Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

DHCPv6 from cable co. now what

Wed Dec 04, 2013 3:05 am

So I have my DHCPv6 client getting a set of addresses from the cable co. It sets up a pool. The DHCPv6 server is set to the pool... Firewall is all open...

Clients don't get IPv6 addresses.

I'm an IPv6 noob. What else do I need to do? I must need to advertise my cable co provided pool but I don't have that option..
 
biomesh
Long time Member
Posts: 563
Joined: Fri Feb 10, 2012 8:25 pm

Re: DHCPv6 from cable co. now what

Wed Dec 04, 2013 6:32 am

Try something like

/ipv6 dhcp-client
add add-default-route=yes interface=external pool-name=ipv6_pool 
/ipv6 firewall filter
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input dst-port=546 in-interface=external protocol=udp src-port=547
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new in-interface=external
add chain=forward protocol=icmpv6
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward connection-state=new in-interface=!external
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-state=new in-interface=external
/ipv6 nd
set [ find default=yes ] disabled=yes
add advertise-dns=yes interface=internal mtu=1480 other-configuration=yes \
    ra-delay=5s ra-interval=5s-30s
/ipv6 nd prefix default
set preferred-lifetime=4h valid-lifetime=4h

:local ipv6curaddress [/ipv6 address get [/ipv6 address find global =yes] address ]
:local ipv6newaddr {[:pick  [:tostr [/ipv6 dhcp-client get [/ipv6 dhcp-client find interface =external] prefix]] 0 [:find [:tostr [/ipv6 dhcp-client get [/ipv6 dhcp-client find interface =external] prefix]] "/64" ]] . "1/64"}
:if ( $ipv6curaddress = $ipv6newaddr ) do={ :log info "IPv6 prefix not updated."; } else={ :log info "IPv6 prefix updated. Changing IPv6 address."; /ipv6 address set address=$ipv6newaddr numbers=[/ipv6 address find global =yes]; }

This will use a DHCP client, set up some firewall rules, set up prefix delegation inside your network, and will assign an address to your internal interface.

The last few lines can be saved as a script to be run on a regular basis.

You really won't use the IPv6 DHCP server in most cases and so the pool will not be used either.

 
ranpha
Frequent Visitor
Posts: 62
Joined: Mon Jan 09, 2012 3:16 am

Re: DHCPv6 from cable co. now what

Wed Dec 04, 2013 7:44 am

> So I have my DHCPv6 client getting a set of addresses from the cable co. It sets up a pool. The DHCPv6 server is set to the pool... Firewall is all open...
>
> Clients don't get IPv6 addresses.
>
> I'm an IPv6 noob. What else do I need to do? I must need to advertise my cable co provided pool but I don't have that option..

Advertise it at /ipv6 address, preferably on the interface where your DHCPv4 server is running. Oh, and do not forget the firewall rules in the post above.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: DHCPv6 from cable co. now what

Wed Dec 04, 2013 8:53 am

biomesh, why not use the from-pool feature to set up the IPv6 address?
 
biomesh
Long time Member
Posts: 563
Joined: Fri Feb 10, 2012 8:25 pm

Re: DHCPv6 from cable co. now what

Wed Dec 04, 2013 4:08 pm

It was for personal preference, (to use a ::1/64 address as the router address) but I found that if I did use the from-pool option and removed that address, it also removed the pool. This is not good since it was a /60 pool handing out /64 prefixes.

I will stick with my setup for now. I am running ROS version 6.7 also.
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: DHCPv6 from cable co. now what

Wed Dec 04, 2013 5:42 pm

Biomesh, nice, thanks! Well at least I don't feel so noob after all.

It might be good to massage this into something for the wiki. Lots of people, home users, now have access to native IPv6 DHCP via their ISP. I'm working at a client's in LA and Time Warner cable is doing DHCPv6.

Thanks again for a well thought out solution.
 
biomesh
Long time Member
Posts: 563
Joined: Fri Feb 10, 2012 8:25 pm

Re: DHCPv6 from cable co. now what

Wed Dec 04, 2013 6:09 pm

If you have Comcast (or another provider that supports prefixes larger than a /64) then you can add the prefix-hint option to the /ipv6 dhcp-client command like:
/ipv6 dhcp-client
add add-default-route=yes interface=external pool-name=ipv6_pool prefix-hint=::/60
This option was added in ROS 6.5 and currently is command line only.
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: DHCPv6 from cable co. now what

Wed Dec 04, 2013 6:43 pm

Hmmmm.....

Again I may be missing something here.. I changed the above to be my correct interfaces and pasted in.. All looks OK.. Ran the script. It says "IPv6 prefix updated, ching prefix" and I still don't get anything on the client side. I also noticed that none of the rules got any bytes.

If I put an accept for input/output/forward those see bytes.

It gets a /64 from the ISP. Creates a pool..

I'm using OS 6.6 and for testing I'm using a Win 7 machine.
/ipv6 dhcp-client
add add-default-route=yes interface=ether1-gateway pool-name=ipv6_pool
/ipv6 firewall filter
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input dst-port=546 in-interface=ether1-gateway protocol=udp src-port=547
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new in-interface=ether1-gateway
add chain=forward protocol=icmpv6
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward connection-state=new in-interface=!ether1-gateway
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-state=new in-interface=ether1-gateway
/ipv6 nd
set [ find default=yes ] disabled=yes
add advertise-dns=yes interface=bridge-local mtu=1480 other-configuration=yes \
    ra-delay=5s ra-interval=5s-30s
/ipv6 nd prefix default
set preferred-lifetime=4h valid-lifetime=4h

:local ipv6curaddress [/ipv6 address get [/ipv6 address find global =yes] address ]
:local ipv6newaddr {[:pick  [:tostr [/ipv6 dhcp-client get [/ipv6 dhcp-client find interface =ether1=gateway] prefix]] 0 [:find [:tostr [/ipv6 dhcp-client get [/ipv6 dhcp-client find interface =ether1-gateway] prefix]] "/64" ]] . "1/64"}
:if ( $ipv6curaddress = $ipv6newaddr ) do={ :log info "IPv6 prefix not updated."; } else={ :log info "IPv6 prefix updated. Changing IPv6 address."; /ipv6 address set address=$ipv6newaddr numbers=[/ipv6 address find global =yes]; }
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: DHCPv6 from cable co. now what

Wed Dec 04, 2013 6:52 pm

An export of ipv6

The first 3 rules in the firewall I just added to allow anything for testing.
# dec/04/2013 08:51:00 by RouterOS 6.6
# software id = 6ATR-3FLU
#
/ipv6 dhcp-client
add add-default-route=yes interface=ether1-gateway pool-name=ipv6_pool
/ipv6 firewall filter
add chain=forward
add chain=input
add chain=output
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input dst-port=546 in-interface=ether1-gateway protocol=udp \
src-port=547
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new in-interface=ether1-gateway
add chain=forward protocol=icmpv6
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward connection-state=new in-interface=!ether1-gateway
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-state=new in-interface=\
ether1-gateway
/ipv6 nd
set [ find default=yes ] disabled=yes
add advertise-dns=yes interface=bridge-local mtu=1480 other-configuration=yes \
ra-delay=5s ra-interval=5s-30s
/ipv6 nd prefix default
set preferred-lifetime=4h valid-lifetime=4h
 
biomesh
Long time Member
Posts: 563
Joined: Fri Feb 10, 2012 8:25 pm

Re: DHCPv6 from cable co. now what

Wed Dec 04, 2013 7:11 pm

Try this first (adjust the interface to match your internal interface name)
/ipv6 address add from-pool=ipv6_pool interface=ether2 advertise=yes
This is using the method Janisk mentioned.
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: DHCPv6 from cable co. now what

Wed Dec 04, 2013 7:20 pm

Yep that worked..

But I liked your method and I like why you decided to use it.
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: DHCPv6 from cable co. now what

Wed Dec 04, 2013 7:23 pm

Whoops.. No DNS server.. Almost worked..
 
biomesh
Long time Member
Posts: 563
Joined: Fri Feb 10, 2012 8:25 pm

Re: DHCPv6 from cable co. now what

Wed Dec 04, 2013 7:39 pm

My script should work - it works on a few devices I have here.

As for DNS, you can set the option
use-peer-dns=yes
on the dhcp-client command.
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: DHCPv6 from cable co. now what

Wed Dec 04, 2013 8:34 pm

Of course thank you for your effort on this :)

Yea, use peer DNS is default on the client. I played with it all again, still not handing out DNS. So does that mean the ISP is not handing out an IPv6 DNS server IP? The DHCPv6 client does not seem to have a status that shows if it got DNS from the ISP..

But clients get gateway and an address, just no DNS server.

Export of ipv6
# dec/04/2013 10:25:16 by RouterOS 6.6
# software id = 6ATR-3FLU
#
/ipv6 address
add address=2605:e000:1412:15e:: from-pool=ipv6_pool interface=bridge-local
/ipv6 dhcp-client
add add-default-route=yes interface=ether1-gateway pool-name=ipv6_pool
/ipv6 firewall filter
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input dst-port=546 in-interface=ether1-gateway protocol=udp \
    src-port=547
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new in-interface=ether1-gateway
add chain=forward protocol=icmpv6
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward connection-state=new in-interface=!ether1-gateway
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-state=new in-interface=\
    ether1-gateway
/ipv6 nd
set [ find default=yes ] disabled=yes
add advertise-dns=yes interface=bridge-local mtu=1480 other-configuration=yes \
    ra-delay=5s ra-interval=5s-30s
/ipv6 nd prefix default
set preferred-lifetime=4h valid-lifetime=4h
 
biomesh
Long time Member
Posts: 563
Joined: Fri Feb 10, 2012 8:25 pm

Re: DHCPv6 from cable co. now what

Wed Dec 04, 2013 8:54 pm

> Of course thank you for your effort on this :)
>
> Yea, use peer DNS is default on the client. I played with it all again, still not handing out DNS. So does that mean the ISP is not handing out an IPv6 DNS server IP? The DHCPv6 client does not seem to have a status that shows if it got DNS from the ISP..
>
> But clients get gateway and an address, just no DNS server.

Most likely the DNS server is not being provided. The only way to tell 100% is to get a packet trace from the IPv6 DHCP request.
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: DHCPv6 from cable co. now what

Wed Dec 04, 2013 9:37 pm

Hmmm... That sounds annoying to do. Well OK, not that hard, but still. There should be a way to see the status of what DHCPv6 is pulling from the ISP.

So I plugged the Win 7 machine into the modem directly..

ipconfig

[Image]

and then into the router

[Image]

I also tried just putting the Google IPv6 DNS directly into the network settings on the Win 7 machine. Still no go..

IPv6 is annoying..

So plugging the Win 7 machine directly into the modem works great. No issues. Can reach IPv6 sites, no issues.

It's entirely possible that Time Warner is doing something weird.. Well this is all good tho as I'm learning IPv6.
 
biomesh
Long time Member
Posts: 563
Joined: Fri Feb 10, 2012 8:25 pm

Re: DHCPv6 from cable co. now what

Wed Dec 04, 2013 10:13 pm

Have you tried a ping -6 ipv6.Google.com to see if that works?
You don't have to have a DNS server on IPv6 to actually resolve AAAA records.
Disable your firewall rules temporarily to see if things start to work then.

 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: DHCPv6 from cable co. now what

Wed Dec 04, 2013 10:50 pm

> Have you tried a ping -6 ipv6.Google.com to see if that works?

hehehe.. I do feel like a noob...

It did look it up properly. So that's not the issue apparently. 2607:f8b0:4003:c03::93

But then dest not reachable. With firewall rules in/out/fwd set to accept.

HMmMMmMmmm....

Yea the router shows unreachable gateway.. Well that explains it.. But hmmmm... It should be you would think...

OK well it's a test config and it's on a temp IP so I created a login that's read only if anyone wants to look.. Winbox.. I will of course be discarding the IP shortly but it's up for now and can be accessed from outside.

172.251.43.192 user readonly pass readonly..

Yes admins, I will delete this info after a day or so from this post. Yes I realize it's exposing the router, it's OK..
 
biomesh
Long time Member
Posts: 563
Joined: Fri Feb 10, 2012 8:25 pm

Re: DHCPv6 from cable co. now what

Thu Dec 05, 2013 12:49 am

Looking at your router - the default gateway is unreachable.

Not sure if there is anything you can do - Comcast will provide a /60-/64 prefix as well as a /128 for the external WAN interface. It could be that your provider is doing something different than Comcast.
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: DHCPv6 from cable co. now what

Thu Dec 05, 2013 1:24 am

Yea weird.. Weird that a client on Win 7 can get allocated but not the router. They are getting really different addresses you can see from my screen shots from ipconfig.. Weird..

Yea.. I will do some research on Time Warner doing IPv6 and see what I can find out..

I REALLY appreciate your assistance and your taking the time to connect to the router :)

I will research more..

I suppose I should put in 6.7 just to be on the safe side.
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: DHCPv6 from cable co. now what

Thu Dec 05, 2013 2:44 am

Hmmm this does not seem that hard.. Have DHCPv6 get the pool, put the pool in the pool and then use ND to advertize the pool.

My earlier attempts messed up something so I cleared everything and started again. So my gateway is reachable and things look fine now..

But nothing. This seems to work as I am getting addresses assigned. The clients get addresses and gateway info. No problem. If I do a ping -6 ipv6.google.com the client looks up the Google IPv6 address. But I can't get to anything. No IPv6 site.. Sorta like firewall rules are blocking it. BUT the ONLY rules now are all accept.

I see some traffic on those rules.

If I plug the client directly into the modem, it gets addresses and works perfectly, fully IPv6. Just not thru the router.

Like there is some disconnect internally.

My LAN side is a bridge? Does that matter?

My router should still be available via the above link if anyone wants to look... It's perplexing.. I think I sorta understand what's going on and I see how we are getting the pool from the ISP and advertizing it and my clients get the addresses, I don't understand why I don't get any data thru it. My routes show reachable..
 
cwachs
Frequent Visitor
Posts: 84
Joined: Tue Apr 29, 2014 5:55 am

Re: DHCPv6 from cable co. now what

Fri Sep 26, 2014 6:52 pm

This has been the most helpful post so far but I'm still failing the IPv6 tests. I am connected to Comcast and I pass the tests if I hook my Mac directly to the modem. When I'm connected to the router, I get an IPv6 address on my computer but I fail IPv6 tests.

I'm fairly certain I have done something wrong or missed a step. My IPv6 code is below. I am using Ethernet-5 as my WAN port.
# sep/26/2014 09:48:17 by RouterOS 6.19
# software id = NXY9-ILQF
#
/ipv6 address
add from-pool=Comcast interface=ether2-master-WachsNet
/ipv6 dhcp-client
add add-default-route=yes comment=Comcast interface="ether5-WAN Comcast" \
    pool-name=Comcast
/ipv6 firewall filter
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input dst-port=547 in-interface="ether5-WAN Comcast" protocol=udp \
    src-port=547
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new in-interface=\
    "ether5-WAN Comcast"
add chain=forward protocol=icmpv6
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward connection-state=new in-interface="!ether5-WAN Comcast"
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-state=new in-interface=\
    "ether5-WAN Comcast"
/ipv6 nd
set [ find default=yes ] disabled=yes
add advertise-dns=yes interface=ether2-master-WachsNet mtu=1480 \
    other-configuration=yes ra-delay=5s ra-interval=5s-30s ra-lifetime=none
/ipv6 route
add distance=1 gateway="ether5-WAN Comcast"
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: DHCPv6 from cable co. now what

Tue Sep 30, 2014 3:15 pm

Try to set up a firewall rule to accept MLD packets too, as multicast is a serious part of IPv6 internal auto-management.
 
cwachs
Frequent Visitor
Posts: 84
Joined: Tue Apr 29, 2014 5:55 am

Re: DHCPv6 from cable co. now what

Sun Nov 16, 2014 11:59 pm

After a few weeks of working on getting IPv6 working, I'm still not up despite other success stories.

ISP: Comcast in Colorado.

I am doing the following steps with ROS 6.2:
/ipv6 dhcp-client
add add-default-route=yes interface=ether1-WAN pool-name=IPv6 use-peer-dns=yes
It binds and shows a prefix consistent with Comcast's IPs. Then I modify ND:
/ipv6 nd
set [ find default=yes ] disabled=yes
add advertise-dns=yes hop-limit=64 interface=ether2-master-WachsNet other-configuration=yes
/ipv6 nd prefix default
set preferred-lifetime=4h valid-lifetime=4h
Then I set the firewall filter rules:
/ipv6 firewall filter
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input dst-port=546 in-interface=ether1-WAN protocol=udp src-port=547
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new in-interface=ether1-WAN
add chain=forward protocol=icmpv6
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward connection-state=new in-interface=!ether1-WAN
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-state=new in-interface=ether1-WAN
Lastly:
/ipv6 address
add address=::/64 from-pool=IPv6 interface=ether2-master-WachsNet
When I print my routes:
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable 
 #      DST-ADDRESS              GATEWAY                  DISTANCE
 0  DS  ::/0                     fe80::201:5cff:fe65:5...        1
 1 ADC  2601:1:9700:16ea::/64    ether2-master-WachsNet          0
 2  DSU 2601:1:9700:16ea::/64                                    1
Two of those are unreachable. If I try to add a static route (below), it is also unreachable:
add distance=1 gateway=ether1-WAN

#      DST-ADDRESS              GATEWAY                  DISTANCE
 0  DS  ::/0                     fe80::201:5cff:fe65:5...        1
 1   S  ::/0                     ether1-WAN                      1
 2 ADC  2601:1:9700:16ea::/64    ether2-master-WachsNet          0
 3  DSU 2601:1:9700:16ea::/64                                    1
I'm doing my best to educate myself on IPv6 but am clearly missing a key point...
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: DHCPv6 from cable co. now what

Fri Nov 21, 2014 4:29 pm

IPv6 works completely differently compared to IPv4, and you cannot just go and drop all the incoming stuff on your WAN interface. Or else nothing will work, as you need MLD working for IPv6 to function properly. Via MLD, IPv6 is negotiating stuff with neighbors, list statuses, neighbour statuses etc.

And as a bonus - you do not need ARP anymore ;)
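
Added example (not from any poster in this thread, and not MikroTik code): a Python first-match check of an /ipv6 firewall filter export against three packets arriving on the WAN port, covering the DHCPv6 client rule that appears in this thread with both dst-port=546 and dst-port=547, and the WAN drop rules discussed above. The sample export is constructed in the style of the exports posted here; the probe names, the treatment of every probe as connection-state=new, and the handling of only the matchers listed in MODELLED are assumptions of the example.

```python
import shlex

# Constructed sample modelled on the exports in this thread: quoted interface
# name, "\" continuation lines, and dst-port=547 in the DHCPv6 client rule.
SAMPLE_EXPORT = r'''
/ipv6 firewall filter
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input dst-port=547 in-interface="ether5-WAN Comcast" protocol=udp \
    src-port=547
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new in-interface=\
    "ether5-WAN Comcast"
add chain=forward protocol=icmpv6
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward connection-state=new in-interface="!ether5-WAN Comcast"
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-state=new in-interface=\
    "ether5-WAN Comcast"
'''
MODELLED = {"chain", "in-interface", "protocol", "dst-port", "src-port", "connection-state"}

def parse_filter_rules(export):
    """Return the 'add' rules under '/ipv6 firewall filter' as dicts, in order."""
    rules, menu, pending = [], "", ""
    for raw in export.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # export wraps long lines with a trailing "\"
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            menu = line
        elif menu == "/ipv6 firewall filter" and line.startswith("add "):
            tokens = shlex.split(line)[1:]   # shlex strips the quotes around names
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules

def _matches(key, want, packet):
    if key not in MODELLED:              # matcher not modelled here: rule is skipped
        return False
    negate = want.startswith("!")        # e.g. in-interface=!external
    return (packet.get(key) == want.lstrip("!")) != negate

def verdict(rules, packet):
    """First matching rule wins; no action= means accept, as does end of chain."""
    for rule in rules:
        conds = {k: v for k, v in rule.items() if k not in ("action", "comment")}
        if all(_matches(k, v, packet) for k, v in conds.items()):
            return rule.get("action", "accept")
    return "accept"

def audit(export, wan):
    """Verdicts for three first packets arriving on the WAN interface.
    Assumption of this example: each is classified connection-state=new."""
    rules = parse_filter_rules(export)
    new_in = {"in-interface": wan, "connection-state": "new"}
    return {
        "dhcpv6_reply": verdict(rules, {**new_in, "chain": "input",
            "protocol": "udp", "src-port": "547", "dst-port": "546"}),
        "icmpv6_to_router": verdict(rules, {**new_in, "chain": "input",
            "protocol": "icmpv6"}),
        "inbound_tcp_to_lan": verdict(rules, {**new_in, "chain": "forward",
            "protocol": "tcp", "dst-port": "22"}),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT, "ether5-WAN Comcast"))
```

With the constructed sample the DHCPv6 reply (UDP 547 to 546) is dropped; changing the rule to dst-port=546, the value used in the other posts, makes it accepted, while a leading accept-all forward rule of the kind added for testing lets new inbound TCP through to LAN hosts.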
 
cwachs
Frequent Visitor
Posts: 84
Joined: Tue Apr 29, 2014 5:55 am

Re: DHCPv6 from cable co. now what

Thu Oct 01, 2015 5:21 am

I've been playing off and on with IPv6 on my router for about a year. I have also swapped out my Mikrotik with a Ubiquiti EdgeRouter for a while while I was testing it. I am able to get IPv6 working fine with the Ubiquiti router, as well as computers hooked directly to the Comcast modem. So, it seems to be an issue in the way I am configuring the Mikrotik but I can't figure out why.

I am running RouterOS 6.32.2 with Comcast in Denver (which hands out a ::/64 as best as I can tell). Ether1 is my WAN port and ether2 is my LAN port.

I enable IPv6 and go to IPv6/client:
add add-default-route=yes interface=ether1-WAN pool-name=IPv6
This sets up the pool and I see it bind to a Comcast range. So far so good.

I then go to ND and enter:
set [ find default=yes ] disabled=yes
add advertise-dns=yes advertise-mac-address=no hop-limit=64 interface=\
    ether2-master-WachsNet mtu=1480 other-configuration=yes ra-delay=5s \
    ra-interval=5s-30s ra-lifetime=none
/ipv6 nd prefix default
set autonomous=no preferred-lifetime=4h valid-lifetime=4h
Last step is the IPv6 firewall:
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input dst-port=546 in-interface=ether1-WAN protocol=udp \
    src-port=547
add chain=input in-interface=ether1-WAN protocol=icmpv6
add action=drop chain=input in-interface=ether1-WAN
add chain=forward connection-state=established
add chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
At this point, I have rebooted the router, rebooted the Comcast modem - nothing ever works. My clients do not receive IPv6 addresses but I feel like they should. Disabling all the firewall rules has no effect. I have done this exact same procedure on another Mikrotik hooked to another Comcast modem in another state and it works. However, other routers hooked to this location in Colorado work fine so I tend to rule out a Comcast issue.

Anything obvious?
