Community discussions

MikroTik App
 
Cees2439867
just joined
Topic Author
Posts: 12
Joined: Tue Feb 15, 2022 6:12 pm

How to connect my server to the internet through IPv6

Wed Apr 13, 2022 11:20 am

Almost there. Last issue. Everything works fine. For IPv4 the server is reachable by configuring NAT, firewall and the DNS A-record at my hosting provider.
For IPv6 struggling with changing prefix. My Internet provider gives me me a /56 IPv6 prefix. That allows me 256 sub nets of /64. At my hosting provider I configure the DNS AAAA for IPv6. All is well. Now the sub net of my RB750GR3 changes suddenly at the bridge level over the 256 sub nets.
My internet provider does not change the prefix of my IPv6 address (nor my IPv4 address) as long as I keep the same equipment. For IPv4 this works fine.
A good idea is a fixed IPv6 address for my webserver. Then everything is fine. How to solve this?
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to connect my server to the internet through IPv6

Wed Apr 13, 2022 9:33 pm

One thing is to make sure prefix used on server's subnet is fixed. Next thing is to make server static IPv6 address from tge right IPv6 subnet.

Post the config, parts /ipv6 address, /ipv6 route and /ipv6 dhcp-client (or whatever method is used by ISP to dekegate you tge prefix).
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How to connect my server to the internet through IPv6

Thu Apr 14, 2022 4:24 pm

I wish IPV6 was as simple and easy as IPV4! :-(
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to connect my server to the internet through IPv6

Thu Apr 14, 2022 5:30 pm

I wish IPV6 was as simple and easy as IPV4! :-(
Actually it's not that complicated either ... it's different than IPv4 indeed so one has to learn a few things anew.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How to connect my server to the internet through IPv6

Thu Apr 14, 2022 5:48 pm

I am looking forward to you holding my hand going through it. :-)
 
Cees2439867
just joined
Topic Author
Posts: 12
Joined: Tue Feb 15, 2022 6:12 pm

Re: How to connect my server to the internet through IPv6

Thu Apr 14, 2022 6:05 pm

Post the config, parts /ipv6 address, /ipv6 route and /ipv6 dhcp-client (or whatever method is used by ISP to dekegate you tge prefix).
Thanks for your response.
Not sure if writing addresses here may harm me. Therefore Iput xxxx:xxxx as the first two block's.
Anyway the fixed part in the prefix is xxxx:xxxx:5c08:78xx/56

[cees08913bcf@MikroTik_RB750GR3] > ipv6 address print
Flags: D - DYNAMIC; G, L - LINK-LOCAL
Columns: ADDRESS, FROM-POOL, INTERFACE, ADVERTISE
# ADDRESS FROM-POOL INTERFACE ADVERTISE
0 G 2001:xxxx:xxxx:7805:de2c:6eff:fe56:8f52/64 pool-ipv6 bridge-prive yes
1 G 2001:xxxx:xxxx:7809:2cc8:1bff:fee1:6e2c/64 pool-ipv6 bridge-gast yes
2 DL fe80::de2c:6eff:fe56:8f51/64 ether1 no
3 DG xxxx:xxxx:5c00:0:bd1d:1dba:e002:f609/64 ether1 no
4 DL fe80::de2c:6eff:fe56:8f52/64 bridge-prive no
5 DL fe80::2cc8:1bff:fee1:6e2c/64 bridge-gast no


[cees08913bcf@MikroTik_RB750GR3] > ipv6 route print
Flags: D - DYNAMIC; A - ACTIVE; c, d, y - COPY; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd+ ::/0 fe80::229:c2ff:fe01:b819%ether1 1
DAd+ ::/0 fe80::229:c2ff:fe01:b819%ether1 1
DAc xxxx:xxxx:5c00::/64 ether1 0
DAd xxxx:xxxx:5c08:7800::/56 1
DAc xxxx:xxxx:5c08:7805::/64 bridge-prive 0
DAc xxxx:xxxx:5c08:7809::/64 bridge-gast 0
DAc fe80::%ether1/64 ether1 0
DAc fe80::%bridge-prive/64 bridge-prive 0
DAc fe80::%bridge-gast/64 bridge-gast 0


