Hello,

I am a RB newbie and currently struggling with the setup of my Hex S in order to have IPv6 to work with my FTTH connection. My ISP provides a simple ONU/media converter and a /64 prefix without prefix delegation. The steps I have taken in order to setup IPv6 are:

1. IPv6 > DHCPv6 client > Add new
- Interface ether1 (where my ONU is connected)
- Pool name "pool-ipv6"
- Pool prefix length: 64
- User Peer DNS, Add default route both checked

After step 1, the newly added DHPv6 client is stuck with status "searching".
No prefix or address is displayed for this client.

After some online search, it looks that some functionality called "RA Proxy" (which afaik does not seem available in RB yet) is needed for the RA to flow to the network. As a workaround to this, some blogs outline the following process:

2. Tools > Traceroute > Traceroute to 2001:4860:4860::8888
The output would look like this: The RA prefix is [2409:10:dead:beef::cafe] which would mean that the prefix is likely going to be [2409:10:dead:beef::/64]. From that we can set an IPv6 address like [2409:10:dead:beef::1] to the local interface with the following step:

3. IPv6 > Addresses > Add
- Address 2409:10:dead:beef::1
- Interface ether2 (local lan)
- Advertise checked

After this step, I still don't have IPv6 connectivity.

Could someone please help me with having IPv6 to work? Thanks in advance.

Also, IPv6 > Settings > Accept router advertisements is set to yes.

Bump

My ISP provides a simple ONU/media converter and a /64 prefix without prefix delegation.

It can mean two things, but I guess one is more likely. If you connect PC directly to this device and it gets IPv6 address and everything works, it means that /64 is set directly on ISP's device, it serves as gateway and it allows you to have only one IPv6 subnet connected directly to it. The other could be static config with /64 subnet routed to you, in that case PC connected to ISP's device would not get address, and they would provide you with the subnet and at least gateway.

In any case, just a single /64 is very limiting, because it doesn't allow you to create additional subnets, e.g. if you would want one for yourself and another for guests. And if it's the first case, it's not completely wrong, but far from ideal too, because it assumes that all your devices will be connected directly to ISP's router. There's no place for your router. RA proxy can solve this problem, but it's more like a workaround, and as you correctly found out, RouterOS doesn't have it.

So with current RouterOS, you'd need to have it in bridge mode, which is possible, but it will also affect IPv4 config.

Thanks for the reply and all the info!

It can mean two things, but I guess one is more likely. If you connect PC directly to this device and it gets IPv6 address and everything works, it means that /64 is set directly on ISP's device, it serves as gateway and it allows you to have only one IPv6 subnet connected directly to it. The other could be static config with /64 subnet routed to you, in that case PC connected to ISP's device would not get address, and they would provide you with the subnet and at least gateway.

Just tried connecting my PC directly to this ONU device without router. PC gets its IPv6 adress (Native IPv6) and everything seems to work (with the exception of IPv4, for which a PPPoE client is needed).

In any case, just a single /64 is very limiting, because it doesn't allow you to create additional subnets, e.g. if you would want one for yourself and another for guests. And if it's the first case, it's not completely wrong, but far from ideal too, because it assumes that all your devices will be connected directly to ISP's router. There's no place for your router. RA proxy can solve this problem, but it's more like a workaround, and as you correctly found out, RouterOS doesn't have it.

For my personal use case, I do not need multiple networks so I'm fine with that.
Taking a look at some japanese blogs, looks like there are two workarounds for my case:
1) Figure out the assigned /64 prefix by running a traceroute to an IPv6 address. The first hop would have info on which IPv6 address is assigned. Assign an address within this prefix to the WAN interface. Did not work...
2) Use IPv6 PPPoE. I made a new PPPoE client for IPv6 in the same WAN interface where I have my PPPoE IPv4 client, but still did not work...

So with current RouterOS, you'd need to have it in bridge mode, which is possible, but it will also affect IPv4 config.

Sorry, could you please give more info on this?
Does this mean that my only option is bridging this router to another router having IPv6 RA Proxy functionality ?

