astac
just joined
Topic Author
Posts: 3
Joined: Fri May 19, 2023 1:31 pm

IPv6 routes not created

Tue Apr 30, 2024 4:03 pm

My MikroTik router receives an IPv6 address and a /64 prefix. When I assign this prefix to VLAN10, clients receive IPv6 addresses and can ping the router on 2a02:xxxx:xxxx:c227::1/64.
Because clients can ping the router but not the outside world, I assume there is some issue with routes.
While testing, I tried disabling all IPv6 firewall rules in case something was blocking the connection, but that was not the issue.

ip -6 a on my PC reports my IP like this:
inet6 2a02:xxxx:xxxx:c227:8b5c:456f:4ce8:a43d/64 scope global dynamic noprefixroute 

My setup:
ISP coax box (with DS Lite) -> Hap ax2
rOS - 7.14.3

# DHCPv6 Client
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=isp-pool6 prefix-hint=::/64 request=address,prefix use-peer-dns=no

# INTERFACE  STATUS  REQUEST  PREFIX                                  ADDRESS                             
0 ether1     bound   address  2a02:xxxx:xxxx:c227::/64, 1w5d10h9m28s  2a02:xxxx:xxxx:c200::20, 6d20h17m12s
                     prefix      
# Ipv6 pool
#   NAME       PREFIX                    PREFIX-LENGTH  EXPIRES-AFTER
0 D isp-pool6  2a02:xxxx:xxxx:c227::/64             64  1w5d10h8m15s
# ND
/ipv6 nd
set [ find default=yes ] disabled=yes interface=bridge1 ra-interval=20s-1m
add dns=2620:fe::fe,2620:fe::9 interface=vlan10 ra-interval=20s-1m
# Routes
     DST-ADDRESS                  GATEWAY                          DISTANCE
DAd+ ::/0                         fe80::ae22:5ff:fe7d:69bd%ether1         1
DAd+ ::/0                         fe80::ae22:5ff:fe7d:69bd%ether1         1
DAc  ::1/128                      lo                                      0
DAc  2a02:xxxx:xxxx:c200::/64     ether1                                  0
DAc  2a02:xxxx:xxxx:c200::f2/128  ether1                                  0
DAc  2a02:xxxx:xxxx:c227::/64     vlan10                                  0
D d  2a02:xxxx:xxxx:c227::/64                                             1
DAc  fe80::%ether1/64             ether1                                  0
DAc  fe80::%bridge1/64            bridge1                                 0
DAc  fe80::%vlan10/64             vlan10                                  0
# Settings
                  disable-ipv6: no
                       forward: yes
              accept-redirects: yes-if-forwarding-disabled
  accept-router-advertisements: yes
          max-neighbor-entries: 16384
Last edited by tangent on Wed May 01, 2024 5:01 am, edited 1 time in total.
Reason: BBCode formatting fix
 
TheCat12
Member Candidate
Posts: 196
Joined: Fri Dec 31, 2021 9:13 pm

Re: IPv6 routes not created

Sun May 05, 2024 12:15 pm

A full config is needed here, so kindly post it here.
 
CGGXANNX
Member Candidate
Posts: 122
Joined: Thu Dec 21, 2023 6:45 pm

Re: IPv6 routes not created

Sun May 05, 2024 7:28 pm

If the default firewall configuration (defconf) is being used, then did you add vlan10 into the interface list LAN? Otherwise traffic from vlan10 will not be forwarded due to this defconf rule:

/ipv6 firewall filter
add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
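
The interface-list check raised in the post above can be run against a config export. This is an added example, not part of the original thread and not MikroTik code: `SAMPLE_EXPORT` is a constructed export modelled on the thread's config (the vlan40 address entry is hypothetical), and the function names are assumptions. It ignores rule order, so traffic matched by an earlier accept rule (established/related, ICMPv6) is not modelled.

```python
import re

# Constructed sample in RouterOS export syntax, modelled on the config in this
# thread; the vlan40 IPv6 address entry is a hypothetical addition.
SAMPLE_EXPORT = r'''
/interface list member
add interface=ether1 list=WAN
add interface=vlan10 list=LAN
/ipv6 address
add address=::1 from-pool=isp-pool6 interface=vlan10
add address=::1 from-pool=isp-pool6 interface=vlan40
/ipv6 firewall filter
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
'''

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for the add/set lines."""
    text = re.sub(r'\\\n\s*', '', text)  # join "\"-continued lines
    menus, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('/'):
            path = line
        elif path and line.split(' ', 1)[0] in ('add', 'set'):
            item = {k: v.strip('"') for k, v in KV.findall(line)}
            menus.setdefault(path, []).append(item)
    return menus

def pool_interfaces_dropped(text):
    """(interface, list) pairs: has a pool-derived IPv6 address, yet new
    forwarded traffic from it falls through to a 'drop !list' rule."""
    menus = parse_export(text)
    members = {}
    for m in menus.get('/interface list member', []):
        members.setdefault(m['list'], set()).add(m['interface'])
    lan_side = [a['interface'] for a in menus.get('/ipv6 address', [])
                if 'from-pool' in a and a.get('disabled') != 'yes']
    findings = []
    for rule in menus.get('/ipv6 firewall filter', []):
        lst = rule.get('in-interface-list', '')
        if (rule.get('action'), rule.get('chain')) == ('drop', 'forward') \
                and lst.startswith('!') and rule.get('disabled') != 'yes':
            allowed = members.get(lst[1:], set())
            findings += [(i, lst[1:]) for i in lan_side if i not in allowed]
    return findings

if __name__ == '__main__':
    for iface, lst in pool_interfaces_dropped(SAMPLE_EXPORT):
        print(f'{iface}: not in interface list {lst}, forwarding is dropped')
```

An empty result means every interface that hands out the delegated prefix is a member of the list the drop rule exempts; it does not prove that the upstream default route works.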
 
astac
just joined
Topic Author
Posts: 3
Joined: Fri May 19, 2023 1:31 pm

Re: IPv6 routes not created

Sun May 05, 2024 11:06 pm

Yes, vlan10 is in my LAN interface list.
 
astac
just joined
Topic Author
Posts: 3
Joined: Fri May 19, 2023 1:31 pm

Re: IPv6 routes not created

Sun May 05, 2024 11:51 pm

My full config with "hide-sensitive" and removed static DHCP leases and WiFi:
/interface bridge
add admin-mac=48:A9:8A:8E:E8:83 auto-mac=no ingress-filtering=no name=bridge1 \
    port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN poe-out=off
set [ find default-name=ether2 ] comment=PC
set [ find default-name=ether3 ] comment=Switch
set [ find default-name=ether4 ] comment=WorkNTB
/interface vlan
add comment="Main network" interface=bridge1 name=vlan10 vlan-id=10
add comment="Server backend network (no internet)" interface=bridge1 name=\
    vlan15 vlan-id=15
add comment="VM internet access" interface=bridge1 name=vlan30 vlan-id=30
add comment="Guest network" interface=bridge1 name=vlan40 vlan-id=40
add comment=Hosting interface=bridge1 name=vlan50 vlan-id=50
add comment="IoT network (no internet)" interface=bridge1 name=vlan70 \
    vlan-id=70
/interface list
add name=WAN
add name=LAN
/ip pool
add name=pool10 ranges=10.10.10.100-10.10.10.254
add name=pool40 ranges=10.10.40.10-10.10.40.254
add name=pool70 ranges=10.10.70.10-10.10.70.254
add name=pool15 ranges=10.10.15.10-10.10.15.254
add name=pool30 ranges=10.10.30.10-10.10.30.254
add name=pool50 ranges=10.10.50.10-10.10.50.254
/ip dhcp-server
add address-pool=pool10 interface=vlan10 lease-time=10m name=dhcp10
add address-pool=pool40 interface=vlan40 lease-time=10m name=dhcp40
add address-pool=pool70 interface=vlan70 lease-time=10m name=dhcp70
add address-pool=pool15 interface=vlan15 lease-time=1h name=dhcp15
add address-pool=pool30 interface=vlan30 name=dhcp30
add address-pool=pool50 interface=vlan50 name=dhcp50
/ip smb users
set [ find default=yes ] disabled=yes
/queue simple
add max-limit=10M/50M name=VLAN40 target=vlan40
/system logging action
add bsd-syslog=yes name=LogToNAS remote=10.10.10.25 src-address=\
    10.10.10.1 target=remote
/user group
add name=homeassistant policy="read,test,api,!local,!telnet,!ssh,!ftp,!reboot,\
    !write,!policy,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    name=zt1 port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=no disabled=no instance=\
    zt1 name=zerotier1 network=xxx1
add allow-default=no allow-global=yes allow-managed=yes disabled=no instance=\
    zt1 name=zerotier2 network=xxx2
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
    zt1 name=zerotier3-games network=xxx3
/interface bridge port
add bridge=bridge1 interface=ether5 internal-path-cost=10 path-cost=10 pvid=\
    10
add bridge=bridge1 interface=ether4 internal-path-cost=10 path-cost=10 pvid=\
    40
add bridge=bridge1 interface=ether3 internal-path-cost=10 path-cost=10 pvid=\
    10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
    WiFi-5GHz-Generic internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
    WiFi-2.4GHz-GenericIoT internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
    WiFi-5GHz-GenericGuest internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
    WiFi-2.4GHz-GenericGuest internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
    WiFi-5GHz-GenericIoT internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
    WiFi-2.4GHz-Generic internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether2 internal-path-cost=10 path-cost=10 pvid=\
    10
/ip firewall connection tracking
set udp-timeout=10s
/ipv6 settings
set accept-router-advertisements=yes max-neighbor-entries=16384
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,WiFi-5GHz-Generic,WiFi-2.4GHz-Generic \
    untagged=ether3,ether2,ether5 vlan-ids=10
add bridge=bridge1 tagged=\
    bridge1,WiFi-5GHz-GenericGuest,WiFi-2.4GHz-GenericGuest,ether3 untagged=\
    ether4 vlan-ids=40
add bridge=bridge1 tagged=\
    bridge1,ether3,WiFi-5GHz-GenericIoT,WiFi-2.4GHz-GenericIoT vlan-ids=70
add bridge=bridge1 tagged=bridge1,ether3 vlan-ids=15
add bridge=bridge1 tagged=bridge1,ether3 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether3 vlan-ids=50
/interface list member
add interface=ether1 list=WAN
add interface=vlan10 list=LAN
/ip address
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
add address=10.10.40.1/24 interface=vlan40 network=10.10.40.0
add address=10.10.70.1/24 interface=vlan70 network=10.10.70.0
add address=10.10.15.1/24 interface=vlan15 network=10.10.15.0
add address=10.10.80.1/24 interface=*18 network=10.10.80.0
add address=10.10.90.1/24 interface=*1C network=10.10.90.0
add address=10.10.30.1/24 interface=vlan30 network=10.10.30.0
add address=10.10.50.1/24 interface=vlan50 network=10.10.50.0
add address=10.10.20.1/24 interface=*1D network=10.10.20.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.30.63,10.10.10.25 gateway=\
    10.10.10.1
add address=10.10.15.0/24 dns-none=yes
add address=10.10.30.0/24 dns-server=10.10.30.63,10.10.10.25 gateway=\
    10.10.30.1 ntp-server=10.10.30.1
add address=10.10.40.0/24 dns-server=10.10.30.63,10.10.10.25 gateway=\
    10.10.40.1
add address=10.10.50.0/24 dns-server=10.10.30.63,10.10.10.25 gateway=\
    10.10.50.1
add address=10.10.70.0/24 dns-server=9.9.9.9 gateway=10.10.70.1 ntp-server=\
    10.10.70.1
/ip firewall address-list
add address=10.10.10.0/24 list="Admin access"
add address=10.10.10.1 list="Admin panel"
add address=10.10.10.25 list="DNS servers"
add address=10.10.30.63 list="DNS servers"
add address=10.10.10.0/24 list="DNS access"
add address=10.10.40.0/24 list="DNS access"
add address=10.10.30.0/24 list="DNS access"
add address=10.10.10.0/24 list=WebAccess
add address=10.10.30.0/24 list=WebAccess
add address=10.10.40.0/24 list=WebAccess
add address=10.10.10.62 list=WebServer
add address=10.10.70.25 comment="3D Printer" list="IoT - WAN access"
add address=10.10.70.18 comment="Shelly Plug - 001" disabled=yes list=\
    "IoT - WAN access"
add address=10.0.60.0/24 list=WebAccess
add address=10.10.70.17 comment="Shelly Plug - 002" disabled=yes list=\
    "IoT - WAN access"
/ip firewall filter
add action=accept chain=input comment="allow admin access from HomeVLAN" \
    dst-address-list="Admin panel" dst-port=22,8291 protocol=tcp \
    src-address-list="Admin access"
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes in-interface=vlan10
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes in-interface=vlan30
add action=accept chain=forward comment="established, related" \
    connection-state=established,related
add action=accept chain=input comment="accept established, related" \
    connection-state=established,related
add action=accept chain=forward comment="Allow access to ReverseProxy server" \
    dst-address-list=WebServer dst-port=80,443 protocol=tcp src-address-list=\
    WebAccess
add action=accept chain=forward comment=\
    "allow access to DNS from allowed VLANs - UDP" dst-address-list=\
    "DNS servers" dst-port=53 protocol=udp src-address-list="DNS access"
add action=accept chain=forward comment=\
    "allow access to DNS from allowed VLANs -TCP" dst-address-list=\
    "DNS servers" dst-port=53,853 protocol=tcp src-address-list="DNS access"
add action=accept chain=forward comment="Allow internet for VLAN30" \
    connection-state=new in-interface=vlan30 out-interface-list=WAN
add action=accept chain=forward comment="Allow BC for VLAN30" \
    connection-state=new dst-address=10.0.10.0/24 in-interface=vlan30
add action=accept chain=forward comment="Allow internet for VLAN40" \
    connection-state=new in-interface=vlan40 out-interface-list=WAN
add action=drop chain=forward comment="Drop everything from VLAN 40" \
    in-interface=vlan40
add action=accept chain=forward comment="WAN select IoT devices" \
    out-interface-list=WAN src-address-list="IoT - WAN access"
add action=drop chain=forward comment="Drop everything from VLAN 70" \
    in-interface=vlan70
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=zerotier3-games
/ip proxy
set parent-proxy=0.0.0.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=\
    10.10.10.0/24,10.0.10.0/24,10.100.0.0/24,10.147.19.0/24,10.10.15.0/24
set ssh address=\
    10.10.10.0/24,10.0.10.0/24,10.100.0.0/24,10.147.19.0/24,10.10.15.0/24
set api disabled=yes
set winbox address=\
    10.10.10.0/24,10.0.10.0/24,10.100.0.0/24,10.147.19.0/24,10.10.15.0/24
set api-ssl address=10.10.30.0/24 certificate=\
    "Self signed certificate for API"
/ip smb shares
set [ find default=yes ] directory=/pub
/ip upnp interfaces
add interface=vlan10 type=internal
add interface=ether1 type=external
/ipv6 address
add address=::1 from-pool=isp-pool6 interface=vlan10
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=isp-pool6 prefix-hint=\
    ::/60 request=address,prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] disabled=yes interface=bridge1 ra-interval=20s-1m
add dns=2620:fe::fe,2620:fe::9 interface=vlan10 ra-interval=20s-1m
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Bratislava
/system identity
set name=GenericRouter
/system logging
add action=LogToNAS prefix=BA-GenericRouter topics=info
add action=LogToNAS prefix=BA-GenericRouter topics=critical
add action=LogToNAS prefix=BA-GenericRouter topics=error
add action=LogToNAS prefix=BA-GenericRouter topics=warning
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=10.10.10.25
add address=pool.ntp.org
/tool romon
set enabled=yes
 
CGGXANNX
Member Candidate
Posts: 122
Joined: Thu Dec 21, 2023 6:45 pm

Re: IPv6 routes not created

Tue May 07, 2024 1:47 pm

The command on your PC (first post) reported "noprefixroute". Can you try to turn on "Other Configuration" on the IPv6 -> ND entry of vlan10? Or maybe turn on Managed Address Configuration too?

ipv6-nd.png

In my network IPv6 didn't work for Windows clients when I didn't check that checkbox.
 
Kentzo
Long time Member
Posts: 545
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: IPv6 routes not created

Tue May 07, 2024 9:18 pm

Right now your router is not properly configured to learn the upstream IPv6 route. You likely need:
/ipv6/dhcp-client ... add-default-route=no ...
/ipv6/nd/add advertise-dns=no interface=ether1 ra-lifetime=none ra-preference=low reachable-time=5m

Also note that the dns option in /ipv6/nd does not work for all client devices. Some can only obtain DNS via the DHCPv6 Server option #23 (needs `other-configuration=yes` in /ipv6/nd on the LAN interface).

You can look through my post history to find similar issues I commented on; some of them have working config exports.
