Enterprise Networking Mikrotik Routers (RouterBoard & RouterOS), User and owner discussion group

kwss
post Jun 6 2025, 06:26 PM

Regular
******
Senior Member
1,207 posts

Joined: Aug 2018
QUOTE(winter01942 @ Jun 6 2025, 03:02 PM)
Greeting Sifus,

I am currently researching into running an IKEv2 VPN server for site-to-site and also for my Android device to connect back to the home network.

However, I was not able to ping or reach the public IP on UDP ports 500 & 4500 from the Internet, even with all firewall filter deny rules temporarily disabled. With further digging I suspected CG-NAT, as the PPPoE link was on address 100.x.x.x but my public IP was 161.x.x.x.

Any suggestions on whether I should try to request a public IP from TIME Internet, or have we reached the point where IPv6 makes sense now?
*
I would skip IKEv2 and use WireGuard on IPv6 instead.
It works on more networks.
It saves battery since you no longer need keep-alives to maintain the NAT session. I never turn off WireGuard on my phone and didn't get faster battery drain from this one single change.

Option 1:
Use a DDNS provider like freedns.afraid.org.
Create a script to open the link.
Call the script from the DHCPv6 client whenever the DHCP pool is updated.
The WireGuard server runs on the Mikrotik.

Option 2:
You can use Mikrotik DDNS, but I never tried this before since I already had a very elaborate setup before they introduced this feature.
If you just connect back to share files, Mikrotik Back To Home is an app that abstracts everything away for a very easy setup.

Option 3:
If you have a VPS anywhere, let that act as a WireGuard hub and everything else act as spokes.
The benefit of this is low latency, and you don't need to deal with the host of problems that come with the dynamic IPv6 prefixes that infest TM.
You do need to configure each network manually in the WireGuard config.
Alternatively you can use an orchestration tool like NetBird to help if you have a lot of spokes with a lot of networks.

Option 4:
Use a SaaS like Tailscale. Technically it is an Option 3, but it's their server instead of your server.


I never liked setting up my own VPN just to use a third-party service, so I built Option 3 personally. Choose your own option, you don't have to follow me.
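Option 1 above as RouterOS terminal commands. This is an added example, not the poster's own setup; it assumes the PPPoE interface is pppoe-out1, the LAN bridge is named bridge, the DHCPv6 pool is tm-pool, WireGuard listens on UDP 13231, and the freedns.afraid.org update URL format, the token and the peer key are placeholders.

```routeros
# Added example (not the poster's config): Option 1, WireGuard on the Mikrotik reached over
# IPv6, with a DDNS update triggered by the DHCPv6 client whenever the prefix changes.
# Assumptions: PPPoE interface pppoe-out1, LAN bridge "bridge", pool "tm-pool",
# WireGuard port 13231, placeholder token and peer key. Adjust all of them.

# Router takes ::1 of the delegated /64 on the bridge; this is the address the phone dials.
/ipv6 address add address=::1 from-pool=tm-pool interface=bridge advertise=yes

# DDNS script: reads the bridge's current pool address and pushes it to freedns.afraid.org.
# The "&address=" parameter is assumed from the freedns v1 update URL; check your provider.
/system script add name=ddns-v6 source={
    :local id [/ipv6 address find interface=bridge from-pool=tm-pool]
    :if ([:len $id] = 0) do={ :error "ddns-v6: no pool address on bridge yet" }
    :local addr [/ipv6 address get $id address]
    # drop the /64 so only the bare address is sent
    :set addr [:pick $addr 0 [:find $addr "/"]]
    :local token "TOKEN-PLACEHOLDER"
    /tool fetch url=("https://freedns.afraid.org/dynamic/update.php?" . $token . "&address=" . $addr) keep-result=no
    :log info ("ddns-v6: published " . $addr)
}

# DHCPv6 client requests the prefix from TM and runs the script on every state change,
# so a new prefix after a PPPoE reconnect is published without a scheduler entry.
/ipv6 dhcp-client add interface=pppoe-out1 request=prefix pool-name=tm-pool pool-prefix-length=64 \
    add-default-route=yes use-peer-dns=yes script="/system script run ddns-v6"

# WireGuard server: a private key is generated on add; read the public key with
# /interface wireguard print and paste it into the phone's peer config.
/interface wireguard add name=wg0 listen-port=13231
/ip address add address=10.66.0.1/24 interface=wg0
/ipv6 address add address=fd42:66::1/64 interface=wg0 advertise=no
/interface wireguard peers add interface=wg0 comment=android \
    public-key="PEER-PUBLIC-KEY-PLACEHOLDER" allowed-address=10.66.0.2/32,fd42:66::2/128

# Only the WireGuard port is opened on the IPv6 input chain; everything else stays
# behind the default drop rules. No persistent keepalive is needed as there is no NAT in the path.
/ipv6 firewall filter add chain=input protocol=udp dst-port=13231 in-interface=pppoe-out1 \
    action=accept place-before=0 comment="WireGuard handshake over IPv6"
```

On the phone, the peer endpoint is the DDNS hostname with port 13231 and persistent keepalive is left off, which is the battery saving the post describes.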
kwss
post Jun 7 2025, 12:48 AM

QUOTE(winter01942 @ Jun 7 2025, 12:11 AM)
Thanks for the advice, I did previously use the built-in Back To Home functionality, and while it works, it was really slow.
Maybe I could give it another go manually and see how that works out.

I am currently using Mikrotik DDNS and just pointing my own domain CNAME to it.

*
It's slow because behind the scenes it's WireGuard inside another WireGuard tunnel back to a Mikrotik server in Latvia. That's how they work around CGNAT.
Tailscale is slow for the same reason.

If you can just use Mikrotik DDNS but WireGuard directly to your router over IPv6, performance should be top notch.
kwss
post Jun 12 2025, 03:43 PM

QUOTE(syahpian @ Jun 12 2025, 03:20 PM)
mikrotik 7.20beta2 firmware finally fixes the unifi MTU, now it can use 1492
*
Mikrotik didn't fix anything. TM made some changes to your BNG.

Mine still cannot do 1492.
If Mikrotik truly fixed it then it should be able to do 1500 or whatever number you put in.
kwss
post Jun 12 2025, 03:55 PM

QUOTE(syahpian @ Jun 12 2025, 03:50 PM)
Really? Because going back to 7.19.1 stable it reverts back to 1480
*
Yes. Confirmed not working for me.
Tested it 2x with 1500 and 1492 when 7.20b2 was just released.
Tested it again when I read your post.
Tested again before replying to this post.

What's your location?
kwss
post Jun 12 2025, 04:20 PM

QUOTE(syahpian @ Jun 12 2025, 03:57 PM)
tuaran, sabah
*
Well I'm at Batu Caves. Not working here.
kwss
post Jun 17 2025, 11:20 PM

QUOTE(cwtien @ Jun 17 2025, 08:50 PM)
Disable keepalive setting and it should get MTU 1492 (hopefully!).  It should be this:
"ppp - do not send initial echo request if keepalive-timeout=disabled;"

I'm not upgrading yet.

And this is the history of why we're getting MTU 1480 (spoiler, Huawei): https://forum.mikrotik.com/t/pppoe-compatib...bras-nfv/182546

P.S. Hi @Anime4000, same username and picture here and Mikrotik forum.
*
You are the man! Works!
Thanks a lot.
kwss
post Jul 12 2025, 11:25 PM

QUOTE(tng55 @ Jul 12 2025, 10:19 PM)
Digi Fibre is too much trouble, why did you change to Digi?
You were using Maxis without disconnects, that means your Maxis Fibre was perfect.
Maxis has 2Gbps.
Not an issue, the RB5009UG can handle more than 30++ devices.
Unifi also no problem and Maxis Fibre no problem.
Digi Fibre is too much trouble, better report to MCMC; if they are unable to settle it you may terminate the Digi Fibre line.
Sign up for Maxis Fibre 2Gbps and you're settled.

I know you're on a Digi Fibre 2-year contract, but you need to report it, then the Digi team visits your house; if they are unable to settle it and it's still the same disconnection problem you may raise a report to MCMC. I hope MCMC will help terminate the Digi Fibre line without paying the fee.
Tell MCMC you previously used Maxis Fibre with no problem.
Then you may sign up for Maxis Fibre 2Gbps.
*
My friend ah....
You know he is on TM infra. Everything from the ONU all the way to the BNG is TM's equipment.

He gets frequent disconnections, it's TM's BNG.
Same for all telcos on TM infra.

I don't think this is something TM cannot solve.
What did Digi do wrong?
kwss
post Jul 12 2025, 11:56 PM

QUOTE(tng55 @ Jul 12 2025, 11:34 PM)
But his previous Maxis Fibre, was that TM infra or Maxis's own infra?
*
Problems happen all the time. It's just a coincidence that it happened when he ported over.

In the Unifi thread there are also many people suddenly getting frequent disconnections.
kwss
post Jul 14 2025, 07:24 PM

QUOTE(boringz @ Jul 14 2025, 11:30 AM)
Question: is there any specific difference in config for Mikrotik if the PPPoE is IPv6? As I notice through the Digi-supplied router (TP-Link EX820) they have a connection via IPv6. Not sure if this is normal or it just so happens to be that way before, which caused the disconnections?
*
Can you be more specific on "have a connection via ipv6"?
You mean a connection to where?
Or did you mean you didn't configure IPv6 on your RB5009?
If you have configured IPv6, how is it configured now?

If you toggle keep-alive in your PPPoE client, will it still disconnect?
How about you log in to your Skyworth and monitor the PON status?
Is it still O5 when it disconnects? Or does the status change?
kwss
post Aug 2 2025, 03:34 PM

QUOTE(blackbox14 @ Aug 2 2025, 02:09 PM)
Finally ordered my hAP AX2 yesterday. Read up as much as I could and even asked the AI chat support bot on the Mikrotik website for a basic configuration.

Just want to ask something that I can't seem to find a clear answer to: when exactly should I perform the first RouterOS and RouterBoard upgrade during the setup process? I assume it's the moment I have internet access?

Also, if I plan to use ether1 as the WAN port on this, do I need to turn off the passive PoE on the port first?

And of course, there's stuff specific to TM Unifi like the MTU values that I'm not so certain about.
*
Welcome to the club.
You can upgrade RouterOS whenever you want. But keep in mind that they only enabled fasttrack by default in something like version 7.18.
So just download the npk file from Mikrotik and drop it into the router. Then reboot it to make sure it is upgraded.

Go to System > RouterBoard.
Click Upgrade to upgrade the firmware.

Reboot again. Make sure RouterOS and firmware are both the same version.
Hard reset the router and start your setup.

Passive PoE is a non-standard way for Mikrotik switches to provide power to their WiFi products. You cannot actually disable it as it is hardwired inside. Just use the port as is.

For TM's MTU problem, you need to use at least version 7.20 beta. You can jump straight to the beta version if you want. I have been on this version from beta2 till beta7 now and it has been good for basic usage.
kwss
post Aug 2 2025, 03:58 PM

QUOTE(blackbox14 @ Aug 2 2025, 03:48 PM)
Thanks.

For the RouterBoard step, I am guessing the firmware is included in the downloaded RouterOS file from the website and the router itself does not need internet access for that?
Ok. Just want to be sure because I don't want to fry my ONU by accident or something.
How much does the MTU issue impact regular usage? I did see some posts about it around here but it wasn't too clear.
*
Yes, just download one npk file and it will do both. No internet access is needed during the upgrade.
In RouterOS v6, firmware and OS were separate downloads.
In v7, the firmware is inside the OS package but still requires a manual trigger to update it. You can set it to automatic upgrade but it still requires two reboots.

The MTU issue has existed since TM "upgraded" their BNG. Mikrotik users have been living with this problem for a few years now. Not critical.
Mikrotik users have also been living with lousy IPv6 performance until recently.

You joined the club at the right time, when all these long-known annoyances are finally ironed out.
kwss
post Aug 2 2025, 04:20 PM

QUOTE(blackbox14 @ Aug 2 2025, 04:06 PM)
Wow, what exactly did they do with IPv6 on Mikrotik specifically? I thought that the issues with IPv6 in Malaysia were universal because of weird implementations.
*
This is Mikrotik specific.
In every router, there is a packet flow graph, which dictates what happens to the packet at each stage of a routing decision.

As part of optimization, many router manufacturers have their own method to shortcut this process: Cisco Express Forwarding, Mikrotik FastTrack, VyOS Flowtable Offload...

In Mikrotik, this shortcut didn't exist in IPv6 until recently.
Now that it exists, there are still a lot of limitations, edge cases and gotchas when using it.

Common ones:
If you use Queues, packets won't get fasttracked.
If you use IPsec, it will chew packets, i.e. they randomly go missing.

With L3HW Offload, you cannot use it with PPPoE. But your router doesn't support L3HW so this won't affect you.

Mikrotik FastPath is a totally different thing. It is just a name that says packets skip connection tracking and the firewall. There is no way you can operate in this mode unless you treat it like a core router.
But then as a core router, they also have problems with FastPath MPLS or VPLS, so it is still kind of the same unless your core router is really barebone.
kwss
post Aug 2 2025, 04:52 PM

QUOTE(blackbox14 @ Aug 2 2025, 04:36 PM)
I see. From my understanding the AX2 isn't a powerful device, so I don't plan to use QoS, IPsec or most other advanced features for the time being.

My goal for now is just to set it up similarly to my current router so there is little to no impact on basic use such as gaming (needs UPnP, if I am not mistaken), streaming, video calls, etc. I may not even use the built in WiFi and just use my Archer C9 as an AP for that instead. Heard that is better for the longevity of the network equipment anyway.
*
Just enable UPnP. They have a dedicated page for this setting. Make sure you correctly annotate your Inside / Outside interfaces or you might open yourself to UPnP attacks from the Internet.

Some people absolutely want QoS because it is the only way to get A+ in the bufferbloat test. What is your current Internet speed? You might be able to make it if you predominantly do big packets.
But then again no gamer will leave their torrent running while they game, so this renders the whole bufferbloat test moot as it only matters when your pipe is saturated.

The rated MTBF is 100,000 hours at 25C. Honestly it is very low in the enterprise gear space, where 300,000+ hours at 40C is normal for hardware with fans and 500,000 - 700,000+ hours at 40C for models without fans.

Let's say you never air-condition your place and MTBF is down to 50,000 hours. That still gives you 5+ years so it is not too bad.
kwss
post Aug 2 2025, 05:25 PM

QUOTE(blackbox14 @ Aug 2 2025, 05:12 PM)
I will come back here to confirm how this works once I have everything set up, because from what I've seen there are multiple ways to set up the device (w/ w/o VLAN filtering, etc..) using TM Unifi.
500Mbps under TM Unifi. And yes, no torrent while gaming.

I will eventually get around to learning how QoS works, because my family are heavy users of Netflix & Disney+ Hotstar, so there are times when their streaming does affect gaming.
Yeah, the place where the router will be placed will have no aircon. Somehow my Archer C9 has lasted 6 years without issues, so I'm hoping the vertical setup with the AX2 + all those vent holes will help it last as long or even longer.
*
I don't know if Mikrotik has a standard way to do this, but at least on a tiny router the "Internet" port is not part of the bridge in the default setting. You then just create VLAN 500 and that's it.
If you have IPTV then you need to bridge them together with a port.

I don't really remember as I don't use the default setup. All my ports are switched to maximize hardware offload.

DO NOT enable VLAN filtering without a backup. On an unsupported switch chip it will stop traffic and you officially lock yourself out.
Tip: Use Safe Mode when enabling it. If you lock yourself out, just reboot and all changes you made in Safe Mode will be reverted.
Once done, disable Safe Mode and your changes will be permanent.

YOU MUST STILL BACKUP.

500Mbps is slow enough for QoS to work properly on your router. Using pcq instead of cake or fq-codel should give you more headroom as it is less CPU intensive. Test it to find out.
kwss
post Aug 2 2025, 05:54 PM

QUOTE(blackbox14 @ Aug 2 2025, 05:35 PM)
My house doesn't actually use the IPTV, so would I still need to bridge those together with a port? I notice the TP Link router reserves one of the LAN ports for the IPTV.
So a safer idea is just to not use VLAN filtering then? I saw some posts here that indicated that VLAN filtering is the way that the current RouterOS is meant to run, or something of that nature. Maybe I misunderstood.

The setup videos that I can find on Youtube don't seem to use that method and it seems a lot more straightforward.
Will do that once I get everything running stable.
*
Assuming you start with the default config and the "Internet" port is not part of the bridge.
Go to Interface > VLAN
Add VLAN:
MTU: Set to max
VLAN ID: 500
Interface: <name of Internet port>

That's it. VLAN is done.

Go to PPP.
Add PPPoE client.
MRU: 1500
MTU: 1500
Interface: <name of VLAN you just created>
Fill in username and password.

You should have internet by now but no IPv6.

Maybe check the PON stick thread for IPv6 setup. I posted one there recently.

IP > UPnP > interface
Set your PPPoE name to external. "bridge" to internal. Then enable.

I think that's it. Left QoS.
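The same VLAN 500, PPPoE and UPnP steps as terminal commands, added here as an example rather than the poster's own commands. It assumes the Internet port is ether1 (outside the bridge), the LAN bridge is named bridge, keepalive-timeout=disabled is wanted for the 7.20 MTU workaround quoted earlier in the thread, and the credentials are placeholders.

```routeros
# Added example (not the poster's commands): TM Unifi PPPoE on a RouterOS v7 default config,
# done from the terminal instead of WinBox. Assumptions: Internet port ether1 (not a bridge
# member), LAN bridge "bridge", placeholder PPPoE credentials. Adjust to your box.

# VLAN 500 on the Internet port; mtu=1500 is the "set to max" step above.
/interface vlan add name=vlan500 vlan-id=500 interface=ether1 mtu=1500

# PPPoE client on top of the VLAN. keepalive-timeout=disabled is the 7.20 workaround quoted
# earlier in the thread for the TM BNG that otherwise forces MTU 1480.
/interface pppoe-client add name=pppoe-out1 interface=vlan500 \
    user="USER@unifi" password="PASSWORD-PLACEHOLDER" \
    max-mtu=1500 max-mru=1500 add-default-route=yes use-peer-dns=yes \
    keepalive-timeout=disabled disabled=no

# Verify the negotiated MTU once the link is up (1492 expected, 1500 if the BNG allows it).
/interface pppoe-client monitor pppoe-out1 once

# UPnP: annotate the PPPoE link as external and the bridge as internal before enabling,
# so only LAN hosts can open ports. An unmarked or mis-marked interface is how UPnP
# ends up answering requests from the Internet.
/ip upnp interfaces add interface=pppoe-out1 type=external
/ip upnp interfaces add interface=bridge type=internal
/ip upnp set enabled=yes

# Optional NAT-PMP, same interface annotation applies.
/ip nat-pmp interfaces add interface=pppoe-out1 type=external
/ip nat-pmp interfaces add interface=bridge type=internal
/ip nat-pmp set enabled=yes
```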
kwss
post Aug 2 2025, 06:34 PM

QUOTE(blackbox14 @ Aug 2 2025, 06:01 PM)
Thank you. So I don't actually need to add VLAN600 interface to the internet port and internet would still function. That clears up a lot.

Noted about the IPv6 guide as well. I think I actually read it there a few days back.
*
It still works because VLAN 600 just gets dropped without affecting VLAN 500. There are other VLANs like 400 and 209 on the TM network as well.

For NAT-PMP, the steps are the same as UPnP, just annotate the interface.

I need to test the QoS before I post it since I don't use it. But it should be very straightforward as well.
kwss
post Aug 2 2025, 10:56 PM

QUOTE(blackbox14 @ Aug 2 2025, 09:50 PM)
Is NAT-PMP still used by games and devices today? I'm not sure if my current router even has that. I only remember a UPnP option.
No worries. I have a limited window to set everything up and make sure it all runs correctly first, so will be focusing on that.
*
Not sure if NAT-PMP is still used, but you can actually enable both in Mikrotik. So you do get the best of both worlds.
kwss
post Aug 3 2025, 03:16 AM

blackbox14
After you add the PPPoE client, remember:
Go to Interface > Interface List tab
Add your pppoe interface to WAN

This will simplify a lot of things, including NAT configuration.


QoS setup:
Go to Queues > Queue Types tab
Add:
Type Name: <anything you like>
Kind: cake -or- fq-codel

Go to Queue Tree tab
Add:
Name: Download-500M
Parent: bridge
Packet Marks: no-mark
Queue Type: <the name you chose above>
Max Limit: 500M

Add:
Name: Upload-200M
Parent: <pppoe interface>
Packet Marks: no-mark
Queue Type: <the name you chose above>
Max Limit: 200M

That's all.

Now you need to compare your bufferbloat with both rules enabled and disabled.
If the latency is poorer with the rules enabled, it means your CPU is not powerful enough. To verify if it is a CPU problem, lower the download speed to something like 100M and the upload speed to 50M.

I tried pcq but the result is not as good as fq-codel and cake.
Keep in mind RouterOS doesn't use DPDK or any form of ASIC for QoS, hence performance seriously sucks donkey balls.

You must also remember QoS works by forcing packets to buffer so they can be selectively discarded. The more headroom you reserve (hence lower throughput) the better they perform.
You cannot tune for max throughput while still having low queuing delay. By doing that, you actually lower the chance that it will perform accordingly.

Example with arbitrary values:
By adhering to a 500M max limit, the chance of it working according to spec might be 90%.
However if you increase it to 550M just to get more throughput, the chance of it working according to spec might drop to 50%.
kwss
post Aug 3 2025, 08:00 PM

QUOTE(blackbox14 @ Aug 3 2025, 11:33 AM)
Ok. Strange that few of the articles and videos mention this step even though it looks quite helpful.
To test, the website is that waveform one right?
I've read that lowering the max limit to -10% of the full limit of my internet package speed would be a good place to start, is that true?
So for example mine is 500, I should start at 450.

Also fq-codel seems to use less CPU, so I will try that one first and see.

Thanks again and appreciate all the help.
*
Mikrotik keeps doing things differently with different versions of RouterOS. If I remember correctly, the most recent one defaults to using Interface List to configure NAT.
I know simply because I netinstalled my router due to a misbehaving switch chip.
There are other reasons why people don't write it as well. They might not know about it. They might not use it even if they know about it. Their setup might be tiny so they never have to think about the ease of changing things down the road, etc.

Imagine you have a few NAT rules and have configured a massive list of firewall rules. One day you need to swap some port, or add in a 5G modem as backup. Suddenly you have to redo every single NAT and firewall rule.
With Interface List, you just need to annotate your new 5G modem and you do not even need to retest all the firewall rules.
Changing rules manually is error prone.

Yes, I test with Waveform.

If you use TM Unifi, they already put in 10% extra for you in the line profile so you do not have to do that.

Real world performance differs. If your CPU is powerful enough to QoS a lot of connections, cake will give you a better bufferbloat score because internally it is actually HQoS and has a built-in pacing mechanism. Test it to find out.

You can also try to QoS your upload only. Test it and see if your download latency is acceptable. This will save you CPU power because you only need to QoS a much slower upload speed.

I think I made a mistake in my previous post. The 500M package is 100M upload only. Adjust accordingly.
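The Interface List and queue tree setup from the two posts above, as terminal commands with the corrected 100M upload. This is an added example, not the poster's own commands; it assumes the PPPoE interface is pppoe-out1, the LAN bridge is named bridge, and a RouterOS v7 default firewall.

```routeros
# Added example (not the poster's commands): Interface List based NAT plus the cake/fq-codel
# queue tree described above, for a 500M down / 100M up TM Unifi package.
# Assumptions: PPPoE interface pppoe-out1, LAN bridge "bridge", RouterOS v7 default firewall.

# Put the PPPoE link in the WAN list. NAT and filter rules match the list, so a later 5G
# backup modem only needs one more member here, not a rewrite of every rule.
/interface list member add list=WAN interface=pppoe-out1

# Masquerade on the list. Recent default configs already ship this rule; check
# /ip firewall nat print first and skip this line if it is already there.
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade comment="masquerade via WAN list"

# Two queue types so you can A/B cake and fq-codel by changing queue= below.
/queue type add name=qos-cake kind=cake
/queue type add name=qos-fqcodel kind=fq-codel

# Download is shaped on the bridge (LAN-bound traffic). The limit stays at the package rate
# because TM's line profile already carries 10% headroom, as noted above.
/queue tree add name=Download-500M parent=bridge packet-mark=no-mark queue=qos-cake max-limit=500M

# Upload is shaped on the PPPoE interface at the package's 100M upload rate.
/queue tree add name=Upload-100M parent=pppoe-out1 packet-mark=no-mark queue=qos-cake max-limit=100M

# CPU check from the post above: if bufferbloat is worse with the queues on, lower both
# limits and retest; if latency recovers, the CPU is the bottleneck. Restore them afterwards.
/queue tree set [find name=Download-500M] max-limit=100M
/queue tree set [find name=Upload-100M] max-limit=50M

# Cheaper alternative: shape only the upload and leave the download unqueued.
/queue tree set [find name=Download-500M] disabled=yes
```

Run the Waveform bufferbloat test with the two queue tree entries enabled and then disabled, as the post says, and keep whichever queue kind gives the better score on your CPU.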
kwss
post Aug 6 2025, 06:20 PM

QUOTE(mdziaf @ Aug 6 2025, 12:00 PM)
If I add a static route coming from the ONU to MikroTik don't I have to allow the address of the ONU in the firewall since all packets not coming from WAN is dropped unless specified?

I'm trying to set up a FreePBX trunk with the VoIP.. so far I tried to forward VLAN400 to my FreePBX instance but that obviously did not work

CODE
Add a NAT rule. Chain=srcnat. Out Interface=voip. Action=masquerade

Is this srcnat rule still required with your current setup?
*
Forwarding VLAN 400 no longer works because TM no longer tags it.
No, the NAT rule is no longer required because we are doing pure routing.
Technically when you add a static route to both the ONU and your Mikrotik, it is not on the WAN Interface List, unless you annotate it that way. If so, then you need to adjust your firewall rules accordingly.
The reason is your PPPoE is the WAN link. But the native VLAN of the port itself is not a WAN link.

I have since updated my static route setting by not specifying the default gateway. The reason is I noticed they do change and render the route invalid. Specifying the interface is enough for it to work. Also note my route for Wireguard.

