
 
gudvinr

Global IPv6 prefix not delegated to clients

Sat Aug 31, 2019 6:18 pm

Hello.

I have a MikroTik hAP ac² (ROS 6.45.3), and my ISP provides a dynamic /56 IPv6 prefix to end users (I can tell it is dynamic because it changes when I manually renew the address).
I guess they use plain DHCP to establish the WAN connection, since it requires zero setup. The IPv4 address they provide is behind NAT, which is not unusual.

My older OpenWRT router successfully gives me addresses both from the link-local pool fe80::/16 and from the ISP's global prefix, somewhere in 2000::/3.
The hAP at first just ignored the global prefix but did send me a link-local address. After that I manually configured ND, and it started to push a global address instead. After a while I tried to add a link-local pool manually, but now all of the devices connected to the hAP have only a link-local address.

So, how should I configure working IPv6 with both global and link-local addresses available, with as few hardcoded settings as possible?

Here's the output of /ipv6 export, which you will probably ask for anyway. The IPv6 firewall rules are pretty much the defaults.
# DHCPv6 server on the LAN bridge. It draws from pool "dhcp6-lan", which this
# export defines as the static fe80::/16 pool below, not from "dhcp6-pd", the
# pool the DHCPv6 client fills with the ISP-delegated prefix.
/ipv6 dhcp-server
add address-pool=dhcp6-lan dhcp-option="" disabled=no interface=bridge lease-time=23h59m59s name=dhcp6-lan preference=255 rapid-commit=yes route-distance=1 use-radius=no

# Static pool handing out /64 blocks from fe80::/16.
# NOTE(review): the link-local range is fe80::/10 (RFC 4291) and every host
# derives its own link-local address on each interface; a pool is not needed
# for that, and handing fe80:: prefixes out through the server above does not
# give clients a routable prefix.
/ipv6 pool
add name=dhcp6-lan prefix=fe80::/16 prefix-length=64

# DHCPv6 client on ether1, requesting both an address and a delegated prefix.
# The delegated prefix is stored in pool "dhcp6-pd" and split into /64s.
# use-peer-dns=no: DNS servers offered by the ISP are ignored.
# NOTE(review): nothing in this export consumes "dhcp6-pd" (no /ipv6 address
# section is shown), so no global /64 ends up on bridge for ND to advertise.
# An /ipv6 address entry on bridge with from-pool=dhcp6-pd and advertise=yes
# is the usual way to do that -- confirm with "/ipv6 address print".
/ipv6 dhcp-client
add add-default-route=yes default-route-distance=1 dhcp-options="" disabled=no interface=ether1 pool-name=dhcp6-pd pool-prefix-length=64 prefix-hint=::/0 request=address,prefix use-peer-dns=no

# DHCPv6 relay on bridge, forwarding client requests to ::%ether1. It shares
# the name "dhcp6-pd" with the client's pool but is a separate object.
# NOTE(review): a relay and a server are both enabled on interface=bridge;
# presumably only one of them is intended -- confirm. Relaying LAN requests
# out of ether1 also exposes LAN client identifiers (DUIDs) to the upstream.
/ipv6 dhcp-relay
add delay-threshold=none dhcp-server=::%ether1 disabled=no interface=bridge link-address=:: name=dhcp6-pd

# Static (dynamic=no) address list "bad_ipv6": special-purpose and deprecated
# prefixes that should not appear as source or destination of routed traffic.
# In this export only the two forward-chain drop rules (src-address-list and
# dst-address-list) reference the list; the input chain does not use it.
# Link-local (fe80::/10) is not in the list.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" disabled=no dynamic=no list=bad_ipv6
add address=::1/128 comment="defconf: lo" disabled=no dynamic=no list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" disabled=no dynamic=no list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" disabled=no dynamic=no list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" disabled=no dynamic=no list=bad_ipv6
add address=100::/64 comment="defconf: discard only " disabled=no dynamic=no list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" disabled=no dynamic=no list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" disabled=no dynamic=no list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" disabled=no dynamic=no list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" disabled=no dynamic=no list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" disabled=no dynamic=no list=bad_ipv6
add address=::/104 comment="defconf: other" disabled=no dynamic=no list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" disabled=no dynamic=no list=bad_ipv6

# IPv6 filter rules. Rules are evaluated top to bottom and the first match
# decides, so the order below is part of the policy. IPv6 has no NAT in front
# of LAN hosts: once clients hold global addresses, the forward chain is the
# only thing between them and unsolicited inbound traffic.
/ipv6 firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# ICMPv6 is accepted from every interface with no type filter or rate limit;
# neighbor discovery and path-MTU discovery depend on it.
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
# DHCPv6 replies to the client (UDP 546) are accepted only from link-local
# sources; prefix delegation on ether1 depends on this rule.
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
# NOTE(review): IKE, AH and ESP are accepted from any interface, WAN included.
# If the router terminates no IPsec tunnels these four rules are unneeded
# exposure and can be disabled.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Final input drop. It depends on membership of interface list "LAN", which is
# defined under /interface list and not shown in this export -- verify that
# bridge is in LAN and ether1 is not.
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked 
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
# NOTE(review): HIP (protocol 139), IKE, AH and ESP are forwarded in both
# directions, so LAN hosts with global addresses are reachable from outside on
# these protocols. Disable the rules that are not needed.
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Final forward drop: new connections not entering via list "LAN" are dropped.
# Same dependency on the LAN interface list as the input chain.
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

# Neighbor discovery / router advertisement (RA) settings.
# NOTE(review): the default ND entry is bound to interface=ether1 and enabled.
# ether1 is the interface the DHCPv6 client runs on, so presumably the ISP
# uplink; sending RAs toward the upstream network is normally unwanted.
# Confirm, and disable the entry or bind it elsewhere if so.
/ipv6 nd
set [ find default=yes ] advertise-dns=no advertise-mac-address=yes disabled=no hop-limit=unspecified interface=ether1 managed-address-configuration=no mtu=unspecified other-configuration=no ra-delay=3s ra-interval=3m20s-10m \
    ra-lifetime=30m reachable-time=unspecified retransmit-interval=unspecified
# LAN-side entry on bridge. managed-address-configuration=no and
# other-configuration=no mean the RAs do not direct clients to DHCPv6, so
# clients rely on SLAAC from advertised prefixes; advertise-dns=yes adds DNS
# servers to the RA.
add advertise-dns=yes advertise-mac-address=yes disabled=no hop-limit=unspecified interface=bridge managed-address-configuration=no mtu=unspecified other-configuration=no ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m \
    reachable-time=unspecified retransmit-interval=unspecified

# Defaults for advertised prefixes: autonomous=yes (usable for SLAAC),
# preferred lifetime 1 week, valid lifetime 4 weeks 2 days.
# NOTE(review): the post says the ISP prefix changes on renew; with lifetimes
# this long, clients may keep addresses from a stale prefix -- consider
# shorter values.
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d

# Global IPv6 settings. forward=yes makes the box a router; with the
# "yes-if-forwarding-disabled" values this presumably means the router itself
# ignores received RAs and ICMPv6 redirects -- confirm. The default route then
# comes from the DHCPv6 client (add-default-route=yes), not from an upstream RA.
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes-if-forwarding-disabled forward=yes max-neighbor-entries=8192
