
Enterprise Networking Mikrotik Routers (RouterBoard & RouterOS), User and owner discussion group

blackbox14
post Aug 8 2025, 10:43 PM

Casual
***
Junior Member
346 posts

Joined: Jul 2012
QUOTE(kwss @ Aug 8 2025, 10:21 PM)
You can just delete the DHCP Client on the "Internet" port
*
Alright. I have it disabled for now but I'll delete it later when I go to plug the router into the ONU.

After reading your guide about IPv6 in the PON stick thread: do I still need to move the Fasttrack firewall rule to the top of the list with the default configuration? In ROS 7.19.4 it is somewhere in the middle with default config.

I also had to do some extra settings to change my LAN IP address. Managed to change all the DHCP related info and log back in using the new IP, so hopefully I didn't miss anything.
kwss
post Aug 8 2025, 11:02 PM

Regular
******
Senior Member
1,207 posts

Joined: Aug 2018
QUOTE(blackbox14 @ Aug 8 2025, 10:43 PM)
Alright. I have it disabled for now but I'll delete it later when I go to plug the router into the ONU.

After reading your guide about IPv6 in the PON stick thread: do I still need to move the Fasttrack firewall rule to the top of the list with the default configuration? In ROS 7.19.4 it is somewhere in the middle with default config.

I also had to do some extra settings to change my LAN IP address. Managed to change all the DHCP related info and log back in using the new IP, so hopefully I didn't miss anything.
*
In reality, as long as the fasttrack is above the "accept forward" rule it will work.
I just tell people to move it to the top as it's the easiest to understand and won't be missed when checking.

I did move mine to the top to make it stand out from all the rules. One less precedence to worry about when diagnosing ACLs.

Now that I explained this, it's entirely up to you.
blackbox14
post Aug 8 2025, 11:06 PM

Casual
***
Junior Member
346 posts

Joined: Jul 2012
QUOTE(kwss @ Aug 8 2025, 11:02 PM)
In reality, as long as the fasttrack is above the "accept forward" rule it will work.
I just tell people to move it to the top as it's the easiest to understand and won't be missed when checking.

I did move mine to the top to make it stand out from all the rules. One less precedence to worry about when diagnosing ACLs.

Now that I explained this, it's entirely up to you.
*
Thanks. I'll have a look at it again later.
blackbox14
post Aug 9 2025, 07:51 PM

Casual
***
Junior Member
346 posts

Joined: Jul 2012
QUOTE(kwss @ Jul 22 2025, 08:24 AM)
Go to IPv6 > ND.
Add new.
Interface: bridge1
MTU: 1480
DNS Server: 2001:4860:4860::8888
*
There seems to be some conflict in this step. I didn't notice it earlier, but on the hAP AX2's default configuration, there is an existing ND setting targeting interface 'all'.

Should I disable/delete the default ND setting in favor of the one for just the bridge, or just modify the default ND with the 'all' interface to MTU 1480?

This post has been edited by blackbox14: Aug 9 2025, 07:53 PM
kwss
post Aug 9 2025, 08:07 PM

Regular
******
Senior Member
1,207 posts

Joined: Aug 2018
QUOTE(blackbox14 @ Aug 9 2025, 07:51 PM)
There seems to be some conflict in this step. I didn't notice it earlier, but on the hAP AX2's default configuration, there is an existing ND setting targeting interface 'all'.

Should I disable/delete the default ND setting in favor of the one for just the bridge, or just modify the default ND with the 'all' interface to MTU 1480?
*
Delete the ND. There should never be an ND for the "all" interface. It is a security mess. ND must only be used strictly on trusted segments of the network.
It basically means that if suddenly TM or your neighbor were to listen on your eth1.500, they would get an IPv6 address from your router, connect to it and use the main routing table to walk around your network. Imagine that.

EDIT:
Mikrotik seems to think they prevent it with their default firewall configuration. What if your firewall is no longer as default as they think?

Some of these Mikrotik configs are just ugly. They try to make it work out of the box for Latvian ISP users. But let's be real, their product is not home user friendly at all. I won't simply recommend it to people.

This post has been edited by kwss: Aug 9 2025, 08:09 PM
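The two points kwss makes above (fasttrack only does anything when it sits above the forward-chain accept rule, and an ND entry bound to interface=all sends router advertisements onto every port, WAN included) can be checked offline against a `/export` dump. This is an added example, not code from the thread or from MikroTik; the export samples are constructed to resemble a RouterOS 7 default configuration, and the "accept forward" rule is assumed to mean the forward-chain accept for established/related traffic.

```python
import re

# Matches key=value pairs in an export line; values may be double-quoted.
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

# Constructed sample shaped like a RouterOS 7 default export (not a real device dump):
# fasttrack sits in the middle of the filter list and the ND entry covers all interfaces.
DEFAULT_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ipv6 nd
set [ find default=yes ] interface=all mtu=1480
"""
# The same config after the thread's advice: ND pinned to the LAN bridge, fasttrack moved to the top.
HARDENED_EXPORT = """\
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ipv6 nd
set [ find default=yes ] interface=bridge1 mtu=1480
"""

def parse_export(text):
    """Return (section, {key: value}) for each add/set line, in file order."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line
        elif section and line.split(" ", 1)[0] in ("add", "set"):
            entries.append((section, {k: v.strip('"') for k, v in KV_RE.findall(line)}))
    return entries

def nd_on_all_interfaces(entries):
    """ND entries that would send router advertisements on every interface, WAN ports included."""
    return [kv for sec, kv in entries if sec == "/ipv6 nd" and kv.get("interface") == "all"]

def fasttrack_position(entries):
    """(index of the fasttrack rule, index of the first forward-chain accept for established traffic)."""
    rules = [kv for sec, kv in entries if sec == "/ip firewall filter"]
    ft = next((i for i, r in enumerate(rules) if r.get("action") == "fasttrack-connection"), None)
    acc = next((i for i, r in enumerate(rules) if r.get("chain") == "forward"
                and r.get("action") == "accept" and "established" in r.get("connection-state", "")), None)
    return ft, acc

def audit(text):
    """Findings as strings; an empty list means both checks passed."""
    entries, findings = parse_export(text), []
    for _ in nd_on_all_interfaces(entries):
        findings.append("ipv6 nd: interface=all advertises onto untrusted ports; bind the entry to the LAN bridge")
    ft, acc = fasttrack_position(entries)
    if ft is None:
        findings.append("firewall: no fasttrack-connection rule")
    elif acc is not None and ft > acc:
        findings.append(f"firewall: fasttrack at {ft} is below the forward accept at {acc}, so it never matches")
    return findings
```

Run `audit()` on a real `/export` and the default sample reports only the ND finding, which matches kwss's point that the stock rule order still works even though the fasttrack rule is easier to verify at the top.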
blackbox14
post Aug 9 2025, 08:11 PM

Casual
***
Junior Member
346 posts

Joined: Jul 2012
QUOTE(kwss @ Aug 9 2025, 08:07 PM)
Delete the ND. There should never be an ND for the "all" interface. It is a security mess. ND must only be used strictly on trusted segments of the network.
It basically means that if suddenly TM or your neighbor were to listen on your eth1.500, they would get an IPv6 address from your router, connect to it and use the main routing table to walk around your network. Imagine that.
*
Yeah, I had a feeling about that based on what I read in the documentation. Surprised this is part of the default config. I can't actually remove it though. I can only disable it.

Also noticed that the ND Prefix Defaults setting under Valid Lifetime is 30 days, while Preferred Lifetime is 7 days. Is that a bit too long, or is it fine to leave that as is?

EDIT: The reason I can't remove the ND entry is because it's marked as Default, but I can't seem to find a way to be able to change it.

EDIT2: Nevermind, just changed the default one to bridge interface and MTU 1480.

This post has been edited by blackbox14: Aug 9 2025, 08:22 PM
kwss
post Aug 9 2025, 08:28 PM

Regular
******
Senior Member
1,207 posts

Joined: Aug 2018
QUOTE(blackbox14 @ Aug 9 2025, 08:11 PM)
Yeah, I had a feeling about that based on what I read in the documentation. Surprised this is part of the default config. I can't actually remove it though. I can only disable it.

Also noticed that the ND Prefix Defaults setting under Valid Lifetime is 30 days, while Preferred Lifetime is 7 days. Is that a bit too long, or is it fine to leave that as is?

EDIT: The reason I can't remove the ND entry is because it's marked as Default, but I can't seem to find a way to be able to change it.

EDIT2: Nevermind, just changed the default one to bridge interface and MTU 1480.
*
That's what I did. Changed the default to the bridge interface with all relevant settings. LOL.
I didn't change the lifetime at all because it is irrelevant to the way TM's broken IPv6 works.

TM is supposed to issue you an IPv6 prefix statically based on your account, or based on the DUID. For some reason their BNG can't do that, won't do that. Hence this setting is effectively meaningless.

This also means that if you are hit with frequent disconnections, all your devices will suddenly have broken IPv6 due to a stale prefix.

I am sure this is one of the reasons why people say "IPv6 not stable, not stable". It is a TM problem. Maxis doesn't have this issue at all.
blackbox14
post Aug 9 2025, 08:33 PM

Casual
***
Junior Member
346 posts

Joined: Jul 2012
QUOTE(kwss @ Aug 9 2025, 08:28 PM)
This also means that if you are hit with frequent disconnections, all your devices will suddenly have broken IPv6 due to a stale prefix.

I am sure this is one of the reasons why people say "IPv6 not stable, not stable". It is a TM problem. Maxis doesn't have this issue at all.
*
They haven't fixed this even now?

So let's say my house has a power outage or neighborhood network issue, what will I notice about the IPv6 the way TM does it?
kwss
post Aug 9 2025, 08:52 PM

Regular
******
Senior Member
1,207 posts

Joined: Aug 2018
QUOTE(blackbox14 @ Aug 9 2025, 08:33 PM)
They haven't fixed this even now?

So let's say my house has a power outage or neighborhood network issue, what will I notice about the IPv6 the way TM does it?
*
In this case, nothing.
This problem has been there since day 1. Unifi rolled out IPv6 more than 10 years ago already. The odds they fix it are non-zero, but I would bet it's as good as zero.

You need to get hit with frequent disconnections. Plus your software must lack Happy Eyeballs support.

I think all browsers have had robust Happy Eyeballs support for many years now, so this is less likely to affect user experience.
blackbox14
post Aug 9 2025, 09:14 PM

Casual
***
Junior Member
346 posts

Joined: Jul 2012
QUOTE(kwss @ Aug 9 2025, 08:52 PM)
In this case, nothing.
This problem has been there since day 1. Unifi rolled out IPv6 more than 10 years ago already. The odds they fix it are non-zero, but I would bet it's as good as zero.

You need to get hit with frequent disconnections. Plus your software must lack Happy Eyeballs support.

I think all browsers have had robust Happy Eyeballs support for many years now, so this is less likely to affect user experience.
*
I see. For the time being I guess it is mostly browsers that IPv6 sees use in.

They had a talk about wanting to move to IPv6 for the entire country, but something that seems basic like this is left unfixed by the country's biggest ISP. Lol.
kwss
post Aug 9 2025, 10:13 PM

Regular
******
Senior Member
1,207 posts

Joined: Aug 2018
QUOTE(blackbox14 @ Aug 9 2025, 09:14 PM)
I see. For the time being I guess it is mostly browsers that IPv6 sees use in.

They had a talk about wanting to move to IPv6 for the entire country, but something that seems basic like this is left unfixed by the country's biggest ISP. Lol.
*
If I'm not mistaken, if an app uses the high-level APIs in Android or Apple, it gets Happy Eyeballs too.

So I guess there's even less incentive to fix it, as this will not affect most use cases. Maybe just wait until they get a hardware / system refresh and the problem will be gone by then.

But telco gear has a very long equipment lifespan, so it could be another 10 years. It's not uncommon to have 25-year-old equipment still running in some poorer places.

This is why you see a lot of poor countries that still don't have IPv6. First is the equipment they use. Then it could be lack of expertise.

In many poor countries their telco is basically one big L2 network with VLANs. It's that bad.
blackbox14
post Aug 9 2025, 10:28 PM

Casual
***
Junior Member
346 posts

Joined: Jul 2012
QUOTE(kwss @ Aug 9 2025, 10:13 PM)
If I'm not mistaken, if an app uses the high-level APIs in Android or Apple, it gets Happy Eyeballs too.

So I guess there's even less incentive to fix it, as this will not affect most use cases. Maybe just wait until they get a hardware / system refresh and the problem will be gone by then.

But telco gear has a very long equipment lifespan, so it could be another 10 years. It's not uncommon to have 25-year-old equipment still running in some poorer places.

This is why you see a lot of poor countries that still don't have IPv6. First is the equipment they use. Then it could be lack of expertise.

In many poor countries their telco is basically one big L2 network with VLANs. It's that bad.
*
Yeah, I have heard that some of those places tried to depend on satellite networks like Starlink, but not sure how effective they are.

So in Malaysia's case, if a user were to face the stale prefix issue you mentioned after multiple disconnects, what would the user be able to do about it?

Would I just need to reboot the modem + router after everything is stable again, or do I need to do something like go into ROS and disable/re-enable IPv6?
kwss
post Aug 9 2025, 10:34 PM

Regular
******
Senior Member
1,207 posts

Joined: Aug 2018
QUOTE(blackbox14 @ Aug 9 2025, 10:28 PM)
Yeah, I have heard that some of those places tried to depend on satellite networks like Starlink, but not sure how effective they are.

So in Malaysia's case, if a user were to face the stale prefix issue you mentioned after multiple disconnects, what would the user be able to do about it?

Would I just need to reboot the modem + router after everything is stable again, or do I need to do something like go into ROS and disable/re-enable IPv6?
*
Just disconnect / reconnect your wifi.
Or disable / enable your wired connection.
This will clear out all the stale prefixes on your endpoint.

Just a note: the stale prefix is on the individual device, not on the router.
blackbox14
post Aug 9 2025, 10:42 PM

Casual
***
Junior Member
346 posts

Joined: Jul 2012
QUOTE(kwss @ Aug 9 2025, 10:34 PM)
Just disconnect / reconnect your wifi.
Or disable / enable your wired connection.
This will clear out all the stale prefixes on your endpoint.

Just a note: the stale prefix is on the individual device, not on the router.
*
Thanks. Important to know since I've avoided using v6 until now.
blackbox14
post Aug 12 2025, 02:31 PM

Casual
***
Junior Member
346 posts

Joined: Jul 2012
Successfully set up the Mikrotik router and IPv6 is now working, many thanks again to kwss. It mostly went well except for finding out that my old TP Link router (now an AP) is capped at 96Mbps on Wifi on both 2.4 and 5GHz.

Checking now I can see a bunch of IPv6 entries saying 'radvd invalid MTU 1492'. Are these safe to ignore?

I also made a mistake thinking the IPTV port with vlan600 was not being used all this while. Turns out that a family member had plugged a smart TV into that port which I had always assumed was using WiFi. So while it is not used for Hypp TV in particular, the port was still being utilized. Does this affect security in any way, and should I do the full vlan 600 bridging to one of the ports like my previous router?
kwss
post Aug 12 2025, 08:40 PM

Regular
******
Senior Member
1,207 posts

Joined: Aug 2018
QUOTE(blackbox14 @ Aug 12 2025, 02:31 PM)
Successfully set up the Mikrotik router and IPv6 is now working, many thanks again to kwss. It mostly went well except for finding out that my old TP Link router (now an AP) is capped at 96Mbps on Wifi on both 2.4 and 5GHz.

Checking now I can see a bunch of IPv6 entries saying 'radvd invalid MTU 1492'. Are these safe to ignore?

I also made a mistake thinking the IPTV port with vlan600 was not being used all this while. Turns out that a family member had plugged a smart TV into that port which I had always assumed was using WiFi. So while it is not used for Hypp TV in particular, the port was still being utilized. Does this affect security in any way, and should I do the full vlan 600 bridging to one of the ports like my previous router?
*
Maybe re-crimp your RJ45 cable?
If you have a wall plate, maybe replace them with those rated for CAT6A as well or redo the keystone jack.
This is a common issue if the cable or connection has high error rate. When you change hardware, some work, some don't.

For the MTU warning: in your PPPoE client, set
Max MTU: 1500
Max MRU: 1500
Keepalive Timeout: <empty>
When you upgrade to v7.20, this warning will be gone.

For VLAN600, there is no security issue if you never configure it. If you want to watch it, then just create it.
If memory serves me right, the STB has a Streamyx setting that uses your Internet instead of VLAN600. You may try it and not use the VLAN altogether.
blackbox14
post Aug 12 2025, 08:56 PM

Casual
***
Junior Member
346 posts

Joined: Jul 2012
QUOTE(kwss @ Aug 12 2025, 08:40 PM)
Maybe re-crimp your RJ45 cable?
If you have a wall plate, maybe replace them with those rated for CAT6A as well or redo the keystone jack.
This is a common issue if the cable or connection has high error rate. When you change hardware, some work, some don't.
*
It's a direct connection via RJ45 cable between the hAP AX2 and the Archer C9. Using a CAT6 cable.

I've almost pinpointed the issue to the Archer C9 after about 3 hours of troubleshooting. Tried 2 different cables which can do the full 500Mbps when connected to my personal access point, different ports on both the hAP AX2 and the Archer C9 and even a factory reset, to no avail. I also tried running the Archer C9 in Router mode configured as Access Point (DHCP server and NAT off) and that didn't work either.

In the hAP AX2, it shows that the Archer C9 negotiated Gigabit connection on wired. Only for some reason any wireless connection via the C9 gets capped to 96Mbps max.

EDIT: Forgot to mention that an Archer C7 AP that I have connected via a much longer, Cat5E cable does not suffer from this issue after installing the hAP AX2. I'm getting my usual speeds from it.

QUOTE(kwss @ Aug 12 2025, 08:40 PM)
For the MTU warning: in your PPPoE client, set
Max MTU: 1500
Max MRU: 1500
Keepalive Timeout: <empty>
When you upgrade to v7.20, this warning will be gone.
*
Alright. So this is the MTU issue that was talked about before.

QUOTE(kwss @ Aug 12 2025, 08:40 PM)
For VLAN600, there is no security issue if you never configure it. If you want to watch it, then just create it.
If memory serves me right, the STB has a Streamyx setting that uses your Internet instead of VLAN600. You may try it and not use the VLAN altogether.
*
The set top box is not even functioning. That TV that has been plugged into the IPTV port on the previous router is only used for watching YouTube and Netflix occasionally, so I think based on what you said it should be ok to leave as is.

This post has been edited by blackbox14: Aug 12 2025, 09:11 PM
kwss
post Aug 12 2025, 09:15 PM

Regular
******
Senior Member
1,207 posts

Joined: Aug 2018
QUOTE(blackbox14 @ Aug 12 2025, 08:56 PM)
It's a direct connection via RJ45 cable between the hAP AX2 and the Archer C9. Using a CAT6 cable.

I've almost pinpointed the issue to the Archer C9 after about 3 hours of troubleshooting. Tried 2 different cables which can do the full 500Mbps when connected to my personal access point, different ports on both the hAP AX2 and the Archer C9 and even a factory reset, to no avail. I also tried running the Archer C9 in Router mode configured as Access Point (DHCP server and NAT off) and that didn't work either.

In the hAP AX2, it shows that the Archer C9 negotiated Gigabit connection on wired. Only for some reason any wireless connection via the C9 gets capped to 96Mbps max.

EDIT: Forgot to mention that an Archer C7 AP that I have connected via a much longer, Cat5E cable does not suffer from this issue after installing the hAP AX2. I'm getting my usual speeds from it.
Alright. So this is the MTU issue that was talked about before.
The set top box is not even functioning. That TV that has been plugged into the IPTV port on the previous router is only used for watching YouTube and Netflix occasionally, so I think based on what you said it should be ok to leave as is.
*
Buy the hap ax3 to upgrade your router.
Make the ax2 your new AP.
blackbox14
post Aug 12 2025, 09:33 PM

Casual
***
Junior Member
346 posts

Joined: Jul 2012
QUOTE(kwss @ Aug 12 2025, 09:15 PM)
Buy the hap ax3 to upgrade your router.
Make the ax2 your new AP.
*
Lol, maybe if it goes on sale for low enough. But I don't think the AX2's WiFi performs as well as the C9 for a 2-storey house based on my experience these past several days, and I need something that is at least on the C9's level. Thinking of getting a Deco mesh 2-Pack so I can just do away with the Wireless Repeater.

One last troubleshooting step I will try first is changing the C9's power adapter, if I can find a 12V 4A or 5A one lying around somewhere. I've seen faulty power adapters cause strange issues, so it's worth a shot.
kwss
post Aug 12 2025, 10:11 PM

Regular
******
Senior Member
1,207 posts

Joined: Aug 2018
QUOTE(blackbox14 @ Aug 12 2025, 09:33 PM)
Lol, maybe if it goes on sale for low enough. But I don't think the AX2's WiFi performs as well as the C9 for a 2-storey house based on my experience these past several days, and I need something that is at least on the C9's level. Thinking of getting a Deco mesh 2-Pack so I can just do away with the Wireless Repeater.

One last troubleshooting step I will try first is changing the C9's power adapter, if I can find a 12V 4A or 5A one lying around somewhere. I've seen faulty power adapters cause strange issues, so it's worth a shot.
*
WiFi is kind of like an afterthought for Mikrotik.
If you want to upgrade, might as well jump straight to WiFi 7.
But then again you just bought an all 1G port router.

Maybe install a wall mounted rack so you can install more gear.

Actually APC has a very nice looking sound proof rack. The price is of course very nice as well. At one point I did think about buying it to put a 1U server in.
