/ipv6/export
# 2025-01-08 18:46:37 by RouterOS 7.16.2
# software id = soft_id
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = my_serial
# IPv6 part of the export: address pool, DHCPv6 client on ether1, defconf firewall, ND.
/ipv6 pool
# NOTE(review): this static pool (prefix ::/0) has the same name as the dhcp-client
# pool-name below. The client is expected to populate that pool from the delegated prefix,
# so a manual entry with the same name looks unnecessary and may conflict - TODO confirm.
add name=ipv6-pool prefix=::/0 prefix-length=48
/ipv6 dhcp-client
# Requests both an address and a delegated prefix on ether1, installs a default route and
# ignores the DNS servers offered by the peer (use-peer-dns=no).
add add-default-route=yes comment=LITFIBRE-IP6 interface=ether1 pool-name=ipv6-pool pool-prefix-length=48 request=address,prefix use-interface-duid=yes use-peer-dns=no
/ipv6 firewall address-list
# bad_ipv6 is referenced only by the two forward-chain drop rules further down; the input
# chain in this export does not consult it.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Input chain: traffic addressed to the router itself. Rule order matters, so the accepts
# below take effect before the final drop.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# ICMPv6 to the router is accepted on every interface, with no type match or rate limit;
# this covers neighbour discovery and router advertisements as well as echo.
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
# DHCPv6 replies (UDP 546) are accepted from link-local sources only.
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
# IKE, AH and ESP are accepted from any source on any interface.
# NOTE(review): if the router terminates no IPsec tunnels, these rules only add exposure on
# the ISP-facing side and could be disabled - confirm before removing.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Catch-all drop. It depends on the LAN interface list, which is not part of this /ipv6
# export: an interface missing from the list is treated as outside, and an ISP-facing port
# added to it would bypass this rule.
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# Forward chain: traffic routed through the router. No NAT section appears in this export,
# so hosts with global addresses rely on these rules for inbound filtering.
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
# The accepts from here to the final drop carry no in-interface match, so unsolicited
# ICMPv6, HIP (protocol 139), IKE, AH and ESP arriving from outside are forwarded to LAN hosts.
# NOTE(review): tighten these if no LAN host needs inbound IPsec or HIP.
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
# Sets the managed-address and other-configuration flags on the default ND entry, which
# points hosts at DHCPv6 for addresses and options.
# NOTE(review): no /ipv6 dhcp-server section appears in this export - confirm one exists.
set [ find default=yes ] managed-address-configuration=yes other-configuration=yes
/ipv6/settings/set accept-router-advertisements: yes
expected end of command (line 1 column 20)
Sorry, it should be the following (in reply to: /ipv6/settings/set accept-router-advertisements: yes — expected end of command (line 1 column 20)):
/ipv6/settings/set accept-router-advertisements=yes
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
# IPv6 export with a prefix-only DHCPv6 client, the defconf firewall and RA acceptance enabled.
/ipv6 dhcp-client
# Prefix delegation only (request=prefix). add-default-route is not set on this entry, so
# the IPv6 default route would - presumably - have to come from a router advertisement
# (see /ipv6 settings at the end of this export).
add comment=LITFIBRE-IP6 interface=ether1 pool-name=ipv6-pool \
request=prefix
/ipv6 firewall address-list
# bad_ipv6 is used only by the forward-chain drop rules below.
add address=::/128 comment="defconf: unspecified address" list=\
bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=\
bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=\
bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=\
bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Input chain: traffic addressed to the router itself.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" \
