SLAAC route with wrong distance, how can I fix it?

RouterOS General
1

Pretty much what the title says. I have 2 WANs, and I need RA (AFAIK) to use ipv6 in the network I’m interested in, pppoe-out1. My routes:

[lunks@MikroTik] /ipv6/route> print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP, v - VPN, g - SLAAC; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
     DST-ADDRESS               GATEWAY                               DISTANCE
DAd+ ::/0                      fe80::62d7:55ff:fecf:5c9b%pppoe-out1         1
DAg+ ::/0                      fe80::62d7:55ff:fecf:5c9b%pppoe-out1         1
DAv+ ::/0                      pppoe-out1                                   1
D d  ::/0                      fe80::201:5cff:fe6e:2a46%ether2              2
D d  ::/0                      fe80::201:5cff:fe6e:2a46%ether2              2
DAg+ ::/0                      fe80::201:5cff:fe6e:2a46%ether2              1
DAc  ::1/128                   lo                                           0
DAc  2804:14d:5c57::12da/128   ether2                                       0
DAc  2804:14d:5c57:87ac::/64   bridge                                       0
D d  2804:14d:5c57:87ac::/64                                                2
DAc  2804:1b3:7042:4870::/64   pppoe-out1                                   0
DAc  2804:1b3:7081:6bc7::/64   ether1                                       0
DAc  2804:1b3:7081:87da::/64   bridge                                       0
D d  2804:1b3:7081:87da::/64                                                1
DAc  fdfe:a9b1:e260:af4e::/64  bridge                                       0
DAc  fe80::%ether1/64          ether1                                       0
DAc  fe80::%ether2/64          ether2                                       0
DAc  fe80::%bridge/64          bridge                                       0
DAc  fe80::%wg1/64             wg1                                          0
DAc  fe80::%pppoe-out1/64      pppoe-out1                                   0

I’ve tried things like

/ipv6 route remove [find distance=1 slaac dynamic]

but that didn’t work.

2

Probably you need to explain what your ISP is expecting from you and how you have configured RouterOS.
Because the two do not seem to match.

3

I have two WANs, one is connected to ether1/ppoe-out1, other is on ether2.

I want to use IPv6 on them, and after trying a lot of things, the best setup I could find is to allow RAs, which let my router clients get proper IP addresses.

My IPv6 section is as follows:

# 2024-06-06 19:26:08 by RouterOS 7.15
# software id = VNJQ-YI7I
#
# model = RB750Gr3
# serial number = ****
/ipv6 address
add address=::7a9a:18ff:fec0:c8b eui-64=yes from-pool=vivo_ipv6 interface=\
    bridge
add from-pool=claro_ipv6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=vivo_ipv6 \
    prefix-hint=::/64 request=prefix
add add-default-route=yes default-route-distance=2 interface=ether2 \
    pool-name=claro_ipv6 request=address,prefix
/ipv6 dhcp-server
add address-pool=vivo_ipv6 disabled=yes interface=bridge lease-time=2h name=\
    vivo_dhcpv6
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=output
/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
/ipv6 firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-address=\
    2804:1b3:7081:550c:7a9a:18ff:fec0:c8a/128 dst-port=42422 \
    in-interface-list=WAN protocol=udp to-address=\
    2804:1b3:7081:550d::8080/128 to-ports=42422
/ipv6 nd
set [ find default=yes ] advertise-dns=no hop-limit=64 interface=bridge mtu=\
    1420 ra-interval=20s-40s ra-lifetime=20m ra-preference=high
/ipv6 nd prefix default
set preferred-lifetime=1h valid-lifetime=4h
/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes

And the current status is:


[admin@MikroTik] > ipv6/address/print
Flags: D - DYNAMIC; G - GLOBAL, L - LINK-LOCAL
Columns: ADDRESS, FROM-POOL, INTERFACE, ADVERTISE, VALID
 #    ADDRESS                                   FROM-POOL   INTERFACE   ADVERTISE  VALID
 0 DL fe80::eead:ad7:6976:3eb8/64                           wg1         no
 1 D  ::1/128                                               lo          no
 2 DL fe80::7a9a:18ff:fec0:c8b/64                           bridge      no
 3 DL fe80::7a9a:18ff:fec0:c8b/64                           ether2      no
 4 DG 2804:14d:5c57::12da/128                               ether2      no
 5 DL fe80::7a9a:18ff:fec0:c8a/64                           ether1      no
 6 DG 2804:1b3:7081:6bc7:7a9a:18ff:fec0:c8a/64              ether1      no
 7  G 2804:1b3:7081:9e51:7a9a:18ff:fec0:c8b/64  vivo_ipv6   bridge      yes
 8  G 2804:14d:5c57:87ac::/64                   claro_ipv6  bridge      yes
 9 DG 2804:14d:5c57:87ac::/64                               bridge      no
10 DL fe80::5f52:4e9d:0:a/64                                pppoe-out1  no
11 DG 2804:1b3:7042:17b8:5f52:4e9d:0:a/64                   pppoe-out1  no         2d19h55m15s
[admin@MikroTik] > ipv6/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP, v - VPN, g - SLAAC; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
     DST-ADDRESS              GATEWAY                               DISTANCE
DAd+ ::/0                     fe80::62d7:55ff:fecf:5c9b%pppoe-out1         1
DAg+ ::/0                     fe80::62d7:55ff:fecf:5c9b%pppoe-out1         1
DAv+ ::/0                     pppoe-out1                                   1
D d  ::/0                     fe80::201:5cff:fe6e:2a46%ether2              2
D d  ::/0                     fe80::201:5cff:fe6e:2a46%ether2              2
DAg+ ::/0                     fe80::201:5cff:fe6e:2a46%ether2              1
DAc  ::1/128                  lo                                           0
DAc  2804:14d:5c57::12da/128  ether2                                       0
DAc+ 2804:14d:5c57:87ac::/64  bridge                                       0
DAc+ 2804:14d:5c57:87ac::/64  bridge                                       0
D d  2804:14d:5c57:87ac::/64                                               2
DAc  2804:1b3:7042:17b8::/64  pppoe-out1                                   0
DAc  2804:1b3:7081:6bc7::/64  ether1                                       0
DAc  2804:1b3:7081:9e51::/64  bridge                                       0
D d  2804:1b3:7081:9e51::/64                                               1
DAc  fe80::%ether1/64         ether1                                       0
DAc  fe80::%ether2/64         ether2                                       0
DAc  fe80::%bridge/64         bridge                                       0
DAc  fe80::%wg1/64            wg1                                          0
DAc  fe80::%pppoe-out1/64     pppoe-out1                                   0

