MasterJames
just joined
Topic Author
Posts: 22
Joined: Tue Mar 05, 2019 3:52 am
Location: Canada

DHCPv6 Prefix Request Response not happening. How to Trace Debug?

Tue Mar 05, 2019 10:41 am

I have been trying to get a MikroTik router (CRS109-8G-1S-2HnD (mipsbe), RouterOS 6.43.8) to pick up a DHCPv6 Prefix from the provider, with their (Telus) modem set to bypass directly all control to this MikroTik router.
[It's been working great although it was hacked last year with the Socks turned out and Proxy mode enabled the warning of that was NetFlix was blocked.]

So I could easily do all the settings for the correct setup (although complicated and likely not perfected) it should be sufficient to initially (first step) get a Prefix via DHCPv6 Client.

Alright so I just was trying to use the Tools Packet Sniffer to listen to the traffic regarding ports 546 and 547

only-headers: no
memory-limit: 150KiB
memory-scroll: yes
file-limit: 1000KiB
streaming-enabled: no
streaming-server: 0.0.0.0
filter-stream: no
filter-port: 546,547
filter-direction: any
filter-operator-between-entries: or
running: yes

I do see the request going out also via the IPv6 Firewall rules with logging.
to accept input (port:547) and output (port:546) with protocol 17 (UDP)
It probes stuck "Searching" with entries like this ...
7 132.293 ether1 fe80::6e3b:6bff:fe8e:143e:546 ff02::1:2:547 udp 112 0 no

going to 547 from the local address to ff02::1:2 an expected broadcast location.

Note: I don't really wanna shut down the entire network, have the provider switch the modem on and test how it's working from there and what numbers it gets and at least troubleshoot with them what they support, but I'm sure it will work fine, so it's some kind of non-standard setup I guess.

The forums for the provider are basically old but say they only provide PD Prefix Discovery so I've only enabled that for now.

/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=v6_pool1 request=prefix

/ipv6 pool
add name=v6_pool1 prefix-length=62

ether1 has the outside IPv4 from the provider.

Anyway, normally one might use telnet (tcpdump?) to connect to a server and check there is something to talk to etc. I am uncertain how to be sure there is something listening to my DHCPv6 Client PD Requests.

Nothing is being logged incoming for the expected port. Most machines are Windows and I don't really have other Unix to test from either.

How can I prove to the Provider (Telus) they are not providing what they should to allow proper connection via IPv6 to this MikroTik system?
I've tried to call them a couple of times looking at this not critical but desired feature and I get essentially no help, not supported, call your Modem people?!

I think the dumb question is: are you listening on ff02::1:2:547? 'Cause nothing's being sent? My guess is they reject the request for some reason like it's not one of their (Actiontec) routers.
I'm hopeful I could get a real technical person on the line one day, but it would be great to have a proof of incompetency etc.
That's why I'm wondering how one would properly debug this issue at this stage?
Last edited by MasterJames on Tue Mar 05, 2019 11:37 am, edited 1 time in total.
 
MasterJames

Re: DHCPv6 Prefix Request Response not happening. How to Trace Debug?

Tue Mar 05, 2019 11:15 am

I've tried Pinging ff02::1:2 on the interface.
If ARP ( Address Resolution Protocol ) Ping is selected it says "arp ping supports only IPv4" in Status
Without the (No ARP) Regular Ping has timeouts.

The ARP Pings are not logged.

This is a default firewallv6 rule set I had derived from official sources (default configuration aka defconf) mostly.
Alas I've added four at the top to essentially allow/accept all out and in, plus ones for also logging the DHCP ports specifically [to help debug the problem and make sure nothing is blocking on the firewall side].
/ipv6 firewall filter
add action=accept chain=output comment="Testing IPV6 but can't get DHCPv6 Client to connect" log=yes log-prefix=FirewallIPV6-OUT
add action=accept chain=input log=yes log-prefix=FirwallIPv6-IN
add action=accept chain=input comment="For DHCPv6 Server In" dst-port=547 log=yes log-prefix=DHCPv6-IN protocol=udp
add action=accept chain=output comment="For DHCPv6 Client Out" dst-port=546 log=yes log-prefix=DHCPv6-OUT protocol=udp
add action=accept chain=input comment="DHCPv6 server reply" disabled=yes port=547 protocol=udp src-address=fe80::/10
add action=drop chain=input comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked log-prefix=IPV6_acceptIn
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
 
MasterJames

Re: DHCPv6 Prefix Request Response not happening. How to Trace Debug?

Tue Mar 05, 2019 12:41 pm

Looking at this documentation
https://wiki.mikrotik.com/wiki/Manual:T ... et_Sniffer

It is showing the v6 version for filter-ip-protocol like icmpv6 and my GUI doesn't seem to have them in the dropdown, which has me wondering what's going on there?
icmp - internet control message protocol
icmpv6 - internet control message protocol v6
Maybe it's just not in the dropdown and that's a bug, or the documentation is old and the concepts are unified?

Oh wait, this is available as Protocol 58 in the General Tab of the Firewall. I was looking in the Packet Sniffer filter?! That's not there. Maybe that's a bug in the V6 Plugin?

Downloading and Installing 6.44 now...
Okay seems like that makes no difference to anything said here.

I've deleted the pool
/ipv6 pool
add name=v6_pool1 prefix-length=62
since the new version update note says it's no longer needed so I thought it might be better default (or is that one above with 62 good/same)?

Well if I try to add it back in I get a prefix prompt ?
[admin@MikroTik] > /ipv6 pool
[admin@MikroTik] /ipv6 pool> add name=v6_pool1 prefix-length=62
prefix: 
Script Error: action cancelled
Something's missing/buggy in the export there. It should export ::/0 or something, like the add should assume a default prefix when missing.
 
proximus
Member Candidate
Posts: 113
Joined: Tue Oct 04, 2011 1:46 pm

Re: DHCPv6 Prefix Request Response not happening. How to Trace Debug?

Tue Mar 05, 2019 2:20 pm

Do not configure anything under "/ipv6 pool" ... only set the pool name in the "/ipv6 dhcp-client" configuration.
 
nostromog
Member Candidate
Posts: 175
Joined: Wed Jul 18, 2018 3:39 pm

Re: DHCPv6 Prefix Request Response not happening. How to Trace Debug?

Tue Mar 05, 2019 8:16 pm

This worked for my provider:
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=mypool \
    pool-prefix-length=60 request=prefix
And the dhcp client will create a dynamic /ipv6 pool that will deliver /60 networks.
ether1 is the connection to my provider.

I also address my local network with:
/ipv6 address
  add address=::1 from-pool=mypool interface=bridge
  add address=::1 from-pool=otherpool interface=hotspot
which gives:
[admin@Mikrotik] > /ipv6 dhcp-client  print 
Flags: D - dynamic, X - disabled, I - invalid 
 #    INTERFACE            STATUS             REQUEST              PREFIX                                                          
 0    ether1               bound              prefix               my:pre:fix:20::/60, 2d23h42m53s                            
[admin@Mikrotik] > /ipv6 pool print 
Flags: D - dynamic 
 #   NAME                                            PREFIX                                      PREFIX-LENGTH EXPIRES-AFTER       
 0 D mypool                                         my:pre:fix:20::/60                                64 2d23h43m2s          
[admin@Mikrotik] > /ipv6 address print  
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
 #    ADDRESS                                     FROM-POOL INTERFACE                                                     ADVERTISE
 0  G my:pre:fix:21::1/64                            mypool      bridge                                                        yes      
 1  G my:pre:fix:20::1/64                            mypool      hotspot                                                       yes      
With one /64 address, you can address a whole network, I'm splitting my /56
in /60 to be able to give subnetting ability to the vpn connections, or to use them
with VMs, docker, etc. It can be also handy for guests network or if you have a
hotspot, as seen in the example.
Last edited by nostromog on Tue Mar 12, 2019 2:12 am, edited 1 time in total.
 
MasterJames

Re: DHCPv6 Prefix Request Response not happening. How to Trace Debug?

Thu Mar 07, 2019 3:11 am

Thanks for the feedback. So I purged the pool, but the ipv6 address entries are red with a comment saying no pool found, so I manually entered the pool again but with 60 length and it has prefix ::/0
Anyway, dhcpv6 client still says searching...?!

/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=v6_pool1 pool-prefix-length=60 request=prefix

and so the addresses export like so...

/ipv6 address
add address=::1 from-pool=v6_pool1 interface=bridge
add from-pool=v6_pool1 interface=ether1

I guess my firewall rules were okay for testing prefix requests, right?

How do I prove to my provider (telus in BC Canada) they are not listening on ff02::1:2:547 to the requests or responding properly ? It's being logged okay.

in: (unknown 0) out: ether1 proto UDP [fe80::6f2a: .... 12ba]:546->[ff02::1:2]:547, len 58

Note: I can not select and copy text from the log entries in the log output in winbox?!

There is an entry for ICMP type 133 code 0 with a src-mac and I also see a log entry for ICMP type 134, code 0.
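
Added example, not part of any post in this thread: a small Python script that reads firewall log lines in the `[src]:port->[dst]:port` form quoted above and reports whether any DHCPv6 packet came back to client port 546, which is the evidence being asked for here. The sample lines and addresses are constructed, and the function names are this example's own.

```python
import ipaddress
import re

# "[src]:sport->[dst]:dport", the flow notation in the firewall log line quoted above.
FLOW = re.compile(r"\[([0-9A-Fa-f:]+)\]:(\d+)->\[([0-9A-Fa-f:]+)\]:(\d+)")
ALL_DHCP_AGENTS = ipaddress.IPv6Address("ff02::1:2")  # All_DHCP_Relay_Agents_and_Servers
CLIENT_PORT, SERVER_PORT = 546, 547                   # RFC 8415 UDP ports

def classify(line):
    """Label one log line 'solicit-out', 'reply-in', or None (not DHCPv6 / unparsable)."""
    m = FLOW.search(line)
    if not m:
        return None
    try:
        ipaddress.IPv6Address(m.group(1))             # validate the source address
        dst = ipaddress.IPv6Address(m.group(3))
    except ValueError:
        return None
    sport, dport = int(m.group(2)), int(m.group(4))
    # Client -> servers: from port 546 to the multicast group on port 547.
    if sport == CLIENT_PORT and dport == SERVER_PORT and dst == ALL_DHCP_AGENTS:
        return "solicit-out"
    # Server/relay -> client: unicast to the client's link-local address, port 546.
    if dport == CLIENT_PORT and dst.is_link_local:
        return "reply-in"
    return None

def summarize(lines):
    """Count both directions and state what the log does and does not show."""
    counts = {"solicit-out": 0, "reply-in": 0}
    for line in lines:
        kind = classify(line)
        if kind:
            counts[kind] += 1
    if counts["reply-in"]:
        verdict = "server answered"
    elif counts["solicit-out"]:
        verdict = "requests left the router, no reply logged"
    else:
        verdict = "no DHCPv6 traffic logged"
    return counts, verdict

# Constructed sample lines (addresses are made up, not taken from the thread).
SAMPLE_LOG = [
    "in: (unknown 0) out: ether1 proto UDP [fe80::a:1]:546->[ff02::1:2]:547, len 58",
    "in: (unknown 0) out: ether1 proto UDP [fe80::a:1]:546->[ff02::1:2]:547, len 58",
    "in: ether1 out: (unknown 0) proto ICMP (type 134, code 0), fe80::b:1->ff02::1, len 64",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A reply to a DHCPv6 client arrives on the input chain with destination port 546, so a logging rule meant to record it has to match that direction and port.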
 
MasterJames

Re: DHCPv6 Prefix Request Response not happening. How to Trace Debug?

Tue Mar 12, 2019 1:39 am

I've tried adding ND (Network Discovery) Prefix and other stuff from the Manual Docs.
https://wiki.mikrotik.com/wiki/Setting_up_DHCPv6

but this is likely more for running the DHCPv6 Server
0  * interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified 
      ra-lifetime=30m hop-limit=unspecified advertise-mac-address=yes advertise-dns=no managed-address-configuration=no 
      other-configuration=no 

1    interface=ether1 ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified 
      ra-lifetime=30m hop-limit=unspecified advertise-mac-address=yes advertise-dns=yes managed-address-configuration=yes 
      other-configuration=yes 
and the current settings in prefix are:
 0  D prefix=0:0:0:10::/64 interface=ether1 on-link=yes autonomous=yes valid-lifetime=4w2d preferred-lifetime=1w 

 1    prefix=::/64 interface=ether1 on-link=yes autonomous=no valid-lifetime=4w2d preferred-lifetime=1w
Of course nothing works because (I'm guessing after exhausting MikroTik setting possibilities) the provider has hidden the correct location for sending the DHCPv6 Client Requests.
 
MasterJames

Re: DHCPv6 Prefix Request Response not happening. How to Trace Debug?

Tue Mar 12, 2019 2:37 am

Okay, well after a number of months and finally a third call to the provider (TELUS) they have revealed that only static IPs Macs have the ports open to receive the DHCPv6 Client Prefix Request (on broadcast address port 547).
If we upgrade to static biz account for an extra $12/month (in 2019), follow the login only then provided through DHCPv4 via website login to get the static IPv4, then enter the static IPv4 address then that registered MikroTik router's MAC address will no longer be Port Blocked for IPv6 DHCPv6 address prefix requests and so on.

So Yup! The provider was/is blocking it as I suspected but there really is/was no way other than by using the Firewall Logging to see your outgoing requests ONLY and NO incoming response.

Eventually I think we will do this static upgrade. I guess it makes sense since IPv6 is virtually unlimited static address they want the money grab from business (I guess they're scared of something... static IPs servers etc. it's ridiculous to me they limit upload speeds, goes unused because of greed).
On their residential accounts with their router [not bridged/bypassed] IPv6 works (at home optical network speeds).
The other irony is they said you get 5 static IPs (I'm assuming IPv4) even though we only have the one MikroTik router of course. It should work to route all addresses within the prefix. I think we will wait. And so we see one more reason people are not fully IPv6 enabled in the world.... greed and excessive control of greedy control-freaks, both pretty bad reasons.
 
randomwalk
just joined
Posts: 7
Joined: Sun Apr 21, 2013 3:40 am
Location: Canada

Re: DHCPv6 Prefix Request Response not happening. How to Trace Debug?

Mon Mar 18, 2019 11:06 pm

Hi MasterJames,
Thanks for sharing your findings on IPv6. I'm in Alberta and share your pain on Telus/Bell/Rogers/Shaw :)
 
MasterJames

Re: DHCPv6 Prefix Request Response not happening. How to Trace Debug?

Fri Apr 05, 2019 1:04 pm


randomwalk wrote:
> Hi MasterJames,
> Thanks for sharing your findings on IPv6. I'm in Alberta and share your pain on Telus/Bell/Rogers/Shaw :)

You are Welcome. Taking the RB4011 back tomorrow and looking at this one (only similar) option from Cisco.
https://www.cisco.com/c/en/us/products/ ... index.html

It has only 4 LAN ports (I wanted 8 = overkill) but adding a switch might be okay if needed.
