Bug Report - IPv6 accept-router-advertisements - 6.38 + 6.37

troykelly · Fri Dec 16, 2016 12:36 am

The IPv6 setting "accept-router-advertisements" is permanently set to "yes-if-forwarding-disabled"

The setting can be changed via a terminal or in the interface (current RC added IPv6 settings GUI) - but that change is not reflected in the operation of the router.

Testing on CHR with both .37 and .38 RC's

Evidence of setting remaining as "yes-if-forwarding-disabled" below.

Scenario 1 - With accept-router-advertisements=no the router should not be able to ping something outside of it's /64 as there is no route set - but the router can ping an external IPv6 address demonstrating that the setting is actually still set as "yes-if-forwarding-disabled" (ie The router is still accepting RA)

[admin@MikroTik] /ipv6 settings> print
                       forward: no
              accept-redirects: no
  accept-router-advertisements: no
          max-neighbor-entries: 8192
[admin@MikroTik] /ipv6 settings> /ipv6 route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable 
 #      DST-ADDRESS              GATEWAY                  DISTANCE
 0 ADC  2001:19f0:ac01:b8::/64   ether1                          0
[admin@MikroTik] /ipv6 settings> /ping 2404:6800:4006:803::200e
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                                                                                            
    0 2404:6800:4006:803::200e                   56  52 145ms echo reply                                                                                                                                        
    1 2404:6800:4006:803::200e                   56  52 145ms echo reply                                                                                                                                        
    2 2404:6800:4006:803::200e                   56  52 146ms echo reply                                                                                                                                        
    3 2404:6800:4006:803::200e                   56  52 146ms echo reply                                                                                                                                        
    4 2404:6800:4006:803::200e                   56  52 146ms echo reply                                                                                                                                        
    5 2404:6800:4006:803::200e                   56  52 145ms echo reply                                                                                                                                        
    sent=6 received=6 packet-loss=0% min-rtt=145ms avg-rtt=145ms max-rtt=146ms

Scenario 2 - By setting "forward"="yes" the router is prevented from accepting router advertisments even though the setting is set as "accept-router-advertisements"="yes"

[admin@MikroTik] /ipv6 settings> print
                       forward: yes
              accept-redirects: yes-if-forwarding-disabled
  accept-router-advertisements: yes
          max-neighbor-entries: 8192
[admin@MikroTik] /ipv6 settings> /ipv6 route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable 
 #      DST-ADDRESS              GATEWAY                  DISTANCE
 0 ADC  2001:19f0:ac01:b8::/64   ether1                          0
[admin@MikroTik] /ipv6 settings> /ping 2404:6800:4006:803::200e
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                                                                                            
    0                                                         no route to host                                                                                                                                  
    1                                                         no route to host                                                                                                                                  
    2                                                         no route to host                                                                                                                                  
    3                                                         no route to host                                                                                                                                  
    sent=4 received=0 packet-loss=100%

IPv6 Address Information

 #    ADDRESS                                     FROM-POOL INTERFACE                                                                                                                                  ADVERTISE
 0  G 2001:19f0:ac01:b8:5400:ff:fe48:494d/64      pool_v... ether1                                                                                                                                     no       
 1 DL fe80::5800:ff:fe48:494d/64                            ether2                                                                                                                                     no       
 2 DL fe80::5400:ff:fe48:494d/64                            ether1                                                                                                                                     no

Expected
The router should not have been able to ping anything outside of it's /64 in Scenario 1, and should have been able to ping in Scenario 2. This demonstrates that the IPv6 setting "accept-router-advertisements" is permanently set to "yes-if-forwarding-disabled"

troykelly · Fri Dec 16, 2016 6:51 am

I'd love some feedback or testing from others to dis/prove my findings.

To me - it looks as though the RouterOS frontend (GUI or Terminal) is not updating accept_ra in ip-sysctl.

It doesn't look like it's accept_ra_defrtr being set - because of the fact that setting accept-router-advertisements=no still solicits for and routes via the next-hop received via RA.