You can figure out used /64 easily, when you connect a device directly to ISP's router and see what it got (bot you have not guarantee that it's static). In fact, even RouterOS can get address from RA, but it won't help you with getting packets through your router.

With bridge I mean bridging ports connected to ISP's router and to your LAN. It would make the router transparent and IPv6 for devices in LAN would work as if they were connected directly to ISP's router. Problem is, it would mess up your IPv4 config, for which you want the router in router mode. I'm sure that it's possible to do something with either bridge filters or bridge IP firewall, but I rarely use it, so I'm not able to give you the right config from top of my head.

Another router with RA proxy would help you only if you had it as main router and current router would not be doing any routing, otherwise you'd have the same problem. Unfortunately, what your ISP chose is not the best way how to give IPv6 to users.

1. IPv6 > DHCPv6 client > Add new
- Interface ether1 (where my ONU is connected)
- Pool name "pool-ipv6"
- Pool prefix length: 64
- User Peer DNS, Add default route both checked[/code]

Instead of ether1 try pppoe interface. Not seperate one but this one you have.

You can figure out used /64 easily, when you connect a device directly to ISP's router and see what it got (bot you have not guarantee that it's static). In fact, even RouterOS can get address from RA, but it won't help you with getting packets through your router.

With bridge I mean bridging ports connected to ISP's router and to your LAN. It would make the router transparent and IPv6 for devices in LAN would work as if they were connected directly to ISP's router. Problem is, it would mess up your IPv4 config, for which you want the router in router mode. I'm sure that it's possible to do something with either bridge filters or bridge IP firewall, but I rarely use it, so I'm not able to give you the right config from top of my head.

Another router with RA proxy would help you only if you had it as main router and current router would not be doing any routing, otherwise you'd have the same problem. Unfortunately, what your ISP chose is not the best way how to give IPv6 to users.

Thanks. Some japanese blogs state that one alternative to the RA proxy issue could be connecting IPv6 via PPPoE instead of IPoE. Do you think this would work? I attempted it without success (perhaps my sertings were not correct?)

It's really disappointing that I can't get IPv6 to work because of the way my ISP provides IPv6. I wish I could change to another ISP but I am stuck in a 2y contract. I wish Mikrotik could inplement RA proxy someday too...

Instead of ether1 try pppoe interface. Not seperate one but this one you have.

Thanks, but this did not work

Honestly, I've never used IPv6 with PPPoE, so I don't know if it needs anything special. I'd expect it to just be there as IPv4 is. So far your ISP's config seems to be a strange mix, IPv6 available directly, but PPPoE required for IPv4...

Anyway, if you want to experiment, my quick test says that the following config works. It bridges two ports and allows only IPv6 traffic between them, everything else is blocked. So for IPv6 it's as if the router isn't there at all. Access to IPv4 internet is using PPPoE client and it's standard config, PPPoE interface is WAN, bridge is LAN.

First there's the magic WAN-LAN bridge (ether1 is connected to ISP, ether2 is your LAN): PPPoE for IPv4 internet:
Standard LAN config:
Basic firewall:
It's possible that there may be better way, if anyone has any idea, don't keep it for yourself.

Honestly, I've never used IPv6 with PPPoE, so I don't know if it needs anything special. I'd expect it to just be there as IPv4 is. So far your ISP's config seems to be a strange mix, IPv6 available directly, but PPPoE required for IPv4...

Anyway, if you want to experiment, my quick test says that the following config works. It bridges two ports and allows only IPv6 traffic between them, everything else is blocked. So for IPv6 it's as if the router isn't there at all. Access to IPv4 internet is using PPPoE client and it's standard config, PPPoE interface is WAN, bridge is LAN.

