Greetings All,

A couple of days back, I upgraded to RouterOS (ROS) 7.16.1 (from 7.14.1). After the reboot I noticed that while IPv4 was working fine, ROS's dhcpv6 client was stuck at 'searching...'. I tried various combinations with and without 'accept RA' but nothing seems to make any difference.

To rule out (unlikely?) issues with my 7.14.1 saved config, I went with the default 'out-of-the-box' 7.16.1 configuration but see the same results. I have not made any other mods apart from enabling the dhcpv6 client (currently requesting just the prefix. Attempts to request both the prefix and address also give the same result).

A quick sniffer run on ether1 shows ROS's DHCPv6 'solicit' going out and an immediate (and seemingly proper) DHCPv6 'Advertise' response from Xfinity. I do not see subsequent 'Solicit' retransmits from ROS so I'm assuming it did 'see' this response. But then I do not see the expected DHCPv6 'Request' packet (the next step in the DHCPv6 handshake sequence) from ROS either and the DHCPv6 client status still stays at 'searching'.

The system log does not show any untoward messages or warnings either.

Am I missing/forgetting something basic at my end of did something change in 7.16.1? My topology and config details are at the end of this post.

Thanks!
/DN

My home network topology (typical and very plain vanilla):
Xfinity -> Netgear Nighthawk Cable Modem -> [ether1] Mikrotik (RB4011iGS+) [bridge] -> LAN
RouterOS: v7.16.1
RouterOS Config: 'out-of-the-box' default for v7.16.1 (with just the dhcpv6 client enabled on ether1)


Current IPv6 related config:

admin@XXXXXXXX] /ipv6> /ipv6 export
# 2024-11-03 13:51:09 by RouterOS 7.16.1
# software id = R9T3-B8SI
#
# model = RB4011iGS+
# serial number = XXXXXXXXXXXX
/ipv6 dhcp-client
add interface=ether1 pool-name=ipv6_pool request=address,prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] disabled=yes
/ipv6 settings
set accept-router-advertisements=no

[admin@XXXXXXXX] /ipv6> /ipv6 address print
Flags: D - DYNAMIC; L - LINK-LOCAL
Columns: ADDRESS, INTERFACE, ADVERTISE
# ADDRESS INTERFACE ADVERTISE
0 D ::1/128 lo no
1 DL fe80::xxxx:xxxx:fe03:9445/64 bridge no
2 DL fe80::xxxx:xxxx:fe03:9444/64 ether1 no

[admin@XXXXXXXX] /ipv6> dhcp-client print
Columns: INTERFACE, STATUS, REQUEST
# INTERFACE STATUS REQUEST
0 ether1 searching... address
prefix

I have similar issue, it was working fine on 7.17.2 (with the firewall tweak), but the same configuration isn't working on 7.19.1. I had to reset router because it ran out of space, then I reapplied the same configuration and then upgraded to 7.19.1.

I turned on debug log and find these messages:
So it seems like ISP just... has no ipv6 prefix to give me anymore?? Huh?

Oh well, I see that it is giving me an address, so at least I can do NAT.

Xfinity is slowly changing over their IPv6 configurations from having the DHCP6 server answer from a link local address to being forwarded from a remote address. You may have run into this when you rebooted the router.

If your IPv6 firewall has a statement like this from the default config
Try changing it to allow remote forwarded DHCPv6 like this
Earlier Xfinity discussion:
viewtopic.php?t=183485


Edit: fixed url