Page 1 of 1

7.1.1 - CAKE breaks IPv6

Posted: Wed Dec 29, 2021 2:35 pm
by blurrybird
Hey all,

Seems that when I have a CAKE queue enabled on my WAN interface, IPv6 traffic stops flowing.

I have an RB5009 arriving soon, and I'd love to be able to run CAKE-based SQM on my network.

Any way to formally raise this as a bug or is that as good as done via this post?

Cheers.
/queue export compact hide-sensitive
# dec/29/2021 23:29:16 by RouterOS 7.1.1
# software id = 40RY-IE0B
#
# model = RBD52G-5HacD2HnD
# serial number = BEED0B51CF44
/queue type
add cake-diffserv=besteffort cake-nat=yes kind=cake name=cake-default
add cake-ack-filter=filter cake-bandwidth=50.0Mbps cake-diffserv=besteffort cake-nat=yes kind=cake name=cake-up
add cake-bandwidth=1000.0Mbps cake-diffserv=besteffort cake-nat=yes cake-wash=yes kind=cake name=cake-down
/queue simple
add bucket-size=0.001/0.001 name=cake queue=cake-down/cake-up target=ether1 total-queue=cake-default

/ipv6 export compact hide-sensitive
# dec/29/2021 23:33:09 by RouterOS 7.1.1
# software id = 40RY-IE0B
#
# model = RBD52G-5HacD2HnD
# serial number = BEED0B51CF44
/ipv6 address
add address=::c6ad:34ff:feb5:8d5e eui-64=yes from-pool=abb interface=ether2
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=abb request=address,prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no interface=ether2 ra-interval=5s-10s

Re: 7.1.1 - CAKE breaks IPv6

Posted: Wed Dec 29, 2021 3:01 pm
by blurrybird
I've worked out how to raise this via help.mikrotik.com and have created SUP-70209.

Re: 7.1.1 - CAKE breaks IPv6

Posted: Thu Dec 30, 2021 5:26 am
by blurrybird
Seems to be more than just CAKE. fq-codel also affected.

viewtopic.php?p=883027&hilit=ipv6+cake#p883027 seems to detail the same problem.

Re: 7.1.1 - CAKE breaks IPv6

Posted: Thu Dec 30, 2021 5:37 am
by mducharme
Seems to be more than just CAKE. fq-codel also affected.
I heard it is with any queue type at all with simple queues. Have you found any queue type that does work?

Re: 7.1.1 - CAKE breaks IPv6

Posted: Thu Dec 30, 2021 7:16 am
by macgaiver
You should put cake as interface queue, instead of creating simple queues for it.

Re: 7.1.1 - CAKE breaks IPv6

Posted: Thu Dec 30, 2021 12:23 pm
by blurrybird
You should put cake as interface queue, instead of creating simple queues for it.
You can only assign a single interface queue. How do you handle asymmetric bandwidth limits?

Re: 7.1.1 - CAKE breaks IPv6

Posted: Thu Dec 30, 2021 12:59 pm
by infabo
You cant assign a queue to lte Interface.

Re: 7.1.1 - CAKE breaks IPv6

Posted: Fri Dec 31, 2021 7:46 pm
by curtdept
You should put cake as interface queue, instead of creating simple queues for it.
Only true if you triple isolate and don't really want to ack filter, etc. Cake config is really geared toward being different between upstream and downstream.

Re: 7.1.1 - CAKE breaks IPv6

Posted: Sat Jan 01, 2022 10:45 am
by Tporlapt
Same with PCQ Simple Queue applied to target = WAN interface. Functionally works as expected for IPv4, breaks IPv6

Re: 7.1.1 - CAKE breaks IPv6

Posted: Sat Jan 29, 2022 12:42 am
by ErnyTech
This problem continues to be present, it is quite absurd that there is no answer from mikrotik ...