[cees08913bcf@MikroTik_RB750GR3] > ipv6 dhcp-client print
Columns: INTERFACE, STATUS, REQUEST, PREFIX, ADDRESS
# INTERFACE STATUS REQUEST PREFIX ADDRESS
0 ether1 bound address xxxx:xxxx:5c08:7800::/56, 1w3d16h19m57s xxxx:xxxx:5c00:0:bd1d:1dba:e002:f609, 1w3d16h19m57s
prefix

Thank you, Hope this helps.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to connect my server to the internet through IPv6

Thu Apr 14, 2022 6:36 pm

I was hoping to see output of export command ... print shows running config but there are number of ways to get there ...
 
fragtion
Member Candidate
Member Candidate
Posts: 257
Joined: Fri Nov 13, 2009 10:08 pm
Location: Johannesburg, South Africa

Re: How to connect my server to the internet through IPv6

Thu Apr 14, 2022 8:22 pm

I wish IPV6 was as simple and easy as IPV4! :-(
Worst part for me about IPv6 is that the IP addresses themselves are not easy to read or memorize. The simplicity of IPv4 address numbering and subnetting is part of what makes networking logical and fun for me. I actually see this as a major design flaw of IPv6, so much so that I don't think IPv6 will ever defeat IPv4 in mainstream networks. Something else will come along before that can ever happen. Just my prediction (but I hope I am right). It's unfortunate that IPv4 quantities are so finite/limited because apart from that, I see no reason to have an entirely new IP numbering standard. TL;DR? IPv6 sucks.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to connect my server to the internet through IPv6

Thu Apr 14, 2022 9:23 pm

Problem with current RouterOS is that when you do:
/ipv6 address
add address=::1/64 from-pool=mypool interface=LAN1
add address=::1/64 from-pool=mypool interface=LAN2
...
selected addresses/prefixes don't stick to interfaces. If next time interfaces happen to initialize in different order, prefixes will be different, even if prefix in pool didn't change. Solution would be if RouterOS accepted hints, e.g. addresses like ::1:0:0:0:1/64, ::2:0:0:0:1/64. They could be combined with prefix, and you'd always get xxxx:xxxx:xxxx:xx01::1/64 and xxxx:xxxx:xxxx:xx02::1/64. Unfortunately, it's currently not supported.

Solution/workaround for now is to assign addresses (semi-)manually. If you're sure that prefix doesn't change, just use manual config. If you know that it might change, use DHCPv6 lease script to update addresses. Check this one for inspiration. If you know that your prefix is not changing regularly and you just need to make sure that prefixes on interfaces survive reboots, it can be simplified (none of "/ipv6 nd prefix" stuff would be needed).
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to connect my server to the internet through IPv6

Thu Apr 14, 2022 9:41 pm

@anav: All the basics (addresses, netmasks, routes, firewall, ...) are the same as in IPv4, only addresses are a bit longer. If you're interested and create new thread like "I want to be friends with IPv6, but I don't know how", there's good chance that someone will give you some pointers.

@fragtion: From all the things you may not like about IPv6, you chose the one that objectively can't be much different. IPv4 is nice and simple, just four numbers 0-255. But that's also the reason why it doesn't have enough addresses. If you want more addresses, you must have either more numbers, bigger numbers, or both. It would be pointless to add just few addresses, e.g. fifth number 0-255, because if wouldn't be enough. And even this one number would require to change all software, because old software wouldn't understand it. So when you have to change everything anyway, you might as well add enough addresses to last forever.

The choice was 128 bits, which as 0-255 numbers would be sixteen of them. And addresses like 213.54.234.65.123.75.76.34.8.34.234.64.125.65.78.123 wouldn't be great. Or you put two bytes together and go with eight 0-65535, so 54242.123.54346.2345.1.54324.34563.4234. Not great either. So the end result is this, but in hexadecimal form. You could say that 128 bits is too much. But even if you cut it in half, it's still too long compared to IPv4. And going even lower defeats the original purpose.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to connect my server to the internet through IPv6

Thu Apr 14, 2022 9:51 pm

Solution would be if RouterOS accepted hints, e.g. addresses like ::1:0:0:0:1/64, ::2:0:0:0:1/64. They could be combined with prefix, and you'd always get xxxx:xxxx:xxxx:xx01::1/64 and xxxx:xxxx:xxxx:xx02::1/64. Unfortunately, it's currently not supported.