connection-state=invalid
# All ICMPv6 to the router is accepted on every interface; router advertisements arrive
# through this rule.
add action=accept chain=input comment="defconf: accept ICMPv6" \
protocol=icmpv6
add action=accept chain=input comment=\
"defconf: accept UDP traceroute" dst-port=33434-33534 \
protocol=udp
# DHCPv6 replies (UDP 546) are accepted on ether1 only, but without a src-address match,
# so any source reaching that port qualifies.
# NOTE(review): the stock rule quoted elsewhere on this page also has src-address=fe80::/10;
# keeping both matches would limit this to link-local senders on ether1.
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=\
546 in-interface=ether1 protocol=udp
# IKE, AH and ESP are accepted from any source; worth disabling if no IPsec is terminated
# on the router - confirm.
add action=accept chain=input comment="defconf: accept IKE" \
dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" \
protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" \
protocol=ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=\
in,ipsec
# Catch-all drop; relies on the LAN interface list, which this /ipv6 export does not show.
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" \
in-interface-list=!LAN
# Forward chain: traffic routed through to hosts behind the router.
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=\
bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=\
bad_ipv6
add action=drop chain=forward comment=\
"defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 \
protocol=icmpv6
# The remaining accepts have no in-interface match, so ICMPv6, HIP, IKE, AH and ESP from
# outside are forwarded to LAN hosts before the final drop is reached.
add action=accept chain=forward comment="defconf: accept ICMPv6" \
protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" \
protocol=139
add action=accept chain=forward comment="defconf: accept IKE" \
dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" \
protocol=ipsec-ah
add action=accept chain=forward comment=\
"defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=\
in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" \
in-interface-list=!LAN
/ipv6 nd
# Sets the managed-address and other-configuration flags in the router's own advertisements.
set [ find default=yes ] managed-address-configuration=yes \
other-configuration=yes
/ipv6 settings
# The router will act on received router advertisements. This is set under /ipv6 settings
# rather than per interface, and the ICMPv6 input rule above has no interface match, so -
# presumably - an RA sent from the LAN side would be processed as well.
# NOTE(review): consider accepting ICMPv6 type 134 only on ether1 - verify on the RouterOS
# version in use.
set accept-router-advertisements=yes
2nd directive:
/ipv6 dhcp-client
add add-default-route=yes comment="delegate ISP-assigned prefix" interface=\
ether1 pool-name=isp-ipv6 prefix-hint=::/48 request=address,prefix \
use-peer-dns=no
3rd directive:
/ipv6 nd
# NOTE(review): interface=ether1 points the default ND entry at the port the DHCPv6 client
# uses elsewhere on this page, i.e. the ISP-facing side. Router advertisements and the
# listed DNS servers would then be sent towards the ISP, not to the LAN bridge - confirm
# this is intended. ra-lifetime=none presumably means the router does not offer itself as
# a default router in those advertisements - verify.
set [ find default=yes ] dns=2606:4700:4700::1111,2606:4700:4700::1001 \
interface=ether1 mtu=1500 ra-lifetime=none reachable-time=5m
4th directive:
/ipv6 nd prefix default
set preferred-lifetime=4h valid-lifetime=4h
NOW REBOOT your Router
/ipv6 settings set accept-router-advertisements=yes max-neighbor-entries=8192
DHCPv4 is working over ether1 yes.you use pppoe or vlan?
the dhcpv4 is directly over ether1?
what is your LAN interface?
/ip route pri
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 1.1.1.1 1
DAc 1.1.1.1/20 ether1 0
DAc 192.168.1.0/24 bridge 0
# Suggested reset of the IPv6 client/LAN configuration: prefix-only DHCPv6 on ether1,
# a /64 from the delegated pool on the bridge, and router advertisements on the bridge.
/ipv6 settings
# accept-router-advertisements=yes-if-forwarding-disabled is combined with forward=yes, so
# going by the value name received RAs are not acted on while forwarding is enabled.
# NOTE(review): add-default-route=no is also set on the DHCPv6 client below, so nothing in
# this snippet appears to install an IPv6 default route - confirm that is intended.
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes-if-forwarding-disabled forward=yes max-neighbor-entries=32768
set multipath-hash-policy=l3 ; # this line do error if not used on v7.16.2 and up
/ipv6 dhcp-client
# Destructive: removes every existing DHCPv6 client entry before adding the new one.
# Export the current configuration first if it may need to be restored.
remove [find]
add add-default-route=no disabled=no interface=ether1 pool-name=dhcpv6-pool pool-prefix-length=64 prefix-hint=::/0 \
    rapid-commit=no request=prefix use-peer-dns=yes
/ipv6 address
# Destructive: removes every non-dynamic IPv6 address on the router.
remove [find where dynamic=no]
# Assigns the bridge an EUI-64 address out of the delegated pool and advertises that prefix.
add address=::/64 advertise=yes disabled=no eui-64=yes from-pool=dhcpv6-pool no-dad=no interface=bridge