Re: 7.1.1 - CAKE breaks IPv6

Posted: Sat Jan 29, 2022 12:03 pm
by crosswind
i'm also having this problem (raised as SUP-72949) with fq_codel as a simple queue - when the queue is enabled, new IPv6 conntrack rules are not added. has anyone found a workaround?

Re: 7.1.1 - CAKE breaks IPv6

Posted: Sat Jan 29, 2022 12:16 pm
by Jotne
Have you tested latest beta? If so add these information as well to support@mikrotik.com

Re: 7.1.1 - CAKE breaks IPv6

Posted: Sun Jan 30, 2022 2:54 am
by ivantirado
I’ve had this problem and reported it to support. It started a few releases back and has stayed constant… in my case, any simple queue causes IPv6 traffic to fail. No matter the queue algorithm. Using interface queues works, as well as using queue tree. It’s a simple queue problem… I was told to try a newer beta release but it didn’t work. Support didn’t see anything wrong with my configs or supout.rif - they see no problems there.

Re: 7.1.1 - CAKE breaks IPv6

Posted: Sun Jan 30, 2022 5:14 am
by mducharme
What you can do is, if your only LAN interface is a single bridge, you can create two queue trees, one on the WAN port for shaping upload and one on the bridge interface for shaping download. They need to fix this, but in the interim, this can work.

Re: 7.1.1 - CAKE breaks IPv6

Posted: Sun Jan 30, 2022 12:11 pm
by ErnyTech
I’ve had this problem and reported it to support. It started a few releases back and has stayed constant… in my case, any simple queue causes IPv6 traffic to fail. No matter the queue algorithm. Using interface queues works, as well as using queue tree. It’s a simple queue problem… I was told to try a newer beta release but it didn’t work. Support didn’t see anything wrong with my configs or supout.rif - they see no problems there.
It is crazy that they keep saying that everything is fine, when multiple people are reporting the issue.

Re: 7.1.1 - CAKE breaks IPv6

Posted: Sun Feb 13, 2022 12:11 pm
by razondz
Still broken in 7.1.2 apparently. I hope it will be fixed soon.

Re: 7.1.1 - CAKE breaks IPv6

Posted: Mon Feb 28, 2022 3:45 am
by mke
What you can do is, if your only LAN interface is a single bridge, you can create two queue trees, one on the WAN port for shaping upload and one on the bridge interface for shaping download. They need to fix this, but in the interim, this can work.
EDIT I edited this post and removed some code examples as I realised I had completely forgotten how queue tree works.

Its been a while since I've used ROS. In this scenario is there any need to account for the combined bandwidth, similar to how with the setup below the UL and DL are wrapped in the unshaped "total-queue=cake-default"?
/queue type
add kind=cake name=cake-ul cake-bandwidth=15.0Mbps \
	cake-atm=ptm cake-diffserv=besteffort cake-nat=yes cake-overhead=22 cake-overhead-scheme=bridged-ptm,via-ethernet
add kind=cake name=cake-dl cake-bandwidth=45.0Mbps \
	cake-atm=ptm cake-diffserv=besteffort cake-nat=yes cake-overhead=22 cake-overhead-scheme=bridged-ptm,via-ethernet 
add kind=cake name=cake-default \
	cake-atm=ptm cake-diffserv=besteffort cake-nat=yes cake-overhead=22 cake-overhead-scheme=bridged-ptm,via-ethernet 

/queue simple
add bucket-size=0.001/0.001 disabled=yes name=cake queue=cake-dl/cake-ul target=ether1,ether1 total-queue=cake-default

Re: 7.1.1 - CAKE breaks IPv6

Posted: Fri Mar 25, 2022 12:19 am
by blurrybird
Everything is working once again in RouterOS 7.2rc5 🎉

Re: 7.1.1 - CAKE breaks IPv6

Posted: Fri Mar 25, 2022 2:11 am
by asiobob
Everything is working once again in RouterOS 7.2rc5 🎉
Excellent. From the change log
*) queue - fixed queued IPv6 traffic considered as "invalid" by Firewall;