Actually it is supported (or was around 6.45 when I was trying it), but the problem is that ROS only combines full "double octets" (including leading zeroes). Which is fine if prefix in pool is /48 (or shorter, but you can't use whole prefix space this way) and you can then assign addresses in form ::1:0:0:0:1/64 (and the /48 prefix is prepended instead of leading colon). But if prefix is /56 or /64, ROS can't combine exactly the prefix-length bits from prefix with the suffix set in address assignment command, ignoring leading bits as needed. To make it working regardless prefix length it should first perform (prefix AND "subnet mask"), then (postfix AND "negated subnet mask") and only then OR them together.

But in essence the only way of doing it is the @sob way of static config. I'm usually combining the proper way and the static way ... static for subnet with servers (things that need DNS records) and properly dynamic for subnets where IP addresses don't matter (e.g. guest WiFi).
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to connect my server to the internet through IPv6

Thu Apr 14, 2022 10:21 pm

I found your old posts (1, 2) when I was looking for "address pool error: bad preferred prefix! (1)" and "address pool error: bad preferred prefix length! (1)" I'm getting, which is the same you had. Only thing that does sort of work is e.g. address=::2:0:0:0:1/64 with pool's prefix-length=60, it keeps the "2", but it also changes mask to /60, so it's useless when I need to assign /64s to interfaces. I played with different prefix sizes in pool, but so far I didn't find anything usable (aside from default sequential assignment, but the result there is "random").
 
pe1chl
Forum Guru
Forum Guru
Posts: 10194
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to connect my server to the internet through IPv6

Thu Apr 14, 2022 10:38 pm

My experience is that when you add addresses to several interfaces (add address=::1 from-pool=poolname interface=bridge1) the addresses are picked from the pool in sequence of creation in ipv6->addresses and it is the same after every boot.
However, when adding/removing them (without removing all) there can be different subnet numbers.
 
Cees2439867
just joined
Topic Author
Posts: 12
Joined: Tue Feb 15, 2022 6:12 pm

Re: How to connect my server to the internet through IPv6

Fri Apr 15, 2022 12:19 pm

@mkx
I was hoping to see output of export command ... print shows running config but there are number of ways to get there ...
Sorry for my misunderstanding:

/ipv6 address
add address=::de2c:6eff:fe56:8f52 eui-64=yes from-pool=pool-ipv6 interface=bridge-prive
add address=::2cc8:1bff:fee1:6e2c eui-64=yes from-pool=pool-ipv6 interface=bridge-gast

/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=pool-ipv6 request=address,prefix use-peer-dns=no

There is no "/ipv6 route add route" in my configuration I am afraid...
 
pe1chl
Forum Guru
Forum Guru
Posts: 10194
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to connect my server to the internet through IPv6

Fri Apr 15, 2022 12:38 pm

Now what is your issue? With that config you should have static network addresses on each of these bridges.
Assuming you use SLAAC to send the info to the server, and you have disabled "privacy extensions" in the server (so it gets an address with ...:xxxx:yyff:fezz:zzzz/64 just like your router) its address should be static.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to connect my server to the internet through IPv6

Fri Apr 15, 2022 12:54 pm

As to the LAN addresses changing, what @sob wrote fully explains it.

The DHCPv6 and routing settings can be improved:
  • setting add-default-route=yes on DHCPv6 client is not correct ... this option sets DHCPv6 server's address as default gateway which might work or it might not. IPv6 comes with ND mechanism, where routers announce their presence by sending out RAs (Routing Advertisements). Ideally every device should be using that information ... and that includes routers for select interfaces (i.e. WAN interface). Unfortunately Mikrotik has global setting /ipv6 settings accept-router-advertisements, default calue effectively disables the feature. If you're sure LAN devices won't mess with this mechanism, set the option to yes, router will pick up default gateway from ISP's RAs in a few seconds.
    The problem with current ROS versions is that routes, accepted via RAs, are not shown so it's hard to check it.
  • you most probably don't have to request address (prefix would do), Mikrotik doesn't need public IPv6 address on WAN interface


