Framed-IPv6-Prefix

liteforce · Fri Dec 23, 2011 2:12 am

Hi folks,

We are having mega fun trying to get RouterOS/PPC 5.11 to do anything with a statically-configured Framed-IPv6-Prefix: attribute.

Just in case it makes any difference, this is L2TP/PPP rather than PPPoE/PPP but the basic concepts are the same.

This is the base PPP profile:

/ppp profile
set default change-tcp-mss=yes name=default only-one=default remote-ipv6-prefix-pool=none \
    use-compression=default use-encryption=default use-ipv6=yes use-mpls=default \
    use-vj-compression=default
add change-tcp-mss=yes dhcpv6-pd-pool=adsl-dhcpv6-test dns-server=192.0.2.1,192.0.2.2 \
    local-address=192.0.2.254 name=default-l2tp only-one=default remote-ipv6-prefix-pool=\
    adsl-prefix-test use-compression=no use-encryption=no use-ipv6=yes use-mpls=no \
    use-vj-compression=no
set default-encryption change-tcp-mss=yes name=default-encryption only-one=default \
    remote-ipv6-prefix-pool=none use-compression=default use-encryption=yes use-ipv6=yes use-mpls=\
    default use-vj-compression=default
/ppp aaa
set accounting=yes interim-update=1m use-radius=yes

Using the above with a remote-ipv6-prefix-pool: attribute, whenever a user connects and successfully negotiates IPv6CP with our router, they receive a dynamically allocated prefix from that pool and it is routed over that users' PPP interface from our side.

The interesting part is that if we statically set a remote-ipv6-prefix: for a user:

/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=sampleuser@ourrealm.net.uk \
    password=blah profile=default-l2tp remote-address=192.0.2.10 remote-ipv6-prefix=\
    2001:db8:1000:2::/64 routes="" service=l2tp

... it doesn't have any effect whatsoever - they still continue to receive a prefix from the pool.

Now, as we want to statically assign prefixes to users anyway, we remove the pool from the PPP profile and as a result of that, the user now receives no prefix whatsoever.

I have also tested this with FreeRADIUS 2.1.12 (but tried it with local user config in case it was a RADIUS issue on our part) and radcheck/radreply tables are below:

mysql> SELECT * FROM radcheck WHERE username = 'sampleuser@ourrealm.net.uk';
+-----+----------------------------+--------------------+----+----------+
| id  | username                   | attribute          | op | value    |
+-----+----------------------------+--------------------+----+----------+
| 164 | sampleuser@ourrealm.net.uk | Cleartext-Password | := | blah     | 
+-----+----------------------------+--------------------+----+----------+
1 row in set (0.00 sec)

mysql> SELECT * FROM radreply WHERE username = 'sampleuser@ourrealm.net.uk';
+------+----------------------------+------------------------------+----+----------------------+------+
| id   | username                   | attribute                    | op | value                | type |
+------+----------------------------+------------------------------+----+----------------------+------+
| 1986 | sampleuser@ourrealm.net.uk | Mikrotik-Delegated-IPv6-Pool | := | 2001:db8:1002::/48   | l2tp | 
| 1984 | sampleuser@ourrealm.net.uk | Framed-IP-Address            | := | 192.0.2.10           | l2tp | 
| 1988 | sampleuser@ourrealm.net.uk | Framed-IPv6-Prefix           | := | 2001:db8:1000:2::/64 | l2tp | 
+------+----------------------------+------------------------------+----+----------------------+------+
3 rows in set (0.00 sec)

Our RADIUS returns all three attributes and while the Mikrotik-Delegated-IPv6-Pool one is handled properly by RouterOS as in it is visible when doing a '/ipv6 dhcp-server print', the Framed-IPv6-Prefix: attribute is *not* handled even though debug logs from our end show the prefix being returned by our RADIUS and it is a valid prefix (not one which is hex-mangled as mentioned by earlier posters).

The NAS (mpd5 on FreeBSD) which we are currently using handles Framed-IPv6-Prefix attributes from our RADIUS with no problems.

If we are doing something wrong, I am happy to hold my hands up and apologize to the lads in Latvia for complaining unnecessarily but as it stands, I think there is definitely something amiss with Framed-IPv6-Prefix handling in RouterOS 5.x.

I'm happy to send a supout or provide further information where required.

Regards,
Terry Froy
Spilsby Internet Solutions
http://www.spilsby.net/

liteforce · Fri Dec 23, 2011 3:16 am

I have now verified that this exact behaviour is replicated in 5.9 and 5.12rc1 (didn't try 5.10 as this router requires EoIP).

We are leaving this device at 5.12rc1 until we find a good reason to downgrade it back to 5.11.

Regards,
Terry Froy
Spilsby Internet Solutions
http://www.spilsby.net/

janisk · Thu Dec 29, 2011 8:30 am

check in next RouterOS release.

liteforce · Mon Jan 02, 2012 11:11 am

Hi Janis,

Framed-IPv6-Prefix now works fine in 5.12rc1 (Build Timestamp: Dec/29/2011 13:35:29)

Thanks very much for that!

Are there any plans to add support for Framed-IPv6-Route in the near future ?

(route a v6 prefix but *not* advertise to the remote PPP endpoint)

Regards,
Terry Froy
Spilsby Internet Solutions
http://www.spilsby.net/

liteforce · Sat Jan 21, 2012 9:04 pm

Confirmed fixed in 5.12 (as per the changelog).

