elbob2002
Member Candidate
Topic Author
Posts: 254
Joined: Tue May 15, 2018 8:15 pm
Location: Ireland

IPv6 Advertising two ranges on one interface

Tue Dec 28, 2021 5:54 pm

Hi,

More IPV6 woes I'm afraid.

I have an RB5009 connected to a CRS328. No VLANs are configured on the RB5009 however the interfaces are connected to tagged ports on the CRS328. Essentially the RB5009 acts as my VLAN router.

I've configured IPV6 on two interfaces. One for the default network i.e. no VLAN and the other for VLAN101.

2001:beef::1/64               CoreNetPool  sfp-sfpplus1  yes
2001:deee::1/64               WLANPOOL     ether4        yes

ND is configured as follows:

Flags: X - disabled, I - invalid; * - default 
 0  * interface=sfp-sfpplus1 ra-interval=3m20s-10m ra-delay=3s mtu=unspecified 
      reachable-time=unspecified retransmit-interval=unspecified 
      ra-lifetime=30m hop-limit=unspecified advertise-mac-address=yes 
      advertise-dns=yes managed-address-configuration=no 
      other-configuration=no dns=2001:beef::1252,2001:beef::1253 

 1    interface=ether4 ra-interval=3m20s-10m ra-delay=3s mtu=unspecified 
      reachable-time=unspecified retransmit-interval=unspecified 
      ra-lifetime=30m hop-limit=unspecified advertise-mac-address=yes 
      advertise-dns=yes managed-address-configuration=no 
      other-configuration=no dns=2001:beef::1252,2001:beef::1253 

The issue I'm having is that devices on ether4 (VLAN101) are getting IPV6 addresses from BOTH IPV6 ranges.

Devices on the default network connected to sfp-sfpplus1 are getting only addresses from the correct IPV6 range.

I can't figure out why the IPv6 range on sfp-sfpplus1 is advertising on ether4.

Any ideas? Much thanks in advance.
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPv6 Advertising two ranges on one interface

Tue Dec 28, 2021 8:43 pm

Show complete config ... any minor misconfiguration can affect behaviour.
 
elbob2002
Member Candidate
Topic Author
Posts: 254
Joined: Tue May 15, 2018 8:15 pm
Location: Ireland

Re: IPv6 Advertising two ranges on one interface

Wed Dec 29, 2021 11:09 am

Here's the complete config:

The router serves three other VLANs in my lab as you can plainly see in the config. VLAN56 VLAN88 and VLAN999. IPV6 addresses leak to those interfaces too.

