[Solved] Need help adding IPv6 to existing Guest network

Having successfully set up IPv6 on my router, using the default settings and following this guide, I now want to add my guest network into the mix. However, I’m having problems once I’ve set up the address and ND settings:

> ipv6/address print
Flags: X - DISABLED; D - DYNAMIC; G - GLOBAL, L - LINK-LOCAL
Columns: ADDRESS, INTERFACE, ADVERTISE
#     ADDRESS                       INTERFACE         ADVERTISE
;;; IPv6-Home
0   G 2406:5a00:xxxx:xxxx::1/64     bridge            yes      
1  DL fe80::1fc2:xxxx:xxxx:xxxx/64  back-to-home-vpn  no       
2  D  ::1/128                       lo                no       
;;; back-to-home-vpn
3  DG fc00:0:0:216::1/64            back-to-home-vpn  yes      
4  DL fe80::4aa9:xxxx:xxxx:xxxx/64  bridge            no       
5  DL fe80::48a9:xxxx:xxxx:xxxx/64  IoT_LAN           no       
6  DL fe80::48a9:xxxx:xxxx:xxxx/64  Guest_LAN         no       
7  DL fe80::4aa9:xxxx:xxxx:xxxx/64  ether2            no       
8  DL fe80::4aa9:xxxx:xxxx:xxxx/64  vlan10-DHCP       no       
;;; IPv6-Guest
9 X G 2406:xxxx:xxxx:xxxx::2/64     Guest_LAN         yes 

and…

> ipv6 nd/print
Flags: X - disabled, I - invalid; * - default 
 0  * interface=bridge ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified ra-lifetime=30m ra-preference=medium hop-limit=unspecified 
      advertise-mac-address=no advertise-dns=yes managed-address-configuration=no other-configuration=yes dns=2a07:a8c0::fd:a4c2,xxxx:xxxx::xx:xxxx 

 1 X  interface=Guest_LAN ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified ra-lifetime=30m ra-preference=medium hop-limit=unspecified 
      advertise-mac-address=no advertise-dns=yes managed-address-configuration=no other-configuration=yes dns=2a07:a8c0::fd:a4c2,xxxx:xxxx::xx:xxxxx 

I have both entries currently disabled. I suspect I might need to add some firewall rules? But that’s something I have no knowledge about and would love some guidance.

Here are the IPv6 Firewall & NAT rules:

/ipv6/firewall/nat> print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; back-to-home-vpn
      chain=srcnat action=masquerade in-interface=back-to-home-vpn 

 1    ;;; NextDNS-TCP
      chain=dstnat action=dst-nat to-address=2a07:a8c0::fd:a4c2/128 to-ports=53 protocol=tcp dst-port=53 log=no log-prefix="" 

 2    ;;; NextDNS-UDP
      chain=dstnat action=dst-nat to-address=2a07:xxxx::xx:xxxx/128 to-ports=53 protocol=udp dst-port=53 log=no log-prefix="" 

 3    ;;; NextDNS-DoT
      chain=dstnat action=dst-nat to-address=2a07:xxxx::xx:xxxx/128 to-ports=853 protocol=tcp dst-port=853 log=no log-prefix="" 
/ipv6/firewall/filter> print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; back-to-home-vpn
      chain=forward action=drop src-address-list=back-to-home-lan-restricted-peers out-interface-list=LAN 

 1  D ;;; back-to-home-vpn
      chain=input action=accept protocol=udp dst-port=46233 

 2    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 3    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 4    ;;; defconf: accept ICMPv6
      chain=input action=accept protocol=icmpv6 

 5    ;;; defconf: accept UDP traceroute
      chain=input action=accept protocol=udp port=33434-33534 

 6    ;;; defconf: accept DHCPv6-Client prefix delegation.
      chain=input action=accept protocol=udp src-address=fe80::/10 dst-port=546 

 7    ;;; defconf: accept IKE
      chain=input action=accept protocol=udp dst-port=500,4500 

 8    ;;; defconf: accept ipsec AH
      chain=input action=accept protocol=ipsec-ah 

 9    ;;; defconf: accept ipsec ESP
      chain=input action=accept protocol=ipsec-esp 

10    ;;; defconf: accept all that matches ipsec policy
      chain=input action=accept ipsec-policy=in,ipsec 

11    ;;; defconf: drop everything else not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

12    ;;; defconf: accept established,related,untracked
      chain=forward action=accept connection-state=established,related,untracked 

13    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

14    ;;; defconf: drop packets with bad src ipv6
      chain=forward action=drop src-address-list=bad_ipv6 

Filter is MT default, with no changes (that I’m aware of)

Any help would be much appreciated!

I want to do the same, but I am holding off for a while. I want to replicate my IPv4 setup by having a subnet on a VLAN and isolating with firewall rules. As I understand it, IPv6 subnetting is not mature on MikroTik. You need better than a /64 from your ISP, because the difference between what you get and 64 is the number of subnets you can have according to the standards for IPv6, i.e. the subnet prefix is outside the lower 64 bits. I am not following closely but I believe that 7.21.0 will have the requisite facilities.

So, they release a partially useful feature. Go figure.

My guest network doesn’t use a vlan, but does use a different bridge, address, pool and client isolation - all IPv4. Works well. I guess it doesn’t need IPv6 for now anyway, still works fine with IPv4.

Thanks for your reply. Much appreciated.

I guess I should look out for changes in the /ipv6 changelog when 7.21.1 comes out?

After some more digging, it seems that this was the answer:

/ipv6 firewall filter
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward in-interface=Guest_LAN

I hope this helps @DuctView

Happy days!!

If you use the IPv6 firewall rules from defconf then you only need to add Guest_LAN to the interface list LAN and won't need that extra accept rule.

Unlike the IPv4 defconf, there is an action=drop chain=forward rule for in-interface-list=!LAN in the IPv6 part.
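To see why interface-list membership alone is enough, here is an added example (not code from the thread or from MikroTik) that models the IPv6 forward chain as RouterOS evaluates it: first matching rule wins, and a packet that matches nothing is accepted. The rule set is an assumption limited to the defconf forward rules quoted above plus the final "drop everything else not coming from LAN" rule described in the reply; "ether1" is an assumed WAN interface name and the packets are constructed samples. The third scenario models the per-interface accept rule from the earlier post, placed before the final drop (in RouterOS `add` appends to the end of the chain, so a rule that must sit before the drop needs `place-before`).

```python
# Added example: first-match model of the RouterOS IPv6 "forward" chain.
# Rule set (assumption): the defconf forward rules quoted in the thread plus
# the final "drop in-interface-list=!LAN" rule the reply describes.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_interface: str
    connection_state: str                 # new | established | related | untracked | invalid
    src_lists: frozenset = frozenset()    # address lists the source address belongs to


@dataclass(frozen=True)
class Rule:
    comment: str
    action: str                                  # accept | drop
    connection_state: Optional[frozenset] = None
    src_address_list: Optional[str] = None
    in_interface_list: Optional[str] = None      # "LAN" or negated "!LAN"
    in_interface: Optional[str] = None


def matches(rule: Rule, pkt: Packet, iface_lists: dict) -> bool:
    """Every matcher set on the rule must match, as in RouterOS."""
    if rule.connection_state is not None and pkt.connection_state not in rule.connection_state:
        return False
    if rule.src_address_list is not None and rule.src_address_list not in pkt.src_lists:
        return False
    if rule.in_interface is not None and pkt.in_interface != rule.in_interface:
        return False
    if rule.in_interface_list is not None:
        negated = rule.in_interface_list.startswith("!")
        members = iface_lists.get(rule.in_interface_list.lstrip("!"), frozenset())
        # "!LAN" matches only interfaces that are NOT members of list LAN
        if (pkt.in_interface in members) == negated:
            return False
    return True


def forward_chain(pkt: Packet, rules: list, iface_lists: dict):
    """First matching rule decides; an unmatched packet is accepted."""
    for rule in rules:
        if matches(rule, pkt, iface_lists):
            return rule.action, rule.comment
    return "accept", "end of chain (implicit accept)"


DEFCONF_FORWARD = [
    Rule("defconf: accept established,related,untracked", "accept",
         connection_state=frozenset({"established", "related", "untracked"})),
    Rule("defconf: drop invalid", "drop", connection_state=frozenset({"invalid"})),
    Rule("defconf: drop packets with bad src ipv6", "drop", src_address_list="bad_ipv6"),
    Rule("defconf: drop everything else not coming from LAN", "drop", in_interface_list="!LAN"),
]


def decisions(rules: list, iface_lists: dict) -> dict:
    # Constructed sample packets; "ether1" is an assumed WAN interface name.
    samples = {
        "guest_new": Packet("Guest_LAN", "new"),                 # guest client opening a connection
        "wan_new": Packet("ether1", "new"),                      # unsolicited inbound from the WAN side
        "wan_reply": Packet("ether1", "established"),            # return traffic for a LAN-initiated flow
        "guest_bad_src": Packet("Guest_LAN", "new", frozenset({"bad_ipv6"})),
    }
    return {name: forward_chain(pkt, rules, iface_lists)[0] for name, pkt in samples.items()}


# 1) Guest_LAN not in interface list LAN: new guest connections hit the final drop.
BEFORE = decisions(DEFCONF_FORWARD, {"LAN": frozenset({"bridge"})})

# 2) The reply's fix: Guest_LAN added to list LAN, no extra accept rule needed.
AFTER = decisions(DEFCONF_FORWARD, {"LAN": frozenset({"bridge", "Guest_LAN"})})

# 3) Per-interface accept rule instead, modelled as placed before the final drop.
WITH_ACCEPT_RULE = decisions(
    DEFCONF_FORWARD[:-1]
    + [Rule("accept forward from Guest_LAN", "accept", in_interface="Guest_LAN")]
    + DEFCONF_FORWARD[-1:],
    {"LAN": frozenset({"bridge"})},
)

if __name__ == "__main__":
    for label, result in (("before", BEFORE), ("after", AFTER), ("accept rule", WITH_ACCEPT_RULE)):
        print(f"{label:12s} {result}")
```

Both fixes let new guest connections through while unsolicited traffic from the WAN side still meets the drop, and the bad_ipv6 check still fires first either way; the list-membership approach is simply the one every other defconf rule keyed on `LAN` already expects.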

Amazing. Thank you! I disabled

and checked the guest network. Still works using IPv6.

Thanks again @CGGXANNX

All part of the learning process. :wink:

Thanks, yes. It looks like MikroTik IPv6 is more mature than I understood.

They’re almost there. Still can’t set up the DHCP-Server to show leases and thus create static IPs.

For DHCPv6 server the "leases" are in the "Bindings" table. And you can create/convert static binding entries from there too.

But due to the requirement of the pool used for DHCPv6 address assignment (not prefix assignment) it requires more work (scripting) if your ISP only gives you dynamic prefixes.

If you only use DHCPv6 to assign addresses with fixed prefixes (manually chosen ULA prefixes are ok too) then no extra scripting is required.

Good to know. Thanks @CGGXANNX. When I get permanently settled I’ll find this info from my provider and then, if necessary, post back for help with scripting. Much appreciated, as always!

Have you considered that perhaps, hypothetically,
given that a subnet contains 1,152,921,504,606,846,975 possible IPv6 addresses,
and that scanning everything is a lot... of time (365,589,010 years for 100 IPv6/sec "scan", while for a "scan" of all IPv4 on 10./8 ~2 days suffice...),
given that they're also assigned fairly randomly,
and perhaps the IPv6 address used had already been tried in the past...
is it "simply" enough, for simple setups, to block traffic between the ports of two different Ethernets/VLANs?

In short, assign Guest/Office/IoT/etc devices IPv6 from the same pool, and simply block traffic between ethernets/VLANs

That’s a good point, but considering the end goal would be to make whatever IPs are already on the network static (in the same manner as IPv4), then you’ll only have a handful of IP addresses as opposed to gazillions. I’m making the assumption of course that at any one time there will only be one or two IPv6 IPs connected to any one device on the network? I’m still learning IPv6 and am happy to be wrong, but this seems logical.

??? OK, so how does stuff get routed between vlans if the address space is spread out evenly? Or have I missed something?

Some considerations:

The main goal of using multiple VLANs in a Home/Office is to separate networks between IoT, NVR, Guests, Home, Office, etc.

But then someone wants to control the "IoT"-connected television from the smartphone connected to the "Home" network, and perhaps print to the "Office" network printer, or see cameras on "NVR", or play music with speaker on "IoT" network, all without ever changing the smartphone's Wi-Fi network...

So, someone first takes care to separate everything, and then struggles to find ways to make the devices see each other anyway...

Think about it...


Reply for @DuctView :
Blocking communications between different ports on the same LANs [bridge with same horizon ports, for example]
does not preclude that each LAN part can use the same WAN/Gateway...

Or I do not understand the question...

In my opinion, not all IPv4 paradigms should be applied to IPv6 as well.


I think my problem arises from thinking about it, but perhaps not necessarily in the right way ...

I can fully see the argument for the 64 address bits making a user's network space into a large haystack in which a very small number of needles is hidden, to the extent that vlans could be superfluous, but then you say

So I am confused

  • Are you proposing to still use vlans? If No, then I get it
  • If Yes, then you would still need inter vlan routing, so how would you do it, if addressing is not subnetted?

VLANs or different Ethernet ports, and other features, are used to prevent devices of different "classes" (IoT, Office, etc.) from communicating with each other,
but they can all share the same IPv6 space.

The concept remains, because IPv4 continues to exist.

I, as a (W)ISP, provide a /56 to my customers (with an MTU of 1500), and it is possible to create 256 /64 subnets...
or 16 /60 subnets with 16 /64 sub-subnets each...

I just can't understand any ISP who only provides a /64 segment; there are billions upon billions of addresses available,
and here too the IPv4 paradigms stupidly apply: "the less you give, the better it is"...

I agree. This is one of my requirements if I ever have to change ISP

So you vlan segregate the different classes. But having these ipv6 subnets available, would you not use them on the vlans? Which to my mind is using different [but related] ipv6 spaces.

I think you misunderstood me, perhaps.
I was only referring to the case where a user is given only a /64 by a less than competent ISP, with all that entails...
If I had "at least" a /60, I'd create full separate subnets, not a shared unique subnet...