First there's the magic WAN-LAN bridge (ether1 is connected to ISP, ether2 is your LAN):

Code: Select all

/interface bridge
add name=bridge1 protocol-mode=none
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/interface bridge filter
add action=accept chain=forward mac-protocol=ipv6
add action=drop chain=forward
add action=jump chain=input in-interface=ether1 jump-target=input-wan
add action=accept chain=input-wan mac-protocol=pppoe-discovery
add action=accept chain=input-wan mac-protocol=pppoe
add action=drop chain=input-wan
add action=jump chain=output jump-target=output-wan out-interface=ether1
add action=accept chain=output-wan mac-protocol=pppoe-discovery
add action=accept chain=output-wan mac-protocol=pppoe
add action=drop chain=output-wan
add action=jump chain=output jump-target=output-lan out-interface=ether2
add action=drop chain=output-lan mac-protocol=pppoe-discovery
add action=drop chain=output-lan mac-protocol=pppoe
add action=accept chain=output-lan

PPPoE for IPv4 internet:

Code: Select all

/interface pppoe-client
add add-default-route=yes disabled=no interface=bridge1 name=pppoe-out1 \
    service-name=test use-peer-dns=yes user=test

Standard LAN config:

Code: Select all

/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
/ip pool
add name=dhcp_pool0 ranges=192.168.88.100-192.168.88.199
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes

Basic firewall:

Code: Select all

/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface=bridge1
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input in-interface=bridge1
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1

It's possible that there may be better way, if anyone has any idea, don't keep it for yourself.

Wow, thank you for letting me know the whole config!
Just set the router following your instructions and voila! works perfectly for both IPv4 and IPv6.
Here is a screenshot of the test result (I seem to have ICMP untested, no idea why...):


Now time for me to understand all the bits of the config.
Many many thanks again for your time and patience!

It bridges two ports and allows only IPv6 traffic between them, everything else is blocked. So for IPv6 it's as if the router isn't there at all. Access to IPv4 internet is using PPPoE client and it's standard config, PPPoE interface is WAN, bridge is LAN.

One last question about the bridged ports: I see that ethernet ports 1 and 2 are bridged. Does that mean that they are switched, i.e. share the same 1Gbps line bandwidth? (Hex S)

Ideally, in order to have symmetrical gigabit wan, I would prefer having ethernet 1 (wan) on one 1Gbps line, and the rest of ports 2-5 in another 1Gbps line.
For this, I guess would I need to bridge ports 2-5 and leave 1 unbridged? How should I connect the bridged ports 2-5 to the port 1?

Thanks!

If you want to add other LAN ports, just add them to bridge. Only special handling required is for the one connected to ISP. You can drop whole "output-lan" chain in bridge filters, it was to prevent PPPoE requests from being sent to LAN, but since you most likely don't have any PPPoE server there, it shouldn't matter.

I'm not sure about switching. Generally yes, it does work that way in current RouterOS, but it depends also on other used options and I think it won't go well together with bridge filters. I don't have Hex S to test with, but I guess it's likely that it will use software instead of hardware. I'm not sure if only for the port connected to ISP (referenced by bridge filters) or for all. And whether software bridging would be fast enough for full gigabit, I don't know that either.

If you want to add other LAN ports, just add them to bridge. Only special handling required is for the one connected to ISP. You can drop whole "output-lan" chain in bridge filters, it was to prevent PPPoE requests from being sent to LAN, but since you most likely don't have any PPPoE server there, it shouldn't matter.

I'm not sure about switching. Generally yes, it does work that way in current RouterOS, but it depends also on other used options and I think it won't go well together with bridge filters. I don't have Hex S to test with, but I guess it's likely that it will use software instead of hardware. I'm not sure if only for the port connected to ISP (referenced by bridge filters) or for all. And whether software bridging would be fast enough for full gigabit, I don't know that either.

Thanks again for all the advice! For Hex S, and according to these block diagrams:




If I use switching (=bridge?) and I want to set port 1 as non-switched and the rest as switched so that 1 uses a dedicated line, I would need to:
- In the current bridge1 add ports 3,4,5 (LAN) and remove port 1 (WAN) to have only ports 2-5 bridged
- In bridge1 filters remove "input" (ether1) and "output" (ether1), and add these filters as IP firewall filters directly for ether1?
- In bridge1 filters remove "output-lan" chain and I guess "output" (ether2) too as there is no pppoe servers (following your advice)
- Perhaps remove the "forward" chain in the bridge filter since an IP firewall for "forward" is already set?

https://wiki.mikrotik.com/wiki/Manual:I ... Offloading

My guess is that you should keep all 5 ports bridged together (otherwise Sob's magic for separating IPv6 from PPPoE won't work), but just to be sure set hw=no for WAN ether port (that's in /interface bridge port) ... my non-educated guess is that this should be enough to reconfigure your hEX S according to top block diagram. Set hw=yes on the rest of ether ports if they aren't already.