Is there any way other than the terminal / GUI to set accept_ra to 2 - this would be a great workaround / validation / temporary solution for the bug?

accept_ra - INTEGER
	Accept Router Advertisements; autoconfigure using them.

	It also determines whether or not to transmit Router
	Solicitations. If and only if the functional setting is to
	accept Router Advertisements, Router Solicitations will be
	transmitted.

	Possible values are:
		0 Do not accept Router Advertisements.
		1 Accept Router Advertisements if forwarding is disabled.
		2 Overrule forwarding behaviour. Accept Router Advertisements
		  even if forwarding is enabled.

	Functional default: enabled if local forwarding is disabled.
			    disabled if local forwarding is enabled.

accept_ra_defrtr - BOOLEAN
	Learn default router in Router Advertisement.

	Functional default: enabled if accept_ra is enabled.
			    disabled if accept_ra is disabled.

Sob · Sat Dec 17, 2016 3:10 am

TL;DR summary: I can confirm what you see.

I tested it with two CHRs with the most simple possible config. One CHR doing gateway with this config:

/ipv6 address
add address=2001:db8::1 interface=ether2

Another one as test router (with current 6.38rc49, but it does not really matter much, because this behaviour goes way back). I started with blank config:

/system reset-configuration no-defaults=yes

There are six possible combinations for accept-router-advertisements and forward. I tested all of them and I always rebooted router after changing settings, to be sure that nothing is left hanging from previous config. Each block contains current settings (from /ipv6 settings export verbose) followed by ping attempt.

Default one works as expected, router does not accept RA, doesn't get address and can't ping gateway:

/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes-if-forwarding-disabled forward=yes max-neighbor-entries=8192
[admin@MikroTik] > /ping 2001:db8::1 count=1                                      
  SEQ HOST                                     SIZE TTL TIME  STATUS             
    0                                                         no route to host   
    sent=1 received=0 packet-loss=100%

This one is ok too:

/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=no forward=yes max-neighbor-entries=8192
[admin@MikroTik] > /ping 2001:db8::1 count=1                                     
  SEQ HOST                                     SIZE TTL TIME  STATUS             
    0                                                         no route to host   
    sent=1 received=0 packet-loss=100%

But this one does not work as expected, it has accept-router-advertisements=yes, so it should accept RA and get address. But it does not get adress:

/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes forward=yes max-neighbor-entries=8192
[admin@MikroTik] > /ping 2001:db8::1 count=1                                      
  SEQ HOST                                     SIZE TTL TIME  STATUS             
    0                                                         no route to host   
    sent=1 received=0 packet-loss=100%

Next three are with forward=no. This one is ok:

/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes-if-forwarding-disabled forward=no max-neighbor-entries=8192
[admin@MikroTik] > /ping 2001:db8::1 count=1                                      
  SEQ HOST                                     SIZE TTL TIME  STATUS             
    0 2001:db8::1                                56  64 0ms   echo reply         
    sent=1 received=1 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms

This one is ok too:

/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes forward=no max-neighbor-entries=8192
[admin@MikroTik] > /ping 2001:db8::1 count=1     
  SEQ HOST                                     SIZE TTL TIME  STATUS             
    0 2001:db8::1                                56 255 0ms   echo reply         
    sent=1 received=1 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms

But this one again does not work as expected, it has accept-router-advertisements=no, but it does get address:

/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=no forward=no max-neighbor-entries=8192
[admin@MikroTik] > /ping 2001:db8::1 count=1                                    
  SEQ HOST                                     SIZE TTL TIME  STATUS             
    0 2001:db8::1                                56  64 0ms   echo reply         
    sent=1 received=1 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms

troykelly · Sat Dec 17, 2016 3:23 am

TL;DR summary: I can confirm what you see.

Thank-you for that - very thorough.

Are there any ideas for a work-around?

Sob · Sat Dec 17, 2016 3:57 am

I don't think so. Not with RouterOS alone. I don't know what router you use (if you have CHR just for testing or not), but if you were really desperate and your router was able to use MetaRouter, it should be possible to use it (with OpenWRT guest) as an extra virtual router between ISP and your router. But it would be an ugly solution.