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/ipv6 nd
# Router advertisements are bound to the bridge (LAN side), with the managed-address and
# other-configuration flags off.
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=no hop-limit=64 managed-address-configuration=no \
    mtu=unspecified other-configuration=no ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m reachable-time=unspecified \
    retransmit-interval=unspecified interface=bridge
set [ find default=yes ] ra-preference=medium ; # this line do error if not used on v7.16.2 and up
/interface print
Flags: R - RUNNING; S - SLAVE
Columns: NAME, TYPE, ACTUAL-MTU, L2MTU, MAX-L2MTU, MAC-ADDRESS
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R ether1 ether 1500 1568 9214 F4:1E:57:2D:D4:5B
1 S ether2 ether 1500 1568 9214 F4:1E:57:2D:D4:5C
2 RS ether3 ether 1500 1568 9214 F4:1E:57:2D:D4:5D
3 RS ether4 ether 1500 1568 9214 F4:1E:57:2D:D4:5E
4 S ether5 ether 1500 1568 9214 F4:1E:57:2D:D4:5F
;;; defconf
5 R bridge bridge 1500 1560 F4:1E:57:2D:D4:5C
6 R lo loopback 65536 00:00:00:00:00:00
7 RS wifi1 wifi 1500 1560 1560 F4:1E:57:2D:D4:60
8 RS wifi2 wifi 1500 1560 1560 F4:1E:57:2D:D4:61
9 RS wifi3 wifi 1500 1560 1560 F6:1E:57:2D:D4:60
10 RS wifi4 wifi 1500 1560 1560 F6:1E:57:2D:D4:61
/ipv6 address
remove [find where dynamic=no]
/ipv6 dhcp-client
remove [find]
add add-default-route=yes disabled=no interface=ether1 rapid-commit=no request=address use-peer-dns=yes
If you obtain an IPv6 address, put it here, obfuscating it (but not the /xx part).
/ipv6 rou pri
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd ::/0 fe80::a05:e2ff:feb0:9e8f%ether1 1
DAc ::1/128 lo 0
DAc ISP_PROVIDED_IP/128 ether1 0
DAc fe80::%ether1/64 ether1 0
DAc fe80::%bridge/64 bridge 0
/ipv6 address pri
Flags: D - DYNAMIC; G - GLOBAL, L - LINK-LOCAL
Columns: ADDRESS, INTERFACE, ADVERTISE
# ADDRESS INTERFACE ADVERTISE
0 D ::1/128 lo no
1 DL fe80::f61e:57ff:fe2d:d45c/64 bridge no
2 DL fe80::f61e:57ff:fe2d:d45b/64 ether1 no
3 DG ISP_PROVIDED_IP/128 ether1 no
I suspect this means that your ISP has a security lock on the MAC address of their provided Router.
Once again, I have checked that my ISP router is able to connect via IPv6 when it is plugged into the ONT.
Thanks for the suggestion, the ISP has confirmed that they do not use any MAC whitelisting and that the router "should" work fine.
I suspect this means that your ISP has a security lock on the MAC address of their provided Router.
Once again, I have checked that my ISP router is able to connect via IPv6 when it is plugged into the ONT.
So you can try the following [assuming you are still using the config I provided you]
Find out the MAC Address of the ISP Router for the WAN connection THEN on the TIK Router change the MAC addy of ether1 to match that and see if that solves the problem.
Or you can ask them if their security protocol ties their provided Router's MAC addy or serial number to your account --- they can change that to your Tik's ether1 MAC addy or the Tik's serial number if that is the case ...
"cryptic box" probably is just configured to do bridging,
and the Juniper router of your ISP provide public IPv4 on DHCP and single IPv6...
This is wrong …. If the network team cannot see the ONT …. ESCALATE TO some one who can … do not give up … this is not rocket science … someone from the NOC should be able to help you to resolve this ….
Their network team cannot see the ONT (cryptic wall box) and the IP allocation is not coming through it anymore. They cannot see very much because of this.
+100If the network team cannot see the ONT …. ESCALATE TO some one who can … do not give up … this is not rocket science … someone from the NOC should be able to help you to resolve this ….
