Trying to get IPV6 working with RouterOS 6.48

danbit · Thu Dec 31, 2020 4:45 am

Hello all.

I have a hEX S running RouterOS 6.48 stable.

My fiber ISP has a modem which can only do Routing (no bridge mode). For IPv4 I added it to a DMZ and all is working fine, however I'm trying to get IPv6 working with it but I'm not able to move past being able to ping external addressed from Mikrotik itself. My computer is being assigned an IPv6 address using ND but I can't ping anything and the traceroute stops at the bridge IP interface.

The ISP assigns to their Fiber Optic Modem a /56 prefix. The router WAN interface has an IP address from a different range which I don't know the subnet.

If I leave the DHCPv6 and SLAAC enabled on the Fiber Optic Modem, I'm assigned an IP address from one of the first /64 subnets my prefix allows. With that I'm able to open external pages without issues.

In my RouterOS config I have the following:

[admin@MikroTik hEX S] > /ipv6 route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
 #      DST-ADDRESS              GATEWAY                  DISTANCE
 0 A S  ::/0                     fe80::1%sfp1                    1
 1 ADC  2804:d4b:820b:6500::/64  bridge                          0

[admin@MikroTik hEX S] > /ipv6 address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
 #    ADDRESS                                     FROM-POOL INTERFACE                                                                                                                 ADVERTISE
 0 DL fe80::ba69:f4ff:fe86:c2d7/64                          bridge                                                                                                                    no
 1 DL fe80::ba69:f4ff:fe86:c2db/64                          sfp1                                                                                                                      no
 2  G 2804:d4b:820b:6500::1/64                              bridge                                                                                                                    yes
 
 [admin@MikroTik hEX S] > /ping 2804:49c:3102:401:ffff:ffff:ffff:36
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 2804:49c:3102:401:ffff:ffff:ffff:36        56  55 71ms  echo reply
    1 2804:49c:3102:401:ffff:ffff:ffff:36        56  55 71ms  echo reply
    2 2804:49c:3102:401:ffff:ffff:ffff:36        56  55 70ms  echo reply
    3 2804:49c:3102:401:ffff:ffff:ffff:36        56  55 70ms  echo reply
    sent=4 received=4 packet-loss=0% min-rtt=70ms avg-rtt=70ms max-rtt=71ms
    
    (Ignore the first three lines, they were from an old config and are disabled)
  [admin@MikroTik hEX S] > /ipv6 firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0 X  chain=forward action=accept protocol=tcp dst-address=2804:14d:1499:409b:728b:cdff:febf:bd/128 in-interface=!bridge dst-port=8080 log=no log-prefix=""

 1 X  chain=forward action=accept protocol=tcp dst-address=2804:14d:1499:409b:728b:cdff:febf:bd/128 in-interface=!bridge dst-port=8081 log=no log-prefix=""

 2 X  chain=forward action=accept protocol=tcp dst-address=2804:14d:1499:409b:728b:cdff:febf:bd/128 in-interface=!bridge dst-port=22 log=no log-prefix=""

 3    chain=forward in-interface=bridge

 4    chain=forward out-interface=bridge

My computer gets an IP address from the subnet configured for the bridge network and while doing a traceroute6 I can see the IP address of the bridge, but nothing else:

traceroute6 2804:49c:3102:401:ffff:ffff:ffff:36
traceroute6 to 2804:49c:3102:401:ffff:ffff:ffff:36 (2804:49c:3102:401:ffff:ffff:ffff:36) from 2804:d4b:820b:6500:98b5:4187:1b9a:cde5, 64 hops max, 12 byte packets
 1  2804:d4b:820b:6500::1  165.475 ms  1.604 ms  1.413 ms
 2  * *c *
 3  * * *

What I'm doing wrong here? I tried to clear my firewall rules and leave just just two forwarding rules, but still I can't access external hosts from my computer while everything works from the router

Thanks!

mducharme · Thu Dec 31, 2020 5:09 am

My fiber ISP has a modem which can only do Routing (no bridge mode).

