IPv6 taking too long for SLAAC autoconfiguration

jhbarrantes · Mon Mar 04, 2024 1:58 pm

Hi,
I have a pretty standard IPv6 configuration, as detailed below (home, guest and v6only are vlans). Since a couple of updates for stable versions (so not really related to latest 7.14), I'm getting a weird behaviour for clients doing SLAAC address autoconfiguration: it takes a lot of time for clients to negotiate an address. I don't know it that is related to RA's announcements periodicity, but it is specially long (several minutes or even more) when the client was already connected and had an IPv6 address before (example, you turn off wifi and turn it on again). It is not really related with one kind of device, because the same behavior is happening for phones, laptops and even or work stations, and with different OS (linux & mac mainly). Do you know what can be causing this behavior? Duplicate address detection process maybe?

/interface list member
add interface=home list=LAN
add interface=home list=VLANS
add interface=guest list=VLANS
add interface=v6only list=VLANS
add interface=internet list=WAN
/ipv6 address
add from-pool=pool6 interface=v6only
add from-pool=pool6 interface=home
add from-pool=pool6 interface=guest
/ipv6 dhcp-client
add interface=internet pool-name=pool6 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation" dst-port=546 protocol=udp src-address=fe80::/10
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=drop chain=forward comment="guests: can only access internet" in-interface=guest out-interface-list=!WAN
add action=drop chain=forward comment="defconf: drop everything else not coming from VLANs" in-interface-list=!VLANS
/ipv6 nd
add dns=2a00:1098:2c::1,2a01:4f8:c2c:123f::1,2a01:4f9:c010:3f02::1 interface=v6only

Thanks.

jhbarrantes · Mon Mar 04, 2024 3:25 pm

Definitely something with the RA. I torched the interface v6only and the communication get stuck when trying to netogiate an address. As if I edit any parameter under ND (that I guess is re-launching RA process), the address gets allocated blazing fast.

Anyone with something similar in 7.14? I'm running on a RB4011.

Thanks!

jhbarrantes · Mon Mar 04, 2024 5:01 pm

Hi,

I found what is causing the issue, but really don't know why. I recently moved from two bridges configuration (one with IGMP Snooping + multicast, plus another one to vlan filtering) to a single bridge with all, vlan filtering + IGMP Snooping. Is that what is causing the issue, the IGMP Snooping.

It seems enabling permanent multicast router option on IGMP Snooping mitigates the issue.

Anyone knows what could it be the root cause for this?

Thanks!

mkx · Mon Mar 04, 2024 10:22 pm

It's a known fact that sub-standard implementations of IGMP snoopers interfere with IPv6 (ND is multicast) ... also other vendors have (or used to have) such problems.

DarkNate · Tue Mar 05, 2024 9:35 am

You need IGMP Proxy or PIM-SM to run upstream to intelligently populate the multicast-routing table on the “switching” interfaces etc.

It's not just a MikroTik thing, but similarly, same behaviour on other vendors.

jhbarrantes · Tue Mar 05, 2024 10:37 pm

What will it be an example setup with igmp-snooping + igmp-proxy, for this kind of setup? Bridge as upstream and vlans as downstream interfaces.

Thanks!

DarkNate · Wed Mar 06, 2024 8:35 am

IGMP Proxy upstream will be your router's loopback, downstream each layer 3 sub interface VLAN.

jhbarrantes · Wed Mar 06, 2024 10:26 am

Thank you very much indeed @DarkNate, that did the trick. My setup has a particularity, and this was the root cause of the issue. Appart from those set of VLANs, the bridge itself runs another VLAN (not declared in /interface/vlan, as I don't address it) between an eoip tunnel and a port inside the bridge, for populating a network that comes from a different site. As this network has an IGMP Querier, this was causing the bridge to leave multicast groups unnatended (I already checked with support this is an expected behavior). Adding IGMP Proxy with the new loopback interface as upstream, the set of vlans as downstream, plus the bridge itself as an additional downstream interface, did the trick. Now IPv6 run flawlesly while IGMP Proxy keeps track of MDB table. Even the DLNA multicast group, that previously dissapeared and I had to add it manually to MDB table, is now populated and tracked.

Perfect setup now, all in one single bridge and with no issues for multicast traffic. Leave the configuration here, in case someone else need it.

