I have a router which got ipv6 from the ISP and from there I can ping external ipv6 addresses.
Running the sniffer in the router shows that it is sending RAs to ff02::1. Unfortunately, on the laptop, which is connected to a vlan, no RA is received.
Oddly enough I can run
/ping ff02::1%vlan-main
and get a reply from the laptop via a link local address. I have tried setting interface=vlan-main in ipv6 nd, but that made no difference.
So, what could be blocking the RA but letting the ping pass? I have added a log to every drop in the firewall, but nothing shows up.
One of the common reasons for the issue you encounter is that IGMP Snooping has been enabled on the bridge. The querier that is used when you turn it on is not compatible with VLANs. The easiest fix is to try to turn off IGMP Snooping.
If you don't need IGMP Proxy, you can try the approach with enabling PIM, like this post:
I have now even disabled vlan-filtering, but still no luck.
Looking at wireshark I can see the difference between the nd and the ping. The RA never gets a vlan frame. The pings do. In fact, I can reproduce the problem with:
/ping ff02::1%bridge
Which gets replies just from the router, versus
/ping ff02::1%vlan-main
which gets replies from everyone.
I am including my config produced with /export file=no-sensitive.rsc hide-sensitive. I was hoping to produce a minimal config that reproduces the problem, but if you can spot what is wrong that would be awesome.
[Disclaimer - I’ve only been using Mikrotik for 6 months or so, so I’m by no means an expert]
I think at least part of the problem is that your bridge interface itself isn’t a member of any of your VLANs, so any IP traffic sent on that interface won’t reach any VLAN.
where I’ve added “bridge” as tagged to both VLANs.
In addition, your current setup will use just one IPv6 subnet for both VLANs on your bridge. In my setup I add a different subnet from the dynamic pool to each VLAN, for which you would need something like the following:
Thanks a lot. The use of “bridge” to mean the cpu port always confuses me a lot, but in this particular case, RouterOS does it automatically:
2 D ;;; added by vlan on bridge
bridge=bridge vlan-ids=10,20 tagged=bridge untagged="" mvrp-forbidden="" current-tagged=bridge current-untagged=""
But you really found something wrong on my setup! The cpu port cannot have an address, since it is a tagged port, it will just reject anything without a vlan tag. The address must be on the vlan interface.
This then fixed my IPv6:
set 0 interface=vlan-main
I have to set up vlan-local, but at least now I know the problem.
You should do like what you already did for the IPv4 /ip address counterpart, and add /ipv6 address entries for the individual vlan-local and vlan-main interfaces, not to the parent bridge. Your "fix":
only configures one of the two interfaces.
Also, you should turn on the vlan-filtering=yes flag on the bridge. And I don't know if it's intentional or not, but currently vlan-local is not in the LAN interface list, so IPv6 forwarding will not work for devices on that interface with your current FW rules.
The CRS309 has a weak CPU, you should consider enabling Fasttrack on both the IPv4 and IPv6 firewall for significantly better routing performance, see the standard defconf firewall rules for 7.22.1.
Enabling Fasttrack is also necessary when you later want to turn on L3 hardware offload. Your CRS has a switch chip that supports L3HW with NAT and firewall, with help of the Fasttrack rules: L3 Hardware Offloading - RouterOS - MikroTik Documentation
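
The per-VLAN layout recommended in the reply above, written out as an added example that is not part of the original posts or the poster's exported config. The interface names, the bridge name and the LAN list come from the thread; `pool6` is a placeholder for the delegated-prefix pool name, which the thread does not show, and the `::1/64` host part is an assumption.

```routeros
# Added example. "pool6" is a placeholder: substitute the name of the
# IPv6 pool created by the DHCPv6 client (not shown in the thread).

# The bridge acts as a tagged CPU port, so a static address on it never
# reaches a VLAN. Remove the static IPv6 address from the parent bridge.
/ipv6 address
remove [find interface=bridge dynamic=no]

# Give each VLAN interface its own /64 from the pool and advertise it,
# mirroring the existing per-VLAN /ip address entries.
add interface=vlan-main from-pool=pool6 address=::1/64 advertise=yes
add interface=vlan-local from-pool=pool6 address=::1/64 advertise=yes

# Neighbor Discovery: send RAs on both VLAN interfaces, not only vlan-main.
/ipv6 nd
set [find default=yes] interface=vlan-main
add interface=vlan-local

# Firewall rules keyed on the LAN interface list only match members of it,
# so vlan-local has to be added for its traffic to be forwarded.
/interface list member
add list=LAN interface=vlan-local

# Enforce the bridge VLAN table so frames are only accepted with the
# VLAN IDs configured for each port.
/interface bridge
set bridge vlan-filtering=yes
```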