Thanks for the feedback on RB4011/RB1100AHx4 with HW offloaded vlan-filtering. The problem is reproduced, and we are working on a solution.

Super, thanks!

+1 something in VLAN filtering/HW Offload seems broken. RB4011 Bridge/VLAN with VLAN filtering and HW offload, across two switch groups. Can't ping device from one switch group to the other switch group. Fun to track down, because when I turned on packet sniffer, it worked fine. (cause it disabled H...

Yeah, I tried it with a bridge I named "DeadEnd" :). No addresses, no ND, nothing on it. Worked as expected, returning unreachable. It does seem like you should be able to use route policies etc. I suspect you are better with those than I am. No opinion on what's best. One thing to conside...

I still need to differentiate my traffic, WAN and LAN. Since the route is to a dummy interface, the forwarding firewall filter will apply. Just put in a drop rule for WAN traffic to that interface. No? That would also give you a lot of options on when you want drop vs unreachable just by messing wi...

Got it. I think Cisco equipment has the option to allow black hole routes reply w/ unreachable, but I may be misremembering. Anyway.... So if MT doesn't have that option, how about this: Create a dummy interface and point the black hole route to it. I would expect once a packet arrives at that inter...

are you worried about the whole /56 changing or just which /64 s are assigned to each lan changing? There should be a dynamically created route for the entire /56 (or /60 if you are like me on Xfinity) to a black hole already there. That way only the assigned /64s are routed. As i understand, the en...

When I run packet sniffer tool, I see some packets with size much larger than the MTU. Some as large as 10K or so.

Does packet sniffer combine tcp frames?

This is seen on RB4011, on the bridge interface, with all connected interfaces (vlan and ports) set at or around 1500.

OK, I can't contain my self. Theory: ICPv6 relay is handling all the communications, not just the initial client solicitation. Except that the replies are spoofed as being from the server's location. (So it is all local scoped communication which is what you said it should be.) I mean, you can't get...

:oops: I'll buy that. The RFC isn't specific on that -- it doesn't describe the relay process in any kind of detail. I just did a little research on DHCPv6 relays, and the vendors I looked at (juniper/cisco) describe the relays handing bi-directional communication with the server, not just the first...

A bit of a post mortem on the default firewall rule for DHCPv6... According to RFC 8415, locating the DCHPv6 server on global scope is perfectly valid. When this is done, it is expected that a DHCP "relay agent" be on the local link to forward the initial client request. The initial reques...

Thanks for doing that I wasn't able to replicate that initially, but i think that was because i was changing the settings without rebooting and things were getting confused for some reason. So i just did a series of tests rebooting after each config change, and now I see what you do. I guess its fai...

Thanks for the clarification. I think you can safely turn off the ND entry for the WAN completely -- Its just for the RA stuff as far as I can tell. Neighbor Solicitation still works just fine on that interface with it off. I've seen this in my setup. I suspect if an interface allows IPV6, it must d...

I'm glad it worked. Seems like we are fighting the same battle. So I'm curious your configuration -- you say you are running ND on the WAN interface. That means your wan is Advertising itself as a router -- i don't believe that's where your default route is coming from. I suspect you are getting the...

It might be a problem similar to one we have been seeing on Xfinity. They seem to have changed the location of the upstream DHCPv6 PD server to a global address -- if you modify that rule to allow global (remove the local address restriction) it should be able to get the PD. If you are also using &q...

I see it too. On an RB4011 I can set the MTU of the WAN interface that large, and the log warning stops. As you said, not all RBs can MTU that large. Alternatively, you might make the default route static and turn off "accept router advertisements". Just copy the route that RA automaticall...

@proximus 1) The default rule is 100% correct, as is, and works just fine with Comcast. DHCPv6 uses link-local (fe80::/10) IPv6 addresses when communicating between client and relay/server. No doubt it has worked in the past and still works for some. Did for me, too. However, it seems Comcast is rol...

Perhaps something in this post helpful....

viewtopic.php?p=914681#p914681

Thanks again. I don't think I have many fancy rules, apologies if I was unclear. As you said, the big bit is the change in the firewall rule. Here is the default Mikrotik IPv6 firewall rule (ros7.1.2) that I had to change to make it work: filter add chain=input action=accept protocol=udp dst-port=54...

Thanks Tangent, It seems the DHCPv6 server address is indeed in another segment, not local, judging from the address compared to the address assigned to the router (different /64). I suspect the multicast function is handled by a DHCPv6 relay. Once found, the resulting connection becomes unicast. DH...

Two months ago, IPv6 stopped working on my Xfinity connection. It had previously worked brilliantly. I was stumped. My first thought was a cable modem configuration problem. I wasn't looking forward to working my way though Xfinity's support. Long story short, Xfinity changed how they do DHCPv6 in m...

Thanks for the replies. So other than that you cannot put a FQDN in a firewall rule it should work? But running a script periodically doesn't seem the best idea. When you resolve smtp.outlook.com, it goes to a long ugly Cname, then another long ugly Cname, then a list of 7 or so A name IP addresses ...

I have a device on my network that needs to send email notifications. Its setup requires access to an SMTP server. The problem, is the device only allows specification via IP address, not FQDN. (It is an older Cisco phone system). Ideally, I would have an internal SMTP server or relay on a static IP...

Just had this happen to me as well. SSH login w/ key slow, gives me "mikrotik" banner after about 20 seconds, then no prompt.


Is there a solution?

@celticcomms, thanks for the advice. What do you think of this idea: (1) Forward some new external port to SSH port 22 inside (just use dst-nat) (2) use PKI ( with good passphrase) to connect SSH, use CLI (3) make ssh tunnels in this connection if needed for webfig or winbox (enable on Mikrotik) is ...

Hi, My first post and first mikrotik router. So far so good :) I was wondering what are considered best setup to remote manage (config etc) the router in a SOHO type environment. Setup: Router has single public IP, NAT to private network. Assume manage from internet, already know public ip for route...