@pe1chl: OP's settings don't ensure that same /64 prefix is used on same subnet after router reboots (given that prefix delegated by ISP doesn't change). It doesn't happen often, but it can happen. Currently the only way to prevent it from happening is to set static IPv6 address to LAN interfaces, but that can break things in case when delegated prefix changes.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10194
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to connect my server to the internet through IPv6

Fri Apr 15, 2022 1:28 pm

@pe1chl: OP's settings don't ensure that same /64 prefix is used on same subnet after router reboots (given that prefix delegated by ISP doesn't change). It doesn't happen often, but it can happen.
It is like I wrote above: it does not ensure it, in theory it might go wrong, but in practice it works right. That is, the local networks get a subnet address out of the obtained pool in the sequence they have been added (and which is the sequence they are listed when exporting /ipv6 address).

They only time it assigns another address is when you remove/disable one of the addresses and then add it back.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to connect my server to the internet through IPv6

Fri Apr 15, 2022 2:51 pm

Try to re-read opening post of this thread with special attention to second paragraph. I believe it describes what's bothering @OP and it's what you claim it can happen but only in certain conditions. While I don't know which of conditions you describe are affecting @OP, I'm just explaining that current ROS implementation sucks (as has been right from the start) and a possible workaround (which is not ideal).

Mind that even leaving server to self-construct IPv6 address (and hope it will come up with exactly the same every time) is also leaving room for failures ... it would be really great if some points of uncertainty could be removed from landscape.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10194
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to connect my server to the internet through IPv6

Fri Apr 15, 2022 3:22 pm

Well, as long as the "privacy extensions" are disabled in the server, so it will form the local part of the address from its MAC-address, it will come up with the same address every time until the ethernet card is changed.
OF COURSE you can set a static local part when you like that, details depending on the particular OS, which we do not know about.

I agree that it would be nice when it would be possible to specify a subnet number in each address assigned from a pool, but in practice it has not caused problems for me in 3 different setups (both at home and on two networks at work). The assignments from pool are always made in the order of their appearence in /ipv6 address. Maybe we need to find out in what cases that doesn't work that way.
But, "randomly changing IPv6 address" usually is caused by "privacy extensions", not by the router, in my experience.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to connect my server to the internet through IPv6

Fri Apr 15, 2022 6:31 pm

There's one possible problem with bridges I found. If bridge has default config that takes MAC address from one of ports, it can change as ports are added, removed, disabled or enabled. And when it happens, it triggers prefix change and it gets new one every time. It can be prevented by manually setting admin-mac=xx:xx:xx:xx:xx:xx for bridge.

It seems that this whole thing will need to be reworked eventually, because it's quite limited. It's not just this inability to select 100% stable prefixes (at least within received prefix from ISP). Another example is if I get e.g. /56 from ISP, I want router to assign few local /64s and also delegate few /60s to other routers. But if DHCPv6 client created only one pool with one prefix-length, it doesn't seem possible to take both /64s and /60s from it.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10194
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to connect my server to the internet through IPv6

Fri Apr 15, 2022 6:51 pm

There's one possible problem with bridges I found. If bridge has default config that takes MAC address from one of ports, it can change as ports are added, removed, disabled or enabled. And when it happens, it triggers prefix change and it gets new one every time. It can be prevented by manually setting admin-mac=xx:xx:xx:xx:xx:xx for bridge.
When that is the cause, it is probably also sufficient to remove the EUI-64 option and set the address to ::1 which would also be easier to remember.
(which is what I do all the time so maybe I did not notice a problem like that before)
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to connect my server to the internet through IPv6

Fri Apr 15, 2022 8:46 pm

It happens with ::1/64 without EUI64 too. Another requirement is that this must not be the only prefix assigned from pool. If it's the only one, it's ok, it always chooses the first one with 0. But if there's some on another interface, then this changing bridge gets new one with every change, 1, 2, 3, 4, all the way up.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10194
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to connect my server to the internet through IPv6

Fri Apr 15, 2022 11:33 pm

Yes, I am familiar with the ever increasing numbers, but I never see it happening "by itself".
But, normally I set an admin MAC on bridge interfaces anyway. At the moment on my home router I have 3 networks but they are VLANs on a bridge, and have an address from the pool, and at every reboot of the router or after every disconnect of the internet line (PPPoE with DHCPv6) they always are assigned in the same way.
 