If they don't do bridge mode, the only way this will work is if their modem acts as a DHCPv6-PD server, and you can request a prefix from it by configuring a DHCPv6-PD client on the MikroTik. Unfortunately, it is most likely that they won't do that (although you can give it a try).

danbit · Thu Dec 31, 2020 5:32 am

My fiber ISP has a modem which can only do Routing (no bridge mode).
If they don't do bridge mode, the only way this will work is if their modem acts as a DHCPv6-PD server, and you can request a prefix from it by configuring a DHCPv6-PD client on the MikroTik. Unfortunately, it is most likely that they won't do that (although you can give it a try).

Hi @mducharme, thanks for the info.

If I enable the the DHCPv6 Client in RouterOS I'm able to get a /64 prefix from the modem. I tried setting other Pool Prefix Lengths like a /60 and a ::/60 prefix hint but I always get a /64 prefix from the modem. Would that still be usable?

Also, would you be able to better explain why from the modem onwards the connection works and from the network clients it does not ?As you could see set statically the route for default gw using the link local fe80::1 which allows the router to go to the public internet.

I'm still investigating on using the provided ISP modem as bridge but seems they disable that with TR-069. I read some other posts of people that were able to bypass that by adding the WAN to the bridge but I was wondering if this is possible only for IPv6 traffic.

Thank you!

mducharme · Thu Dec 31, 2020 5:44 am

If I enable the the DHCPv6 Client in RouterOS I'm able to get a /64 prefix from the modem. I tried setting other Pool Prefix Lengths like a /60 and a ::/60 prefix hint but I always get a /64 prefix from the modem. Would that still be usable?

Yes, if it does that, it will be usable - the only downside is that you will only have one subnet. So if you want to have a guest network or a second network for any other reason, it won't be an option.

Also, would you be able to better explain why from the modem onwards the connection works and from the network clients it does not ?As you could see set statically the route for default gw using the link local fe80::1 which allows the router to go to the public internet.

There is no NAT in IPv6 (or at least it is used much less often), so the computers behind the router need public IPv6 addresses. In this case, those are the computers behind your hEX. Your ISP supplied modem needs to route a subnet behind your hEX in order for the return traffic to work. Otherwise, your computers behind the hEX can send packets to the internet and they will be delivered, but when the destination on the Internet tries to send the response, it will get to the ISP modem/router, which has no idea that you have the hEX behind that. It therefore won't forward the reply packet to the hEX.

If the hEX requests a prefix via DHCPv6-PD from the modem, the modem should add a static route for that prefix with the IP of your hEX as the next hop. As long as any clients on the LAN side of the hEX are requesting addresses within this prefix, the reply packets for requests by those hosts should be delivered back to the hEX due to the static route that is automatically added to the ISP modem when your hEX requests a prefix from it. Once the packet makes it to the hEX itself, the hEX knows that the clients are connected directly to the LAN bridge and sends the packet out that interface.

danbit · Thu Dec 31, 2020 6:14 am

Hi.

Thanks again for the info!

If the prefix provided using DHCPv6 Client is still useful, how can I use it to advertise addresses to the hosts behind my hEX? I'm ok with having only one subnet for now.

I tried to use the DHCPv6 Client to request a Prefix and used this prefix to advertise IP addresses on my bridge interface. My bridge interface is ::1/64 from the pool. My hosts can get an IP address using this prefix pool but still the outcome is the same as before.

