tobcon
just joined
Topic Author
Posts: 18
Joined: Sun Mar 06, 2022 6:57 pm

Can't disable IPv6 SLAAC

Sun Jan 05, 2025 7:11 pm

Hello

This is my IPv6 config:
[admin@fw-xxx-0] > /ipv6 export
# 2025-01-05 18:04:01 by RouterOS 7.16.2
# software id = JLI2-LN5C
#
# model = CCR1009-8G-1S-1S+
# serial number = 606E0469xxxx
/ipv6 dhcp-client
add add-default-route=yes interface=wan10 pool-name=fiber6 pool-prefix-length=48 request=address,prefix \
    use-peer-dns=no
/ipv6 firewall filter
add action=accept chain=input comment="allow established and related" connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" disabled=yes src-address-list=allowed
add action=drop chain=input
add action=accept chain=forward comment=established,related connection-state=established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=accept chain=forward comment=icmpv6 protocol=icmpv6
add action=accept chain=forward comment="local network" in-interface=!wan10
add action=drop chain=forward log-prefix=IPV6
Even though there is no address configured on LAN, the router is performing SLAAC. Any idea why?
➜  ~ sudo tcpdump -i wlp3s0 'icmp6 && icmp6[0] == 134' -v

tcpdump: listening on wlp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:06:39.197843 IP6 (class 0xc0, flowlabel 0x48bb2, hlim 255, next-header ICMPv6 (58) payload length: 56) _gateway > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
        hop limit 0, Flags [none], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
          source link-address option (1), length 8 (1): 4c:5e:0c:xx:xx:f8
          prefix info option (3), length 32 (4): 2a02:xxxx:xxxx::/64, Flags [onlink, auto], valid time 2592000s, pref. time 0s
And the interface holding an IPv6 address..
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 04:cf:4b:1e:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 172.16.90.117/24 brd 172.16.90.255 scope global dynamic noprefixroute wlp3s0
       valid_lft 1796sec preferred_lft 1796sec
    inet6 2a02:xxxx:xxxx:0:7e4b:266:870:xxxx/64 scope global deprecated dynamic noprefixroute 
       valid_lft 2591998sec preferred_lft 0sec
    inet6 fe80::17fc:d894:9986:xxxx/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
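
An added example (not part of the original post, and not MikroTik code): a minimal Python parser for the router advertisement fields that tcpdump printed in the capture above. The packet is constructed to mirror that capture, with the documentation prefix 2001:db8::/64 and a made-up MAC standing in for the redacted values; a preferred lifetime of 0 with a non-zero valid lifetime is what makes the host show the SLAAC address as deprecated.

```python
import ipaddress
import struct

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134), starting at the ICMPv6 header."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a router advertisement")
    hop_limit, flags, lifetime = struct.unpack_from("!BBH", icmp6, 4)
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "other": bool(flags & 0x40), "router_lifetime": lifetime, "prefixes": []}
    off = 16  # fixed part: ICMPv6 header (4) + hop/flags/lifetime (4) + two timers (8)
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length field is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:  # Prefix Information option
            plen, pflags, valid, preferred = struct.unpack_from("!BBII", icmp6, off + 2)
            prefix = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            ra["prefixes"].append({
                "prefix": f"{prefix}/{plen}",
                "onlink": bool(pflags & 0x80),
                "auto": bool(pflags & 0x40),   # A flag: hosts may run SLAAC on this prefix
                "valid": valid,
                "preferred": preferred,
                # Still valid but no longer preferred: hosts keep the address as deprecated
                "deprecated": valid > 0 and preferred == 0,
            })
        off += opt_len
    return ra

def sample_ra() -> bytes:
    """Constructed 56-byte RA mirroring the capture (checksum left 0, not verified here)."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 0, 0, 1800, 0, 0)
    slla = bytes([1, 1]) + bytes.fromhex("020000000001")  # made-up source MAC
    pio = struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 0, 0)
    pio += ipaddress.IPv6Address("2001:db8::").packed     # placeholder prefix
    return hdr + slla + pio

if __name__ == "__main__":
    print(parse_ra(sample_ra()))
```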
 
Z0ltan
newbie
Posts: 46
Joined: Sat Dec 15, 2018 3:07 pm

Re: Can't disable IPv6 SLAAC

Sun Jan 05, 2025 9:18 pm

Disable neighbor discovery and SLAAC will stop working. By the way, you request both an address and a prefix; if you don’t need an address for the router, perhaps only request the prefix.
 
tobcon
just joined
Topic Author
Posts: 18
Joined: Sun Mar 06, 2022 6:57 pm

Re: Can't disable IPv6 SLAAC

Sun Jan 05, 2025 10:12 pm

Disable neighbor discovery and SLAAC will stop working.

Ok, I have now disabled ND with this:
/ipv6 nd
set [ find default=yes ] disabled=yes
With this, IPv6 Router advertisement stops on the affected VLAN.

But why do I need to disable ND? Without disabling ND the Router is doing the IPv6 Router advertisement. But just on one VLAN/Interface! On other VLAN/Interfaces it doesn't do it with ND enabled. This doesn't really make sense to me.
 
tdw
Forum Guru
Posts: 2084
Joined: Sat May 05, 2018 11:55 am

Re: Can't disable IPv6 SLAAC

Sun Jan 05, 2025 11:59 pm

Did you previously have an IPv6 address assigned to the VLAN in question? It may be that if you add an address and then remove it the Mikrotik requires a reboot to stop the advertisement. There are a few things where a reboot is required to get the state consistent after changes; in this case it could be radvd doesn't get notified that the address has been removed and continues to advertise it.