[SOLVED] Implementing IPv6 from scratch on v7.1.3 - concepts and questions

I’m trying to manually set up IPv6 on my MT device (RouterOS v7.1.3 stable). I suppose maybe it would “just work” if I just reset the configuration, but I want to do it manually for learning purposes (and avoid wiping many other settings I have*). But I think I am misunderstanding either some IPv6 concepts, or misunderstanding how RouterOS manages it.

Before I delve into specific settings, I want to make sure I understand the “big picture” correctly. Here goes:

  1. Make sure IPv6 is enabled in /ipv6 settings (that tripped me up for a while :laughing: )

  2. The default IPv6 firewall configuration (which I did copy from a reset configuration) has been set up, making sure DHCPv6 traffic is not blocked on the WAN side

  3. in /ipv6 dhcp-client, create a new client (on sfp1, in my case), set it to request a prefix, and assign a name to the pool. My ISP gives me a /56 prefix. (Success)

  4. in /ipv6 address, add an IP address to the WAN interface (again, sfp1), from the pool. This will be a ::/64 address. But, I shouldn’t assign an address to the bridge, correct? (fail: I can assign an address to sfp1, but not to anything else. For some reason, RouterOS won’t let me assign more than 1 address, says “pool exhausted” after the first assignment. I thought the point of IPv6 is you never run out of addresses, lol)

(4.b. If I want to set up wireguard at some point, should I add an address for the wireguard interface in this place, too?)

  5. Then in /ipv6 dhcp-server, create an entry, on the “bridge” interface, using my designated pool. With a /56 delegation I should be able to accommodate 256 addresses, right? (Fail: My devices are not picking up IPv6 addresses from the MT device.)

Are these generally the right steps? I will get to some more specific questions, but first I wanted to check my overall understanding.

Could someone kindly validate or educate me, point-by-point? I can share config, but figured that would be useless until I understand what needs to happen. Thank you!!!
Colm

(*yes I backed them up)

How are you connected to the ISP, is it a cellular connection? Does your ISP provide IPv6 configuration instructions?

Would be a good idea to upgrade RouterOS, quite a few ipv6-related issues were resolved.

Ah, good point, I updated to 7.11 stable (without changing anything else). Though nothing has really seemed different yet. Could you critique my overall conceptual understanding?

I have a fiber connection to my ISP. They were not very detailed on connection instructions, but with

/ipv6 dhcp-client
add add-default-route=yes interface=sfp1 pool-name=pool6 pool-prefix-length=56 request=prefix
/ipv6 nd
set [ find default=yes ] dns=2620:fe::fe,2606:4700:4700::1111,2001:4860:4860::8888 interface=bridge managed-address-configuration=yes ra-interval=20s-1m

I get

/ipv6/dhcp-client> print 
Columns: INTERFACE, STATUS, REQUEST, PREFIX
# INTERFACE  STATUS  REQUEST  PREFIX                        
0 sfp1       bound   prefix   2605:XXXX:XXXX:6400::/56, 41m13s

Now, one difference is that when I try to ‘/ipv6 address add’ an entry for sfp1 from the pool, it says “duplicate address detected” despite being the only non-link-local address.

If I change the dhcp-client config to “request=prefix,address” it just says “searching…” forever, so I figured that was incorrect.

  • The delegated prefix you request and receive via DHCPv6 Client is intended for the LAN only*. Don’t use “add-default-route=yes”, instead enable /ipv6/nd on the WAN interface (/ipv6/nd/add interface=sfp1 ra-lifetime=none advertise-mac-address=yes) and set “accept-router-advertisements=yes” in /ipv6/settings
  • RouterOS cannot use DHCPv6 Server to distribute addresses. Only SLAAC, so use “managed-address-configuration=no”, the hosts on your LAN then will self-configure IPv6 addresses

Note that changes may take some time to propagate as there are configuration intervals and timeouts involved.

* (There is one exception for cellular networks and another is not supported by RouterOS)

Thanks, after making those changes, my current config is: (excluding the lengthy firewall rules)

/ipv6 dhcp-server add address-pool=pool6 interface=bridge name=DHCPv6-lan-server
/ipv6 dhcp-client add interface=sfp1 pool-name=pool6 pool-prefix-length=56 request=prefix
/ipv6 nd set [ find default=yes ] dns=2620:fe::fe,2606:4700:4700::1111,2001:4860:4860::8888 hop-limit=64 interface=sfp1 ra-interval=20s-1m
/ipv6 settings set accept-redirects=no accept-router-advertisements=yes max-neighbor-entries=8192

I’ll give it some time for the new config to percolate through. I have to leave this site for now anyway, but I might be able to check on it later tonight. Thanks for the help so far, maybe this will make some progress!

/ipv6 dhcp-client add interface=sfp1 pool-name=pool6 pool-prefix-length=56 request=prefix

Unless you do know that you need /56, I’d change “pool-prefix-length=56” to “pool-prefix-length=64 prefix-hint=::/48”


/ipv6 dhcp-server add address-pool=pool6 interface=bridge name=DHCPv6-lan-server

Remove the DHCPv6 server.


/ipv6 nd set [ find default=yes ] dns=2620:fe::fe,2606:4700:4700::1111,2001:4860:4860::8888 hop-limit=64 interface=sfp1 ra-interval=20s-1m

I rather meant

/ipv6/nd/add interface=sfp1 ra-lifetime=none

/ipv6/address/add advertise=yes eui-64=yes from-pool=pool6 interface=bridge
/ipv6/nd/set dns=2620:fe::fe,2606:4700:4700::1111,2001:4860:4860::8888 [/ipv6/nd/find interface=bridge]



/ipv6 settings set accept-redirects=no accept-router-advertisements=yes max-neighbor-entries=8192

also “forward=yes”

Thank you, I’ll try these. But could you please explain the purpose of these changes? I have some theories but more often than not, I find that my intuition is wrong in IPv6.

Basics are covered in Mikrotik’s IPv4 and IPv6 Fundamentals (and subsections). For in depth see RFC 4861 and RFC 8415.

I can help with specific questions, but otherwise it’s hard to elaborate in few words.

Those changes seem to have finally made it work. Thank you so much. I appreciate the help fixing it, but I still feel like I have a ways to go in terms of truly understanding WHY it fixed it, even after reading your links. The Mikrotik documentation never explains things enough for me, and the RFCs are often too much that I get overwhelmed, so I often struggle to find a middle ground.

Unless you do know that you need /56, I’d change “pool-prefix-length=56” to “pool-prefix-length=64 prefix-hint=::/48”

I still specifically don’t understand this fully. Is there any harm in leaving it at /56? (I opened a support ticket with my ISP a few days ago to confirm the prefix length, but I happen to know they are pretty busy and have bigger fish to fry) And, I thought the prefix hint was supposed to match the actual prefix supplied? What is the underlying principle behind setting ‘48’ in this context? I thought that setting a prefix hint like this could cause a host to generate an address for itself that was potentially in the wrong network segment, thus making itself unroutable… no?

There’s some weird guidance (or at least the way I interpreted it) floating around in forums, saying that if you get a ::/64 prefix that MT can only make a pool of size 1, i.e. you can’t have other IPv6 address on the same network segment, unless you got a more generous prefix like a ::/60 or a ::/56 (which of course now seems silly that I understand what SLAAC is a little bit better, and that current RouterOS does not really serve stateful IPv6 addresses apparently. that [mis]understanding had really been hindering me)

I had another follow-up question. You mentioned that

The delegated prefix you request and receive via DHCPv6 Client is intended for the LAN only*

* (There is one exception for cellular networks and another is not supported by RouterOS)

I have another (totally separate) network employing a Chateau LTE6 on a Google Fi SIM. My next project was to set up IPv6 for that. Should I be cognizant of the “exception” you mentioned for that?

I really appreciate the help, I think I am gradually understanding.
Colm

You want to take a look at RFC 3513, section 2.5 to get an understanding of IPv6 addressing.


The “pool-prefix-length” property is a configuration property used by RouterOS when it subnets a delegated prefix, i.e. it will create subnets with prefixes of this length whenever you use its DHCPv6 Server for prefix delegation or assign an address via the “from-pool” property. Thus the number of subnets is determined by the bits between the delegated prefix length and pool-prefix-length.


The idea is to request from the ISP the shortest possible prefix, which is realistically /48. Likely they will give you a longer one, e.g. in my area Comcast Xfinity gives only /60 (disregarding the ::/48 hint), which leaves only 4 bits for custom subnets since the trailing 64 bits are reserved for the Interface ID to uniquely identify a node and are required for SLAAC.


See RFC 7278. However, I’m not sure how you can configure RouterOS to allocate the same address of different prefix lengths (/128 for WAN and /64 for LAN) from the same pool, perhaps there is a specific configuration option for devices with builtin LTE modem.
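
An added illustration, not written by any poster in this thread and not RouterOS code: a Python model of the subnetting described in the reply above, showing why pool-prefix-length=56 on a /56 delegation leaves one assignable block while 64 leaves 256, and how an eui-64 address is formed inside a /64. The prefix 2001:db8:0:6400::/56 and the MAC address are constructed documentation values, and the "pool exhausted" error is modelled on the message reported earlier in the thread.

```python
import ipaddress
from itertools import islice

# Constructed sample values (documentation ranges), not from the thread.
DELEGATED = "2001:db8:0:6400::/56"
BRIDGE_MAC = "00:00:5e:00:53:01"

def subnet_count(delegated: str, pool_prefix_length: int) -> int:
    """Blocks available = 2^(bits between delegated length and pool length)."""
    net = ipaddress.IPv6Network(delegated)
    if pool_prefix_length < net.prefixlen:
        raise ValueError("pool-prefix-length is shorter than the delegated prefix")
    return 2 ** (pool_prefix_length - net.prefixlen)

def allocate(delegated: str, pool_prefix_length: int, wanted: int):
    """Model of from-pool assignment: hand out the first `wanted` blocks."""
    net = ipaddress.IPv6Network(delegated)
    blocks = list(islice(net.subnets(new_prefix=pool_prefix_length), wanted))
    if len(blocks) < wanted:
        raise RuntimeError("pool exhausted")  # modelled error text
    return blocks

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: flip the universal/local bit, insert ff:fe in the middle."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return int.from_bytes(bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:], "big")

def eui64_address(subnet, mac: str) -> ipaddress.IPv6Address:
    """Address an interface gets with eui-64=yes inside a /64 subnet."""
    net = ipaddress.IPv6Network(subnet)
    if net.prefixlen != 64:
        raise ValueError("the low 64 bits are the interface ID, so a /64 is required")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

if __name__ == "__main__":
    for length in (56, 64):
        print(f"pool-prefix-length={length}: {subnet_count(DELEGATED, length)} block(s)")
    try:
        allocate(DELEGATED, 56, 2)        # second assignment has nothing left
    except RuntimeError as err:
        print("two assignments at /56:", err)
    wan_side, lan = allocate(DELEGATED, 64, 2)
    print("first two /64 blocks:", wan_side, lan)
    print("bridge address with eui-64:", eui64_address(wan_side, BRIDGE_MAC))
```
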

I appreciate how you have balanced recommendations, explanations, and references in your replies. Thanks for your help here. I’ll mark this thread solved.