si458
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Jun 22, 2012 7:51 pm

single ipv6 /64 range

Mon Oct 12, 2020 7:50 pm

Hi all

I’m asking this because I’m bashing my head against the wall, I’m outta ideas and I’m probably just being thick!

I have a single ipv6 /64 range given to me by my isp

I have setup the DHCP-client with no issues and it retrieves the prefix no problem and assigns the pool correctly

I can assign the ip prefix to my wan interface using the ::1/64 and the pool name and it gets the first available ip

I am also able to ping it remotely on the web
And also ping other ipv6 ips like cloudflare or google no problem

The issue I’m having is

if I swap the wan interface to my lan interface,
My internal lan computers get their ipv6 addresses from within my range no problem
But none of them have internet access? And they aren’t able to ping any ipv6 addresses?
They can ping internally in their /64 range like the internal router ip no problem

What am I doing wrong?

From what I’ve read, the wan interface doesn’t need an ipv6 address only the internal as the /64 range is routed to myself but I could be mistaken?

I have the ipv6 address set as advertised otherwise the int comps wouldn’t be able to get their ipv6 addresses

I have also played around with the router advertisements setting that to yes instead of no but that makes no difference either?

Any help would be amazing!

Regards

Simon
Last edited by si458 on Mon Oct 12, 2020 8:00 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: single ipv6 /64 range

Mon Oct 12, 2020 7:57 pm

There's nothing obviously wrong in your description, but perhaps there could be something wrong in your config. If I was you, I'd try to export it and show it to someone.
 
si458
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Jun 22, 2012 7:51 pm

Re: single ipv6 /64 range

Mon Oct 12, 2020 8:04 pm

> There's nothing obviously wrong in your description, but perhaps there could be something wrong in your config. If I was you, I'd try to export it and show it to someone.

What config should I export? I’m guessing all the /ipv6 stuff ?

EDIT:
/ipv6 address
add address=::1 from-pool=isp interface=ether2-168
add address=::1 advertise=no disabled=yes from-pool=isp interface=ether1-wan
/ipv6 dhcp-client
add add-default-route=yes interface=ether1-wan pool-name=isp request=prefix
/ipv6 nd prefix default
set preferred-lifetime=1m valid-lifetime=1h
/ipv6 settings
set accept-router-advertisements=yes
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: single ipv6 /64 range

Mon Oct 12, 2020 10:14 pm

It looks very similar to viewtopic.php?f=13&t=167414

So as in that other thread:

- try if disabling accept-router-advertisements breaks previously working connectivity from router
- if it does, turn it back on and try another ping/traceroute with manually specified source address
- try to ping assigned address from internet and see if it works
 
si458
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Jun 22, 2012 7:51 pm

Re: single ipv6 /64 range

Tue Oct 13, 2020 11:43 am

Hi,

thanks for the suggestion

I've tried disabling accept-router-advertisements and that made no difference

I've tried a static ipv6 on the wan and that pings anything externally fine but also external things can ping it
BUT add the same static ipv6 to the lan instead of wan and that doesn't ping anything externally and external things can't ping it.

I've also tried setting a static ipv6 on the lan and a static ipv6 on my computer and they can both ping each other no problem,
but again the computer can't ping anything externally and same for router,

the only ping option that works is the wan having an ipv6 on it
but again, I can't set both the wan and lan an ipv6 address in the same /64 range?

it just seems as if the router isn't forwarding the traffic?

Regards

Simon
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: single ipv6 /64 range

Tue Oct 13, 2020 12:04 pm

> I have a single ipv6 /64 range given to me by my isp

That is normally where the problems start. Did you try to ask them why they aren't a bit more reasonable?
I mean, I get a /48 and I don't think that is warranted, but a /56 or at least a /60 should solve many customers' problems...
 
si458
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Jun 22, 2012 7:51 pm

Re: single ipv6 /64 range

Tue Oct 13, 2020 12:10 pm

>> I have a single ipv6 /64 range given to me by my isp
> That is normally where the problems start. Did you try to ask them why they aren't a bit more reasonable?
> I mean, I get a /48 and I don't think that is warranted, but a /56 or at least a /60 should solve many customers' problems...

to be honest, the isp has just got IPV6 and
we have just decided to start playing with it so we don't really understand it much as it's all new

what's the smallest range we can offer to customers then?
in theory it's a single /64 range but as explained that's not working,
so do we need to offer 2 /64 ranges? one for the wan and one for lan?
or a /63 ( 2 x /64 range)?
 
mkx
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: single ipv6 /64 range

Tue Oct 13, 2020 12:52 pm

> what's the smallest range we can offer to customers then?

IMHO /60 is reasonable, especially so if one of /64 is needed for WAN address which then leaves a few /64 for their LAN use (allowing them to run 3 subnets). As @pe1chl mentioned, /56 is not unheard of, I'm getting /56 which is entirely for me - ISP is using PPPoE where link-local address on pppoe interface is enough. I guess similar effect would be to offer (and request from CPE side) both IPv6 address and a /60 prefix in which case the address (outside the offered prefix) is used for WAN interface of router and prefix is available to users.
 
biomesh
Long time Member
Posts: 574
Joined: Fri Feb 10, 2012 8:25 pm

Re: single ipv6 /64 range

Tue Oct 13, 2020 1:51 pm

Comcast rolled out ipv6 to end users many years ago. They provide an address for the wan interface and a prefix. The default prefix size is a /64 since most users don't have multiple subnets or complicated networks. Comcast also offers a /60 for those who need it by use of a prefix hint. This is a good way to limit default allocation, but allow for expansion.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: single ipv6 /64 range

Tue Oct 13, 2020 4:44 pm

Keep it simple. If you are supposed to get prefix using DHCPv6, then use that, don't experiment too much with static addresses. If it works without accept-router-advertisements when you put prefix on WAN, then disable it (it's default config). Then put the prefix on LAN where it should be. And then it's time to play with packet sniffer. You want to know what happens on WAN interface when you are accessing internet from LAN, and also when you try to access devices in LAN from internet (e.g. using some online ping). I'd start with the latter. You want to see that ISP's router sends those packets to yours.

Edit: And of course it doesn't hurt if even before you start with the above, you make sure that problem is not elsewhere, e.g. if you're not just blocking too much using firewall.

> ... it's all new

It's from 1995. ;)

About prefix size, as a client you can try DHCPv6 client's prefix-hint parameter with values like ::/48, ::/56, ::/60, ...

As for ISPs, original idea was to give /48 to each customer. It's easy to understand for customer, because they have whole fourth block of address for themselves (xxx:xxx:xxxx:XXXX::). ISP should get /32 as starting point, so giving out /48 to everyone is enough for up to 65k customers. And they can get more than /32. But sure, it's overkill for most, so another common choice is /56, which is enough for up to 16M customers. There's no good reason to give less. It's still overkill for most, but it's good for future.

You may think now that one subnet for main LAN, one for guests and perhaps one for IoT things is enough, so even /60 is five times more than you need. And it may be true now, but if future shows that it would be useful to have many more subnets, it will become a bottleneck. In theory, if such need arises, it should be very easy to fix, no problem at all, ISPs will simply start giving out larger prefixes. But can you count on that? Look at them now, how "flexible" they are with even introducing IPv6. Of course the start is much more difficult, but I'm not an optimist, because once they get stuck in their own artificial limitations, changes will be a problem too. And when you're someone designing something new, that so far not yet available or known thing, it would be nice to know that you can do it. Because if half of the world will be stuck on /60 and it won't be enough for it, it will be like inventing some IPv6-only service today - you can try, but it won't catch on, because half of the world can't use it. But maybe it's doomed already when some ISPs are giving single /64, which is not enough today, and they don't think they are doing anything wrong... [/end of unplanned rant]
 
mkx
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: single ipv6 /64 range

Tue Oct 13, 2020 4:59 pm

> [/end of unplanned rant]

Where's the start of it? ;-)
 
si458
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Jun 22, 2012 7:51 pm

Re: single ipv6 /64 range

Tue Oct 13, 2020 5:14 pm

Hi All

thanks for the comments and suggestions!

ok so after playing around with stuff, I've managed to get a bit of the ipv6 working!

no computers behind my router/firewall work but our servers all with external ip addresses work with ipv6! so we have progress!

sorry I forgot to mention this isn't home use HOWEVER it sorta will be in soon hopefully if we can get it working in the datacenter first...

basically we have a class c /24 provided to us for our rack (his gateway 217.xx.xx.1) usable range 217.xx.xx.2-217.xx.xx.254
we have a few mikrotik routers attached on external ips with VM comps internally
the mikrotik routers ask for the prefix from his gateway and it assigns the prefix no problem and then mikrotik handles the ip assignment using EUI64 no problem on the wan ports!

I've also just proven the ipv6 range works with a few windows servers which have external ip addresses assigned to them
for this I picked a random ipv6 address from our range and shoved it into windows with a prefix of 64
and setting the gateway as the ipv6 address that mikrotik is showing as the default gateway (I'm guessing his gateway)
and BOOM works straight away no problem! no issues!

so now it's just trying to get the computers behind the firewall/nat working as that's still having issues
what should the gateway address be for the computers internally? as it appears to be my mikrotik router and not his gateway like the mikrotiks get

also can I assign the same ipv6 range /64 to the lan and wan of the mikrotik device but use the EUI64 to avoid conflict ip addresses?

or do I need to now do something else?

thanks again everyone for help/suggestion
 
sindy
Forum Guru
Posts: 11115
Joined: Mon Dec 04, 2017 9:19 pm

Re: single ipv6 /64 range

Tue Oct 13, 2020 6:31 pm

> also can i assign the same ipv6 range /64 to the lan and wan of the mikrotik device but use the EUI64 to avoid conflict ip addresses?

You cannot, it would be equivalent to assigning the same /24 in IPv4 to both - each side would work on its own but the router would not route between them.

And if you create some terrible "protocol-based VLAN" setup and selectively bridge the WAN interface with the LAN interface only for frames carrying IPv6 packets, the only firewall you'll be able to provide will be /interface bridge filter (which lacks connection tracking, hence is almost unusable for anything but elementary tasks).

You also cannot split the IPv6 /64 into smaller subnets as that would (at least) break the EUI64, you would also be unable to explain to the ISP router that it should send packets for something in its own /64 via a router rather than directly. And there is no NAT on IPv6 at Mikrotik, so even port forwarding cannot save you from the need to get assigned multiple /64s to make things work.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: single ipv6 /64 range

Tue Oct 13, 2020 8:59 pm

I can't say that I understand what exactly you did. It would probably require some diagram showing how everything is connected, plus the working config.
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: single ipv6 /64 range

Tue Oct 13, 2020 9:16 pm

In a colocation rack that I manage there is "a single /64" as well, but the servers are directly on the segment with that /64 (via a switch), not behind a router.
There is a /28 IPv4 network as well and a couple of servers (and a CCR) have addresses from that. There is no IPv6 routing beyond that.

When you have a router between your servers and the offered connection, you have to request at least one other subnet.
It would be sufficient to have a /126 segment (or /120 as is often used) only for the connection between your router and the ISP router, and then your existing /64 can be put on the inside of your router.
The ISP would have to set a route to your /64 via the router address on the /126 subnet.

With this setup, everything works well without requiring tricks. And in fact it is not different from having a /28 subnet routed on IPv4: there too you would have another /30 or /31 subnet for the link between your and their router.
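
The two layouts discussed above (the same /64 on WAN and LAN, versus a small link subnet on the WAN with the /64 routed to the inside), checked in an added example that is not part of the thread. The function names, the `ether2-lan` interface name and the prefixes (taken from the 2001:db8::/32 documentation range) are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations, islice

def carve_lans(delegated, count):
    """Split a delegated prefix into `count` /64 subnets, one per routed interface."""
    pool = ipaddress.ip_network(delegated)
    available = 2 ** (64 - pool.prefixlen) if pool.prefixlen <= 64 else 0
    if count > available:
        raise ValueError(f"{pool} holds {available} /64 subnet(s), {count} requested")
    return list(islice(pool.subnets(new_prefix=64), count))

def check_plan(plan):
    """plan: list of (interface, on-link prefix, uses_slaac). Returns problem strings."""
    nets = [(iface, ipaddress.ip_network(prefix), slaac) for iface, prefix, slaac in plan]
    problems = []
    for iface, net, slaac in nets:
        # SLAAC/EUI-64 builds a 64-bit interface ID, so the prefix must be exactly /64.
        if slaac and net.prefixlen != 64:
            problems.append(f"{iface}: {net} is not a /64, SLAAC hosts cannot autoconfigure")
    for (a, net_a, _), (b, net_b, _) in combinations(nets, 2):
        # The same range on two interfaces looks directly connected on both sides,
        # so the router never forwards between them.
        if net_a.overlaps(net_b):
            problems.append(f"{a} and {b}: {net_a} overlaps {net_b}, no routing between them")
    return problems

# Constructed plans (documentation prefixes, not the poster's real addresses).
SAME_64_BOTH_SIDES = [("ether1-wan", "2001:db8:0:1::/64", False),
                      ("ether2-lan", "2001:db8:0:1::/64", True)]
SPLIT_64 = [("ether1-wan", "2001:db8:0:1::/65", False),
            ("ether2-lan", "2001:db8:0:1:8000::/65", True)]
LINK_PLUS_ROUTED_64 = [("ether1-wan", "2001:db8:ffff::/126", False),
                       ("ether2-lan", "2001:db8:0:1::/64", True)]

if __name__ == "__main__":
    for name, plan in [("same /64 on both sides", SAME_64_BOTH_SIDES),
                       ("/64 split into two /65", SPLIT_64),
                       ("/126 link + routed /64", LINK_PLUS_ROUTED_64)]:
        print(name, "->", check_plan(plan) or "ok")
    # A /60 delegation leaves room for several routed LANs; a /64 gives exactly one.
    print([str(n) for n in carve_lans("2001:db8:0:10::/60", 3)])
```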
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: single ipv6 /64 range

Tue Oct 13, 2020 10:08 pm

But according to OP, DHCPv6 client receives prefix and when it's assigned on WAN interface, it works, but when on LAN, it doesn't. Nothing against the first part, it should work, even on "wrong" interface, because router got it and upstream router should know where it is. But the expected and most likely scenario should be that it will be behind the router, so that should work too.
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: single ipv6 /64 range

Tue Oct 13, 2020 11:43 pm

Yes when properly configured that should work. But apparently they are beginners and they think that everyone would ask for a prefix via DHCPv6 and then use that directly on their network, just as a DHCPv4 server would be used.
To get a working routed setup you need 2 prefixes. In my case on my home network the link address is assigned using PPPoE (and is a local address) and the prefix on my own networks is assigned using DHCPv6.
But on the colocation server everything is static. There is no DHCPv6 and even no SLAAC. They say they did that because so many systems come with SLAAC running by default these days, and having it on their colocation network would mean that systems would be on the internet unprotected without the admins knowing about it.
 
sindy
Forum Guru
Posts: 11115
Joined: Mon Dec 04, 2017 9:19 pm

Re: single ipv6 /64 range

Tue Oct 13, 2020 11:49 pm

> To get a working routed setup you need 2 prefixes.

Can't the ISP router just use the link-layer address of the OP's WAN (which it has got from the DHCP request for the prefix) as a gateway to the /64 it has assigned to the OP's router? I.e. is the interconnection subnet at the WAN side absolutely necessary?
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: single ipv6 /64 range

Wed Oct 14, 2020 12:35 am

>> To get a working routed setup you need 2 prefixes.
> Can't the ISP router just use the link-layer address of the OP's WAN (which it has got from the DHCP request for the prefix) as a gateway to the /64 it has assigned to the OP's router? I.e. is the interconnection subnet at the WAN side absolutely necessary?

Yes, but the WAN has to have an address first. Of course it can use a local address (FE80::) but the router has to be clever enough to reply with its LAN address as a source address when sending e.g. ICMP packets.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: single ipv6 /64 range

Wed Oct 14, 2020 3:00 am

@sindy: DHCPv6 server in RouterOS does that, when it gives prefix to client, it adds route to it with gateway=<client's LL address>%<interface>. I've never used other DHCPv6 servers for PD, but I assume it's standard behaviour.
 
si458
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Jun 22, 2012 7:51 pm

Re: single ipv6 /64 range

Wed Oct 14, 2020 12:06 pm

Hi All

thanks again for all your input, and sorry again for maybe opening a can of worms by accident...

all our servers with external ip addresses now have ipv6 within the single /64 range!
ok sadly they are all static as to do BUT better than nothing
and also to do it via dhcp(SLAAC) I would need the isp to assign the /64 to our interface with our .1 gateway ip and set as advertise (waiting on his reply)

as for the internal computers, they still don't have ipv6 but again waiting on ISP reply to see if he can maybe assign me a /60 range instead as I would say we have about 3 firewalls in the class c

still trying to get the internals working with the single /64 but no luck,
and wireshark is no help as I'm not sure how to do it with mikrotik
and I wouldn't know where to start looking at why it isn't working

Simon
 
tdw
Forum Guru
Posts: 2032
Joined: Sat May 05, 2018 11:55 am

Re: single ipv6 /64 range

Wed Oct 14, 2020 3:51 pm

I've found https://www.ripe.net/publications/docs/ripe-690 covers the pros and cons of various WAN link addressing methods and prefix size suggestions, pity not all ISPs follow it.

You can use the Mikrotik packet sniffer to capture traffic and stream it to Wireshark running on a computer which is often easier than using the somewhat limited built-in user interface.
