rm66
just joined
Topic Author
Posts: 6
Joined: Sat May 06, 2023 2:12 pm

New hEX S losing some IPv6 configuration on reboot (ROS 6.49.7)

Sat May 06, 2023 3:12 pm

Hello,

I'm a new MikroTik user and brand new to this forum.

The problem I am experiencing appears to be that some IPv6 address configuration is lost every time the router reboots, either through fluctuations in power supply or through a manual shutdown. In each case I lose some of my IPv6 configuration. To be explicit, I assign the following addresses to my interfaces:
/ipv6 address
add address=::1 from-pool=ULA-pool6 interface=bridge
add address=::1 from-pool=general-pool6 interface=bridge-guest
add address=::1 from-pool=general-pool6 interface=bridge
add address=::1 from-pool=ULA-pool6 interface=bridge-guest

This all works as expected and the router functions as intended. All IPv6 addresses are assigned to my interfaces, advertised and I have complete (IPv4 and IPv6) connectivity for all connected SLAAC devices and router itself.

However, when the router reboots after a power outage or manual shutdown, only a part of my initial address assignment remains. If I type "/ipv6 address export" after a reboot I see:
/ipv6 address
add address=::1 from-pool=ULA-pool6 interface=bridge
add address=::1 from-pool=general-pool6 interface=bridge-guest

This loss of address assignment configuration (and hence no corresponding addresses are being assigned) has happened repeatedly and consistently after 2 short power outages and one manual shutdown.

I have upgraded to RouterOS 6.49.7 and some time later (probably the better part of a week) upgraded the firmware to 6.49.7.

I have Googled and I am aware that similar problems have existed in some versions of RouterOS: viewtopic.php?t=184711&sid=a03de18f52ad ... b4c576e3cc However, I am not sure whether I am being bitten by a similar bug or some other mis-configuration is to blame (I am new to this). Any help, guidance or pointers would be much appreciated.

My full configuration is below:
# may/05/2023 11:23:48 by RouterOS 6.49.7
# software id = 9KW1-TWC8
#
# model = RB760iGS
# serial number = xxxxxxxxxx
/interface bridge
add admin-mac=48:A9:8A:17:0C:13 auto-mac=no comment="Private LAN" name=bridge
add name=bridge-guest
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=\
    joesoap@bestip.com
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add comment="Changed address pool for DHCP" name=dhcp ranges=10.17.227.31-10.17.227.254
add comment="Guest network address pool" name=dhcp_pool1 ranges=10.28.107.2-10.28.107.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1d name=defconf
add address-pool=dhcp_pool1 disabled=no interface=bridge-guest lease-time=1h name=dhcp1
/ipv6 pool
add name=ULA-pool6 prefix=fd19:8a99:2d5e::/56 prefix-length=64
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge-guest interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add comment="Added bridge-guest to LAN interfaces" interface=bridge-guest list=LAN
/ip address
add address=10.17.227.1/24 comment="Changed default router address" interface=bridge network=\
    10.17.227.0
add address=10.28.107.1/24 interface=bridge-guest network=10.28.107.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.17.227.0/24 gateway=10.17.227.1 netmask=24
add address=10.28.107.0/24 gateway=10.28.107.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=2001:4860:4860::8888
/ip dns static
add address=10.17.227.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Deny guest network traffic access to the private LAN" \
    dst-address=10.17.227.0/24 src-address=10.28.107.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN src-address=10.17.227.0/24
add action=masquerade chain=srcnat comment="Allow guest network access to the internet" \
    ipsec-policy=out,none out-interface-list=WAN src-address=10.28.107.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox address=10.17.227.0/24
set api-ssl disabled=yes
/ipv6 address
add address=::1 from-pool=ULA-pool6 interface=bridge
add address=::1 from-pool=general-pool6 interface=bridge-guest
add address=::1 from-pool=general-pool6 interface=bridge
add address=::1 from-pool=ULA-pool6 interface=bridge-guest
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=general-pool6 request=prefix \
    use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=\
    udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." \
    dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=\
    bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=\
    bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] disabled=yes
add interface=bridge ra-interval=20s-1m
add interface=bridge-guest
/system clock
set time-zone-name=Europe/London
/system identity
set name=RouterOS
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanks in advance,

Richard
 
rm66
just joined
Topic Author
Posts: 6
Joined: Sat May 06, 2023 2:12 pm

Re: New hEX S losing some IPv6 configuration on reboot (ROS 6.49.7)

Wed May 10, 2023 6:02 pm

Okay, so perhaps an alternative line of questioning.

My router requests an IPv6 prefix (/56) from the ISP with this line of config:
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=general-pool6 request=prefix \
    use-peer-dns=no

When I issue this command at the CLI the prompt returns almost immediately and the prefix is properly issued and assigned to pool 'general-pool6'. I then assign addresses in distinct subnets via the commands
/ipv6 address
add address=::1 from-pool=ULA-pool6 interface=bridge
add address=::1 from-pool=general-pool6 interface=bridge-guest
add address=::1 from-pool=general-pool6 interface=bridge
add address=::1 from-pool=ULA-pool6 interface=bridge-guest

The ULA pool is manually assigned (see earlier config) and enables me to address hosts with a fixed IPv6 address on my network(s) (my ISP changes my global prefix periodically).

(Air ignorance mode on - novice alert) Could it be that during a reboot or restart the command that requests a prefix is out of step with the /ipv6 address assignments? That is, the pool (supplied by my ISP) is not ready when the OS interpreter gets to do the address assignments. I see no messages in the logs that would suggest such an error but, as mentioned, I am very new to RouterOS. Further, if such a command fails during start up, will RouterOS subsequently drop it from my configuration (probably unlikely, but I ask nevertheless to help my understanding)?

I add that such problems don't seem to be unique to me. I set up IPv6 following this guide https://www.medo64.com/2018/03/setting- ... -mikrotik/ and in the comments on this page is a comment by João Pedro Lisboa (unanswered) which suggests behaviour similar to what I am seeing.

Any insights that would set me on the right path of reasoning/diagnosis would be very much appreciated.

Thanks in advance
Richard
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: New hEX S losing some IPv6 configuration on reboot (ROS 6.49.7)

Wed May 10, 2023 9:24 pm

When you use IPv6 pool as source of addresses, then it's fine if pool doesn't have any prefixes available. Even if pool is disabled.

Just recently my ISP botched my static prefix ... so while ISP support was dealing with the issue, I disabled DHCPv6 client. The effect was that those IPv6 address assignments were in error with a comment about a pool problem. Reboot of the router didn't change it. After ISP support informed me that they fixed the problem, I enabled the DHCPv6 client. Immediately after it retrieved the prefix, the router's IPv6 addresses became set and valid ... RAs were being broadcast and LAN devices got IPv6 connectivity.
 
rm66
just joined
Topic Author
Posts: 6
Joined: Sat May 06, 2023 2:12 pm

Re: New hEX S losing some IPv6 configuration on reboot (ROS 6.49.7)

Wed May 10, 2023 11:51 pm

Thanks very much for the information Mkx. It's a relief to hear that errors do not result in configurations being dropped or omitted. Given your experience it is likely that the behaviour I am observing is a RouterOS bug, possibly related to viewtopic.php?t=184711&sid=a03de18f52ad ... b4c576e3cc.

Maybe it's time to consider upgrading to 7.x...

Thanks very much for the help.

-Richard
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: New hEX S losing some IPv6 configuration on reboot (ROS 6.49.7)

Thu May 11, 2023 2:16 pm

FWIW: what I wrote in my previous post is how ROS 6.49.7 behaves on hAP ac2. The only potential problem (which might still be called a bug in ROS) is that you're assigning two pseudo-dynamic addresses to each of the interfaces ... and ROS might not like this. In my case, if there is more than one explicitly assigned IPv6 address per interface, those are not from a pool but truly static. Since you're using one pool in a pseudo-static way, you may want to try to assign addresses truly static ... because: if the pool contents don't change, what's the point in using a pool at all?
 
rm66
just joined
Topic Author
Posts: 6
Joined: Sat May 06, 2023 2:12 pm

Re: New hEX S losing some IPv6 configuration on reboot (ROS 6.49.7)

Thu May 11, 2023 7:28 pm

Thanks Mkx. I'll look more carefully at your suggestion and give it a try.

Richard
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: New hEX S losing some IPv6 configuration on reboot (ROS 6.49.7)

Thu May 11, 2023 7:48 pm

Paste this in the terminal and see if it is solved:
/ipv6 address
set [find] eui-64=yes
/ipv6 dhcp-client
set [find] rapid-commit=no
/ipv6 nd
set [find] hop-limit=64 ra-interval=3m20s-10m
/ipv6 settings
set max-neighbor-entries=2048
 
rm66
just joined
Topic Author
Posts: 6
Joined: Sat May 06, 2023 2:12 pm

Re: New hEX S losing some IPv6 configuration on reboot (ROS 6.49.7)

Fri May 12, 2023 10:27 am

Thanks Rextended. Will try this on the weekend and report back.

- Richard
 
rm66
just joined
Topic Author
Posts: 6
Joined: Sat May 06, 2023 2:12 pm

Re: New hEX S losing some IPv6 configuration on reboot (ROS 6.49.7)  [SOLVED]

Sat May 13, 2023 5:00 pm

Just in case someone else finds themself in a situation similar to the one I described above, thanks to kind suggestions by Mkx in particular I have been able to solve my problem of losing assigned IPv6 addresses on reboot.

I was assigning two addresses to each interface using a dynamic pool for global IPv6 addresses and a static (manually created) pool for unique local addresses (ULA). As pointed out by Mkx, there is no need to use a pool to assign ULAs as these, once chosen, are fixed. So, this morning I deleted the ULA pool, and removed the previously assigned ULA addresses from my bridge (private LAN) and bridge-guest (guest LAN) interfaces.

Then at the CLI I executed:
/ipv6 address
add address=fd19:8a99:2d5e::/64 interface=bridge eui-64=yes advertise=yes
add address=fd19:8a99:2d5e:1::/64 interface=bridge-guest eui-64=yes advertise=yes

Following a tip from Rextended (thanks!) I decided to use EUI-64 generated addresses for the ULA for each interface.

After these changes, I have observed no loss of IPv6 addresses after a reboot (I've tried at least 3 times since the changes mentioned above). The problem I witnessed seems to be related to the use of two IPv6 pools. Strangely, no error conditions were signalled and none were logged.

Many thanks to all who offered their help.

-Richard
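
Because the address loss described in this thread raised no error and left nothing in the log, one way to catch it is to diff a saved export against one taken after a reboot. The Python sketch below is an added example, not code from any post in the thread or from MikroTik; the function names are hypothetical, and the sample exports are constructed from the "/ipv6 address" and "/ipv6 dhcp-client" lines in the first post.

```python
from collections import Counter, defaultdict

# Constructed sample: abridged pre-reboot export, taken from the first post.
BEFORE = r"""
/ipv6 address
add address=::1 from-pool=ULA-pool6 interface=bridge
add address=::1 from-pool=general-pool6 interface=bridge-guest
add address=::1 from-pool=general-pool6 interface=bridge
add address=::1 from-pool=ULA-pool6 interface=bridge-guest
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=general-pool6 request=prefix \
    use-peer-dns=no
"""
# Constructed sample: same export minus the two entries reported lost after reboot.
LOST = ("add address=::1 from-pool=general-pool6 interface=bridge",
        "add address=::1 from-pool=ULA-pool6 interface=bridge-guest")
AFTER = "\n".join(ln for ln in BEFORE.splitlines() if ln not in LOST)


def parse_export(text):
    """Map each menu path (e.g. '/ipv6 address') to its ordered command lines."""
    sections, menu, pending = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):      # export wraps long lines with a trailing backslash
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):     # a menu path line starts a new section
            menu = line
        elif menu is not None:
            sections[menu].append(line)
    return sections


def dropped_entries(before, after):
    """Return {menu: [entries present before but absent after]}, counting duplicates."""
    old, new = parse_export(before), parse_export(after)
    report = {}
    for menu, entries in old.items():
        gone = Counter(entries) - Counter(new.get(menu, []))
        if gone:
            report[menu] = list(gone.elements())
    return report

if __name__ == "__main__":
    print(dropped_entries(BEFORE, AFTER))
```

Entries are compared as whole lines, so "interface=bridge" and "interface=bridge-guest" are never confused, and wrapped lines are rejoined before comparison.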