Cees2439867
just joined
Topic Author
Posts: 12
Joined: Tue Feb 15, 2022 6:12 pm

Re: How to connect my server to the internet through IPv6

Sat Apr 16, 2022 9:59 am

@mkx @Sob @pe1ch1

Many thanks for your input on connecting my NextCloud web-server to a MikroTik router. MikroTik sometimes feels like flying a plane while riding a bike is enough. Anyhow while solving issues out it seems to work very well and I am happy with it. In general I cannot find much about adding a server to MikroTik equipment with IPv6 on the internet. It must be quite new to the community.

With your suggestions I have rebooted the router several times and it seems that the two networks I use repeatedly get the same address what @pe1ch1 also concluded. I will live with that until better solutions become available. Again thanks for the help!
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to connect my server to the internet through IPv6

Sat Apr 16, 2022 12:46 pm

In general I cannot find much about adding a server to MikroTik equipment with IPv6 on the internet. It must be quite new to the community.

Well, it's not really new, I'm running my own servers hooked to Mikrotik routers over IPv6 since before I was bitching about this issue in threads linked by @sob.
But ROS is somehow limited when it comes to IPv6 in general, IPv6 uptake in general is not great and people running (serious) servers usually aren't networking newbies and find their way around without much discussion on forums.
 
Cees2439867
just joined
Topic Author
Posts: 12
Joined: Tue Feb 15, 2022 6:12 pm

Re: How to connect my server to the internet through IPv6

Mon May 02, 2022 11:40 am

One after thought.
I have a pool of /56 with then 256 subnets of /64. I have two bridges one for private and one for guests. They used to be xxxx:xxxx:xxxx:xx02:: and xxxx:xxxx:xxxx:xx08:: (I do not know why) at first during the time we wrote in this thread. Then the bridge addresses changed to xxxx:xxxx:xxxx:xx00:: and xxxx:xxxx:xxxx:xx02:: after a reboot because of the suggestion from @sob.
After upgrading to 7.2.1, I checked, of course, the IPv6 addresses for the bridges. Now they have changed to xxxx:xxxx:xxxx:xx00:: and xxxx:xxxx:xxxx:xx01:: for respectively private and guest bridges. Curious, I hope this is stable.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10194
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to connect my server to the internet through IPv6

Mon May 02, 2022 11:45 am

This happens when you fiddle with it. When you stop changing the config and reboot, it should remain stable after that.
But, that assumes that you only put IPv6 addresses on interfaces that are always available at reboot.
When you assign IPv6 addresses to dynamic interfaces (like PPPoE) it will not be stable.
 
TomSF
Member Candidate
Member Candidate
Posts: 102
Joined: Tue Jun 27, 2017 2:12 am

Re: How to connect my server to the internet through IPv6

Sat Jun 11, 2022 6:47 pm

I hope I am not hijacking this thread, but my issues seem relevant. I am running ROS 7.3.1 on a CCR1009, but the issues precede the latest release.
For literally a couple years, I have had private and guest bridges, each getting delegated a /64 prefix from the pool created by the DHCP6 server, which gets a /60 prefix from my ISP. Like mentioned in this thread, they start with ::0/64 and increment by 1. The order assigned to the bridges is not consistent but that didn't cause me problems. I could look at the pool and see the two prefixes used. Everything worked fine until it didn't, and I had not changed the configuration, other than to stop having DHCP6 server add a default route. I have now simplified things by removing IPv6 from the guest bridge and the following is what is happening:

- The pool gets created but no prefixes get used.
- An IPv6 address is created for the /60 prefix from the ISP with a blackholed gateway.
- ND advertises the ::0/64 prefix on the private bridge, even though ND does not have a prefix entry in its configuration.
- There is no route created for the private bridge prefix so there is no IPV6 global traffic.
- If I manually try to add an address for the advertised prefix, I get a duplicate address error. I can incrementally increase the ::0/64 and eventually it will add an address that is not a duplicate.