As I wrote, I can't test it, but I'm affraid that playing with bridge filters may ruin hardware switching for all ports.

And yes, the magic depends on bridge. Bridge filter and IP firewall filter are not interchangable like this. If you remove port connected to ISP from bridge, IPv6 will no longer transparently pass through router and you'll be back where you started.

What can I say, life is sometimes hard for early adopters. Although "early adopter of IPv6" in 2019... ... but that's how it is.

What can I say, life is sometimes hard for early adopters. Although "early adopter of IPv6" in 2019... ... but that's how it is.

Reading this thread I'd say I'm lucky to have the misery of DSL line ... my ISP is delivering both IPv4 and IPv6 over PPPoE, eliminating need for IPv6 on WAN interface. Meaning that I can actually use all 256 /64 subnets that I have, none are wasted
I'd gladly trade one /64 subnet for fibre access (I'm not picky, either FTTH or GPON would do) though.

At home, I have my trusty 6to4, which I got it in 2001 as a temporary way to get IPv6, until ISP brings native connectivity. It still works. I mean, it has to. Fortunately, it's enough for my needs, but it's crazy.

As I wrote, I can't test it, but I'm affraid that playing with bridge filters may ruin hardware switching for all ports.
And yes, the magic depends on bridge. Bridge filter and IP firewall filter are not interchangable like this. If you remove port connected to ISP from bridge, IPv6 will no longer transparently pass through router and you'll be back where you started.

Thanks again. Just tried removing ether1 out of the bridge and adding some firewall filters like those of the bridge, but IPv6 stopped working. Better leave the bridge as is.

However, there are a couple of things I am a bit curious about:
1) Are bridge filters needed? If I remove all bridge filters, IPv4 and IPv6 still seem to work, speed/ipv6 test results do not seem to change at all...
2) Is there any difference between setting filters for the bridge in chains forward/input vs setting filters in ip firewall for the same chains?

Thanks!

My guess is that you should keep all 5 ports bridged together (otherwise Sob's magic for separating IPv6 from PPPoE won't work), but just to be sure set hw=no for WAN ether port (that's in /interface bridge port) ... my non-educated guess is that this should be enough to reconfigure your hEX S according to top block diagram. Set hw=yes on the rest of ether ports if they aren't already.

Thanks. Just tried that, I seem to get 300 Mbps download / 160Mbps upload regardless of the hw setting.
Just curious, what is the rationale behind setting hw to false for the wan port? I believe HW offload is something you don't want to lose...

It's possible that it can work without bridge filters. My idea was to make it safe, i.e. keep your LAN completely separated from ISP's device (except for IPv6, of course), as is with regular router. So even if for example ISP's device had own DHCPv4 server, it would not conflict with yours. Or if ISP wanted to connect to any of your LAN devices, they couldn't (I don't know why they would want to, but in theory...).

If none of this is a problem, you can remove all filters, just make one big bridge with all ports (which should give you hardware switching for sure) and use that.

And yes, bridge filters and IP firewall filters are two completely different things. They can both block packets, but on different level.

My guess is that you should keep all 5 ports bridged together (otherwise Sob's magic for separating IPv6 from PPPoE won't work), but just to be sure set hw=no for WAN ether port (that's in /interface bridge port) ... my non-educated guess is that this should be enough to reconfigure your hEX S according to top block diagram. Set hw=yes on the rest of ether ports if they aren't already.

Just curious, what is the rationale behind setting hw to false for the wan port? I believe HW offload is something you don't want to lose...

