majbthrd

SXT LTE IPv6 possible without DHCPv6?

Thu Oct 14, 2021 11:16 pm

I have a RBSXTR&R11e-LTE-US (RouterOS 6.48.5, R11e-LTE-US MPSS: R11eL_v16.02.183961 APSS: R11eL_v05.03.183961 CUSTAPP:) where the cell provider offers IPv6, but only the SXT exhibits IPv6 connectivity. IPv6 traffic on the LAN side of the firewall is sent out to the WAN, but when the cell provider generates a Neighbor Solicitation in order to deliver the response, this is ignored by RouterOS.

My previous experience seems to suggest that RouterOS will work correctly (providing IPv6 connectivity for a /64 subnet) with an IPv6 provider *when* the "M bit" (Managed address configuration) is set in the Router Advertisement and RouterOS is configured with a DHCPv6 client for said provider.

As you can see below, this IPv6 provider does not have the M bit, and so does not provide a DHCPv6 server:

Internet Control Message Protocol v6
    Type: Router Advertisement (134)
    Code: 0
    Cur hop limit: 64
    Flags: 0x00, Prf (Default Router Preference): Medium
        0... .... = Managed address configuration: Not set
        .0.. .... = Other configuration: Not set
        ..0. .... = Home Agent: Not set
        ...0 0... = Prf (Default Router Preference): Medium (0)
        .... .0.. = Proxy: Not set
        .... ..0. = Reserved: 0
    Router lifetime (s): 45
    Reachable time (ms): 0
    Retrans timer (ms): 0
    ICMPv6 Option (Prefix information : 2607:XXXX:XXXX:XXXX::/64)
    ICMPv6 Option (Route Information : High ::/0)
    ICMPv6 Option (Recursive DNS Server 2001:4860:4860::8888 2001:4860:4860::8844)
    ICMPv6 Option (Source link-layer address : 1a:82:1b:XX:XX:XX)

The /ipv6 nd capability clearly works, as RouterOS is aware of the assigned prefix:

[admin@MikroTik] > /ipv6 address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
 #    ADDRESS                                     FROM-... INTERFACE        ADV
 0 DL fe80::XXXX:XXXX:XXXX:XXXX/64                         bridge           no 
 1 DL fe80::XXXX:XXXX:XXXX:XXXX/64                         lte1             no 
 2 DG fec0:0:0:ffff::1/64                                  bridge           no 
 3 DG 2607:XXXX:XXXX:XXXX::/64                             bridge           yes
 4 DG 2607:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:f562/128          lte1             no 

From a PC on the LAN side of the MikroTik, I do a ping6 2607:f8b0:4000:809::2004

The LAN-originated ping goes out the lte1 interface without issue:

Internet Protocol Version 6, Src: 2607:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:3e29, Dst: 2607:f8b0:4000:809::2004
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
    .... .... .... 0111 0100 0000 1010 1100 = Flow Label: 0x740ac
    Payload Length: 64
    Next Header: ICMPv6 (58)
    Hop Limit: 255
    Source:  2607:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:3e29
    Destination: 2607:f8b0:4000:809::2004
Internet Control Message Protocol v6
    Type: Echo (ping) request (128)
    Code: 0
    Identifier: 0x235b
    Sequence: 11
    [No response seen]

For every LAN-originated outgoing ping message, on the lte1 interface there is the following response that RouterOS seems to ignore:

Internet Protocol Version 6, Src: fe80::XXXX:XXXX:XXXX:XXXX, Dst: ff02::1:ffXX:3e29
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
    .... .... .... 0000 0000 0000 0000 0000 = Flow Label: 0x00000
    Payload Length: 32
    Next Header: ICMPv6 (58)
    Hop Limit: 255
    Source: fe80::XXXX:XXXX:XXXX:XXXX
    Destination: ff02::1:ffXX:3e29
Internet Control Message Protocol v6
    Type: Neighbor Solicitation (135)
    Code: 0
    Reserved: 00000000
    Target Address: 2607:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:3e29
    ICMPv6 Option (Source link-layer address : 1a:82:1b:XX:XX:XX)

Here is the configuration, the bulk of which is just the standard Mikrotik configuration. About the only customization is in the APN where the provider specifics are used and ipv6-interface is used to generate the Router Announcements on the LAN:

/interface lte
set [ find ] name=lte1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=fast.t-mobile.com ip-type=ipv4-ipv6 \
    ipv6-interface=bridge
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
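
Added example (not part of the original post, and not MikroTik code): a small decoder for a Router Advertisement like the one captured above, plus a check of a WAN-side Neighbor Solicitation against the RFC 4291 solicited-node rule and the RFC 4861 rule that a node answers only for an address assigned to the receiving interface or one it proxies. The RA bytes, the 2001:db8:0:1::/64 documentation prefix, the prefix-option flags and lifetimes, and all function names are constructed for illustration; the checksum is left at zero and not verified.

```python
import ipaddress
import struct

M_BIT, O_BIT = 0x80, 0x40   # RA flags byte: Managed / Other configuration
SOLICITED_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

def parse_ra(icmp: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement: flags, lifetime, prefixes, RDNSS."""
    if len(icmp) < 16 or icmp[:2] != b"\x86\x00":   # type 134, code 0
        raise ValueError("not a Router Advertisement")
    _hop, flags, lifetime = struct.unpack_from("!BBH", icmp, 4)
    ra = {"managed": bool(flags & M_BIT), "other": bool(flags & O_BIT),
          "router_lifetime": lifetime, "prefixes": [], "rdnss": []}
    off = 16
    while off < len(icmp):
        if off + 2 > len(icmp) or icmp[off + 1] == 0 or off + icmp[off + 1] * 8 > len(icmp):
            raise ValueError("malformed option")
        opt, size = icmp[off], icmp[off + 1] * 8    # length field counts 8-byte units
        body = icmp[off:off + size]
        if opt == 3 and size == 32:                 # Prefix Information
            ra["prefixes"].append(ipaddress.IPv6Network((body[16:32], body[2]), strict=False))
        elif opt == 25 and size >= 24:              # Recursive DNS Server
            ra["rdnss"] += [ipaddress.IPv6Address(body[i:i + 16]) for i in range(8, size - 15, 16)]
        off += size
    return ra

def solicited_node(addr) -> ipaddress.IPv6Address:
    """Solicited-node multicast group (RFC 4291): ff02::1:ff00:0/104 plus the low 24 bits."""
    return ipaddress.IPv6Address(SOLICITED_BASE | (int(ipaddress.IPv6Address(addr)) & 0xFFFFFF))

def classify_ns(dst, target, ra, wan_addrs) -> str:
    """Classify a multicast Neighbor Solicitation received on the WAN interface."""
    target = ipaddress.IPv6Address(target)
    if ipaddress.IPv6Address(dst) != solicited_node(target):
        return "dst-mismatch"
    if target in {ipaddress.IPv6Address(a) for a in wan_addrs}:
        return "own-address"            # assigned to the receiving interface
    if any(target in p for p in ra["prefixes"]):
        return "lan-host-in-ra-prefix"  # answered only if the router proxies it
    return "foreign"

# Constructed sample mirroring the capture: flags 0x00, router lifetime 45 s, one /64, two RDNSS.
SAMPLE_RA = (struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x00, 45, 0, 0)
             + struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 86400, 14400, 0)
             + ipaddress.IPv6Address("2001:db8:0:1::").packed
             + struct.pack("!BBHI", 25, 5, 0, 1800)
             + ipaddress.IPv6Address("2001:4860:4860::8888").packed
             + ipaddress.IPv6Address("2001:4860:4860::8844").packed)
```

With the sample, an NS to `ff02::1:ff12:3e29` for a LAN host inside the advertised /64 classifies as `lan-host-in-ra-prefix`, while one for the WAN interface's own /128 classifies as `own-address`.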