Everything is fine, except for the distance on this route:


DAg+ ::/0                     fe80::201:5cff:fe6e:2a46%ether2              1

…and perhaps I could remove the duplicate routes, but the issue I want to fix is the distance on ether2, it should be 2. Can I do it somehow?

4

If you’re doing RA, you most likely want add-default-route=no on the DHCPv6 client. RouterOS will add the proper default route based on the RA. Not sure how to deal with PPPoE, the config does not seem to allow to selectively disable add-default-route for IPv6.

RouterOS does not seem to support setting distance on the default route learned from the RA, maybe support can give you a solution.

Perhaps a scheduled script would be an appropriate workaround?

5

Another idea: put each interface into a separate VRFs and add appropriate routes / routing rules to prioritize one default route over another. However you will have to adjust the IPv4 configuration as well.

6

The DHCPv6 client and PPPoE do allow me to set a custom distance and the ether2 interface does support DHCPv6 (hence the duplicate routes), but I was only able to setup ppoe-out1 with RA. Clients don’t have the right IP/connectivity if I don’t use it. But then I also get the route from ether2. And given RA is also enabled for ether2, I get the route with distance 1.

What would I automate with a script? I tried changing the distance but it doesn’t allow me to change a dynamic route.

Ideally I should be able to set a distance for a route from RA depending where it’s coming from, but I’m open to ideas or workarounds.


I’ll give that a try and report back, thank you. One of the things that I don’t know how to do is add a static route with a script to the dynamic IPs from the gateways, updating it on reconnect, etc.

7

In general add-default-route via DHCPv6 client is wrong, that is why it is off by default. In IPv6 proper default route should be learned from RA.

There are examples on this forum where add-default-route=yes in DHCPv6 backfired.

8

What is written above is correct. You do not want add-default-route on the DHCPv6 client, it is a hack (not standard) that probably was added to cope with some broken ISP configuration a client encountered.
It IS possible to disable add-default-route on the PPPoE client! It is on the “Dial Out” tab, but the default size of the window is too small to show it. Increase the window size to see the option.
But again, you do not want to disable that unless you have very specific requirements.

9

Thanks for the heads up, I have disabled the default route for DHCP clients on both ipv4 and ipv6, but I still have the problem where the RA route from ether2 is set to distance 1. Is there a way I can fix it? Changing the route is not allowed since it’s dynamic. I have yet to try different VRFs.

10

Well, using only RA is not going to bring you much anyway. It is not intended for a router. It is intended for client devices to receive an address.
You need to have an address on your LAN as well, and the address and subnet received from RA cannot be used for that.
It will only be the link address between your ISP(s) and your router.
You further complicate things by having 2 ISPs. That isn’t going to work with 1 routing table.

I think first you need to make a plan on how you are going to use IPv6. What addresses are used, and how is the traffic going to be routed.
Because there (normally) is no NAT in IPv6, the simple failover mechanisms where you have 2 ISP connections and just NAT everything to the active ISP’s address are not going to work.

11

Interesting point. Assuming you advertise multiple prefixes via RA to the downstream hosts (i.e. your hosts are multi-homed), you can encourage their address selection via the ra-preference property in /ipv6/nd.

However, will RouterOS actually prefer the gateway that corresponds to the location of the upstream DHCPv6 Server that delegated the prefix before forwarding it to the internet? Might be a case for the policy routing set and updated by DHCPv6 Client’s script.

@lunks This document might be of interest to you: RFC 8678 Enterprise Multihoming using Provider-Assigned IPv6 Addresses without Network Prefix Translation: Requirements and Solutions.

12

I have experimented with that (announcing multiple IPv6 prefixes on the LAN) and as usual, the results were:

  • with Linux clients it works perfectly
  • with Windows clients it causes strange problems

So I abandoned it. That is also how I noticed that IPv6 RA keeps announcing deprecated prefixes indefinately.

13

Did you try RFC 7078 Distributing Address Selection Policy Using DHCPv6?

14

No.