tryrtryrtryrt
just joined
Topic Author
Posts: 22
Joined: Sat Jan 13, 2024 1:49 am

Best way to disable IPv6 advertisement only to specific clients?

Fri Jan 24, 2025 7:13 pm

Hello,

I hope you are well.

I have a /56 IPv6 pool leased from the ISP. I advertise it statelessly to my LAN clients and everything works alright.

However, for a few clients, I need to prevent them from receiving IPv6 addresses so that they only use IPv4. I know the MAC and IPv4 addresses of these clients, if it helps. I can send them DHCPv4 options (but I doubt it's relevant for IPv6). I cannot disable IPv6 on the clients; I need to prevent the router from advertising IPv6 to them, and only them.

Is there a way to achieve this? How do I do it?

As far as I understand, there is no built-in functionality to do what I want, and advertisement is done through multicast. So I assume /ipv6 firewall filter add is my friend. So I guess my question comes down to:
1. Is this at all possible?
2. What exact addresses and ports should I block in /ipv6 firewall filter?

Thanks in advance!
Last edited by tryrtryrtryrt on Sat Jan 25, 2025 4:02 pm, edited 2 times in total.
 
tdw
Forum Guru
Posts: 2088
Joined: Sat May 05, 2018 11:55 am

Re: Best way to disable IPv6 advertisement only to specific clients?  [SOLVED]

Fri Jan 24, 2025 8:09 pm

You can't block advertisements to some clients at the source; being multicast, they are sent to all devices within a layer 2 network.
 
tryrtryrtryrt
just joined
Topic Author
Posts: 22
Joined: Sat Jan 13, 2024 1:49 am

Re: Best way to disable IPv6 advertisement only to specific clients?

Fri Jan 24, 2025 8:12 pm

> You can't block advertisements to some clients at the source; being multicast, they are sent to all devices within a layer 2 network.

Just to double-check, is it possible to block on L2 level via /interface ethernet switch rule, or multicast cannot be blocked per client (per MAC) even there?
 
rextended
Forum Guru
Posts: 12661
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Best way to disable IPv6 advertisement only to specific clients?

Fri Jan 24, 2025 8:14 pm

multicast is multicast, not somenotcast..................
 
mkx
Forum Guru
Posts: 13278
Joined: Thu Mar 03, 2016 10:23 pm

Re: Best way to disable IPv6 advertisement only to specific clients?

Fri Jan 24, 2025 9:19 pm

>> You can't block advertisements to some clients at the source; being multicast, they are sent to all devices within a layer 2 network.
>
> Just to double-check, is it possible to block on L2 level via /interface ethernet switch rule, or multicast cannot be blocked per client (per MAC) even there?

It might be possible to filter (certain) multicasts on a bridge port. But if there are multiple hosts behind that port, none of the hosts will then receive the filtered multicasts.
 
tryrtryrtryrt
just joined
Topic Author
Posts: 22
Joined: Sat Jan 13, 2024 1:49 am

Re: Best way to disable IPv6 advertisement only to specific clients?

Sat Jan 25, 2025 12:36 pm

> It might be possible to filter (certain) multicasts on a bridge port. But if there are multiple hosts behind that port, none of the hosts will then receive the filtered multicasts.

I've added such a rule (my switch rule table was empty, so the rule is active and also /interface ethernet switch rule print shows it's active):
/interface ethernet switch rule add dst-address6=ff02::1/128 new-dst-ports="" ports=sfp-sfpplus6 protocol=icmpv6 switch=switch1
sfp-sfpplus6 is the port the device I want to stop from SLAACing is directly connected to.

Somehow, the device still SLAACs an IPv6 address (I powercycled the device). I don't understand how that is possible.
 
mkx
Forum Guru
Posts: 13278
Joined: Thu Mar 03, 2016 10:23 pm

Re: Best way to disable IPv6 advertisement only to specific clients?

Sat Jan 25, 2025 12:56 pm

Which particular model of router are you using? Not all models can do switch rules (even if the config subtree exists).
 
tryrtryrtryrt
just joined
Topic Author
Posts: 22
Joined: Sat Jan 13, 2024 1:49 am

Re: Best way to disable IPv6 advertisement only to specific clients?

Sat Jan 25, 2025 1:13 pm

> Which particular model of router are you using? Not all models can do switch rules (even if the config subtree exists).

CRS309-1G-8S+IN https://mikrotik.com/product/crs309_1g_8s_in
Should work.
 
tdw
Forum Guru
Posts: 2088
Joined: Sat May 05, 2018 11:55 am

Re: Best way to disable IPv6 advertisement only to specific clients?

Sat Jan 25, 2025 2:21 pm

A switch rule ports setting matches switch ingress interfaces. I can't see an equivalent to match egress interfaces, likely by the time the egress interface(s) have been selected it is too late to apply a rule.
 
tryrtryrtryrt
just joined
Topic Author
Posts: 22
Joined: Sat Jan 13, 2024 1:49 am

Re: Best way to disable IPv6 advertisement only to specific clients?

Sat Jan 25, 2025 3:02 pm

As far as I can tell, there is physically no way to match IPv6 RA traffic only for a specific bridged port without an unacceptable performance penalty (enabling use-ip-firewall for the whole bridge).

/interface ethernet switch rule does not have an out port matcher.
/interface bridge filter does not match these packets (I assume, as they're generated by the CPU).
/ipv6 firewall filter add cannot use out-bridge-port without use-ip-firewall.
(And packets themselves don't contain any content in header or value that can distinguish one destination from the other.)
 
tryrtryrtryrt
just joined
Topic Author
Posts: 22
Joined: Sat Jan 13, 2024 1:49 am

Re: Best way to disable IPv6 advertisement only to specific clients?

Sat Jan 25, 2025 4:00 pm

For future reference, dropping MLD Report packets (for them /interface ethernet switch rule ports would work as router is ingressing these packets) from the device you want to prevent SLAAC for won't help either. Routers don't usually store which devices are subscribed, but rather if anyone is subscribed. If there is another device in the same network as the one you want to prevent from SLAAC, it will subscribe through MLD to do IPv6 RS, and when the router sends IPv6 RA to them, the device you want to prevent will receive it as well.
 
mkx
Forum Guru
Forum Guru
Posts: 13278
Joined: Thu Mar 03, 2016 10:23 pm

Re: Best way to disable IPv6 advertisement only to specific clients?

Sat Jan 25, 2025 4:17 pm

OK, so it's not possible to block RAs towards individual devices. But it is possible to block all IPv6 frames from individual devices using a switch ACL. The drawback is that the device in question will see RAs and will configure itself with a GUA (based on SLAAC), but won't be able to use it. This can cause a slight delay when making new connections if the device prefers IPv6 over IPv4. Not sure if such delays are tolerable in your case. A way around would be to use a DNS server configured to only return A records, not AAAA.
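
Added example, not part of the thread and not RouterOS code: a small Python model of the ingress-only matching described above, run over constructed frames, showing why the RA rule never fires while a "drop all IPv6 from the client port" rule stops the client's own traffic but not the RA. The port name `cpu`, the MAC addresses and the rule dictionaries are assumptions made for the model.

```python
import ipaddress
import struct

ETH_IPV6, ICMPV6, RA, RS = 0x86DD, 58, 134, 133   # EtherType, next header, ICMPv6 types

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def ipv6_frame(src_mac, dst_mac, src_ip, dst_ip, icmp_type):
    """Constructed sample: minimal Ethernet + IPv6 + ICMPv6 frame (checksum left at 0)."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + bytes(12)
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, 255)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address(dst_ip).packed
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_IPV6) + ip6 + icmp

def parse(frame):
    f = {"ethertype": struct.unpack("!H", frame[12:14])[0], "dst_ip": None, "icmp_type": None}
    if f["ethertype"] == ETH_IPV6 and len(frame) >= 54:
        f["dst_ip"] = ipaddress.IPv6Address(frame[38:54])
        if frame[20] == ICMPV6 and len(frame) > 54:   # IPv6 next-header byte
            f["icmp_type"] = frame[54]
    return f

def rule_drops(rule, ingress_port, frame):
    """Ingress-only model: `ports` is compared with the port the frame entered on."""
    f = parse(frame)
    return (ingress_port in rule["ports"]
            and rule.get("ethertype", f["ethertype"]) == f["ethertype"]
            and ("dst_ip" not in rule or f["dst_ip"] == ipaddress.IPv6Address(rule["dst_ip"]))
            and (not rule.get("icmpv6") or f["icmp_type"] is not None))

# Hypothetical rule dicts: the RA rule tried in the thread, and "drop all IPv6 from the client".
RA_RULE = {"ports": {"sfp-sfpplus6"}, "dst_ip": "ff02::1", "icmpv6": True}
CLIENT_V6_RULE = {"ports": {"sfp-sfpplus6"}, "ethertype": ETH_IPV6}

ROUTER, CLIENT = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed MACs
ra = ipv6_frame(ROUTER, "33:33:00:00:00:01", "fe80::1", "ff02::1", RA)
rs = ipv6_frame(CLIENT, "33:33:00:00:00:02", "fe80::2", "ff02::2", RS)
echo = ipv6_frame(CLIENT, ROUTER, "2001:db8::2", "2001:db8:1::1", 128)
ipv4 = mac(ROUTER) + mac(CLIENT) + struct.pack("!H", 0x0800) + bytes(20)

def evaluate():
    return {   # the router's own RA enters from the CPU side (assumed port name "cpu")
        "ra_rule_drops_ra": rule_drops(RA_RULE, "cpu", ra),
        "v6_rule_drops_ra": rule_drops(CLIENT_V6_RULE, "cpu", ra),
        "v6_rule_drops_client_rs": rule_drops(CLIENT_V6_RULE, "sfp-sfpplus6", rs),
        "v6_rule_drops_client_v6": rule_drops(CLIENT_V6_RULE, "sfp-sfpplus6", echo),
        "v6_rule_drops_client_v4": rule_drops(CLIENT_V6_RULE, "sfp-sfpplus6", ipv4),
    }
```

In this model the client still receives the RA and can still autoconfigure an address, which matches the drawback noted in the post above; only its outgoing IPv6 frames are dropped, and IPv4 is untouched.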
 
tryrtryrtryrt
just joined
Topic Author
Posts: 22
Joined: Sat Jan 13, 2024 1:49 am

Re: Best way to disable IPv6 advertisement only to specific clients?

Sat Jan 25, 2025 4:25 pm

> OK, so it's not possible to block RAs towards individual devices. But it is possible to block all IPv6 frames from individual devices using a switch ACL. The drawback is that the device in question will see RAs and will configure itself with a GUA (based on SLAAC), but won't be able to use it. This can cause a slight delay when making new connections if the device prefers IPv6 over IPv4. Not sure if such delays are tolerable in your case. A way around would be to use a DNS server configured to only return A records, not AAAA.

Thanks for the suggestion. Yeah, I thought about it from the get-go, unfortunately, it's not ideal for the reason you described.
I also thought about a similar idea with routing table+rules dedicated to this device with ::/0 marked as unreachable. But too much hassle.

For now, I will likely continue to live without default IPv6 everywhere except on the router and on a few devices (statically set) where it's necessary.
Wanted to transition to (dual-stack) default IPv6 everywhere to check if there are any bugs in the long run.
 
mkx
Forum Guru
Posts: 13278
Joined: Thu Mar 03, 2016 10:23 pm

Re: Best way to disable IPv6 advertisement only to specific clients?

Sat Jan 25, 2025 6:50 pm

> Wanted to transition to (dual-stack) default IPv6 everywhere to check if there are any bugs in the long run.

Perhaps it will give you a bit of incentive in this direction: I've been using IPv6 at home for almost 10 years and I've had no problems with it, all devices I use work with IPv6 just fine. A minor detail which probably makes my life easier: I have both IPv4 address and IPv6 prefix static. So give it a shot.