Community discussions

MikroTik App
 
oreggin
Member Candidate
Member Candidate
Topic Author
Posts: 172
Joined: Fri Oct 16, 2009 9:21 pm

DHCPv6 client on Vlan interface doesn't work

Mon Dec 09, 2019 5:30 pm

Hi!

I trying to get work ipv6 dhcp-client on Vlan interface on a vlan aware bridge under ros v6.46 on my RB1100AHx2.
config:
/interface bridge
add name=LAN protocol-mode=mstp region-name=LAN region-revision=1 vlan-filtering=yes
/interface bridge msti
add bridge=LAN identifier=1 vlan-mapping=1-4094
/interface bridge port
add bridge=LAN interface=ether10
/interface bridge vlan
add bridge=LAN tagged=ether10,LAN vlan-ids=808
/interface vlan
add interface=LAN name=Vlan808 vlan-id=808
/ipv6 dhcp-client
add interface=Vlan808 pool-name=ipv6pool_vlan808 request=address,prefix
The symptom is my device is sending IPv6 DHCP requests, defaultgw relaying requests for server and back to the client. I created packet capture on Vlan808 interface, and it seems my rb1100ahx2 ignore reply:
$ tshark -r dhcpv6.pcap -V
Frame 1: 112 bytes on wire (896 bits), 112 bytes captured (896 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Dec  9, 2019 13:48:12.612234000 CET
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1575895692.612234000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 112 bytes (896 bits)
    Capture Length: 112 bytes (896 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ipv6:udp:dhcpv6]
Ethernet II, Src: Routerbo_01:02:03 (4c:5e:0c:01:02:03), Dst: IPv6mcast_01:00:02 (33:33:00:01:00:02)
    Destination: IPv6mcast_01:00:02 (33:33:00:01:00:02)
        Address: IPv6mcast_01:00:02 (33:33:00:01:00:02)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: Routerbo_01:02:03 (4c:5e:0c:01:02:03)
        Address: Routerbo_01:02:03 (4c:5e:0c:01:02:03)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: fe80::4e5e:cff:fe01:203, Dst: ff02::1:2
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
        .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)
        .... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    .... .... .... 0000 0000 0000 0000 0000 = Flow Label: 0x00000
    Payload Length: 58
    Next Header: UDP (17)
    Hop Limit: 1
    Source: fe80::4e5e:cff:fe01:203
    Destination: ff02::1:2
    [Source SA MAC: Routerbo_01:02:03 (4c:5e:0c:01:02:03)]
User Datagram Protocol, Src Port: 546, Dst Port: 547
    Source Port: 546
    Destination Port: 547
    Length: 58
    Checksum: 0x9de7 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 0]
    [Timestamps]
        [Time since first frame: 0.000000000 seconds]
        [Time since previous frame: 0.000000000 seconds]
DHCPv6
    Message type: Solicit (1)
    Transaction ID: 0x043f69
    Client Identifier
        Option: Client Identifier (1)
        Length: 10
        Value: 000300014c5e0c010200
        DUID: 000300014c5e0c010200
        DUID Type: link-layer address (3)
        Hardware type: Ethernet (1)
        Link-layer address: 4c:5e:0c:5a:46:57
    Identity Association for Non-temporary Address
        Option: Identity Association for Non-temporary Address (3)
        Length: 12
        Value: 0000001c0000070800000b40
        IAID: 0000001c
        T1: 1800
        T2: 2880
    Option Request
        Option: Option Request (6)
        Length: 2
        Value: 0017
        Requested Option code: DNS recursive name server (23)
    Elapsed time
        Option: Elapsed time (8)
        Length: 2
        Value: cd78
        Elapsed time: 526000ms
    Rapid Commit
        Option: Rapid Commit (14)
        Length: 0

