HughPH
newbie
Topic Author
Posts: 45
Joined: Sat Feb 13, 2016 2:55 am

IPv6 Neighbour discovered but MAC is 00:00:00:00:00:00

Mon May 20, 2019 11:27 pm

Hi, RouterOS people. I would be very grateful for your thoughts on this.

No neighbours are discovered, but if I ping something from my laptop, it appears in the Neighbours list with a zero'd out MAC address and the laptop can't get any replies.

I CAN traceroute and ping 2000::/3 addresses from my Mikrotik router.

Physical configuration:

[ISP Modem/Router] <-> [RB2011] <-> [Ubuntu]

Logical configuration:

[ISP Modem/Router] <-> ether10
-----------------------------------------
bridge <-> [LAN] <-> [Ubuntu]

The split is very deliberate and important to me. Let's just say it's to cover a bad security experience that led me to use RouterOS in the first place several years ago. I don't want the ISP's router on my LAN bridge. (There are no VLANs or separation rules set up, ether10 is just removed from the bridge and lives in its own /30 subnet.)

I feel like I need to do something to help traffic traverse from bridge to ether10. It's easy on IPv4, I just add a default route with the ISP router's IP address and packets go to the right place. But with IPv6 the best I can do is add a route for 2000::/3 via ether10 and that's just not doing it for me. I can ping (from Ubuntu) the RB2011's bridge link local address, but not the ether10 link local address, even if I add a route to it via ether10.

The ISP Modem/Router is also IPv6 aware, it is sending out RAs (Ubuntu shows "ra" against route entries for the router's /64), but it's very locked down and I have limited information about it. I know I have a /56 delegated prefix, and what that prefix is. Ubuntu has chosen an IPv6 address for itself, automagically, but it just can't get out. Traceroute from Ubuntu just farts at the first hop.

As for configuration... I've removed everything except my IPv6 ICMP Packet Too Big raw rule. So it's "virgin"(-ish).

I'm open to configuration suggestions, so long as a hypothetical person with a hypothetical back door for "customer service" purposes cannot enumerate the devices on my LAN. So ideally, IPv6 autoconfiguration, no DHCP at all.

This has come about now because I've switched from an ISP offering PPPoE without IPv6 (+ my own HE tunnel) to an ISP offering IPv4 connectivity via some bizarre DHCP thing that I can get an address from, but which drops all TCP traffic after 12 hours or so, and IPv6 that I couldn't get working natively - and thus the need for their own "special" modem in between me and my copper pair. I have had the HE tunnel and a VPN working without the router, but VPNs can be randomly slow and services like Netflix, iPlayer, etc get pissy about them, so not ideal for 100% of my TCP traffic.
 
mkx
Forum Guru
Posts: 13062
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPv6 Neighbour discovered but MAC is 00:00:00:00:00:00

Tue May 21, 2019 11:44 am

The way I have my RB set up for IPv6 is probably not directly applicable to you, but I'll describe it anyway.
  1. I have DHCPv6 client running on my WAN interface (which is PPPoE but the same might apply to IPoE nevertheless):
    /ipv6 dhcp-client
    add add-default-route=yes interface=pppoe-out1 pool-name=pool-ipv6 pool-prefix-length=56 request=prefix
    
    The above takes care of routing (it adds a route with dst-address ::/0 and gateway set to interface pppoe-out1, this interface has only link-local IPv6 address), in your case it should take care about both WAN address and default IPv6 route using correct ISP's gateway. If WAN address turns out to belong to your /56 prefix, be sure to avoid same /64 subnet when deciding on subnet addresses for your LAN segments.

    If using DHCPv6 client to fetch the prefix doesn't work and your ISP is assigning you a static IPv6 prefix (and you're 1e+008 % sure it won't change in next 42 years), you can construct a static IPv6 address pool for use in next steps.
  2. I'm setting IPv6 address to any LAN interface where I want to enable IPv6.

    The way how it actually works:
    /ipv6 address
    add address=aaaa:bbbb:cccc:dddd:eeee:ffff:gggg:hhhh/64 interface=<lan interface>
    
    where the address should be valid address within the prefix you're receiving from your ISP (check it using /ipv6 pool print). The dddd is a combination of least significant octets from delegated prefix and most significant octet of your choice (by receiving /56 prefix, you have choice of 256 /64 subnets less one for router's WAN address if that's how it's configured).

    In theory it should be more portable (in case if prefix changes) to set it this way:
    /ipv6 address
    add address=::xx:eeee:ffff:gggg:hhhh/64 interface=<lan interface> from-pool=pool-ipv6
    
    but it won't work. The bug prevents from setting the "xx" part in relative address because logic that combines prefix from pool with suffix from address assignment command incorrectly assumes that "xx" actually means "00xx" and that admin actually wanted to clear some bits which are part of prefix (and thus immutable). I've reported that bug to MT support a few months ago, but it's not fixed yet (I guess it might be fixed when IPv6 gets more attention).
  3. check that RA is enabled (/ipv6 nd print) ... I think that it's enabled by default, meaning that hosts in LAN should be able to auto configure their IPv6 addresses from correct /64 subnet. The auto configuration doesn't happen instantly, you'll have to wait up to ra-interval time ...
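
Added example, not part of the post above and not MikroTik code: a Python sketch of the address arithmetic described in points 1 and 2, combining a delegated prefix, a subnet id and an interface suffix into a LAN /64 address while refusing to touch prefix bits, and listing the subnet ids left once the /64 holding the WAN address is excluded. The function names are hypothetical and the addresses are constructed from the 2001:db8::/32 documentation range.

```python
import ipaddress

def lan_address(delegated, subnet_id, suffix="::1"):
    """Build the /64 interface address: delegated prefix | subnet id | suffix."""
    pool = ipaddress.IPv6Network(delegated)      # strict: rejects set host bits
    if pool.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    subnet_bits = 64 - pool.prefixlen            # 8 bits for a /56
    if not 0 <= subnet_id < (1 << subnet_bits):
        # Refuse instead of silently touching bits that belong to the prefix.
        raise ValueError(f"subnet id must fit in {subnet_bits} bits")
    iid = int(ipaddress.IPv6Address(suffix))
    if iid >> 64:
        raise ValueError("suffix must only use the low 64 bits")
    value = int(pool.network_address) | (subnet_id << 64) | iid
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(value)}/64")

def usable_subnet_ids(delegated, wan_address=None):
    """Subnet ids inside the pool, minus the /64 that holds the WAN address."""
    pool = ipaddress.IPv6Network(delegated)
    ids = list(range(1 << (64 - pool.prefixlen)))
    if wan_address is not None:
        wan = ipaddress.IPv6Address(wan_address)
        if wan in pool:
            # Bits 64 and up of the WAN address, masked to the subnet-id width.
            ids.remove((int(wan) >> 64) & (len(ids) - 1))
    return ids

if __name__ == "__main__":
    POOL = "2001:db8:1234:ab00::/56"   # constructed sample delegated prefix
    WAN = "2001:db8:1234:ab00::2"      # constructed sample WAN address
    print(lan_address(POOL, 0x10))
    print(len(usable_subnet_ids(POOL, WAN)), "subnets free for LAN segments")
```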
 
HughPH
newbie
Topic Author
Posts: 45
Joined: Sat Feb 13, 2016 2:55 am

Re: IPv6 Neighbour discovered but MAC is 00:00:00:00:00:00

Tue May 21, 2019 8:52 pm

Many thanks Metod

This is about what I'd expect to be true. I have a question firstly about the DHCP client: Is the pool name my local name to which I will refer to the /64 prefix? Or is it something that's known to the DHCP server, and which I would need to find out to correctly configure DHCP client?

Unfortunately my understanding is that the /56 is dynamically allocated, and so it can change "from time to time".

Assuming that the answer to the top question is that it's my local pool name, I'll try re-enabling the DHCPv6 server on the ISP router and see what happens.

Cheers
 
mkx
Forum Guru
Posts: 13062
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPv6 Neighbour discovered but MAC is 00:00:00:00:00:00

Tue May 21, 2019 9:12 pm

Yup, the pool name is local setting, no business of ISP.

The "non-working" variant in point 2 ... you can probably use it, but don't set the "xx" part of address postfix ... this way you'll be able to properly use one /64 subnet (where "xx" equals "00") in a dynamic way ... hopefully router's WAN address won't come from that subnet.
 
HughPH
newbie
Topic Author
Posts: 45
Joined: Sat Feb 13, 2016 2:55 am

Re: IPv6 Neighbour discovered but MAC is 00:00:00:00:00:00

Wed May 22, 2019 1:40 am

I had tried all of the above except for the DHCPv6 client being set up to get a prefix. None of it worked, even that. In the end I've just given the modem a 172.16 address and added the port back to the bridge with rules that drop any input or forward for connections that are !(new | established)

The modem can see IPv6 neighbours addresses, but doesn't appear to have any further information (e.g. hostname) so I'm cool with that.