mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

HAP AC2 ipv6 Routes list show bridge unreachable

Mon Apr 13, 2020 8:10 pm

IPv6 is configured on the hAP ac2: ether1 [WAN] gets an IPv6 address and the bridge gets an IPv6 address, but the bridge is unreachable, so none of the attached laptops are getting an IPv6 address.

By looking at the config below can anyone please advise why the bridge is unreachable?

Redacted Config:
# apr/13/2020 12:06:07 by RouterOS 6.46.5
# software id = URZF-KQ5I
#
# model = RouterBOARD D52G-5HacD2HnD-TC
# serial number = RRRRRRRRRRRRR
/interface bridge add admin-mac=CC:2D:E0:EB:61:0F auto-mac=no comment=defconf name=bridge
/interface ethernet set [ find default-name=ether1 ] speed=100Mbps
/interface ethernet set [ find default-name=ether2 ] speed=100Mbps
/interface ethernet set [ find default-name=ether3 ] speed=100Mbps
/interface ethernet set [ find default-name=ether4 ] speed=100Mbps
/interface ethernet set [ find default-name=ether5 ] speed=100Mbps
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=zzzzzzzzzzzzzzzzzzzz
/interface wireless security-profiles add authentication-types=wpa2-psk eap-methods="" management-protection=allowed management-protection-key=raven........ mode=dynamic-keys name=UplandsDen supplicant-identity="" wpa-pre-shared-key=ghghghghghghghg. wpa2-pre-shared-key=qqqqqqqqqqqqqqqqqqqq
/interface wireless set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-g/n channel-width=20/40mhz-Ce country=canada disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower mode=ap-bridge name=wlanA security-profile=UplandsDen ssid=UplandsDen wireless-protocol=802.11
/interface wireless set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country=canada disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower mode=ap-bridge name=wlanB security-profile=UplandsDen ssid=UplandsDen-5G wireless-protocol=802.11
/ip pool add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add address-pool=dhcp disabled=no interface=bridge lease-time=1d name=defconf
/system logging action set 1 disk-file-name=disk2/log
/user group set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface=wlanA
/interface bridge port add bridge=bridge comment=defconf interface=wlanB
/interface bridge port add bridge=bridge interface=ether3
/interface bridge port add bridge=bridge interface=ether4
/interface bridge port add bridge=bridge interface=ether5
/ip neighbor discovery-settings set discover-interface-list=LAN
/ipv6 settings set accept-router-advertisements=yes
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface wireless connect-list add interface=wlanA security-profile=UplandsDen
/interface wireless connect-list add interface=wlanB security-profile=UplandsDen
/ip address add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip cloud set update-time=no
/ip dhcp-client add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease add address=192.168.88.230 client-id=1:0:24:d6:9b:b5:ec comment="J Lap" mac-address=00:24:D6:9B:B5:EC server=defconf
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001
/ip dns static add address=192.168.88.1 name=router.lan
/ip firewall address-list add address=224.0.0.0/3 list=blacklist
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=input comment="INPUT DROP FireHOL Blacklist" in-interface=ether1 log-prefix="FireHOL Blacklist" src-address-list=blacklist
/ip firewall filter add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2d chain=input comment="INPUT Telnet Port Scans" dst-port=23 in-interface=ether1 protocol=tcp
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw add action=drop chain=prerouting comment="Drop TELNET port scaners" in-interface=ether1 src-address-list="Port Scanners"
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh port=2200
/ip service set api disabled=yes
/ip service set winbox address=192.168.88.0/24
/ip service set api-ssl disabled=yes
/ip ssh set allow-none-crypto=yes forwarding-enabled=remote
/ipv6 address add from-pool=rogers-ipv6 interface=bridge
/ipv6 dhcp-client add add-default-route=yes interface=ether1 pool-name=rogers-ipv6 request=address,prefix use-peer-dns=no
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall address-list add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=accept chain=input comment=" defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd set [ find default=yes ] advertise-dns=no interface=ether1 mtu=1500 ra-lifetime=none reachable-time=5m
/ipv6 nd add advertise-dns=no hop-limit=64 interface=bridge
/ipv6 nd prefix default set preferred-lifetime=4h valid-lifetime=4h
/system clock set time-zone-name=America/Toronto
/system clock manual set time-zone=-04:00
/system identity set name=ravensden
/system logging set 0 action=disk
/system logging set 1 action=disk
/system logging set 2 action=disk
/system logging set 3 action=disk
/system ntp client set enabled=yes server-dns-names=time.google.com,0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool sniffer set filter-mac-address=00:00:00:00:00:00/00:00:00:00:00:00 memory-limit=10KiB
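The export above defines a bad_ipv6 address list and then drops forward-chain traffic whose source or destination falls in it. The following is an added example, not part of the original post or of RouterOS: a small Python audit that parses those `/ipv6 firewall address-list add` lines as exported (the quoted comments contain spaces, so shlex does the tokenising) and reports which of a set of constructed sample addresses the list would catch. The sample addresses and the EXPORT text are assumptions for the demo; the list contents are copied from the post.

```python
import ipaddress
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed sample: the bad_ipv6 lines from the export above, pasted as-is,
# plus one filter line to show that the parser ignores anything that is not
# an address-list entry.
EXPORT = """\
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall address-list add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
"""

# Constructed sample addresses (documentation/ULA/link-local space, plus the
# Cloudflare resolver that the export itself configures).
SAMPLES = ["2001:db8::1", "::ffff:192.0.2.1", "fec0::1", "100::5",
           "2606:4700:4700::1111", "fe80::1", "fd00::1"]

Entry = Tuple[ipaddress.IPv6Network, str]


def parse_address_lists(export: str) -> Dict[str, List[Entry]]:
    """Collect '/ipv6 firewall address-list add ...' entries per list name, in file order."""
    lists: Dict[str, List[Entry]] = {}
    for line in export.splitlines():
        tokens = shlex.split(line)          # strips the quotes around comment values
        if tokens[:4] != ["/ipv6", "firewall", "address-list", "add"]:
            continue
        kv = dict(t.split("=", 1) for t in tokens[4:] if "=" in t)
        net = ipaddress.IPv6Network(kv["address"], strict=False)
        lists.setdefault(kv["list"], []).append((net, kv.get("comment", "").strip()))
    return lists


def first_match(addr: str, entries: List[Entry]) -> Optional[str]:
    """Comment of the first list entry covering addr, or None if the address passes."""
    ip = ipaddress.IPv6Address(addr)
    for net, comment in entries:
        if ip in net:
            return comment
    return None


def audit(export: str, samples: List[str], list_name: str = "bad_ipv6") -> Dict[str, Optional[str]]:
    """Map each sample address to the entry that would match it (None = not in the list)."""
    entries = parse_address_lists(export)[list_name]
    return {s: first_match(s, entries) for s in samples}


if __name__ == "__main__":
    for addr, hit in audit(EXPORT, SAMPLES).items():
        print(f"{addr:24} {'DROP  ' + hit if hit else 'pass'}")
```

Two things the audit makes visible: link-local (fe80::/10) and ULA (fc00::/7) are deliberately not in the list, since the router needs them for ND and local use, and in the export the bad_ipv6 drops exist only in the forward chain, so a bogon-sourced packet aimed at the router itself is handled by the input-chain rules, not by this list.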
 
mkx
Forum Guru
Posts: 11597
Joined: Thu Mar 03, 2016 10:23 pm

Re: HAP AC2 ipv6 Routes list show bridge unreachable

Mon Apr 13, 2020 10:22 pm

What happens if you set it like this:

/ipv6 address=::1 add from-pool=rogers-ipv6 interface=bridge
... or something else instead of ::1?


In addition, how big is address prefix, received from ISP? (/ipv6 pool print)
 
mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: HAP AC2 ipv6 Routes list show bridge unreachable

Mon Apr 13, 2020 11:03 pm

What happens if you set it like this:
/ipv6 address=::1 add from-pool=rogers-ipv6 interface=bridge
... or something else instead of ::1?

In addition, how big is address prefix, received from ISP? (/ipv6 pool print)
I cannot /ipv6 pool print now as the unit is in another jurisdiction and I will regain access to it remotely tomorrow.

The address prefix is /64.

Will give your suggestion a try and report back tomorrow.

Thanks mkx
 
mkx
Forum Guru
Posts: 11597
Joined: Thu Mar 03, 2016 10:23 pm

Re: HAP AC2 ipv6 Routes list show bridge unreachable

Mon Apr 13, 2020 11:38 pm

If prefix, received from ISP, is indeed /64 ... and one of addresses out of that prefix is immediately used for WAN IPv6 address on ether1, then you're out of luck. Check that scenario.

Yes, some ISPs are that cheap to only assign /64 to a home user (it should be something larger, e.g. /60 or /56). My ISP is giving out a /56 .. and that's over PPPoE, so no prefix wasted for WAN interface.

And .. my suggestion should actually be

/ipv6 address add address=::1 from-pool=rogers-ipv6 interface=bridge
 
bgp4
just joined
Posts: 22
Joined: Thu Nov 07, 2019 3:48 am
Location: Singapore

Re: HAP AC2 ipv6 Routes list show bridge unreachable

Tue Apr 14, 2020 11:38 am

/ipv6 dhcp-client add add-default-route=yes interface=ether1 pool-name=rogers-ipv6 request=prefix use-peer-dns=no
You can try to request prefix only. "address" here means the WAN-side address, I think; it's not necessary.
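The point mkx and bgp4 are making is arithmetic: a DHCPv6-PD pool is drained one /64 at a time by every `from-pool=` consumer, so a delegated /64 has room for exactly one LAN prefix, and nothing is left if something else also takes a /64 from it. The model below is an added Python illustration of that, not RouterOS code and not from either poster. It simulates the pool carving and the `address=::1/64 from-pool=...` composition (prefix bits from the pool, host bits from the suffix); whether an ISP actually charges the WAN address against the delegated prefix is the thing to check with `/ipv6 pool print`, which this script cannot do. The 2001:db8: prefixes are constructed documentation addresses.

```python
import ipaddress
from typing import Dict, List


def carve_pool(delegated: str, consumers: List[str], prefix_len: int = 64) -> Dict[str, str]:
    """Hand out one /prefix_len block per consumer, in order, from the delegated prefix.

    Models a RouterOS pool filled by DHCPv6-PD: each 'from-pool=' user takes the
    next block of the pool's prefix length; a /64 pool holds exactly one /64.
    """
    pool = ipaddress.IPv6Network(delegated, strict=False)
    if pool.prefixlen > prefix_len:
        raise ValueError(f"{pool} is smaller than a /{prefix_len}; nothing can be carved")
    blocks = pool.subnets(new_prefix=prefix_len)   # yields the pool itself when sizes are equal
    assigned: Dict[str, str] = {}
    for name in consumers:
        try:
            assigned[name] = str(next(blocks))
        except StopIteration:
            raise RuntimeError(f"pool {pool} exhausted: no /{prefix_len} left for {name}") from None
    return assigned


def from_pool_address(block: str, suffix: str = "::1") -> str:
    """Combine a carved block with a host part, like 'address=::1/64 from-pool=...'.

    The suffix must be zero in the prefix bits; RouterOS needs the /64 on the
    address field so it knows how many bits come from the pool.
    """
    net = ipaddress.IPv6Network(block, strict=False)
    host = int(ipaddress.IPv6Address(suffix))
    if host >> (128 - net.prefixlen):
        raise ValueError(f"suffix {suffix} has bits inside the /{net.prefixlen} prefix")
    addr = ipaddress.IPv6Address(int(net.network_address) | host)
    return f"{addr}/{net.prefixlen}"


def plan_lan(delegated: str, wan_from_pool: bool, lans: List[str]) -> Dict[str, str]:
    """Return interface -> address/64 for the given delegation.

    wan_from_pool=True models the 'out of luck' case mkx describes, where the
    WAN side also consumes a /64 of the delegated prefix before the LAN does.
    """
    consumers = (["ether1"] if wan_from_pool else []) + lans
    return {name: from_pool_address(block) for name, block in carve_pool(delegated, consumers).items()}


if __name__ == "__main__":
    cases = [("2001:db8:1:2::/64", False, ["bridge"]),          # ISP gives /64, only the bridge uses it
             ("2001:db8:1:2::/64", True, ["bridge"]),           # /64 already spent on WAN: fails
             ("2001:db8:100::/56", True, ["bridge", "guest"])]  # /56: 256 x /64, plenty of room
    for delegated, wan, lans in cases:
        try:
            print(delegated, plan_lan(delegated, wan, lans))
        except RuntimeError as exc:
            print(delegated, "FAIL:", exc)
```

Running it shows why the thread's `::/56` hint matters: with a /56 the WAN, the bridge and any further LAN each get their own /64, while with a /64 the first extra consumer exhausts the pool and the bridge address never comes up.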
 
mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: HAP AC2 ipv6 Routes list show bridge unreachable

Tue Apr 14, 2020 12:47 pm

And .. my suggestion should actually be
/ipv6 address add address=::1 from-pool=rogers-ipv6 interface=bridge
The address=::1 generated an error condition stating it must be a 64

The good news is that after a router reboot the bridge unreachable condition became reachable.
I switched to a hint ::/56 and all laptops got their IPv6 addresses.
Now the only issue that remains is that none of the Win 10 laptops can, in a command window,
ping -6 google.com ... no reply ... another mystery.

Thanks mkx

@bgp4 .... thank you for your suggestion ... will give that a try and see what happens
