mikey
newbie
Topic Author
Posts: 26
Joined: Mon Dec 20, 2021 1:11 pm

IPv6 DNS (through DHCP) for Windows devices

Fri May 26, 2023 9:45 pm

Good afternoon

I have had IPv6 running for a couple of months using RA + SLAAC. It works great except Windows devices do not get the DNS server from the RA. It's a known "bug"? Till now I just set the DNS manually on my Windows 11 devices.

Today, I wanted to look a bit more into it and the workaround seems to be to enable the IPv6 DHCP to announce the DNS servers to the Windows machines... I followed the few guides I found but I have no idea what I am doing wrong. My Windows 11 machine is not getting any DNS from it.

In the RA (ND in MikroTik) I have enabled the "other configuration" check box. The DHCP client is set on the right interface and I added option 23 with the DNS IPv6. I also tried a few other option numbers but I don't remember which ones. Everyone seems to be saying it's 23.
 
mikey

Fri May 26, 2023 9:59 pm

/interface bridge
add admin-mac=2C:C8:1B:FD:72:F8 auto-mac=no comment=defconf name=bridge pvid=900 vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-proximus user=user
/interface wireguard
add listen-port=13231 mtu=1420 name=WG_Roadwarrior
/interface vlan
add interface=bridge name=Guest_vlan vlan-id=40
add interface=bridge name=IoT_vlan vlan-id=20
add interface=bridge name=Server_vlan vlan-id=30
add interface=bridge name=Trusted_vlan vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=pool_trusted ranges=10.0.1.100-10.0.1.254
add name=pool_IoT ranges=10.0.2.100-10.0.2.254
add name=pool_guest ranges=10.0.4.100-10.0.4.254
/ip dhcp-server
add address-pool=pool_trusted interface=Trusted_vlan lease-time=1w name=DHCP_trusted
add address-pool=pool_IoT interface=IoT_vlan lease-time=1w name=DHCP_IoT
add address-pool=pool_guest interface=Guest_vlan lease-time=1d name=DHCP_guest
/ipv6 dhcp-server option
add code=23 name=dns value="'2606:4700:4700::1001'"
/port
set 0 name=serial0
/queue type
add cake-rtt-scheme=internet kind=cake name=CakeQueue
/queue tree
add limit-at=90M max-limit=90M name=Download parent=bridge queue=pcq-download-default
add limit-at=30M max-limit=85M name="1 - D Pegasus" packet-mark=D_Pegasus parent=Download priority=1 \
    queue=CakeQueue
add limit-at=28M max-limit=28M name=Upload parent=pppoe-proximus queue=pcq-upload-default
add limit-at=12M max-limit=18M name="1 - U Pegasus" packet-mark=U_Pegasus parent=Upload priority=1 \
    queue=CakeQueue
add limit-at=30M max-limit=85M name="2 - D Infinity" packet-mark=D_Infinity parent=Download priority=1 \
    queue=CakeQueue
add limit-at=20M max-limit=85M name="3 - D Others" packet-mark=D_Others parent=Download priority=2 \
    queue=CakeQueue
add limit-at=12M max-limit=18M name="2 - U Infinity" packet-mark=U_Infinity parent=Upload priority=1 \
    queue=CakeQueue
add limit-at=4M max-limit=18M name="3 - U Others" packet-mark=U_Others parent=Upload priority=2 queue=\
    CakeQueue
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether4 pvid=900
add bridge=bridge interface=ether5 pvid=10
add bridge=bridge interface=sfp1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4 untagged=ether5,ether3,ether2 vlan-ids=10
add bridge=bridge tagged=bridge,ether4,ether5 vlan-ids=20
add bridge=bridge tagged=bridge,ether4 vlan-ids=30
add bridge=bridge tagged=bridge,ether5,ether4 vlan-ids=40
/interface list member
add interface=pppoe-proximus list=WAN
add interface=Trusted_vlan list=LAN
add interface=IoT_vlan list=LAN
add interface=Guest_vlan list=LAN
add interface=Server_vlan list=LAN
/interface wireguard peers
add allowed-address=10.178.68.6/32 interface=WG_Roadwarrior public-key=\
    "myplublickey"
/ip address
add address=10.0.1.1/24 interface=Trusted_vlan network=10.0.1.0
add address=10.0.2.1/24 interface=IoT_vlan network=10.0.2.0
add address=10.33.3.1/24 interface=Server_vlan network=10.33.3.0
add address=10.0.4.1/24 interface=Guest_vlan network=10.0.4.0
add address=10.178.68.5/30 interface=WG_Roadwarrior network=10.178.68.4
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=10.0.1.254 client-id=1:3c:7c:3f:27:f7:e0 mac-address=3C:7C:3F:27:F7:E0 server=DHCP_trusted
add address=10.0.1.253 mac-address=74:56:3C:6C:4D:E2 server=DHCP_trusted use-src-mac=yes
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.0.1.1
add address=10.0.2.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.0.2.1
add address=10.0.4.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.0.4.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow trusted vlan" in-interface=Trusted_vlan
add action=accept chain=input comment="Allow wireguard" dst-port=13231 in-interface-list=WAN protocol=\
    udp
add action=drop chain=input comment="Drop any"
add action=accept chain=forward comment="accept established,related" connection-state=\
    established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="Accept LAN to WAN" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Accept Roadwarrior to internet" in-interface=WG_Roadwarrior \
    out-interface-list=WAN
add action=drop chain=forward comment="Drop any"
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark Other WAN connections" connection-state=new \
    new-connection-mark=C_Others_WAN out-interface-list=WAN passthrough=yes
add action=mark-connection chain=forward comment="Mark Infinity Connections" connection-state=new \
    new-connection-mark=C_Infinity_WAN out-interface-list=WAN passthrough=yes src-mac-address=\
    74:56:3C:6C:4D:E2
add action=mark-connection chain=forward comment="Mark Pegasus WAN connections" connection-state=new \
    new-connection-mark=C_Pegasus_Wan out-interface-list=WAN passthrough=yes src-mac-address=\
    3C:7C:3F:27:F7:E0
add action=mark-packet chain=forward comment="Mark Infinity Download" connection-mark=C_Infinity_WAN \
    in-interface-list=WAN new-packet-mark=D_Infinity passthrough=no
add action=mark-packet chain=forward comment="Mark Infinity Upload" connection-mark=C_Infinity_WAN \
    new-packet-mark=U_Infinity out-interface-list=WAN passthrough=no
add action=mark-packet chain=forward comment="Mark Pegasus Download" connection-mark=C_Pegasus_Wan \
    in-interface-list=WAN new-packet-mark=D_Pegasus passthrough=no
add action=mark-packet chain=forward comment="Mark Pegasus Upload" connection-mark=C_Pegasus_Wan \
    new-packet-mark=U_Pegasus out-interface-list=WAN passthrough=no
add action=mark-packet chain=forward comment="Mark Others Download" connection-mark=C_Others_WAN \
    in-interface-list=WAN new-packet-mark=D_Others passthrough=no
add action=mark-packet chain=forward comment="Mark Others Upload" connection-mark=C_Others_WAN \
    new-packet-mark=U_Others out-interface-list=WAN passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 address
add from-pool=GA_Pool interface=Trusted_vlan
add from-pool=GA_Pool interface=IoT_vlan
add from-pool=GA_Pool interface=Server_vlan
add from-pool=GA_Pool interface=Guest_vlan
/ipv6 dhcp-client
add interface=pppoe-proximus pool-name=GA_Pool request=prefix
/ipv6 dhcp-server
add address-pool="" comment="Windows client need this to get DNS server" dhcp-option=dns interface=\
    Trusted_vlan name=Trusted_IPv6DHCP
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 \
    protocol=udp src-address=fe80::/10
add action=accept chain=forward comment="defconf: accept established,related" connection-state=\
    established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=\
    bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=\
    bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP - to research if really needed" disabled=\
    yes protocol=139
add action=accept chain=forward comment="Accept LAN to WAN" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop any"
add action=drop chain=input comment="Drop any"
/ipv6 firewall mangle
add action=mark-connection chain=forward comment=Mark_Others_Connection dst-prefix=::/0 \
    new-connection-mark=C_Others_WAN out-interface-list=WAN passthrough=yes src-prefix=::/0
add action=mark-connection chain=forward comment="Mark Infinity WAN connections" dst-prefix=::/0 \
    new-connection-mark=C_Infinity_WAN out-interface-list=WAN passthrough=yes src-mac-address=\
    74:56:3C:6C:4D:E2 src-prefix=::/0
add action=mark-connection chain=forward comment="Mark Pegasus WAN connections" dst-prefix=::/0 \
    new-connection-mark=C_Pegasus_Wan out-interface-list=WAN passthrough=yes src-mac-address=\
    3C:7C:3F:27:F7:E0 src-prefix=::/0
add action=mark-packet chain=forward comment="Mark Infinity Download" connection-mark=C_Infinity_WAN \
    dst-prefix=::/0 in-interface-list=WAN new-packet-mark=D_Infinity passthrough=no src-prefix=::/0
add action=mark-packet chain=forward comment="Mark Infinity Upload" connection-mark=C_Infinity_WAN \
    dst-prefix=::/0 new-packet-mark=U_Infinity out-interface-list=WAN passthrough=no src-prefix=::/0
add action=mark-packet chain=forward comment="Mark Pegasus Download" connection-mark=C_Pegasus_Wan \
    dst-prefix=::/0 in-interface-list=WAN new-packet-mark=D_Pegasus passthrough=no src-prefix=::/0
add action=mark-packet chain=forward comment="Mark Pegasus Upload" connection-mark=C_Pegasus_Wan \
    dst-prefix=::/0 new-packet-mark=U_Pegasus out-interface-list=WAN passthrough=no src-prefix=::/0
add action=mark-packet chain=forward comment="Mark Others Download" connection-mark=C_Others_WAN \
    dst-prefix=::/0 in-interface-list=WAN new-packet-mark=D_Others passthrough=no src-prefix=::/0
add action=mark-packet chain=forward comment="Mark Others Upload" connection-mark=C_Others_WAN \
    dst-prefix=::/0 new-packet-mark=U_Others out-interface-list=WAN passthrough=no src-prefix=::/0
/ipv6 nd
set [ find default=yes ] dns=2606:4700:4700::1111,2606:4700:4700::1001 mtu=1492 other-configuration=yes
/system clock
set time-zone-name=Europe/Brussels
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
 
Kentzo
Long time Member
Posts: 512
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Sat May 27, 2023 1:40 am

It appears that your firewall blocks DHCP requests from LAN, try adding this rule:
add action=accept chain=input dst-port=547 in-interface-list=LAN protocol=udp \
    comment="Accept DHCPv6 Clients from LAN"
(alter as needed to only allow clients from the vlan you want).
 
mikey

Sun May 28, 2023 10:09 am

> It appears that your firewall blocks DHCP requests from LAN, try adding this rule:
> add action=accept chain=input dst-port=547 in-interface-list=LAN protocol=udp \
>     comment="Accept DHCPv6 Clients from LAN"
> (alter as needed to only allow clients from the vlan you want).

Thank you for your reply. Sadly this doesn't seem to fix my problem.
 
Kentzo

Sun May 28, 2023 10:19 am

You're using the right DNS option and this setup works in principle.

Did you put the accept rule above the drop rule? Do you see counters go up when you renew DHCP lease on your PC?
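The rule-order question above can be checked offline against an export. This is an added example, not part of the thread or of RouterOS: a simplified first-match evaluator run over the input-chain rules from the posted export, with a constructed DHCPv6 client packet. `verdict`, `SOLICIT` and the other names are hypothetical, and only the matchers those rules use are modelled.

```python
import ipaddress
import re
import shlex

# Constructed sample: the input-chain rules from the export posted in the thread.
ORIGINAL = r'''/ipv6 firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 \
    protocol=udp src-address=fe80::/10
add action=drop chain=input comment="Drop any"
'''
# The accept rule suggested in the thread.
DHCPV6_RULE = r'''add action=accept chain=input dst-port=547 in-interface-list=LAN protocol=udp \
    comment="Accept DHCPv6 Clients from LAN"
'''
# Constructed packet: a DHCPv6 client message (UDP 546 -> 547) arriving from a LAN VLAN.
SOLICIT = {"chain": "input", "protocol": "udp", "src-port": 546, "dst-port": 547,
           "src-address": "fe80::1", "connection-state": "new", "in-interface-list": "LAN"}

def parse_rules(export):
    joined = re.sub(r"\\\n\s*", "", export)  # undo RouterOS "\" line continuations
    return [dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            for line in joined.splitlines() if line.startswith("add ")]

def port_in(spec, port):
    ranges = (p.partition("-") for p in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def matches(rule, pkt):
    for key, val in rule.items():
        if key in ("action", "chain", "comment", "log", "disabled"):
            continue
        if key in ("protocol", "in-interface-list", "connection-state"):
            ok = pkt[key] in val.split(",")
        elif key in ("src-port", "dst-port"):
            ok = port_in(val, pkt[key])
        elif key == "port":  # "port" matches either the source or the destination port
            ok = port_in(val, pkt["src-port"]) or port_in(val, pkt["dst-port"])
        elif key == "src-address":
            ok = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(val, strict=False)
        else:
            raise ValueError(f"matcher not modelled: {key}")
        if not ok:
            return False
    return True

def verdict(export, pkt):
    """Return (action, comment) of the first matching enabled rule, or None."""
    for rule in parse_rules(export):
        if rule["chain"] == pkt["chain"] and rule.get("disabled") != "yes" and matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return None
```

With the export as posted the packet falls through to "Drop any"; the accept rule changes that only when it sits above the drop rule, not when it is appended after it.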
 
aTOMico
just joined
Posts: 6
Joined: Sun Jan 16, 2022 5:31 pm

Sun May 28, 2023 11:38 am

Hi,
for me your main problem is the rule in the input chain.
It should be: source address: fe80::/16, udp, source port 547 (is the server), in interface list WAN.
You have to allow the dhcp server on the WAN side in the input chain.
How do you enter option 23 in the dhcpv6 server?
This site can help a lot to enter the hex code:

https://en.ethernetlord.eu/tools/mt-ipv ... erator.php

For me it's working.
Hope this helps you.
 
mikey

Sun May 28, 2023 1:23 pm

Thank you both!

The combination of the firewall rule (I had no idea you needed a firewall rule in IPv6 for DHCP) and the hex generator instead of putting it in plain text seems to have done the trick :)
 
Kentzo

Sun May 28, 2023 7:35 pm

It should work when you put it as a string, I do this.

You don’t have to have a DHCP rule, it’s just your current configuration drops all input that is not accepted.

I don’t think the suggestion to accept dhcp server input on wan is valid, it should be trusted_vlan where your windows machines are.
 
mikey

Mon May 29, 2023 11:02 am

> It should work when you put it as a string, I do this.
>
> You don’t have to have a DHCP rule, it’s just your current configuration drops all input that is not accepted.
>
> I don’t think the suggestion to accept dhcp server input on wan is valid, it should be trusted_vlan where your windows machines are.

I didn't do the one on the WAN. That didn't seem right.

How did you add multiple DNS entries as a string?
 
Kentzo

Tue May 30, 2023 7:10 am

> How did you add multiple DNS entries as a string?

I use this option to advertise my MikroTik as a DNS server, i.e. just one value. But it should work like this:
value="'2001:db8::1''2001:db8::2'"
Someone in Scripting might know better.
 
CDNMysphyt
just joined
Posts: 1
Joined: Tue Nov 21, 2023 3:38 am

Tue Nov 21, 2023 4:16 am

I'm running into a similar issue and I'm pretty sure I'm using the same config statements, even added the firewall rule to allow the DHCPv6 messages, but the router seems to just ignore them.
/ipv6 dhcp-server option
add code=23 name=dns value=0x26064700470000000000000000001001
/ipv6 dhcp-server
add address-pool="" comment="Windows client need this for DNS server" dhcp-option=dns interface=bd.main lease-time=1d name=main-dhcpv6
/ipv6 firewall filter
add action=accept chain=input comment="accept DHCPv6 solicit for DNS" dst-address=ff02::1:2/128 dst-port=547 in-interface-list=LAN log=yes protocol=udp src-address=fe80::/10 src-port=546

I see in my logs that the packets are making it to the router and at least matching the rule.
11-20 20:06:07 firewall,info input: in:bd.main out:(unknown 0), connection-state:new src-mac 8c:ae:4c:c6:24:e9, proto UDP, [fe80::cacd:e10e:5bce:abf3]:546->[ff02::1:2]:547, len 120
11-20 20:06:08 firewall,info input: in:bd.main out:(unknown 0), connection-state:new src-mac 8c:ae:4c:c6:24:e9, proto UDP, [fe80::cacd:e10e:5bce:abf3]:546->[ff02::1:2]:547, len 120
11-20 20:06:12 firewall,info input: in:bd.main out:(unknown 0), connection-state:new src-mac 8c:ae:4c:c6:24:e9, proto UDP, [fe80::cacd:e10e:5bce:abf3]:546->[ff02::1:2]:547, len 120

However, my packet capture on the host doesn't show any response from the router.

I've tried with using the DNS server's IPv6 address as the value, like mikey's original config snippet showed, and I've converted it to hex; neither worked. The link to the hex tool in this thread doesn't seem to be working right.

I'm running RouterOS 7.12 on a RB2011UAS-2HnD.

Any suggestions?
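On the hex value for option 23 discussed above (an added example, not part of the thread): RFC 3646 defines the option data as the DNS server addresses, 16 raw bytes each, concatenated, so a second server is simply appended to the first. The function names are hypothetical; the addresses are the ones from the thread's `/ipv6 nd` setting.

```python
import ipaddress

def encode_option23(servers):
    """Hex value (0x...) for DHCPv6 option 23: each address as 16 raw bytes, concatenated."""
    if not servers:
        raise ValueError("option 23 needs at least one address")
    return "0x" + b"".join(ipaddress.IPv6Address(s).packed for s in servers).hex()

def decode_option23(value):
    """Recover the address list from a hex value, rejecting malformed lengths."""
    raw = bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)
    if not raw or len(raw) % 16:
        # e.g. an address sent as ASCII text instead of raw bytes ends up here
        raise ValueError(f"{len(raw)} bytes is not a whole number of IPv6 addresses")
    return [str(ipaddress.IPv6Address(raw[i:i + 16])) for i in range(0, len(raw), 16)]

def routeros_option_line(servers, name="dns"):
    """Build the 'add' line for /ipv6 dhcp-server option in the form used in the thread."""
    return f"add code=23 name={name} value={encode_option23(servers)}"

# Addresses taken from the /ipv6 nd line of the export posted in the thread.
DNS_SERVERS = ["2606:4700:4700::1111", "2606:4700:4700::1001"]

if __name__ == "__main__":
    print("/ipv6 dhcp-server option")
    print(routeros_option_line(DNS_SERVERS))
    # Round trip: what a client would read back out of the option data.
    print(decode_option23(encode_option23(DNS_SERVERS)))
```

`decode_option23` is also a quick check on a value copied from a packet capture: a payload whose length is not a multiple of 16 bytes is not a valid address list.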
 
Kentzo

Tue Nov 21, 2023 5:37 am

If you disable each and every drop and reject rule in the firewall, does it still not work?