Another possibility (very common where optical network owner is different than ISP) is that ISP network team never saw ONT, they actually saw their own router. With their router out of the way, ISP can't see much. And ONT will be managed (and seen) by ON owner's network team (but you as ISP's customer don't have "right" to talk to them).This is wrong …. If the network team cannot see the ONT ….
Their network team cannot see the ONT (cryptic wall box) and the IP allocation is not coming through it anymore. They cannot see very much because of this.
Actually not likely.I'm using 6to4, but I'm assuming there's probably a way to switch it to 6to6 as I can get a single IP6 address and it's probably going to be a little better?
Nothing in the capture suggests any of these actions. Please try to capture at least 10 minutes worth of traffic. At the very least we need to see ICMPv6 Router Advertisement packet there.During the capture, I requested a prefix, changed my firewall rules, and then requested a single IP.
If that is their way of dealing with this THEN I suspect they are using a MAC addy or serial number lock on your account .... so then you should TRY the spoofing solution I mentioned earlier:
Unfortunately it doesn't look like my ISP will actually be much help in getting this sorted as they're taking the "it's a third-party router, not our responsibility" route.
If that does not work then you may try one other method.
/interface ethernet set ether1 mac-address=xxx
Very strange ....
Well, after a bit of back and forth with my ISP they have advised me that despite previous communication they are using RADV for prefix allocations on IPv6.
received Router Advertisement on ether1 from fe80::a05:e2ff:feb0:9e8f
# IPv6 export with an address-only DHCPv6 client, the defconf firewall and RA acceptance.
/ipv6 dhcp-client
# NOTE(review): only an address is requested (request=address), yet pool-name=litv6 is set.
# Without a delegated prefix the pool presumably stays empty, so LAN hosts would get no
# global prefix from this client - confirm.
add interface=ether1 pool-name=litv6 request=address
/ipv6 firewall address-list
# bad_ipv6 is consulted only by the forward-chain drop rules below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Input chain: traffic addressed to the router itself.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# All ICMPv6 to the router is accepted on every interface, router advertisements included.
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
# DHCPv6 replies (UDP 546) are accepted from link-local sources only.
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
# IKE, AH and ESP are reachable from any source; candidates for disabling when the router
# terminates no IPsec - confirm.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Catch-all drop; its effect depends on the LAN interface list, which this export omits.
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# Forward chain: traffic routed through to hosts behind the router.
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
# These accepts have no in-interface match, so the listed protocols are forwarded inbound
# to LAN hosts before the final drop applies.
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] hop-limit=64
/ipv6 settings
# The router acts on received router advertisements. The ICMPv6 input rule above is not
# limited to ether1, so - presumably - an RA from the LAN side would be processed too.
# NOTE(review): consider restricting accepted RAs to the ISP-facing interface - verify.
set accept-router-advertisements=yes
Nice to read that you have it now working ...Well, I got it working.
For some reason, setting the prefix hint to 0 fixed it.
Nice to read that you have it now working ...Well, I got it working.
For some reason, setting the prefix hint to 0 fixed it.
I'm very curious as to the prefix size they actually gave you because a prefix hint to 0 in the IPv6 prefix field indicates that the requesting router has no preference for the prefix ...
Nice to read that you have it now working ...Well, I got it working.
For some reason, setting the prefix hint to 0 fixed it.
I'm very curious as to the prefix size they actually gave you because a prefix hint to 0 in the IPv6 prefix field indicates that the requesting router has no preference for the prefix ...
You're correct yeah. I'm not sure if it's worth tracking down the specific configuration issue that caused the problem as I have a feeling that they [Lit Fibre/CityFibre] made some changes on their end at some point because packet captures started showing a bit more data later on.
Nice to read that you have it now working ...
I'm very curious as to the prefix size they actually gave you because a prefix hint to 0 in the IPv6 prefix field indicates that the requesting router has no preference for the prefix ...
Also I did apply a firmware update, which could have had an impact.
And prefix hint ::/0 is default ... it's not shown in @OPs first shown configuration so it's been at default initially. So it must have been something other which made the difference.
Yes that is weird and frankly makes no sense to me.They did allocate a /48 prefix as requested. Although with the prefix hint set to 48 they won't allocate it. The prefix hint must be 0. Weird.