ahtoh
Frequent Visitor
Topic Author
Posts: 50
Joined: Fri Jan 25, 2013 3:10 pm

IPV6 DHCP client does not add correct default route after reboot

Mon May 22, 2023 11:06 pm

It starts to work if I disable and re-enable the DHCP client.
Any ideas?

Here is my IPv6 config (firewall rules/address lists are there, but all default).
ether1 is my LAN and wlan1 is my WAN.
/ipv6 address
add address=fd28:a78:c265:: interface=ether1
/ipv6 dhcp-client
add add-default-route=yes interface=wlan1 request=address

/ipv6 firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
Last edited by ahtoh on Tue May 23, 2023 1:15 am, edited 2 times in total.
 
ahtoh
Frequent Visitor
Topic Author
Posts: 50
Joined: Fri Jan 25, 2013 3:10 pm

Re: IPV6 NAT stops working after reboot

Tue May 23, 2023 1:06 am

I noticed the difference between the routes:
after restart:
before-dhcp-toggle.jpg
after dhcp disable/enable:
after dhcp-toggle.jpg
Any ideas why it does not come up as in the last picture after a router restart?
 
Kentzo
Long time Member
Posts: 608
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: IPV6 DHCP client does not add correct default route after reboot

Tue May 23, 2023 7:07 am

Could it be that your manual DHCPv6 client on ether1 conflicts with Router Advertisements on wlan1?

They appear to be the same route, for whichever reason the bottom one uses different notation. What is not working?
 
User avatar
mkx
Forum Guru
Posts: 12723
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPV6 DHCP client does not add correct default route after reboot

Tue May 23, 2023 3:41 pm

DHCPv6 doesn't provide routing information to clients. Instead, the device gets the IPv6 address of the gateway by listening to Router Advertisements (RAs), which are sent out by routers every now and then (the interval is configurable; the default setting in ROS is an interval between 3m20s and 10m). So right after reboot the device doesn't know the IPv6 address (the link-local one) of the gateway, and it can take up to 10 minutes to learn the information.

In my experience, IPv6 connectivity is indeed flaky (at best) during that time.

BTW, setting an interface name as the gateway is kind of futile if the interface is of point-to-multipoint type (e.g. ethernet, wifi, ...). The way packet delivery works in those networks is that the sender needs to use the L2 address of the receiver; in the named technologies this means that the sender sends packets to the MAC address of the receiver (e.g. the gateway). And the sender needs to discover that L2 (MAC) address. Usually that's done because the sender knows the IP (or IPv6) address of the receiver and then uses ARP mechanisms to discover the MAC address. If the IP address of the receiver (e.g. the gateway) is not known and the interface technology requires using a MAC address, then the whole lot depends on abuse of other mechanisms, such as proxy-ARP (where the gateway replies to ARP requests with its own MAC address regardless of the IP address).

Setting an interface name as the gateway when the interface type is point-to-point (e.g. PPP, PPPoE, wireguard, etc.) is really enough because there's only one receiver and the sender doesn't have to address it.
 
ahtoh
Frequent Visitor
Topic Author
Posts: 50
Joined: Fri Jan 25, 2013 3:10 pm

Re: IPV6 DHCP client does not add correct default route after reboot

Tue May 23, 2023 5:48 pm

> Could it be that your manual DHCPv6 client on ether1 conflicts with Router Advertisements on wlan1?
>
> They appear to be the same route, for whichever reason the bottom one uses different notation. What is not working?

The default gateway that is automatically added by the DHCP client is different - notice the gateway field in the first route on both screenshots.
After reboot it is missing the IPv6 address,
and IPv6 connectivity is not working; I can't ping google.com from the router, for example.
 
Kentzo
Long time Member
Posts: 608
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: IPV6 DHCP client does not add correct default route after reboot

Tue May 23, 2023 9:28 pm

@mkx, RouterOS does send Router Solicitation on boot as well as Neighbor Solicitation. There should be no delays unless the counterpart is sloppy.

@ahtoh Immediately after the reboot, before you toggle dhcp-client, what do ipv6/address and ipv6/neighbor say, can you ping the gateway over IPv6 (address from the last pic) from your router? Also print ipv6/settings.
 
tdw
Forum Guru
Posts: 2008
Joined: Sat May 05, 2018 11:55 am

Re: IPV6 DHCP client does not add correct default route after reboot

Tue May 23, 2023 11:05 pm

I don't know why Mikrotik have an add-default-route option in the DHCPv6 client, it is a hacky bodge which adds the DHCPv6 server as the default gateway. This works in some situations, but not all.

As @mkx stated, DHCPv6 has no mechanism to distribute a default gateway; the gateway and subnet prefix are obtained from Router Advertisements (RA). The Mikrotik default config is essentially not to accept RAs, you have to explicitly enable them with:
/ipv6 settings set accept-router-advertisements=yes

Note the latest security announcement https://blog.mikrotik.com/security/cve-2023-32154.html so ensure you upgrade to 7.9.1 (stable), 6.49.8 (stable), 6.48.7 (long-term) or 7.10beta8 (testing) first.

Note that the advertised route is not displayed in earlier versions of RouterOS, I believe fixed in 7.8 onwards.
 
Kentzo
Long time Member
Posts: 608
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: IPV6 DHCP client does not add correct default route after reboot

Tue May 23, 2023 11:15 pm

> The Mikrotik default config is essentially not to accept RAs, you have to explicitly enable them with:
> /ipv6 settings set accept-router-advertisements=yes
If you do that make sure to configure the firewall to discard RAs from unwanted interfaces and/or nodes.
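
A way to check for the condition described in the post above, as an added example that is not part of the thread: a Python audit of a RouterOS text export that reports when Router Advertisements are accepted but no firewall rule discards ICMPv6 type 134. The sample exports are constructed, and the defaults used for values missing from an export are assumptions.

```python
import shlex

# Constructed sample exports, not taken from any router in the thread.
UNFILTERED = """\
/ipv6 settings
set accept-router-advertisements=yes
/ipv6 dhcp-client
add interface=wlan1 request=address
"""
FILTERED = UNFILTERED + """\
/ipv6 firewall filter
add action=reject chain=icmpv6-input icmp-options=134:0-255 \\
    in-interface-list=!WAN protocol=icmpv6 reject-with=icmp-admin-prohibited
"""


def parse_export(text):
    """Yield (menu_path, command, params) for each set/add line of an export."""
    path, pending = "", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):      # exports wrap long lines with a backslash
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):     # menu path such as "/ipv6 settings"
            path = line
            continue
        words = shlex.split(line)    # keeps quoted comments as one word
        params = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        yield path, words[0], params


def ra_accepted(settings):
    """Decide whether /ipv6 settings makes the router act on received RAs."""
    # Assumption: values absent from the export are at their defaults, taken as
    # accept-router-advertisements=yes-if-forwarding-disabled and forward=yes.
    if settings.get("disable-ipv6") == "yes":
        return False
    accept = settings.get("accept-router-advertisements",
                          "yes-if-forwarding-disabled")
    if accept == "yes-if-forwarding-disabled":
        return settings.get("forward", "yes") == "no"
    return accept == "yes"


def is_ra_discard(params):
    """True for an enabled rule that drops or rejects ICMPv6 type 134 (RA)."""
    icmp_type = params.get("icmp-options", "").split(":")[0]
    return (params.get("action") in ("drop", "reject")
            and params.get("protocol") == "icmpv6"
            and icmp_type == "134"
            and params.get("disabled") != "yes")


def audit_ra(text):
    """Return findings. Limitation: chain jumps and rule order are not followed."""
    settings, discard_rules = {}, 0
    for path, command, params in parse_export(text):
        if path == "/ipv6 settings" and command == "set":
            settings.update(params)
        elif path in ("/ipv6 firewall filter", "/ipv6 firewall raw"):
            discard_rules += is_ra_discard(params)
    if ra_accepted(settings) and discard_rules == 0:
        return ["RAs are accepted and no rule discards ICMPv6 type 134"]
    return []


if __name__ == "__main__":
    print(audit_ra(UNFILTERED), audit_ra(FILTERED))
```
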
 
tdw
Forum Guru
Posts: 2008
Joined: Sat May 05, 2018 11:55 am

Re: IPV6 DHCP client does not add correct default route after reboot

Wed May 24, 2023 12:03 am

Ideally the accept RA setting should be per-interface rather than global.
 
tholderbaum
newbie
Posts: 38
Joined: Thu Jan 23, 2014 3:34 am
Location: Tampa, Florida

Re: IPV6 DHCP client does not add correct default route after reboot

Wed May 24, 2023 3:48 pm

> The Mikrotik default config is essentially not to accept RAs, you have to explicitly enable them with:
> /ipv6 settings set accept-router-advertisements=yes
> If you do that make sure to configure the firewall to discard RAs from unwanted interfaces and/or nodes.

I am not sure that is entirely true.

In the terminal, the ipv6 after a default config reset looks like this:

/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192

I have never configured any of my firewalls for IPv6, and yet in winbox, both settings are set to "yes if forwarding disabled". My read on this is that the default config disabled ipv6, however, the settings in winbox mean that if I enabled ipv6, I would have to set both of those options explicitly to no:

/ipv6 settings
set accept-redirects=no accept-router-advertisements=no max-neighbor-entries=\
8192

Perhaps this would be safer and more clearly understood:

/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
max-neighbor-entries=8192
 
tdw
Forum Guru
Posts: 2008
Joined: Sat May 05, 2018 11:55 am

Re: IPV6 DHCP client does not add correct default route after reboot

Wed May 24, 2023 4:30 pm

> I have never configured any of my firewalls for IPv6, and yet in winbox, both settings are set to "yes if forwarding disabled". My read on this is that the default config disabled ipv6, however, the settings in winbox mean that if I enabled ipv6, I would have to set both of those options explicitly to no:

No, yes-if-forwarding-disabled is effectively yes when /ipv6 settings forward=no

It isn't relevant to the OP's question, who is using IPv6.

Edit: Corrected IPv6 forward settings syntax
Last edited by tdw on Wed May 24, 2023 5:23 pm, edited 1 time in total.
 
ahtoh
Frequent Visitor
Topic Author
Posts: 50
Joined: Fri Jan 25, 2013 3:10 pm

Re: IPV6 DHCP client does not add correct default route after reboot

Wed May 24, 2023 5:06 pm

These are my IPv6 settings, it's the default on my router, and I'm using the latest version 7.9.1.
Screenshot 2023-05-24 100440.png
 
tdw
Forum Guru
Posts: 2008
Joined: Sat May 05, 2018 11:55 am

Re: IPV6 DHCP client does not add correct default route after reboot

Wed May 24, 2023 5:17 pm

In that case it would only apply when IPv6 forward is disabled
 
ahtoh
Frequent Visitor
Topic Author
Posts: 50
Joined: Fri Jan 25, 2013 3:10 pm

Re: IPV6 DHCP client does not add correct default route after reboot

Wed May 24, 2023 5:23 pm

So what am I supposed to change to make IPv6 work?
This is such a basic config, so I'm surprised it's not working.
I just want to automatically get an IPv6 address from the upstream router and use NAT within a subnet behind the MikroTik.
Similar to the default IPv4 config in many routers that just works out of the box.
 
tdw
Forum Guru
Posts: 2008
Joined: Sat May 05, 2018 11:55 am

Re: IPV6 DHCP client does not add correct default route after reboot

Wed May 24, 2023 5:24 pm

Change Accept Router Advertisements to yes
 
ahtoh
Frequent Visitor
Topic Author
Posts: 50
Joined: Fri Jan 25, 2013 3:10 pm

Re: IPV6 DHCP client does not add correct default route after reboot

Wed May 24, 2023 5:34 pm

Should I remove add-default-route=yes from the DHCP client?
It sounded like it's a hack that was not supposed to be there to begin with.
 
ahtoh
Frequent Visitor
Topic Author
Posts: 50
Joined: Fri Jan 25, 2013 3:10 pm

Re: IPV6 DHCP client does not add correct default route after reboot

Wed May 24, 2023 6:13 pm

OK, I enabled Accept Router Advertisements and disabled that option to add the default gateway in the DHCP client.
But now I have another problem:
after reboot it says duplicate address detected.
If I disable and enable the address, it works.

So it's a similar situation for me as before; now instead of toggling the DHCP client I need to toggle the IPv6 address.
duplicate address.jpg
 
ahtoh
Frequent Visitor
Topic Author
Posts: 50
Joined: Fri Jan 25, 2013 3:10 pm

Re: IPV6 DHCP client does not add correct default route after reboot

Wed May 24, 2023 6:25 pm

OK, I figured this out - enabled EUI64 on the address and now it seems to work after reboot.

Here is my final config that works. Hopefully this will help someone else.
Generate your local IPv6 address here: https://cd34.com/rfc4193/
/ipv6 settings
set accept-router-advertisements=yes
/ipv6 address
add address=fdXX:XXX:XXXX:XXX:XXX eui-64=yes interface=ether1
/ipv6 dhcp-client
add interface=wlan1 request=address
/ipv6 firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN

 
tdw
Forum Guru
Posts: 2008
Joined: Sat May 05, 2018 11:55 am

Re: IPV6 DHCP client does not add correct default route after reboot

Wed May 24, 2023 7:09 pm

There should be no need for a ULA address (fdxx::) to be assigned to the interface.

Why are you using NAT? ISPs should provide a block of addresses with prefix delegation from which you assign addresses to your internal networks. Usually the only case where this isn't possible is LTE/5G WAN connections where carriers still assume you are only connecting a mobile phone or tablet to the internet.
 
ahtoh
Frequent Visitor
Topic Author
Posts: 50
Joined: Fri Jan 25, 2013 3:10 pm

Re: IPV6 DHCP client does not add correct default route after reboot

Wed May 24, 2023 7:30 pm

Because I'm behind two routers. The first one does receive the prefix.
Don't know how to pass the prefix to the downstream router.
 
tdw
Forum Guru
Posts: 2008
Joined: Sat May 05, 2018 11:55 am

Re: IPV6 DHCP client does not add correct default route after reboot

Wed May 24, 2023 7:50 pm

It is the same mechanism as for getting a prefix from your ISP.

For example if your ISP provides a prefix of /56 your first router could offer prefixes of /60 to your other routers. It does however require the DHCPv6 server on your first router to support prefix delegation, I suspect that many commodity routers don't.
 
Kentzo
Long time Member
Posts: 608
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: IPV6 DHCP client does not add correct default route after reboot

Wed May 24, 2023 8:16 pm

FWIW here is my IPv6 config:
/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes

# Request the global prefix to provide global IPv6 addresses for LAN.

/ipv6 address
add address=::1 from-pool=global interface=vlan-main

/ipv6 dhcp-client
add interface=ether1-gateway pool-name=global pool-prefix-length=62 prefix-hint=::/62 request=address,prefix use-peer-dns=no

# - Don't relay ISPs DNS, use the router itself as the DNS server.

/ipv6 nd
set [ find default=yes ] disabled=yes interface=bridge reachable-time=5m
add advertise-dns=no hop-limit=64 interface=vlan-main other-configuration=yes reachable-time=5m

/ipv6 address
add address=::2 from-pool=ula interface=vlan-main

/ipv6 pool
add name=ula prefix=fd00::/64 prefix-length=64

/ipv6 dhcp-server option
add code=23 name=DNS value="'fd00::2'"

/ipv6 dhcp-server
add dhcp-option=DNS interface=vlan-main name=vlan-main

# Block bad IPv6 addresses from WAN as well as unwanted ICMPv6

/ipv6 firewall address-list
add address=::1/128 list=bad_ipv6 \
    comment="defconf: RFC6890 lo"
add address=::ffff:0.0.0.0/96 list=bad_ipv6 \
    comment="defconf: RFC6890 IPv4 mapped"
add address=2001::/23 list=bad_ipv6 \
    comment="defconf: RFC6890"
add address=2001:db8::/32 list=bad_ipv6 \
    comment="defconf: RFC6890 documentation"
add address=2001:10::/28 list=bad_ipv6 \
    comment="defconf: RFC6890 orchid"
add address=::/96 list=bad_ipv6 \
    comment="defconf: ipv4 compat"
add address=100::/64 list=not_global_ipv6 \
    comment="defconf: RFC6890 Discard-only"
add address=2001::/32 list=not_global_ipv6 \
    comment="defconf: RFC6890 TEREDO"
add address=2001:2::/48 list=not_global_ipv6 \
    comment="defconf: RFC6890 Benchmark"
add address=fc00::/7 list=not_global_ipv6 \
    comment="defconf: RFC6890 Unique-Local"
add address=::/128 list=bad_dst_ipv6 \
    comment="defconf: unspecified"
add address=::/128 list=bad_src_ipv6 \
    comment="defconf: unspecified"
add address=ff00::/8 list=bad_src_ipv6 \
    comment="defconf: multicast"
add address=fe80::/10 list=no_forward_ipv6 \
    comment="defconf: RFC6890 Linked-Scoped Unicast"
add address=ff00::/8 list=no_forward_ipv6 \
    comment="defconf: multicast"
add address=fe80::/10 list=link_local \
    comment="Link-local IPv6 addresses"
add address=::/128 list=unspecified
add address=ff02::1:ff00:0/104 list=ns_multicast
add address=ff02::16/128 list=mld_multicast \
    comment="MLDv2 Report multicast"

/ipv6 firewall raw
add action=accept chain=prerouting dst-address-list=ns_multicast icmp-options=135:0-255 in-interface-list=LAN protocol=icmpv6 src-address-list=unspecified \
    comment="Accept unspecified for DAD from LAN"
add action=accept chain=prerouting dst-address-list=mld_multicast icmp-options=143:0-255 in-interface-list=LAN protocol=icmpv6 src-address-list=unspecified \
    comment="Accept unspecified to MLD from LAN"
add action=drop chain=prerouting log-prefix=bogon src-address-list=bad_ipv6 \
    comment="Drop from bogon IPs"
add action=drop chain=prerouting dst-address-list=bad_ipv6 \
    comment="Drop to bogon IPs"
add action=drop chain=prerouting src-address-list=bad_src_ipv6 \
    comment="Drop from bad src IPs"
add action=drop chain=prerouting dst-address-list=bad_dst_ipv6 \
    comment="Drop to bad dst IPs"
add action=drop chain=prerouting in-interface-list=WAN src-address-list=not_global_ipv6 \
    comment="Drop non-global from WAN"
add action=jump chain=prerouting jump-target=icmpv6-prerouting protocol=icmpv6 \
    comment="Jump to ICMPv6 chain"

add action=drop chain=icmpv6-prerouting icmp-options=130:0-255 in-interface-list=WAN protocol=icmpv6 \
    comment="Drop MLD Query from WAN"
add action=drop chain=icmpv6-prerouting icmp-options=131:0-255 in-interface-list=WAN protocol=icmpv6 \
    comment="Drop MLDv1 Report from WAN"
add action=drop chain=icmpv6-prerouting icmp-options=132:0-255 in-interface-list=WAN protocol=icmpv6 \
    comment="Drop MLDv1 Done from WAN"
add action=drop chain=icmpv6-prerouting icmp-options=143:0-255 in-interface-list=WAN protocol=icmpv6 \
    comment="Drop MLDv2 Report from WAN"
add action=drop chain=icmpv6-prerouting icmp-options=139:0-255 in-interface-list=WAN protocol=icmpv6 \
    comment="Drop Node Information Query from WAN"
add action=drop chain=icmpv6-prerouting icmp-options=160:0-255 in-interface-list=WAN protocol=icmpv6 \
    comment="Drop Extended Echo Request from WAN"
add action=return chain=icmpv6-prerouting log-prefix=icmpv6 \
    comment="Back to prerouting"

/ipv6 firewall filter
add action=accept chain=forward connection-state=established,related,untracked \
    comment="Accept Established, Related and Untracked"
add action=drop chain=forward connection-state=invalid \
    comment="Drop Invalid"
add action=drop chain=forward src-address-list=no_forward_ipv6 \
    comment="Drop Bad Forward IPs"
add action=drop chain=forward dst-address-list=no_forward_ipv6 \
    comment="Drop Bad Forward IPs"
add action=jump chain=forward jump-target=icmpv6-forward protocol=icmpv6 \
    comment="Jump to ICMPv6 chain"
add action=drop chain=forward in-interface-list=WAN \
    comment="Drop All from WAN"

add action=accept chain=input connection-state=established,related,untracked \
    comment="Accept Established, Related and Untracked"
add action=drop chain=input connection-state=invalid \
    comment="Drop Invalid"
add action=jump chain=input jump-target=icmpv6-input protocol=icmpv6 \
    comment="Jump to ICMPv6 chain"
add action=accept chain=input port=33434-33534 protocol=udp \
    comment="Accept UDP Traceroute"
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp \
    comment="Accept DNS over TCP from LAN"
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp \
    comment="Accept DNS over UDP from LAN"
add action=accept chain=input dst-port=546 in-interface-list=WAN protocol=udp src-address-list=link_local \
    comment="Accept DHCPv6 Client Prefix Delegation from WAN"
add action=accept chain=input dst-port=547 in-interface-list=LAN protocol=udp \
    comment="Accept DHCPv6 Clients from LAN"
add action=accept chain=input dst-port=500,4500 in-interface-list=WAN protocol=udp \
    comment="Accept IPsec IKE & NAT-T"
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp \
    comment="Accept IPsec ESP"
add action=reject chain=input in-interface-list=LAN reject-with=icmp-admin-prohibited \
    comment="Reject All LAN"
add action=drop chain=input \
    comment="Drop All"

add action=reject chain=icmpv6-input icmp-options=134:0-255 in-interface-list=!WAN protocol=icmpv6 reject-with=icmp-admin-prohibited \
    comment="Drop Router Advertisements from LAN"
add action=accept chain=icmpv6-input protocol=icmpv6 \
    comment="Accept ICMPv6"

add action=accept chain=icmpv6-forward icmp-options=128:0-255 in-interface-list=LAN protocol=icmpv6 \
    comment="Accept Echo Request from LAN"
add action=reject chain=icmpv6-forward in-interface-list=LAN reject-with=icmp-admin-prohibited \
    comment="Reject All ICMPv6 from LAN"
add action=drop chain=icmpv6-forward \
    comment="Drop All ICMPv6"
I wish I could give you firewall stats, but I recently updated RouterOS and they were reset.
 
Kentzo
Long time Member
Posts: 608
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: IPV6 DHCP client does not add correct default route after reboot

Wed May 24, 2023 8:58 pm

> Don't know how to pass the prefix to the downstream router.

The 1st router needs to have 2 settings:
1. to mark in its RAs that Other Configuration should be retrieved via DHCPv6
2. DHCPv6 server to provide prefixes, e.g. by subdividing larger IPv6 prefix it received via upstream or from ULA

However, I do not think RouterOS's DHCPv6 server is capable of that. Last time I couldn't even get it to provide IPv6 addresses via Managed Address Configuration.


This article seems to describe as much as you can get out of the RouterOS's DHCPv6 server: https://wu.renjie.im/blog/network/ros-dhcpv6/
 
tdw
Forum Guru
Posts: 2008
Joined: Sat May 05, 2018 11:55 am

Re: IPV6 DHCP client does not add correct default route after reboot

Wed May 24, 2023 11:26 pm

You should be able to adapt that for your setup. Some of the problems you had previously may be due to assigning addresses from two pools to the same interface - IIRC there have been issues with this in RouterOS so using a pool for the ISP prefix and a static ULA per that article may help.
 
ahtoh
Frequent Visitor
Topic Author
Posts: 50
Joined: Fri Jan 25, 2013 3:10 pm

Re: IPV6 DHCP client does not add correct default route after reboot

Thu May 25, 2023 11:04 pm

I must have mentioned, the first router is ISP provided (xfinity) and I don't see a way to request /56 or /60 from the provider and then make it pass the subnet prefix to the downstream mikrotik.
For my purposes NAT is good enough so I don't care.
 
Kentzo
Long time Member
Posts: 608
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: IPV6 DHCP client does not add correct default route after reboot

Fri May 26, 2023 11:40 pm

> I must have mentioned, the first router is ISP provided (xfinity) and I don't see a way to request /56 or /60 from the provider and then make it pass the subnet prefix to the downstream mikrotik.

In my area xfinity provides at least /60. Based on my config:
/ipv6 dhcp-client
add interface=wlan1 request=address,prefix pool-name=somename prefix-hint=::/56

print detail
Flags: D - dynamic, X - disabled, I - invalid 
 0   ... prefix=2601:647:...::/60
You may want to play with prefix-hint, perhaps in your area you can get a bigger subnet.
