Posting in the beginner area, as I am a newbie, so hopefully the fix is easy. Please ignore missing firewalls etc, this is an experimental setup and I want to make sure the current part works before I continue.
So I got RouterOS 17.16.1 installed on x86 hardware acting as a router, plus a CRS309-1G-8S+ switch.
Router config:
Router and Switch are connected via ether4 port on both devices that act as a trunk.
My ISP has allocated a static /48 IPv6 prefix, and I want each of VLANs 10, 11 and 12 to have its own /64 IPv6 subnet.
I have tried to plug several different devices (Linux and MacOS) into respective ports in my router, and everything works exactly as I expect (e.g. a device plugged into ether2 port would get a 2a02:aaaa:bbbb:11:ab:cd:ef/64 IPv6).
But plugging the same device into any port in my switch would result in a device getting 3 IPv6 addresses (not counting link local ones), one from each range I defined, e.g. 2a02:aaaa:bbbb:10:aa:bb:cc/64, 2a02:aaaa:bbbb:11:dd:ee:ff/64 and 2a02:aaaa:bbbb:12:ii:jj:kk/64.
How can I make devices connected to the switch only get the IPv6 addresses they are supposed to?
ingress-filtering=yes is the default [at least in the current RouterOS version], this is why it isn’t there. I have added it to my config to make it explicit. I have also updated trunk related comments as it is more clear that way.
I do not have trusted/untrusted VLANs for now as this is an experimental setup that is not going to be really used, but following your advice to split one /interface bridge vlan config line into 3 distinct lines helped to resolve the issue, and also makes total sense now that I see it from the new perspective. Appreciate your help.
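The split the OP describes, shown as an added RouterOS example rather than the OP's posted config (which is missing from the thread). It applies to whichever device has the access ports. Assumptions: the bridge is named bridge1, ether4 is the trunk as the thread states, and ether1, ether2 and ether3 are the access ports for VLANs 10, 11 and 12.

```routeros
# Added example, not the OP's config. Assumed names: bridge "bridge1",
# trunk ether4 (as in the thread), access ports ether1/ether2/ether3
# for VLANs 10/11/12.
/interface bridge
add name=bridge1

/interface bridge port
# Trunk: accepts only tagged frames.
add bridge=bridge1 interface=ether4 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged
# Access ports: pvid puts untagged ingress frames into exactly one VLAN.
add bridge=bridge1 interface=ether1 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether2 pvid=11 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 pvid=12 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# LEAKING form (the single line the thread describes): every access port
# becomes an untagged member of all three VLANs, so RAs from all three
# prefixes egress untagged on every access port.
# add bridge=bridge1 tagged=ether4 untagged=ether1,ether2,ether3 vlan-ids=10,11,12
#
# FIXED form: one entry per VLAN, each access port untagged in one VLAN only.
# If you manage this device over one of these VLANs, add bridge1 to that
# entry's tagged= list before enabling VLAN filtering, or you lose access.
add bridge=bridge1 tagged=ether4 untagged=ether1 vlan-ids=10
add bridge=bridge1 tagged=ether4 untagged=ether2 vlan-ids=11
add bridge=bridge1 tagged=ether4 untagged=ether3 vlan-ids=12

# Enable filtering last, once ports and VLAN entries are in place.
/interface bridge set bridge1 vlan-filtering=yes

# Check: each access port should appear in the UNTAGGED column of one row only.
/interface bridge vlan print
```

The check at the end is the quick way to spot the original problem: any port listed as untagged in more than one row will hand its host the RAs, and therefore the SLAAC addresses, of every VLAN it appears in.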
Now, I got a stretch question if you don’t mind.
Assume I have a WiFi access point that is not VLAN aware, connected to let’s say ether2 on Switch. I want to use switch rules on Mikrotik to separate Trusted and Guest devices to different VLANs based on their MAC addresses [I know this is a bad security practice, but this is the hardware I have; consider it a convenience not security] by assigning Trusted devices to let’s say VLAN 13.
That will make the respective part of the Switch config to look like this:
That will in turn make both Trusted and Guest devices receive IPv6 addresses with both 11 and 13 prefixes, kind of similar to the original issue, but now we actually need two VLANs on the same port.
I didn't manage to stop IPv6 addresses leaking across VLANs when using SLAAC to assign addresses. I ended up creating dhcpd6 containers for every VLAN, and those would assign addresses correctly even when there are several VLANs assigned on an access port.
Did you fix the switch VLAN settings according to @anav’s instructions?
If a port is an untagged member of multiple VLANs, then broadcasts of all VLANs will egress through that port (and are untagged on the way). And router advertisements (RAs), an instrumental part of SLAAC, are broadcast. It's normal for a host that receives RAs for multiple IPv6 prefixes to end up configured with multiple IPv6 addresses from all those prefixes.
And after you fix the switch config, hosts will keep being configured with those stray IPv6 addresses for quite a while; that's as per IPv6 standards as well. You can get rid of those by disabling (and re-enabling) IPv6 on those hosts … or by restarting the hosts.
Yes, I realized that any host on an untagged port will receive multiple RAs when multiple VLANs are configured, but I did not want hosts to receive multiple IPv6 addresses (because subnet isolation won't work in that case) – and I still wanted several VLANs untagged on the same port (because my WiFi APs are not VLAN aware).
I solved it by disabling SLAAC address allocation (by setting the M flag and unsetting the A flag), and created DHCPv6 servers in containers separately for every VLAN. This way every host only gets one IPv6 address.
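The RA flag change the OP describes, as an added RouterOS example on the router side, not the OP's own config. Assumptions: VLAN interfaces vlan11 and vlan13 on top of the ether4 trunk, and gateway addresses following the thread's 2a02:aaaa:bbbb:<vlan>::/64 scheme. The DHCPv6 servers themselves ran in containers in the OP's setup and are not shown here.

```routeros
# Added example, not the OP's config. Assumed: router-side VLAN interfaces
# vlan11 and vlan13 on trunk ether4; addresses follow the thread's
# 2a02:aaaa:bbbb:<vlan>::/64 scheme.
/interface vlan
add name=vlan11 interface=ether4 vlan-id=11
add name=vlan13 interface=ether4 vlan-id=13

# advertise=yes puts each prefix into the RAs sent on that interface.
/ipv6 address
add address=2a02:aaaa:bbbb:11::1/64 interface=vlan11 advertise=yes
add address=2a02:aaaa:bbbb:13::1/64 interface=vlan13 advertise=yes

# Clear the A (autonomous) flag for the dynamically advertised prefixes:
# hosts stop forming SLAAC addresses from either prefix, even on a switch
# port that carries both VLANs untagged.
/ipv6 nd prefix default
set autonomous=no on-link=yes

# Set the M flag (and O flag) so hosts request an address via DHCPv6.
/ipv6 nd
set [ find default=yes ] managed-address-configuration=yes other-configuration=yes

# Check: AUTONOMOUS should read "no" for every advertised prefix.
/ipv6 nd prefix print detail
```

This works for the two-VLANs-on-one-port case because egress and ingress are asymmetric: the host still receives RAs from both VLANs, but its own untagged frames (including the DHCPv6 Solicit) enter the bridge in one VLAN only, so only that VLAN's DHCPv6 server answers. The host does still learn both prefixes as on-link and both advertising routers from the RAs; only address assignment has moved to DHCPv6, which is why the OP treats this as convenience rather than isolation.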
It does, I use switch rules to assign VLAN tags based on MAC addresses. I understand this is not a security feature and is easy to work around; in my case it is a convenience one without strict security requirements.