/interface list member
add interface=home list=LAN
add interface=home list=VLANS
add interface=guest list=VLANS
add interface=v6only list=VLANS
add interface=internet list=WAN
/ipv6 address
add from-pool=pool6 interface=v6only
add from-pool=pool6 interface=home
add from-pool=pool6 interface=guest
/ipv6 dhcp-client
add interface=internet pool-name=pool6 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation" dst-port=546 protocol=udp src-address=fe80::/10
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=drop chain=forward comment="guests: can only access internet" in-interface=guest out-interface-list=!WAN
add action=drop chain=forward comment="defconf: drop everything else not coming from VLANs" in-interface-list=!VLANS
/ipv6 nd
add dns=2a00:1098:2c::1,2a01:4f8:c2c:123f::1,2a01:4f9:c010:3f02::1 interface=v6only
/interface bridge
add name=bridge vlan-filtering=yes frame-types=admit-only-vlan-tagged igmp-snooping=yes
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether6
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=77
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=77
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=77
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=22
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=eoip-remote-lan pvid=22
/interface bridge vlan
add bridge=bridge comment=guests tagged=bridge,ether6,ether10 vlan-ids=87
add bridge=bridge comment=lan tagged=bridge,ether6,ether10 vlan-ids=77
add bridge=bridge comment=v6 tagged=bridge,ether10 vlan-ids=99
add bridge=bridge tagged=bridge vlan-ids=22
/routing igmp-proxy interface
add interface=lo upstream=yes
add interface=home
add interface=guest
add interface=v6only
add interface=bridge

Kind regards, and thanks again.

jhbarrantes · Wed Mar 06, 2024 5:42 pm

Ummm… I shot fireworks too early. I must be close as the MDB table is populated and multicast groups are tracked properly, but neighbor discovery for IPv6 is broken, and que only way I have to get this working is by splitting it into different bridges: main for my vlan addressing & IPv6, second one for remote eoip network + IGMP Snooping.

I’ll keep trying…

DarkNate · Thu Mar 07, 2024 5:33 pm

Why do people still mess up bridge config on MikroTik? Post after post, day after day for the last 10 years straight.

Read the official docs, only a single bridge should exist:
https://help.mikrotik.com/docs/display/ ... +switching

viewtopic.php?t=204440#p1058995

jhbarrantes · Fri Mar 08, 2024 9:53 am

I'm not messing up anything mate, my purpose is precisely this, to work with a single bridge. But if I'm messing up my IPv6 setup in the process, I rather go with two bridges to achieve my goal. As I mention, the issue is caused when turning on IGMP Snooping at the bridge, and I need this feature because I'm bringing a remote network using EoIP (full L2) in a particular vlan (eoip-tunnel + ether5 as untagged for vlan 22) that manages multicast.
It happens also that this remote network has an active querier for the multicast traffic, and it seems this is somehow stopping the bridge to do its duty for local multicast on the rest of the vlans. This is not a guess, was confirmed by support:

The current limitation of RouterOS IGMP snooping is that there is no VLAN-aware querier. The bridge itself can only generate untagged VLAN queries and when the bridge detects a remote querier on some VLAN, it stops generating the queries. We are looking forward to adding the VLAN-aware querier, but there is no release date available for that.

Obviously, as the remote network has no visibility of the rest of multicast running on different vlans, cannot really track properly the MDB table. So here I am with only three possible solutions I can imagine:

Add static entries for all multicast groups in MDB table. Really painful.
Play with IGMP Proxy: very promising when you mention, but I cannot make it fully work with this setup, probably because I'm not addressing myself vlan 22, that comes from the other place.
Run these two ports on a separated bridge, and only use IGMP Snooping there: Crappy solution, but it works just fine.

So please, be considered when you point out people are still messing up with bridge config over 10 years, because I did my best for not having to run multiple bridges anywhere. And btw, sometimes, I'm still trying!

Regards!

DarkNate · Fri Mar 08, 2024 10:54 am

Run PIM-SM, problem solved.

I run PIM-SM even for single-VLAN these days.

PIM-SM allows you to intelligently populate the multicast routing table (mcast database on MikroTik bridge), you also end up resolving the issue with BUM traffic on the Ethernet spec.

I posted PIM-SM config on this forum multiple times, you can search my history here and you'll find the config.

