Unwanted IPv6

Posted: Sat Jul 15, 2017 1:37 pm
by mrzipf2
Hi folks

We noticed our router seems to be forwarding IPv6 over our PPPoE connection to the outside world. This was a bit surprising as we had not enabled IPv6 nor installed the module. We installed the module and disabled everything and attempted to block it in the firewall and still we seem to have IPv6 working from hosts on the network.

Code:

> nslookup youtube.com
Server: indnsc90.ukcore.bt.net
Address: 213.120.234.10

Non-authoritative answer:
Name: youtube.com
Addresses: 2a00:1450:4009:80a::200e
216.58.213.110

Code:

> ping -t 2a00:1450:4009:80f::200e

Pinging 2a00:1450:4009:80f::200e with 32 bytes of data:
Reply from 2a00:1450:4009:80f::200e: time=315ms
Reply from 2a00:1450:4009:80f::200e: time=332ms
Reply from 2a00:1450:4009:80f::200e: time=386ms
Reply from 2a00:1450:4009:80f::200e: time=12ms
Reply from 2a00:1450:4009:80f::200e: time=339ms
Reply from 2a00:1450:4009:80f::200e: time=60ms
Reply from 2a00:1450:4009:80f::200e: time=334ms

Ping statistics for 2a00:1450:4009:80f::200e:
Packets: Sent = 7, Received = 7, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 12ms, Maximum = 386ms, Average = 254ms

Having installed the IPv6 module, we've set it up to try to disable this traffic:

Code:

> ipv6 export
# jul/15/2017 11:31:26 by RouterOS 6.39.2
# software id = 597B-RF8Z
#
/ipv6 firewall filter
add action=drop chain=input
add action=drop chain=forward
add action=drop chain=forward
add action=drop chain=input in-interface=pppoe-infinity
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no forward=no

The lengthy delay and variation in RTTs make sites reporting IPv6 painful to use. We can manually disable IPv6 on some devices on the network, but not all.

Is there anything we can do differently in the config to address this?

Thanks in advance

Re: Unwanted IPv6

Posted: Sat Jul 15, 2017 1:48 pm
by mrzipf2
I thought that this might be a weird tunneling interaction, but if I capture the traffic with a port mirroring switch I see native IPv6 traffic on the wire in Wireshark looking at the mirrored port, e.g.

Code:

167 8.371006 2a00:23c4:7329:f400:24a3:77:a96c:d0d6 2a00:1450:4009:80f::200e ICMPv6 94 Echo (ping) request id=0x0001, seq=136, hop limit=128 (no response found!)
168 8.678449 2a00:1450:4009:80f::200e 2a00:23c4:7329:f400:24a3:77:a96c:d0d6 ICMPv6 94 Echo (ping) reply id=0x0001, seq=136, hop limit=54 (request in 167)

Help appreciated in how to disable this at the router level. Thanks!

Re: Unwanted IPv6

Posted: Sat Jul 15, 2017 6:09 pm
by Sob
There must be something else you're not telling us, because your rules say very clearly that there will be no IPv6 traffic passing through this router. Are you sure you see this traffic on the router's PPPoE interface? Can't there be some other router connected to the same network (check the default gateway at clients)?

Re: Unwanted IPv6

Posted: Sat Jul 15, 2017 7:54 pm
by mrzipf2
Looking a bit closer, it looks like there is a device on the network that will unexpectedly tunnel IPv6.

The network is configured as 10.0.0.0/24. But there's a device with a SAGEM OUI MAC address that ARPs for a 192.168.1.0/24 address. The MAC address of this device is in the IPv6 packets. So presumably this device is tunneling / routing the IPv6. I have no idea what it is. It doesn't have a DHCP lease, nor does its MAC address appear in the router's list of ARP addresses.

The client machine which is sending the IPv6 packets has two NICs - one that binds to the network via a switch and a second that is unbound but collects mirror traffic from the switch. The same behaviour occurs if the client machine is connected directly to one of the router's bridge interfaces. Just need to find the mystery device now and figure out how that communicates with the outside world.

Re: Unwanted IPv6

Posted: Sat Jul 15, 2017 7:55 pm
by mrzipf2
The image URL is a filtered snapshot from Wireshark:
https://pasteboard.co/GB4H7n5.png

Re: Unwanted IPv6

Posted: Sun Jul 16, 2017 10:04 am
by mrzipf2
GOT HOMEPLUG? ALWAYS, ALWAYS CHANGE YOUR HOMEPLUG NETWORK NAME!

<tl;dr>
Sorry folks, this is nothing to do with any Mikrotik gear.

It appears to stem from the use of HomePlugAV in the house to extend Ethernet into other rooms. Changing the HomePlug network name appears to have removed this issue. I was under the misunderstanding that when the devices paired they produced a shared DES key. That can't be the case. These are also detached houses and some docs suggest this isn't possible. However, after changing the network name there are no IPv6 router advertisements from the unknown device with a Sagem OUI MAC address.

If I think hard about odd behaviors I may have been able to see 2 different neighbours' routers at different times. There is the SAGEM OUI MAC address that we've seen IPv6 router advertisements from and I recall seeing a BSkyB OUI MAC address with a spanning tree Ethernet frame and I'd guess that is a neighbour's Sky router.

The HomePlug management software has never shown any unknown HomePlug adapters. I had been meaning to replace HomePlug anyway as it is slower internally than the incoming internet connection. There is 50 yards of cat6 set aside for the job, but we are in the process of moving house so that is on hold.
</tl;dr>

Re: Unwanted IPv6

Posted: Sun Jul 16, 2017 11:22 am
by mrzipf2
We were feeding the neighbours' cats today so I took a look at their networking setup:

1) Their ISP-provided router has the MAC address of the router advertising IPv6. The ISP says they do not support IPv6 for consumers.

2) The neighbour has Trendnet AV Homeplug adapters, we have TP-Link.

The hole seems to relate to broadcast packets - I've found a total of 3 routers in historic packet traces (BT, BSkyB, and unknown device with AzureWave OUI).

Re: Unwanted IPv6

Posted: Sun Jul 16, 2017 9:17 pm
by idlemind
Good tip! So your electrical service must be shared or at least behind a common transformer. This would allow these Ethernet over electrical devices to see each other. Like you said, if they are both set to a common network name then they try to link the networks like you'd expect. This totally explains why you were seeing traffic you weren't expecting.

Good find! Great tip for the community, I know I've used Ethernet over electrical adapters as a stop gap before.

Re: Unwanted IPv6

Posted: Sun Jul 23, 2017 12:52 pm
by mrzipf2
Yes, the homes affected are quite close to a common transformer. The HomePlug AV generation adapters advertise 300m reach and I'd estimate that there's less than 30m of cabling from either home to the transformer. I thought it was quite interesting tracking this issue down so have written it up publicly. There's a photo in part ii of the homes and the transformer.

https://specklepattern.wordpress.com/20 ... rk-part-i/
https://specklepattern.wordpress.com/20 ... k-part-ii/

I've been thinking about how to avoid this kind of snafu beyond just changing the HomePlug network name. For instance, if the HomePlug adapters were attached to routed interfaces rather than bridged, we could drop and log packets from other private IPv4 network ranges. We could even encrypt the traffic on those interfaces internally using PPPoE tunnels. No need for anything faster than 80Mbps.
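
Added example, not part of the original posts: a sketch of the checks that exposed the stray device earlier in the thread (an ARP sender outside 10.0.0.0/24, a MAC with no DHCP lease, a router advertisement nobody asked for) and of the "log packets from other private ranges" idea above. The sample frames, MAC addresses, inventory sets and the function name are constructed for illustration.

```python
import ipaddress

# Constructed observations: (frame kind, source MAC, source IP). The MACs are
# locally administered placeholders, not real vendor OUIs.
FRAMES = [
    ("arp", "02:00:00:aa:00:01", "10.0.0.1"),         # our router
    ("arp", "02:00:00:aa:00:17", "10.0.0.23"),        # client with a lease
    ("arp", "02:00:00:bb:00:01", "192.168.1.254"),    # ARP from another LAN
    ("ra",  "02:00:00:bb:00:01", "fe80::ff:fe00:1"),  # RA from the same MAC
    ("arp", "02:00:00:cc:00:09", "10.0.0.77"),        # in subnet, no lease
]
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")
KNOWN_MACS = {"02:00:00:aa:00:01", "02:00:00:aa:00:17"}  # leases + static
TRUSTED_RA_MACS = set()  # IPv6 is unused on this LAN, so no RA is expected


def find_foreign_hosts(frames, local_net, known_macs, trusted_ra_macs):
    """Return {mac: sorted reasons} for sources that do not belong here."""
    findings = {}
    for kind, mac, src in frames:
        mac = mac.lower()
        addr = ipaddress.ip_address(src)
        reasons = findings.setdefault(mac, set())
        if mac not in known_macs:
            reasons.add("mac-not-in-inventory")
        if kind == "arp" and addr.version == 4 and addr not in local_net:
            reasons.add("arp-from-foreign-subnet")
        if kind == "ra" and mac not in trusted_ra_macs:
            reasons.add("unexpected-router-advertisement")
    return {m: sorted(r) for m, r in findings.items() if r}


if __name__ == "__main__":
    hits = find_foreign_hosts(FRAMES, LOCAL_NET, KNOWN_MACS, TRUSTED_RA_MACS)
    for mac, reasons in hits.items():
        print(mac, ", ".join(reasons))
```

The three reasons are independent on purpose: a bridged neighbour device can sit inside the local subnet, so the inventory check catches what the subnet check misses.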

Re: Unwanted IPv6

Posted: Sun Jul 23, 2017 4:47 pm
by Sob
I don't have any experience with these devices, but if the whole security depends just on "network name", that's really bad. Unless it's clearly written somewhere that "network name" is supposed to be "long and secret password". Let's hope that it at least stays in the device and isn't broadcast to everything connected. :)