Regards,
Terry Froy
Spilsby Internet Solutions
http://www.spilsby.net/

janisk · Mon Jan 23, 2012 12:11 pm

thanks for confirming that it is fixed

Jeeves · Wed Feb 15, 2012 2:12 pm

Hmm. I must be doing something wrong then.

My Mikrotik still hands out prefixes of its own pool instead of what Radius tells it. See debuglogging and configuration below. If someone can enlighten me, please do.

Thanks.

Radius reply:

13:08:57 radius,debug,packet received Access-Accept with id 18 from 31.3.104.47:1812 
13:08:57 radius,debug,packet     Signature = 0xb336a4431e29721eb3d6a52530d6fabb 
13:08:57 radius,debug,packet     Service-Type = 2 
13:08:57 radius,debug,packet     Framed-Protocol = 1 
13:08:57 radius,debug,packet     Framed-IP-Address = 192.168.210.192 
13:08:57 radius,debug,packet     Framed-IP-Netmask = 255.255.255.0 
13:08:57 radius,debug,packet     MT-Wireless-PSK = "2a03:7900:201:e00::/56" 
13:08:57 radius,debug,packet     Framed-IPv6-Prefix = 2a03:7900:202::/64

DHCPv6:

13:09:06 dhcp,debug,packet recv <pppoe-tuxis> fe80::dcf6:5009:adfc:cf12 -> ff02::1:2 
13:09:06 dhcp,debug,packet solicit 
13:09:06 dhcp,debug,packet transaction-id: aa93ad 
13:09:06 dhcp,debug,packet  -> clientid:  00030001 586d8f15 547b 
13:09:06 dhcp,debug,packet  -> ia_na:  00000000 00000e10 00001518 
13:09:06 dhcp,debug,packet  -> oro:  00170018 001f 
13:09:06 dhcp,debug,packet  -> elapsed_time: 0 
13:09:06 dhcp,debug,packet  -> ia_pd:  
13:09:06 dhcp,debug,packet    t1: 3600 
13:09:06 dhcp,debug,packet    t2: 5400 
13:09:06 dhcp,debug,packet    id: 0x0 
13:09:06 dhcp,debug processing iapd: 0x0 
13:09:06 dhcp,debug acquired dynamic binding 
13:09:06 dhcp,debug,packet send <pppoe-tuxis> -> fe80::dcf6:5009:adfc:cf12%18 
13:09:06 dhcp,debug,packet advertise 
13:09:06 dhcp,debug,packet transaction-id: aa93ad 
13:09:06 dhcp,debug,packet  -> clientid:  00030001 586d8f15 547b 
13:09:06 dhcp,debug,packet  -> serverid:  00030001 000c4299 113b 
13:09:06 dhcp,debug,packet  -> ia_pd:  
13:09:06 dhcp,debug,packet    t1: 129600 
13:09:06 dhcp,debug,packet    t2: 207360 
13:09:06 dhcp,debug,packet    id: 0x0 
13:09:06 dhcp,debug,packet   -> ia_prefix:  
13:09:06 dhcp,debug,packet     preferred: 233280 
13:09:06 dhcp,debug,packet     valid: 259200 
13:09:06 dhcp,debug,packet     prefix: 2a03:7900:201::/56

So that's odd.

Configuration:

/ppp profile print
1   name="profile1" local-address=192.168.200.1 remote-ipv6-prefix-pool=pool2 dhcpv6-pd-pool=pool1 use-ipv6=yes use-mpls=no use-compression=no use-vj-compression=no use-encryption=no only-one=yes change-tcp-mss=yes

/ipv6 pool print
Flags: D - dynamic 
 #   NAME                                                                                                                     PREFIX                                      PREFIX-LENGTH
 0   pool1                                                                                                                    2a03:7900:201::/48                                     56
 1   pool2                                                                                                                    2a03:7900:202::/48                                     64

Jeeves · Wed Feb 15, 2012 3:46 pm

Ok, so I found out that MT-Delegated-IPv6-Pool shouldn't be a prefix, but a poolname. Correct?

That would be a shame, because you cannot statically define a prefix for a client. But Delegated-IPv6-Prefix isn't supported. Will it be supported?

omidkosari · Sat Mar 31, 2012 4:05 pm

Strange problem in using remote-ipv6-prefix-pool . with the following configs when i connect via VPN connection to router , the ipv6 assignment works fine but when i connect via pppoe connection with same username , it does not have any effect and user does not receive ipv6 prefix . ros v5.14

/ppp profile
add change-tcp-mss=no dns-server=208.67.222.222 local-address=10.11.174.1 name=temp only-one=default remote-address=\
    10.11.174.253 remote-ipv6-prefix-pool=adsl use-compression=no use-encryption=no use-ipv6=yes use-mpls=default use-vj-compression=no

/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=test password=test profile=temp routes="" service=any

/ipv6 pool
add name=adsl prefix=2a00:1ce0:fe00::/40 prefix-length=64

Framed-IPv6-Prefix

Framed-IPv6-Prefix

Re: Framed-IPv6-Prefix

Re: Framed-IPv6-Prefix

Re: Framed-IPv6-Prefix

Re: Framed-IPv6-Prefix

Re: Framed-IPv6-Prefix

Re: Framed-IPv6-Prefix

Re: Framed-IPv6-Prefix

Re: Framed-IPv6-Prefix

Who is online