Better hope that MikroTik guys undertand what you want. Try to convince them to forget all about your specific setup and just stick with the basic testcase, why combination of accept-router-advertisements=yes and forward=yes does not work as expected.

troykelly · Mon Dec 19, 2016 8:59 am

I don't think so. Not with RouterOS alone. I don't know what router you use (if you have CHR just for testing or not), but if you were really desperate and your router was able to use MetaRouter, it should be possible to use it (with OpenWRT guest) as an extra virtual router between ISP and your router. But it would be an ugly solution.

Cheers Sob.
CHR inside a virtualized environment doesn't support KVM or MetaRouter.
I'm trying to see the impact of a centos box handling the IPv6 next hop (via RA) but that effectively doubles our hosting costs (VPS and Bandwidth/data).
I'd love some community support to try and get MikroTik to at the very least acknowledge the issue and give an indication as to how long it will take to resolve - I can't seem to get a response from them.

troykelly · Tue Dec 20, 2016 12:49 pm

I just need to be able to get the transit router via RA with a static IPv6 address set on ether1 - and to do that I just need this bug fixed.

I need a way to set accept_ra=2 which I assume should be set with accept-router-advertisements=yes

Can somebody shed some light - is it just a shortcoming of RouterOS - or is it a bug?

I assume the accept setting translates as:
accept-router-advertisements=no == accept_ra=0
Do not accept Router Advertisements.

accept-router-advertisements=yes-if-forwarding-disabled == accept_ra=1
Accept Router Advertisements if forwarding is disabled.

accept-router-advertisements=yes == accept_ra=2
Overrule forwarding behaviour. Accept Router Advertisements even if forwarding is enabled.

The kernel supports it, and it's fairly standard practice especially in the VPS space to advertise a router, and use static IP's. From Janis' previous responses it seems to be Mikrotik's position that RA and forwarding are mutually exclusive - this is contrary to the RFC (and to standard practice from what I have seen / used).

Sob · Tue Dec 20, 2016 3:16 pm

I guess there was a little misunderstanding. Usually RA is associated with SLAAC and it gives you only one address and definitely no subnet to use for routing. Maybe support was mistakenly too quick to think that you're another user who doesn't understand things (I'm sure they get many of those). But you can have your subnet for routing from elsewhere (static) and ISP's router can have route to you like this:

/ipv6 route
add dst-address=<your subnet> gateway=fe80::<your address>%<interface>

And then your requirement to get default route from RA makes sense. Now just to find some gentle but effective way how to explain it to support...

Sob · Wed Dec 21, 2016 8:38 pm

Version 6.38rc52 has been released.
Changes since previous version:
...
*) ipv6 - fixed "accept-router-advertisements" behaviour;

And you thought they didn't listen to you!

troykelly · Wed Dec 21, 2016 11:33 pm

And you thought they didn't listen to you!

I need to find a hat to eat. I didn't think it would ever get resolved.

I'm very glad the bug was recognized and resolved - thank-you Sob & whomever at MikroTik that secretly fixed it.

Bug Report - IPv6 accept-router-advertisements - 6.38 + 6.37

Bug Report - IPv6 accept-router-advertisements - 6.38 + 6.37

Re: Bug Report - IPv6 accept-router-advertisements - 6.38 + 6.37

Re: Bug Report - IPv6 accept-router-advertisements - 6.38 + 6.37

Re: Bug Report - IPv6 accept-router-advertisements - 6.38 + 6.37

Re: Bug Report - IPv6 accept-router-advertisements - 6.38 + 6.37

Re: Bug Report - IPv6 accept-router-advertisements - 6.38 + 6.37

Re: Bug Report - IPv6 accept-router-advertisements - 6.38 + 6.37

Re: Bug Report - IPv6 accept-router-advertisements - 6.38 + 6.37

Re: Bug Report - IPv6 accept-router-advertisements - 6.38 + 6.37

Re: Bug Report - IPv6 accept-router-advertisements - 6.38 + 6.37

Who is online