I then manually created a route for the private bridge prefix that ND is advertising. This creates a prefix entry in the ND configuration and IPV6 traffic flows through the WAN. There is still no address entry for the prefix and no prefixes used from the pool.

I have a series of questions:
- Why does an address get created for the /60 prefix with a blackholed gateway. What good is it?
- Why does ND start advertising a prefix when there is no prefix shown in its configuration? How did it pick that one?
- Beyond that, why did something that worked for a couple years stop working.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to connect my server to the internet through IPv6

Sat Jun 11, 2022 7:06 pm

Blackhole route handles unused subnets. If you get /60 and use only one /64, then if something sends packet to another address from /60 that's not in used /64, router would send it back to ISP, then ISP would send it back to your router, and they would play this ping pong until TTL expires. Blackhole route prevents that.

As for the rest, we can't see what exactly you have in config. But often the simplest solution is the good old "turn it off and on again", or some variation of that. Remove and re-add IP address, DHCPv6 client, ...
 
TomSF
Member Candidate
Member Candidate
Posts: 102
Joined: Tue Jun 27, 2017 2:12 am

Re: How to connect my server to the internet through IPv6

Thu Jun 16, 2022 8:25 pm

Thanks for the blackhole explanation. Per your suggestion, I ripped out and rebuilt my IPV6 configuration. I even rebuilt the firewall per Mikrotik documentation. Nothing changed. I am now in the process of writing a DHCP6 client script to add the prefix to ND and add a route, both of which used to automatically happen. My current configuration is below but it is a work in progress as far as the script. One thing that is unique is that I have an fd00::1 address for the router for my DNS and NTP servers. I used to have a DHCP6 server provide this address and had ND set to other-configuration=yes to cause hosts to get the address from the DHCP6 server. I have verified that they did that correctly I now have eliminated the server and am advertising the DNS address in ND with other-configuration=no. That also works properly. In summary, the following happen at router boot:
- The DHCP6 client gets an address and prefix.
- A DHCP6 pool is created with the prefix.
- No prefixes are used from the pool.
- No prefix is added to ND.
- No route is created for the prefix.
- Hosts are issuing router solicitations but the router has nothing to give.
- If I try to add an address from the pool for the private bridge, I get a duplicate address error. I assume it is because there are hosts on the bridge using the prefix. However, the pool shows the prefix being used. There is still no route nor ND prefix though. If I add an address from the pool to the guest bridge (even if it is the same prefix), I do not get a duplicate address error, probably because there are no hosts on the guest bridge.
- After I manually add the prefix to ND and a route for the prefix, IPV6 works as it should.
Configuration (with firewall removed for brevity) follows. For now, I only have ND running on the private bridge.

# jun/16/2022 10:50:05 by RouterOS 7.3.1
# software id = IJPI-DTS3
#
# model = CCR1009-7G-1C
# serial number = 6F5506437C16
/ipv6 address
add address=fd00::1 advertise=no comment="DNS server address" interface=\
privateBridge
/ipv6 dhcp-client
add comment="When the address status changes, remove the old address from the \
IPV6 firewall address list and add the new one." interface=ether1 \
pool-name="IPv6 Prefix" prefix-hint=::/60 request=address,prefix script=":\
global ip6prefix;\r\
\n:global old6prefix;\r\
\n:if (\$\"na-valid\" = 1) do={\r\
\n:set \$ip6prefix [/ipv6 dhcp-client get 0 prefix];\r\
\n:set \$ip6prefix [pick \$ip6prefix 0 [find \$ip6prefix \"/60\";]]\r\
\n:set \$ip6prefix (\$ip6prefix . \"/64\");\r\
\n:local mylist \"WAN IPV6 address\";\r\
\n/ipv6 firewall address-list remove [/ipv6 firewall address-list find lis\
t=\$mylist];\r\
\n/ipv6 firewall address-list add list=\$mylist address=\$\"na-address\";\
\r\
\n};\r\
\n\r\
\n" use-interface-duid=yes use-peer-dns=no
/ipv6 nd
set [ find default=yes ] disabled=yes dns=fd00::1 hop-limit=64 \
other-configuration=yes
add dns=fd00::1 hop-limit=64 interface=privateBridge
add advertise-dns=no disabled=yes interface=ether1
/ipv6 nd prefix
add interface=privateBridge prefix=xxxx:xxx:8584:890::/64
/ipv6 nd prefix default
set preferred-lifetime=10m valid-lifetime=15m
/ipv6 route
add disabled=no distance=1 dst-address=xxxx:xxx:8584:890::/64 gateway=\
privateBridge routing-table=main scope=30 target-scope=10
/ipv6 settings
set accept-router-advertisements=yes max-neighbor-entries=8192
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to connect my server to the internet through IPv6

