 
WizGirl
just joined
Topic Author
Posts: 5
Joined: Fri Apr 22, 2022 10:05 am

IPv6 Default route invalid?

Fri Apr 29, 2022 11:42 pm

I have my home network in the process of enabling IPv6 support, and everything is working "internally". I have gotten a prefix delegation, set up my pool and ND is working. For some reason I cannot seem to get my default route to work. They always show as invalid and unreachable. On my Xfinity modem, I checked to see what it was using for the default gateway, and pinged it from my ether1, and that showed consistent replies, but when I put that default gateway (or the different one automatically selected by ROS from the DHCP client for that matter) into the default route, it still shows invalid and unreachable. Am I missing something here?
# apr/29/2022 13:40:23 by RouterOS 7.3beta37

/ipv6 address
add from-pool=pool01 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=pool01 \
    pool-prefix-length=60 request=address,prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] interface=bridge managed-address-configuration=yes \
    other-configuration=yes
/ipv6 settings
set accept-router-advertisements=yes
 
WizGirl
just joined
Topic Author
Posts: 5
Joined: Fri Apr 22, 2022 10:05 am

Re: IPv6 Default route invalid?

Sat Apr 30, 2022 3:35 am

I have continued to try to figure this out. I can ping IPv6 addresses at large from within RouterOS, but that's it; the default route will not work, and none of my devices can access IPv6 webpages. (Routing internally works though.)

Pinging various public IPs...
[admin@RB3011UiAS] > ping 2001:4860:4860::8888
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                                                    
    0 2001:4860:4860::8888                       56  58 14ms162us  echo reply                                                                                                                
    1 2001:4860:4860::8888                       56  58 8ms440us   echo reply                                                                                                                
    2 2001:4860:4860::8888                       56  58 13ms264us  echo reply                                                                                                                
    3 2001:4860:4860::8888                       56  58 13ms626us  echo reply                                                                                                                
    4 2001:4860:4860::8888                       56  58 15ms533us  echo reply                                                                                                                
    5 2001:4860:4860::8888                       56  58 13ms312us  echo reply                                                                                                                
    6 2001:4860:4860::8888                       56  58 15ms899us  echo reply                                                                                                                
    sent=7 received=7 packet-loss=0% min-rtt=8ms440us avg-rtt=13ms462us max-rtt=15ms899us 


This is the default gateway Xfinity DHCP is handing out below...

[admin@RB3011UiAS] > ping 2001:558:4000:bf::10
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                                                  
    0 2001:558:4000:bf::10                       56  63 13ms624us  echo reply                                                                                                              
    1 2001:558:4000:bf::10                       56  63 12ms5us    echo reply                                                                                                              
    2 2001:558:4000:bf::10                       56  63 16ms504us  echo reply                                                                                                              
    3 2001:558:4000:bf::10                       56  63 27ms593us  echo reply                                                                                                              
    4 2001:558:4000:bf::10                       56  63 11ms789us  echo reply                                                                                                              
    5 2001:558:4000:bf::10                       56  63 17ms335us  echo reply                                                                                                              
    sent=6 received=6 packet-loss=0% min-rtt=11ms789us avg-rtt=16ms475us max-rtt=27ms593us 

yet still...
Image

Does anyone have any ideas on what the problem might be? I read something that might suggest it was an issue with the nexthop to the gateway, but it's already pingable as it is, so I'm not sure about that, although admittedly I do not fully understand what it is trying to say there.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPv6 Default route invalid?

Sat Apr 30, 2022 12:33 pm

If you can ping Google's 2001:4860:4860::8888, you already have working default gateway and you don't need any other.

But I have doubts about things working in LAN, because unless you added an external DHCPv6 server for LAN clients, they currently shouldn't be getting any addresses from the prefix you got. You should have a DHCPv6 client with pool-prefix-length=64, which will in turn give you an address with /64 on bridge, and then you should have managed-address-configuration=no other-configuration=no, to tell clients that they should use autoconfiguration (which also needs advertise=yes for the address, but that should be the default).
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: IPv6 Default route invalid?

Sat Apr 30, 2022 2:26 pm

To expand on the WAN-side configuration...

DHCPv6 has no mechanism to obtain or provide a default gateway. The MikroTik DHCPv6 client add-default-route=yes is a hacky bodge: it uses the address of the DHCPv6 server from which the address/prefix/other information was received. This works if the DHCPv6 server and the default gateway have the same link-local address, but otherwise fails.

The correct method is to set add-default-route=no and use received router advertisements (RA), which unfortunately are not displayed by RouterOS, as discussed in other forum posts.

On the LAN side you should not use the all-zeros subnet address; it is reserved as the Subnet-Router anycast address per RFC 4291 section 2.6.1. You can either set a specific non-zero address or use one generated from the interface MAC address, so either
/ipv6 address
add address=::1/64 from-pool=pool01 interface=bridge

or
/ipv6 address
add eui-64=yes from-pool=pool01 interface=bridge
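
Added example, not part of the post above and not RouterOS code: a Python sketch of the address arithmetic behind the LAN-side advice, showing why an all-zeros interface ID lands on the Subnet-Router anycast address and what the ::1 and EUI-64 alternatives produce. The 2001:db8:0:10::/60 delegation, the MAC 00:11:22:33:44:55 and all function names are constructed for illustration.

```python
import ipaddress

def lan_subnets(delegated: str) -> list:
    """Split a delegated prefix (e.g. a /60) into the /64s usable on LAN segments."""
    return list(ipaddress.IPv6Network(delegated).subnets(new_prefix=64))

def is_subnet_router_anycast(iface: str) -> bool:
    """RFC 4291 2.6.1: prefix followed by an all-zeros interface ID is reserved."""
    i = ipaddress.IPv6Interface(iface)
    return i.network.prefixlen < 128 and i.ip == i.network.network_address

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: insert ff:fe between the MAC halves, flip the U/L bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]
    return int.from_bytes(eui, "big")

def address_in_subnet(subnet: str, interface_id: int) -> ipaddress.IPv6Interface:
    """Combine a /64 with a 64-bit interface ID into an interface address."""
    net = ipaddress.IPv6Network(subnet)
    if net.prefixlen != 64 or not 0 <= interface_id < 2**64:
        raise ValueError("need a /64 and a 64-bit interface ID")
    addr = ipaddress.IPv6Address(int(net.network_address) | interface_id)
    return ipaddress.IPv6Interface(f"{addr}/64")

if __name__ == "__main__":
    delegated = "2001:db8:0:10::/60"   # constructed sample delegation
    mac = "00:11:22:33:44:55"          # constructed sample bridge MAC
    first = str(lan_subnets(delegated)[0])
    candidates = {
        "all-zeros interface ID": address_in_subnet(first, 0),
        "address=::1/64": address_in_subnet(first, 1),
        "eui-64=yes": address_in_subnet(first, eui64_interface_id(mac)),
    }
    for label, iface in candidates.items():
        flag = "RESERVED anycast" if is_subnet_router_anycast(str(iface)) else "ok"
        print(f"{label:24} {iface}  {flag}")
```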
 
ConradPino
Member
Posts: 337
Joined: Sat Jan 21, 2023 12:44 pm

Re: IPv6 Default route invalid?

Thu Aug 17, 2023 12:57 am

Default IPv6 firewall rule impacts recent Comcast Xfinity change.
viewtopic.php?p=1019432#p914681 is worth reading.

Default setup for Router Advertisements and Forwarding interact and affect default gateway acquisition.
viewtopic.php?t=194172#p1019428 is worth reading.