From Host:

$ traceroute6 google.com
traceroute6 to google.com (2800:3f0:4004:807::200e) from 2804:d4b:820b:6500:124:b82:10e0:6156, 64 hops max, 12 byte packets
 1  2804:d4b:820b:6500::1  0.745 ms  0.483 ms  0.480 ms
* * *

From hEX

[admin@MikroTik hEX S] > /tool traceroute 2800:3f0:4004:807::200e
 # ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST STD-DEV STATUS
 1 2804:d4b:c41:28a::1                0%    5   0.5ms     0.6     0.5     0.8     0.1
 2 2804:d40:5:c000::1                 0%    5   2.7ms     2.8     2.6       3     0.1
 3                                  100%    5 timeout
 4 2001:4860:1:1:0:1e3a:0:2a          0%    4  72.7ms    73.5    72.7    74.7     0.8
 5 2001:4860:0:11dc::1                0%    4  88.2ms    88.1    87.7    88.2     0.2
 6 2001:4860:0:1::3d7                 0%    4  84.9ms    85.1    84.9    85.6     0.3
 7 2800:3f0:4004:807::200e            0%    4  91.3ms    91.4    91.3    91.6     0.1

I understand about the NAT not being used for IPv6, but I was not fully understanding why the routing is not working, now it makes more sense with you explanation. Thanks!

DarkNate · Thu Dec 31, 2020 1:13 pm

First, what is "Fibre modem"? Check here: https://networkengineering.stackexchang ... 4461#64461

Second, make the WAN interface as null in the ONT/ONU. It will automatically turn into a simple layer 2 forwarding device aka bridge mode. Assuming your ISP isn't MAC binding the WAN interface (DHCP/PPPoE/Static), you can now directly initiate WAN interface from the Tik.

Source: Helped people on PON bridge crappy and vendor locked ONTs/ONUs for a year straight now.

danbit · Thu Dec 31, 2020 8:16 pm

First, what is "Fibre modem"? Check here: https://networkengineering.stackexchang ... 4461#64461

Second, make the WAN interface as null in the ONT/ONU. It will automatically turn into a simple layer 2 forwarding device aka bridge mode. Assuming your ISP isn't MAC binding the WAN interface (DHCP/PPPoE/Static), you can now directly initiate WAN interface from the Tik.

Source: Helped people on PON bridge crappy and vendor locked ONTs/ONUs for a year straight now.

Potato, potahto...

My ISP locks the WAN config of the Modem (ONT) so I can't easily convert into a simple bridge. I know this would be the best scenario but currently this is not possible as the ISP does not allow it for whatever reason...

As mentioned, I'm able to get a prefix from using DHCPv6 Client and assign an IP to the bridge interface. This allows my clients to receive an IP address using SLAAC but I can't get past the hEX in the traceroute but I can ping public resources from hEX and correctly traceroute them. In the traceroute from hEX I can see the IP address assigned to the IPv6 WAN interface.

Thanks!

mducharme · Thu Dec 31, 2020 8:22 pm

As mentioned, I'm able to get a prefix from using DHCPv6 Client and assign an IP to the bridge interface. This allows my clients to receive an IP address using SLAAC but I can't get past the hEX in the traceroute but I can ping public resources from hEX and correctly traceroute them. In the traceroute from hEX I can see the IP address assigned to the IPv6 WAN interface.

This issue leads me to suspect that the ISP's fiber CPE device is giving you a prefix but is not creating a route, which is not correct behaviour. It should automatically be adding a static route on the device itself to go to your hEX when it gives the hEX the prefix lease.

Can you log into the ISP fiber CPE device and view the routing table? (if they provide that level of access to customers)

Trying to get IPV6 working with RouterOS 6.48

Trying to get IPV6 working with RouterOS 6.48

Re: Trying to get IPV6 working with RouterOS 6.48

Re: Trying to get IPV6 working with RouterOS 6.48

Re: Trying to get IPV6 working with RouterOS 6.48

Re: Trying to get IPV6 working with RouterOS 6.48

Re: Trying to get IPV6 working with RouterOS 6.48

Re: Trying to get IPV6 working with RouterOS 6.48

Re: Trying to get IPV6 working with RouterOS 6.48

Who is online