To make bridge filters work it's necessary to force traffic through SW bridge (a.k.a CPU). Sob's idea (and I agree with it) requires that WAN traffic should be subject to bridge filters, hence need to pass through CPU. The rest of traffic (that is traffic between LAN ports) can safely evade bridge filters so it can be left to HW to deal with it.

You can actually check if any of ports is HW offloaded ... command /interface bridge port print shows the status ... any HW-offloaded port should have a 'H' shown in status column between serial number and port name.

It's possible that it can work without bridge filters. My idea was to make it safe, i.e. keep your LAN completely separated from ISP's device (except for IPv6, of course), as is with regular router. So even if for example ISP's device had own DHCPv4 server, it would not conflict with yours. Or if ISP wanted to connect to any of your LAN devices, they couldn't (I don't know why they would want to, but in theory...).

If none of this is a problem, you can remove all filters, just make one big bridge with all ports (which should give you hardware switching for sure) and use that.

And yes, bridge filters and IP firewall filters are two completely different things. They can both block packets, but on different level.

Understood, thanks for all the support, Sob! I wouldn't have been able to properly use (and understand) this router if it wasn't for you. I really appreciate all your time and patience.

My guess is that you should keep all 5 ports bridged together (otherwise Sob's magic for separating IPv6 from PPPoE won't work), but just to be sure set hw=no for WAN ether port (that's in /interface bridge port) ... my non-educated guess is that this should be enough to reconfigure your hEX S according to top block diagram. Set hw=yes on the rest of ether ports if they aren't already.

Just curious, what is the rationale behind setting hw to false for the wan port? I believe HW offload is something you don't want to lose...

To make bridge filters work it's necessary to force traffic through SW bridge (a.k.a CPU). Sob's idea (and I agree with it) requires that WAN traffic should be subject to bridge filters, hence need to pass through CPU. The rest of traffic (that is traffic between LAN ports) can safely evade bridge filters so it can be left to HW to deal with it.

You can actually check if any of ports is HW offloaded ... command /interface bridge port print shows the status ... any HW-offloaded port should have a 'H' shown in status column between serial number and port name.

I see, thanks for the clarification!
I couldn't see any difference with simple speed tests when I disabled HW offload for the WAN port (both with or without bridge filters) though.

In your case, HW offload can possibly do anything only for IPv6, because that's bridged/switched. IPv4 has PPPoE as WAN, so it's regular routing. In case it's slow, you can try fasttrack, it can speed things up, but I have zero experience with that.

One more thing, with IPv6 bridged, all your devices with IPv6 addresses are accessible from anywhere. I don't see any problem with that, being accessible is the idea behing public adresses. But usually there's firewall on router that blocks new incoming connections, which you don't have now. Still no big deal, since all devices should have own firewalls. So just be aware of that and make sure your devices are configured correctly and don't open dangerous port to whole world. Alternatively it would be possible to enable bridge IP firewall, but it would interfere even with IPv4 traffic between LAN ports.

In your case, HW offload can possibly do anything only for IPv6, because that's bridged/switched. IPv4 has PPPoE as WAN, so it's regular routing. In case it's slow, you can try fasttrack, it can speed things up, but I have zero experience with that.

One more thing, with IPv6 bridged, all your devices with IPv6 addresses are accessible from anywhere. I don't see any problem with that, being accessible is the idea behing public adresses. But usually there's firewall on router that blocks new incoming connections, which you don't have now. Still no big deal, since all devices should have own firewalls. So just be aware of that and make sure your devices are configured correctly and don't open dangerous port to whole world. Alternatively it would be possible to enable bridge IP firewall, but it would interfere even with IPv4 traffic between LAN ports.

Thanks. Sorry, not really sure if I understand... In the configuration you provided I can see some basic firewall rules for the bridge, does it mean that these rules only apply to IPv4 and not to IPv6?

Also, is there any big difference between these rules and the ones you could find in most consumer routers? I do have one automation server accessible from the internet with https, and one openvpn server for which I can set up firewalls though. Do you recommend any other rules for home usage in this bridge setup?