Single Bridge, 4000 VLANs or 1 VLAN, simply PIM config, simple MLD/IGMP Snooping on the bridge and any other downstream bridges such as an access switch or Wi-Fi AP (also single bridge).

tx6376 · Fri Mar 08, 2024 12:20 pm

Example.

viewtopic.php?p=1029268#p1022915

jhbarrantes · Fri Mar 08, 2024 1:14 pm

I will give it a try, thanks! However, what is the point of enabling PIM-SM if I then need to add a manual entry to MDB for not breaking SLAAC, which is exactly what is happening and what I'm trying to correct?

Thanks!

jhbarrantes · Fri Mar 08, 2024 2:19 pm

Hi guys!

I ended up with thew following configuration that (finger crossed) seems to be working just fine:

/interface list member
add interface=home list=LAN
add interface=home list=VLANS
add interface=guest list=VLANS
add interface=v6only list=VLANS
add interface=internet list=WAN
/ipv6 address
add from-pool=pool6 interface=v6only
add from-pool=pool6 interface=home
add from-pool=pool6 interface=guest
/ipv6 dhcp-client
add interface=internet pool-name=pool6 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation" dst-port=546 protocol=udp src-address=fe80::/10
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=drop chain=forward comment="guests: can only access internet" in-interface=guest out-interface-list=!WAN
add action=drop chain=forward comment="defconf: drop everything else not coming from VLANs" in-interface-list=!VLANS
/ipv6 nd
add dns=2a00:1098:2c::1,2a01:4f8:c2c:123f::1,2a01:4f9:c010:3f02::1 interface=v6only
/interface bridge
add name=bridge vlan-filtering=yes frame-types=admit-only-vlan-tagged igmp-snooping=yes
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether6
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=77
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=77
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=77
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=22
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=eoip-remote-lan pvid=22
/interface bridge vlan
add bridge=bridge comment=guests tagged=bridge,ether6,ether10 vlan-ids=87
add bridge=bridge comment=lan tagged=bridge,ether6,ether10 vlan-ids=77
add bridge=bridge comment=v6 tagged=bridge,ether10 vlan-ids=99
add bridge=bridge comment=remote-lan tagged=bridge vlan-ids=22
/routing pimsm instance
add afi=ipv4 disabled=no name=ipv4 vrf=main
add afi=ipv6 disabled=no name=ipv6 vrf=main
/routing pimsm interface-template
add disabled=no instance=ipv4 interfaces=home,guest
add disabled=no instance=ipv6 interfaces=home,guest,v6only

From my previous export, just add the PIM-SM, replacing IGMP-Proxy configuration previously setup. I realize the flag "Is multicast router" is now mark as true in the bridge status tab, which is the same config that actually work the other day, when enabling this fixed in the bridge configuration. So it makes sense.

Are you missing anything on the PIM-SM config? VLANs "home" & "guest" are addressed in IPv4 / IPv6, while "v6only" is a vlan that only have IPv6 as its name indicates. I have not included loopback interface to the list of interfaces, shall I?

Thanks!

DarkNate · Fri Mar 08, 2024 3:02 pm

I will give it a try, thanks! However, what is the point of enabling PIM-SM if I then need to add a manual entry to MDB for not breaking SLAAC, which is exactly what is happening and what I'm trying to correct?

Thanks!

Yeah, remove the manual entry. I simply didn't update that post anymore. PIM-SM only will be sufficient with the rest of the config.

jhbarrantes · Fri Mar 08, 2024 5:10 pm

Great, thanks @DarkNate!

IPv6 taking too long for SLAAC autoconfiguration

IPv6 taking too long for SLAAC autoconfiguration

Re: IPv6 taking too long for SLAAC autoconfiguration

Re: IPv6 taking too long for SLAAC autoconfiguration

Re: IPv6 taking too long for SLAAC autoconfiguration

Re: IPv6 taking too long for SLAAC autoconfiguration

Re: IPv6 taking too long for SLAAC autoconfiguration

Re: IPv6 taking too long for SLAAC autoconfiguration

Re: IPv6 taking too long for SLAAC autoconfiguration

Re: IPv6 taking too long for SLAAC autoconfiguration

Re: IPv6 taking too long for SLAAC autoconfiguration

Re: IPv6 taking too long for SLAAC autoconfiguration

Re: IPv6 taking too long for SLAAC autoconfiguration

Re: IPv6 taking too long for SLAAC autoconfiguration

Re: IPv6 taking too long for SLAAC autoconfiguration

Re: IPv6 taking too long for SLAAC autoconfiguration

Re: IPv6 taking too long for SLAAC autoconfiguration

Re: IPv6 taking too long for SLAAC autoconfiguration

Who is online