Fri Jun 17, 2022 3:51 am

What should work is just DHCPv6 client and address like this:
/ipv6 address
add interface=privateBridge address=::1/64 from-pool="IPv6 Prefix" advertise=yes
 
TomSF
Member Candidate
Member Candidate
Posts: 102
Joined: Tue Jun 27, 2017 2:12 am

Re: How to connect my server to the internet through IPv6

Thu Jun 23, 2022 11:36 pm

The suggestion

"/ipv6 address
add interface=privateBridge address=::1/64 from-pool="IPv6 Prefix" advertise=yes"

creates an address of xxxx:xxx:8584:890::1/64 on privateBridge, and a used pool prefix of xxxx:xxx:8584:890::/64 on privateBridge. Changing ::1/64 to ::2/64 and assigning it to guestBridge creates an address of xxxx:xxx:8584:890::2/64 on guestBridge and the same used pool prefix on guestBridge. So, ND is going to advertise the same prefix on both bridges, which is not what I want. What I want is a prefix of xxxx:xxx:8584:891::/64 on privateBridge and xxxx:xxx:8584:892::/64 on guestBridge. I used to get unique prefixes/bridge automatically assigned (used) from the pool but now I don't get anything assigned or used from the pool. I now I need a DHCP6 client script to create the ND prefixes for each bridge and add corresponding routes for each bridge.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to connect my server to the internet through IPv6

Fri Jun 24, 2022 1:18 am

If I do:
/ipv6 pool add
name=test60 prefix=2001:db8:8584:890::/60 prefix-length=64
/ipv6 address
add address=::1/64 from-pool=test60 interface=test1
add address=::1/64 from-pool=test60 interface=test2
add address=::1/64 from-pool=test60 interface=test3
Then I get correct and expected:
ipv6 address print
Flags: I, D - DYNAMIC; G, L - LINK-LOCAL
Columns: ADDRESS, FROM-POOL, INTERFACE, ADVERTISE
 #    ADDRESS                       FROM-POOL  INTERFACE          ADVERTISE
...
19  G 2001:db8:8584:890::1/64       test60     test1              yes
20  G 2001:db8:8584:891::1/64       test60     test2              yes
21  G 2001:db8:8584:892::1/64       test60     test3              yes
But it's true that I also see something weird and unexpected. It seems that there's some interaction between other addresses on same interface, even if they are disabled. If I remove above addresses and do this:
/ipv6 address
add address=2001:db8:1::1 advertise=no disabled=yes interface=test1
add address=::1/64 from-pool=test60 interface=test1
Then I end up with:
ipv6/address/print
Flags: X, I, D - DYNAMIC; G, L - LINK-LOCAL
Columns: ADDRESS, FROM-POOL, INTERFACE, ADVERTISE
 #    ADDRESS                       FROM-POOL  INTERFACE          ADVERTISE
...
19 XG 2001:db8:1::1/64                         test1              no
20  G 2001:db8:8584:890::1/64       test60     test1              yes
21 DG 2001:db8:8584:890::1/64                  test1              no
The 2001:db8:8584:890::1/64 from pool is there twice, first as I expect it, but then once again as weird dynamic one. No idea what that's supposed to be.
 