Frame 2: 178 bytes on wire (1424 bits), 178 bytes captured (1424 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Dec  9, 2019 13:48:12.615453000 CET
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1575895692.615453000 seconds
    [Time delta from previous captured frame: 0.003219000 seconds]
    [Time delta from previous displayed frame: 0.003219000 seconds]
    [Time since reference or first frame: 0.003219000 seconds]
    Frame Number: 2
    Frame Length: 178 bytes (1424 bits)
    Capture Length: 178 bytes (1424 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ipv6:udp:dhcpv6]
Ethernet II, Src: Cisco_03:9f:41 (8c:60:4f:03:9f:41), Dst: Routerbo_01:02:03 (4c:5e:0c:01:02:03)
    Destination: Routerbo_01:02:03 (4c:5e:0c:01:02:03)
        Address: Routerbo_01:02:03 (4c:5e:0c:01:02:03)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_03:9f:41 (8c:60:4f:03:9f:41)
        Address: Cisco_03:9f:41 (8c:60:4f:03:9f:41)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: 2001:db8:0:b00b::fff1, Dst: fe80::4e5e:cff:fe01:203
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
        .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)
        .... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    .... .... .... 0000 0000 0000 0000 0000 = Flow Label: 0x00000
    Payload Length: 124
    Next Header: UDP (17)
    Hop Limit: 255
    Source: 2001:db8:0:b00b::fff1
    Destination: fe80::4e5e:cff:fe01:203
    [Destination SA MAC: Routerbo_01:02:03 (4c:5e:0c:01:02:03)]
User Datagram Protocol, Src Port: 547, Dst Port: 546
    Source Port: 547
    Destination Port: 546
    Length: 124
    Checksum: 0x66e6 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 1]
    [Timestamps]
        [Time since first frame: 0.000000000 seconds]
        [Time since previous frame: 0.000000000 seconds]
DHCPv6
    Message type: Advertise (2)
    Transaction ID: 0x043f69
    Identity Association for Non-temporary Address
        Option: Identity Association for Non-temporary Address (3)
        Length: 40
        Value: 0000001c00000000000000000005001820010db80000b00b…
        IAID: 0000001c
        T1: 0
        T2: 0
        IA Address
            Option: IA Address (5)
            Length: 24
            Value: 20010db80000b00b11bb2c83cf2e3704000069780000a8c0
            IPv6 address: 2001:db8:0:b00b:11bb:2c83:cf2e:3704
            Preferred lifetime: 27000
            Valid lifetime: 43200
    Client Identifier
        Option: Client Identifier (1)
        Length: 10
        Value: 000300014c5e0c010200
        DUID: 000300014c5e0c010200
        DUID Type: link-layer address (3)
        Hardware type: Ethernet (1)
        Link-layer address: 4c:5e:0c:5a:46:57
    Server Identifier
        Option: Server Identifier (2)
        Length: 14
        Value: 000100011ed5a517001999b3abf3
        DUID: 000100011ed5a517001999b3abf3
        DUID Type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        DUID Time: May 23, 2016 13:25:11.000000000 CEST
        Link-layer address: 00:19:99:b3:ab:f3
    DNS recursive name server
        Option: DNS recursive name server (23)
        Length: 32
        Value: 20010db80000babe000000000053000120010db80000babe…
         1 DNS server address: 2001:db8:0:babe::53:1
         2 DNS server address: 2001:db8:0:babe::53:2
Debug output:
16:06:30 dhcp,debug,packet send Vlan808 -> ff02::1:2%13 
16:06:30 dhcp,debug,packet type: solicit 
16:06:30 dhcp,debug,packet transaction-id: 87464e 
16:06:30 dhcp,debug,packet  -> clientid:   00030001 4c5e0c5a 4657 
16:06:30 dhcp,debug,packet  -> ia_na:  
16:06:30 dhcp,debug,packet    t1: 1800 
16:06:30 dhcp,debug,packet    t2: 2880 
16:06:30 dhcp,debug,packet    id: 0x1c 
16:06:30 dhcp,debug,packet  -> oro: 23  
16:06:30 dhcp,debug,packet  -> elapsed_time: 2000 
16:06:30 dhcp,debug,packet  -> rapid_commit: [empty] 
16:06:30 dhcp,debug,packet  -> ia_pd:  
16:06:30 dhcp,debug,packet    t1: 1800 
16:06:30 dhcp,debug,packet    t2: 2880 
16:06:30 dhcp,debug,packet    id: 0x1c 
I tried to remove sensitive data from outputs.
Any idea, whats wrong?
 
kathampy
just joined
Posts: 10
Joined: Tue Apr 05, 2016 7:59 am

Re: DHCPv6 client on Vlan interface doesn't work

Sun Dec 27, 2020 10:41 am

I have the same issue on v6.48. DHCPv6 Client does not work on a VLAN interface, or the master bridge interface PVID. It's stuck on "searching".

However, I found another bug which acts as a workaround. You can create a DHCPv6 Client that runs on the S interface (ether1) PVID instead of the bridge. The downside is you must send your WAN untagged on the PVID to the S interface (ether1). This configuration is not possible with IPv4 DHCP Client as it won't let you start the client on a S interface attached to a bridge. Even if you switch off VLAN filtering, DHCPv6 Client will not work on the bridge interface PVID. You must use the S interface.
Last edited by kathampy on Sun Aug 20, 2023 7:29 am, edited 1 time in total.
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: DHCPv6 client on Vlan interface doesn't work

