fine with my managed Netgear switch here lol, even though that probably sounds hella cursed…

How exactly did you “configure an IPv6 address”?

And don’t assume anything, verify. As I explained, OpenWRT can get WAN IPv6 address from Fritz via SLAAC, but can’t forward it to LAN side. So did you configure OpenWRT to fetch a prefix from Fritz? Did you assign OpenWRT’s LAN interface with address from received prefix? Router needs different prefixes on routed interfaces (so OpenWRT needs two different prefixes on its WAN and LAN interfaces).
That’s all part of IPv6 and unless/until you get a grip on those “details”, don’t assume some switch misbehaves (or that the other one behaves for that matter). And verify things … on all devices … every time you plug/unplug cables.

I did configure an IPv6 address using SLAAC (Stateless address Autoconfiguration, hence the “configure”).
Yes, OpenWRT is configured by default to fetch a prefix from the Fritzbox and sends RAs into the LAN by default if it has received a prefix.

Funnily enough I found the solution to my problem: “Add information option” under “System” has to be unchecked, then it’ll just work how I want it to.

That’s not related to IPv6 & ICMP or RA at all.

I know lol.

Support didn’t explicitly say that but after what they wrote it appears as if that is already a known issue to them:

Hello,

Thank you for the reply!

This is a software issue and we look forward to fixing it in future SwOS lite releases, but I cannot share the release date.

Best regards,
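
Added example (not code from any poster, MikroTik or OpenWrt): the thread's advice to take traces and verify whether the router really receives a delegated prefix can be scripted. This Python sketch parses a DHCPv6 payload in the RFC 8415 layout and lists the prefixes carried in IA_PD options; the two sample messages and all `2001:db8:` values are constructed.

```python
import ipaddress
import struct

OPT_IA_NA, OPT_IAADDR, OPT_IA_PD, OPT_IAPREFIX = 3, 5, 25, 26  # RFC 8415 codes
MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 7: "REPLY"}

def opt(code, data):
    """Encode one DHCPv6 option (used only to build the constructed samples)."""
    return struct.pack("!HH", code, len(data)) + data

def iter_options(buf):
    """Yield (code, data) for each option in buf; raise on truncation."""
    pos = 0
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if pos + length > len(buf):
            raise ValueError("option %d overruns message" % code)
        yield code, buf[pos:pos + length]
        pos += length

def delegated_prefixes(message):
    """Return (message type, [delegated IPv6 networks]) for a DHCPv6 payload."""
    if len(message) < 4:
        raise ValueError("shorter than the DHCPv6 header")
    name = MSG_TYPES.get(message[0], "TYPE-%d" % message[0])
    prefixes = []
    for code, data in iter_options(message[4:]):  # skip type + transaction id
        if code != OPT_IA_PD or len(data) < 12:
            continue
        for sub, body in iter_options(data[12:]):  # skip IAID, T1, T2
            if sub == OPT_IAPREFIX and len(body) >= 25:
                valid, plen = struct.unpack_from("!IB", body, 4)
                if valid > 0 and plen <= 128:  # valid lifetime 0 = withdrawn
                    net = ipaddress.IPv6Network((body[9:25], plen), strict=False)
                    prefixes.append(net)
    return name, prefixes

# Constructed samples: a Reply carrying a /62 delegation, and a Reply that
# only assigns an address (IA_NA) with nothing delegated.
HDR = bytes([7, 0xAB, 0xCD, 0xEF])
IA_HEAD = struct.pack("!III", 1, 1800, 2880)
PD = opt(OPT_IAPREFIX, struct.pack("!IIB", 3600, 7200, 62)
         + ipaddress.IPv6Address("2001:db8:0:24::").packed)
NA = opt(OPT_IAADDR, ipaddress.IPv6Address("2001:db8:0:20::1234").packed
         + struct.pack("!II", 3600, 7200))
REPLY_WITH_PD = HDR + opt(OPT_IA_PD, IA_HEAD + PD)
REPLY_ADDR_ONLY = HDR + opt(OPT_IA_NA, IA_HEAD + NA)
```

Feed it the UDP payload of packets on ports 546/547 captured on the router's WAN interface; a Reply that yields an empty list means the router got no prefix to advertise on its LAN.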