TomSF
Member Candidate
Member Candidate
Posts: 102
Joined: Tue Jun 27, 2017 2:12 am

Re: How to connect my server to the internet through IPv6

Fri Jun 24, 2022 2:33 am

One thing that is different, but I doubt it makes a difference, is my pool is dynamically created by the DHCP6 client. The way I wrote my script, it puts an ...:890::/64 prefix on privateBridge and an ...:891::/64 prefix on the guestBridge. There are no address list entries corresponding to the bridge prefixes I created. If I try to manually add an ::0/64 address (or just ::/64), from my pool, on privateBridge, I get a duplicate address but a used prefix of ...890::/64 is created from the pool. If I manually add a 1::/64 from the pool on privateBridge, I do not get a duplicate address but no additional used prefixes are taken from the pool. If I add a ::/64 address from the pool to the guestBridge, I do not get a duplicate address and a prefix is used from the pool If I continue to add ::/64 from the pool to guest bridge, more prefixes are taken from the pool in the expected increasing value (..890, ..891, ...892, etc.), even though ND is already advertising ...891::/64 on guestBridge. What is also odd, is that for ...892 and above, two addresses are created in the address list; one has flag G and is advertised, the other has flags DG and is not advertised. ND prefixes are created for all the pool prefixes. I then tried to add more ::/64 entries to privateBridge, All created two address list entries, one advertised and the other not. 894 and 896 were duplicate address, 897 and beyond were not duplicates. If you are confused reading this, I do not blame you. Now to remove all the addresses and reboot my router..
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to connect my server to the internet through IPv6

Fri Jun 24, 2022 9:29 am

One thing to keep in mid when assigning IPv6 addresses from pool is that use of double colon (::) in that assignment directive is slightly different than in usual IPv6 addresses:
  • when assigning normal address, say using
    /ipv6 address add interface=test1 address=fe80::dead:beef:0001/64
    
    the double colon expands into as many zero words as necessary ... in this example that would be 4 words: fe80:0000:0000:0000:0000:dead:beef:0001/64
  • when using it in a address= from-pool= construct, it actually instructs code parser to replace the double colon with prefix obtained from pool. Like this:
    /ipv6 pool add name="ipv6-pool" prefix=fe80::/16 prefix-length=64
    /ipv6 address add interface=test1 address=::dead:beef:1/24 from-pool="ipv6-pool"
    
and code parser will take a /64 prefix from pool (with consideration of configured part) and assign an address ... in this case it will be something in line of fe80:aaaa:bbbb:cccc:dddd:dead:beef:0001/64. However, one can not use two double colons in the same construct, e.g. /ipv6 address add interface=test1 address=::dead::1/24 from-pool="ipv6-pool" is wrong because code parse can't decide which double colon to replace with prefix obtained from pool.

In principle pool will mark any prefixes handed out as used and will not hand out the same prefix again. I guess ROS checks if prefix handed out is actually in use on some interface (even if that interface is disabled), in which case it chooses another prefix. But I may be wrong on this.
 
TomSF
Member Candidate
Member Candidate
Posts: 102
Joined: Tue Jun 27, 2017 2:12 am

Re: How to connect my server to the internet through IPv6

Fri Jun 24, 2022 6:17 pm

I agree that it appears ROS detects in-use addresses. Adding an address has benefits in that it automatically creates a prefix and a route, but for me there are too many other weird things happening. For years, things worked as expected and then they stopped working. I am going to stick with my script. It allocates prefixes from the pool and creates routes. It also attempts to cleanup if the prefix changes. Writing it was mostly a learning exercise for what I think is a very cryptic scripting language. I had avoided learning it for years. I can post the script if there is any interest.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to connect my server to the internet through IPv6

Fri Jun 24, 2022 11:22 pm

IPv6 in RouterOS needs some "finishing touches" for sure, to put it mindly. It's improving slowly over time, but could be faster. And scripting, well, it's unending source of amusement... if you're into black or morbid humor. ;)
 
TomSF
Member Candidate
Member Candidate
Posts: 102
Joined: Tue Jun 27, 2017 2:12 am

Re: How to connect my server to the internet through IPv6

Fri Jun 24, 2022 11:35 pm

"And scripting, well, it's unending source of amusement... if you're into black or morbid humor. ;)"

Amen to that!!!!

Who is online

Users browsing this forum: 4l4R1 and 17 guests