Sun Dec 27, 2020 1:45 pm

The symptom is my device is sending IPv6 DHCP requests, defaultgw relaying requests for server and back to the client. I created packet capture on Vlan808 interface, and it seems my rb1100ahx2 ignore reply:
How does your /ipv6 firewall export look like? The DHCPv6 client sends the initial request to a multicast address but the response comes from a unicast one, so "accept established" doesn't work. And unlike the DHCPv4 client, the DHCPv6 one is not connected "closer to the wire" than the firewall filter.
 
kathampy
just joined
Posts: 10
Joined: Tue Apr 05, 2016 7:59 am

Re: DHCPv6 client on Vlan interface doesn't work

Sun Dec 27, 2020 6:07 pm

How does your /ipv6 firewall export look like? The DHCPv6 client sends the initial request to a multicast address but the response comes from a unicast one, so "accept established" doesn't work. And unlike the DHCPv4 client, the DHCPv6 one is not connected "closer to the wire" than the firewall filter.
I have disabled all IPv6 Firewall rules. Even with the default quick setup IPv6 Firewall rules enabled, using the S interface PVID for IPv6 DHCP Client does work. It does not work only on the bridge interface PVID (same as S interface PVID) and VLAN interface. You should not be able to run a DHCP Client on the S interface when it's part of a bridge, right? But, changing bridge to ether1 in IPv6 DHCP Client makes it work.

Both LAN and WAN and trunked to the switch. LAN is the untagged PVID, and WAN is tagged. When making WAN the untagged PVID and using the S interface for IPv6 DHCP Client, it works through the switch, as well as with the modem directly connected to the router. It does not work through the bridge interface PVID in any situation, even with VLAN filtering disabled.
Last edited by kathampy on Sun Aug 20, 2023 7:31 am, edited 3 times in total.
 
kathampy
just joined
Posts: 10
Joined: Tue Apr 05, 2016 7:59 am

Re: DHCPv6 client on Vlan interface doesn't work

Sun Dec 27, 2020 6:48 pm

Another interesting observation:
When IPv6 DHCP Client is working on the S interface PVID, it obtains a prefix but the entry is marked as invalid and is shown in red.
[admin@MikroTik] > ipv6 dhcp-client print
Flags: D - dynamic, X - disabled, I - invalid 
 #    INTERFACE      STATUS             REQUEST       PREFIX                                                          
 0  XI wan1           stopped            address      
                                        prefix       
 1  I ether2         bound              address       2601:XXXX:XXXX:XXXX::/60, 3d15h14m56s                            
                                        prefix       
wan1 is is VLAN interface I use when WAN is tagged, which does not work.

Similarly if I change from the S interface ether2 back to the bridge PVID, it stops working.
[admin@MikroTik] > ipv6 dhcp-client print
Flags: D - dynamic, X - disabled, I - invalid 
 #    INTERFACE      STATUS             REQUEST       PREFIX                                                          
 0  XI wan1           stopped            address      
                                        prefix       
 1    bridge2        searching...       address      
                                        prefix       
Last edited by kathampy on Sun Aug 20, 2023 7:31 am, edited 2 times in total.
 
kathampy
just joined
Posts: 10
Joined: Tue Apr 05, 2016 7:59 am

Re: DHCPv6 client on Vlan interface doesn't work

Mon Dec 28, 2020 2:36 am

I did a simple test connecting ether2 (without a bridge) directly to my PC and running Wireshark. I created an IPv4 DHCP Client and IPv6 DHCP Client on ether2. I am able to see IPv4 DHCP packets, but there are no DHCPv6 (or any IPv6) packets captured in Wireshark. I also ran the RouterOS internal Packet Sniffer on ether2, and it did not capture any packets on DHCPv6 ports 546 & 547.

On my live setup, sfp-sfpplus1 is an S interface on bridge. When running the IPv6 DHCP Client on a VLAN, the internal Packet Sniffer shows the same packet on port 546 on the VLAN, bridge, and sfp-sfpplus1, but Wireshark does not capture any packets leaving the router.

It seems the IPv6 DHCP Client is non-functional on my router. The only situation where packets leave the router is when incorrectly running IPv6 DHCP Client on the S interface on a bridge. It's able to obtain a prefix but the line is red and marked as invalid.
Last edited by kathampy on Sun Aug 20, 2023 7:31 am, edited 3 times in total.
 
breizyann
just joined
Posts: 8
Joined: Wed Jul 24, 2019 5:11 pm

Re: DHCPv6 client on Vlan interface doesn't work

Wed Jan 20, 2021 7:06 pm

Hello @all,

Today i did a simple test to capture dhcpv6-client traffic from my routerboard Mikrotik hex_s (https://mikrotik.com/product/hex_s).
Router OS = 6.48 (stable)

1- i installed the dhcpv6-dibbler-server on ubuntu 20.04 (sudo apt update + sudo apt install dibbler-server) homepage: https://klub.com.pl/dhcpv6/
when it's installed → modify the /etc/dibbler/server.conf to setup/configure the listening interface you want for dhcpv6 server function.