# dec/29/2021 09:01:22 by RouterOS 7.1.1
# software id = 
#
# model = RB5009UG+S+
# serial number = XXXXXXXXX
/interface ethernet
set [ find default-name=ether1 ] comment=STARLINK
set [ find default-name=ether2 ] comment=VLAN56
set [ find default-name=ether3 ] comment=VLAN88
set [ find default-name=ether4 ] comment=VLAN101
set [ find default-name=ether5 ] comment=VLAN999
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no comment=\
    CORESWITCH-SFP+4
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.56.2-192.168.56.254
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool2 ranges=192.168.101.50-192.168.101.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether2 lease-time=8h name=VLAN56
add address-pool=dhcp_pool2 interface=ether4 lease-time=8h name=VLAN101
/ipv6 pool
add name=CoreNetPool prefix=2001:beef::/64 prefix-length=64
add name=WLANPOOL prefix=2001:deee::/64 prefix-length=64
/routing id
add disabled=no id=172.20.0.254 name=id-1 select-dynamic-id=""
/routing ospf instance
add name=ospf-instance-1 originate-default=never out-filter-select="" \
    redistribute="" router-id=id-1
/routing ospf area
add instance=ospf-instance-1 name=ospf-area-1
/routing table
add disabled=no fib name=VF4G
add disabled=no fib name=EIR
add disabled=no fib name=PBAR
/system logging action
set 3 remote=172.20.0.100 src-address=172.20.0.254
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    disabled=yes disabled=yes name=zt1 port=9993
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set accept-router-advertisements=yes max-neighbor-entries=8192
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether1 list=WAN
/ip address
add address=172.20.0.254/16 interface=sfp-sfpplus1 network=172.20.0.0
add address=192.168.56.1/24 interface=ether2 network=192.168.56.0
add address=192.168.101.1/24 interface=ether4 network=192.168.101.0
add address=192.168.254.1/24 interface=ether5 network=192.168.254.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.56.0/24 dns-server=172.20.1.252,172.20.1.253 domain=\
    vlan56.internal gateway=192.168.56.1 netmask=24 ntp-server=\
    172.20.1.252,172.20.1.253
add address=192.168.101.0/24 dns-server=172.20.1.252,172.20.1.253 domain=\
    vlan101.internal gateway=192.168.101.1 netmask=24 ntp-server=\
    172.20.1.252,172.20.1.253
/ip dns
set servers=172.20.1.252,172.20.1.253
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid log-prefix=\
    "FORWARD_INVALID "
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input connection-state=established,related \
    in-interface=ether1
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall service-port
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add disabled=no distance=1 dst-address=192.168.100.0/24 gateway=ether1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=172.20.0.29 routing-table=VF4G \
    suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=172.20.1.1 routing-table=EIR \
    suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=172.20.1.50 routing-table=PBAR \
    suppress-hw-offload=no
add disabled=no dst-address=192.168.193.0/24 gateway=172.20.15.1 \
    routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/ip traffic-flow
set enabled=yes
/ip traffic-flow target
add dst-address=172.20.0.100 port=9001 src-address=172.20.0.254
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=ether2 type=internal
add interface=ether3 type=internal
add interface=ether4 type=internal
add interface=sfp-sfpplus1 type=internal
/ipv6 address
add address=::1 from-pool=CoreNetPool interface=sfp-sfpplus1
add address=::/56 advertise=no from-pool=StarLink interface=ether1
add address=::1 from-pool=WLANPOOL interface=ether4
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=StarLink \
    pool-prefix-length=56 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" disabled=yes \
    dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" disabled=yes \
    protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" disabled=\
    yes protocol=ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" disabled=yes \
    in-interface-list=!LAN log-prefix="DROPFWNOTLAN "
/ipv6 firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ipv6 nd
set [ find default=yes ] dns=2001:beef::1252,2001:beef::1253 interface=\
    sfp-sfpplus1
add dns=2001:beef::1252,2001:beef::1253 interface=ether4
/routing ospf interface-template
add area=ospf-area-1 interfaces=sfp-sfpplus1 networks=172.20.0.0/16 priority=\
    254
add area=ospf-area-1 interfaces=ether2 networks=192.168.56.0/24
add area=ospf-area-1 interfaces=ether4 networks=192.168.101.0/24
add area=ospf-area-1 interfaces=ether5 networks=192.168.254.0/24
/routing rule
add action=lookup disabled=no dst-address=91.103.0.80/29 table=EIR
add action=lookup disabled=no dst-address=172.20.0.0/16 src-address=\
    192.168.56.0/24 table=main
add action=lookup disabled=no dst-address=192.168.101.0/24 src-address=\
    192.168.56.0/24 table=main
add action=lookup disabled=no dst-address=0.0.0.0/0 src-address=\
    192.168.56.0/24 table=EIR
/snmp
set contact=XXXXXX@XXXXXXXXX enabled=yes location=""
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Dublin
/system identity
set name=gw-core.XXX.XXXXXX.XXX
/system logging
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=info
add action=remote topics=warning
/system ntp client
set enabled=yes
/system ntp client servers
add address=172.20.1.252
add address=172.20.1.253
/system routerboard settings
set auto-upgrade=yes
/tool bandwidth-server
set authenticate=no

Last edited by elbob2002 on Thu Dec 30, 2021 9:32 am, edited 1 time in total.
 
elbob2002
Member Candidate
Topic Author
Posts: 254
Joined: Tue May 15, 2018 8:15 pm
Location: Ireland

Re: IPv6 Advertising two ranges on one interface  [SOLVED]

Wed Dec 29, 2021 1:16 pm

I believe I have resolved this issue.

Devices with the "leaked" IPV6 addresses were connected to an upstream access switch. A CRS-125 with SFP port as a trunk to the CRS-328.

Reviewing the VLAN configuration on the CRS-125 cropped up a few configuration issues where egress translation wasn't configured for ports other than the trunk port and also invalid VLAN filtering wasn't enabled on any of the VLAN ports.

Committed those changes and no longer seeing two IPv6 ranges on a single device anymore.
 
theprojectgroup
Frequent Visitor
Posts: 99
Joined: Tue Feb 21, 2017 11:40 pm

Re: IPv6 Advertising two ranges on one interface

Sun Mar 05, 2023 1:35 am

viewtopic.php?p=988242#p988242

Is your client a Windows machine connected untagged to a port which also has tagged VLANs on it?
It looks like Windows just strips off the vlan tags and then gets the RAs which are in VLAN tagged packets.
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPv6 Advertising two ranges on one interface

Sun Mar 05, 2023 1:18 pm

> It looks like Windows just strips off the vlan tags and then gets the RAs which are in VLAN tagged packets.

This is already a pretty well known fact around here ....