2- i installed the wireshark tool to capture traffic on my ubuntu 20.04 linux box (listening on the interface configured above) with the filter → udp portrange 546-547.

3- In the Mikrotik router i removed the sfp-fiber module and replaced it with a sfp-rj45 → Model Number: JT-C1GE-R01 (from JT-COM).
I did that to have a direct rj45 connection between the Mikrotik router and my linux box (unbuntu 20.04) running the dhcp server.

4- My dhcpv6-client configuration is in the following steps (physical interface sfp-rj45 + vlanxyz + bridge)

/interface vlan add interface=sfp1 loop-protect-disable-time=00:05:00 loop-protect-send-interval=00:00:05 name=VLANxyz vlan-id=xx
/interface bridge add name=bridge-wan
/interface bridge port add bridge=bridge-wan interface=VLANxyz
/interface bridge filter add action=set-priority chain=output dst-port=547 ip-protocol=udp log=yes log-prefix="Set CoS on DHCP request" mac-protocol=ipv6 new-priority=x out-interface=VLANxyz passthrough=yes (x, xx, xyz, must be replaced by numerical of your needs).
/ipv6 firewall filter add chain=input comment="allow dhcpv6 replies on WAN" action=accept protocol=udp src-address=fe80::/10 in-interface=bridge-wan dst-port=546 log=no log-prefix=""
/ipv6 settings set accept-router-advertisements=yes


I also add 3 more lines (not displayed here) for my ISP specific mandatory options (option xx, option yy, option zz).

finally i add the dhcpv6-client:

/ipv6 dhcp-client add interface=bridge-wan dhcp-options=authentication,user-class,vendor-class request=prefix pool-name=pool_TEST_6 pool-prefix-length=64 add-default-route=yes disabled=no

Now everything is ready/setup for the wireshark capture:

1. On Mikrotik router set your dhcpv6-client to disable status
2. On the linux box start the dibbler-server (i start it with sudo dibbler-server start) → verify with ps -ef|grep dibbler if the daemon is running.
3. On the linux box start wireshark capture tool (i start it with sudo wireshark &). Apply the filter → udp portrange 546-547 on the listening interface.
4. Assuming that a direct rj45 cable is connected between your sfp-rj45 module and your linux box.
5. on Mikrotik router set your dhcpv6-client to enable status and keep an eye on wireshark at the same time.

The traffic should appear very quickly as in attachment below:
You can see the first action "Solicit" coming from the router fe80::764d:28ff:xxxx:xxxx with a destination to the server ff02::1:2 (my linux box will answer in this case).

ps: I have not fully configured my dhcp-server config file to emule all my ISP mandatory behavior as this post is just for initiate the dhcpv6-client traffic in wireshark.

In a full working environment you shoud have at least tree more lines in the wireshark dhcpv6 client-server communication exchange:
1. Solicit (client to server)
2. Advertise (server to client)
3. Request (client to server)
4. Reply (server to client)

Hoping this tuto may help someone.

Kind regards,
Yann
You do not have the required permissions to view the files attached to this post.
 
kathampy
just joined
Posts: 10
Joined: Tue Apr 05, 2016 7:59 am

Re: DHCPv6 client on Vlan interface doesn't work

Wed Jan 20, 2021 8:35 pm

DHCPv6 client has started working on the VLAN interface. I didn't change anything.
 
breizyann
just joined
Posts: 8
Joined: Wed Jul 24, 2019 5:11 pm

Re: DHCPv6 client on Vlan interface doesn't work

Tue Feb 09, 2021 6:45 pm

hello,

I did setup the isc-dhcp-server on my linux box and added a vlan interface on the nic.
enp0s25 is the physical nic interface card
enp0s25.xxx is the vlan added on this interface
dhcp client is my windows10 host

As my previous post i remove the sfp optical fiber from the mikrotik hex_s and replace it with an sfp rj45 instead (JT-C1GE-R01 from JT-COM)
I do that to be able to wireshark/capture the traffic between my windows host (dhcpv6 client) and my linux box (dhcpv6 server).
I set a direct ethernet cable between the client and the server.
The wireshark capture is done on the server side (linux box).

Regards,
Yann

First capture is done on enp0s25 (the physical nic of my linux box/server side) → you can see the the frame: 802.1q for the vlan)
enp0s25.png
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The second capture is done inside the vlanxxx → no more 802.1q
enp0s25.xxx.png
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The last capture is the testing bound satus that i got on mikrotik hex_s dhcpv6-client from my isc-dhcp-server
mikrotik_dhcpv6_client.png
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You do not have the required permissions to view the files attached to this post.

Who is online

Users browsing this forum: Bing [Bot] and 62 guests