Mind posting your configuration of IPv6 > DHCP Client?
Does the Status says "bound"?

This bug has been fixed years ago, it shouldn't happen again and I frankly don't think we are dealing with the same problem.

Can you post the configuration of your IPv6 DHCP Client?
Not just show that one line status.

Hi, I check back your post, so I assumed you also checked IPv6 > ND > Prefixes as described by soonwai on Sep 2023.

Now I just want to confirm what you said previously:
You check your Network Adapter properties and IPv6 address is gone?

How many devices you have on your network that exhibit this characteristic? Do they also have missing IPv6 address?
Are they all running Windows?

For TM BNG problem, the characteristic is different from what you are seeing. You will get IPv6 address, it will work for a while, it will then stop working. But you will still see IPv6 address attached to your network adapter.

If the IPv6 address is still attached to your network adapter, can you compare them to the prefix bounded in your RouterOS?

Do you use any security product other than the built-in Windows Defender?
I have come across Mcafee Endpoint Security blocking Router Advertisement randomly and it exhibit the exact same characteristic faced by you.

I am still trying to understand what is happening in your setup.
Does it work if you connect directly to the Mikrotik with a LAN cable?

Another theory would be the switch or wireless AP you are using chew up multicast packet.

Hi,
Sorry if you have to repeat the following check

IPv6 > DHCP Client. Note the prefix. Verify status is "bound".
IPv6 > ND > Prefixes. Note the prefix. There must be only 1 entry and it is "Dynamic".
IPv6 > Addresses. Note the IPv6 address for your bridge.

Are the prefix all the same?

If they are the same, do the following:
Go to Tools > Ping

Ping To: 2606:4700:f1::1
Interface: <Your dialer>

Did you get a echo reply?

When you upgrade your RouterOS, did you also upgrade the matching firmware?
Check via:
System > RouterBOARD
Current Firmware == Upgrade Firmware

This post has been edited by kwss: Jan 2 2024, 09:48 AM

Can you take a screenshot of:
Bridge > Ports

Also in the setting of your bridge:
1. Is IGMP Snooping is checked?
2. Screenshot of IGMP Snooping setting further down

Something in your Layer 2 is broken.
IGMP Snooping just provides the containment.
You need to find out why. IGMP Snooping might or might not be the best solution.

For RouterOS, this feature is documented here:
https://help.mikrotik.com/docs/pages/viewpa...pageId=59277403

There is a Monitoring and troubleshooting section. I have to say Mikrotik documentation is very bad but that's where you start.

You need a hypothesis first. In this case I suspect one of your device is flooding your Layer 2 with multicast packet until it triggered storm control. Hence you get dropped multicast packet.

When IGMP Snooping is enabled, Mikrotik stop broadcasting those packet. You did not post your IGMP Snooping configuration, so I assume it's the default. By default RouterOS will forward unknown multicast, even when IGMP Snooping is enabled, so you can rule that out already.

There are several factor to look at, any IP address or MAC that show up is doing multicast and they should all be suspect. That's the starting point.

The strategy:
Most accurate is to mirror the port and start packet capture to see if they are multicasting.
Least accurate is just unplug anything that shows up in the list one by one until it works without IGMP Snooping.

The usual trigger:
Slow device.
Example: Your access port is 1Gbps but have slower device like 100mbps or even 10mbps.

The usual suspect:
Ghost server, media server, multi function printer. Literally anything that's not your typical corporate laptop, PC, server.

Anything that offers plug and play network discovery is also a suspect.

I do not know your network at all. If you have a detailed network diagram that would be helpful for me to give you hint on where to look first.

For the packet capture, it depends on where you want to capture. You can do it on your switch if it supports port mirroring.
On RouterOS it's in Tool > Packet Sniffer.
I always use Streaming and stream it to my PC / laptop connected via LAN.
Then just Wireshark it.
From here onward it is up to you to decide what constitute normal or abnormal in your network. Like I said, I don't know your network.

I think when you reboot your router, you just need to disconnect / disable your network adapter and enable it again.
On phone, just disconnect / reconnect wifi.
This is a known problem for TM because they did not follow best practice for IPv6 deployment. Their mindset is stuck in dial-up era.
Actually many people in this forum has the exact same mindset and seems to have a distinction for business vs home user when it comes to IPv6. This is the root cause of all the issues.

If anyone is interested in IPv6 best practice for service provider, there is an article here:
https://www.ripe.net/publications/docs/ripe-690

What's the model of your Mikrotik?
I think it's better we do it the easy way.
Unplug everything from your Mikrotik, plug in just one computer and see if the problem occur.

Plug in more stuff and repeat the test.

When you said still occurring, it's with everything disconnected, including all wifi devices?

Disable everything, in every tab, under IPv6 > Firewall. For your model it will work.

Do not buy another Mikrotik. It's a brand that live in the past where IPv6 is like refugee. Not even second class citizen.

If your use case is simple home use, any consumer brand perform better.

Mikrotik bad OS is the problem, not IPv6.
TM didn't following even one of best practices is the problem, not IPv6.

Telling people to disable IPv6 simply because you feel Mikrotik equals superiority is plain wrong.

I am gonna suggest something you hate. Can you netinstall your RouterOS and reconfigure again?

It's a Mikrotik problem.
It's TM problem.
So many people complain about gaming and others but you never say it's IPv4 problem.

It is an option if the user decide that's the way forward, given the full context and list the actual problem.

I already gave him the option to disable IPv6 Firewall and never buy another Mikrotik again if his use case don't need it.

However I have a problem with people wording it as IPv6 is not mature, blah blah and disable until 2025.

It's time to move away from dual-stack network. It's double the work, double the trouble and it didn't solve IPv4 exhaustion problem.

People who insist to stay on IPv4 is clearly incompetent and lazy. Everyone who run dual-stack are appeasing to them.

That's your opinion and I have no problem if user chose it given they have full context and know what is the problem.

You gotta be kidding me when you said it's not double the work and double the trouble. You clearly don't run a huge network. I wrote about it in Unifi forum when somebody else imply the same thing.

If you need perimeter security to save you, your security is clearly broken. The default IPv6 firewall rules in Mikrotik merely emulate NAT by allowing established connection and drop the rest.

This post has been edited by kwss: Jan 6 2024, 11:30 PM

I said it merely emulates NAT by accepting established connection and drop everything else.
I didn't say it do NAT per RFC or what not.

You are going further and further away by bringing in XLAT464, name drop Cisco, etc.
You tell people to disable IPv6 without context I will call you out again, and again, and again.

Enlighten me what Mikrotik default IPv6 firewall rule does. I am ready to learn from you how it beats client side firewall, or even when there's no open port client side.

The rules you posted confirm exactly what I mention. Accept established connection and drop everything else. Obviously you posted your custom rule there as well but the gist is that it emulate NAT. Whatever connection not established will be dropped, hence the term NAT firewall.

I just did a project for pure IPv6 core using Segment Routing v6. IPv4 is at the edge using stateless NAT64 and NAT46 to provide IPv4 as a Service.

You dislike XLAT464, you have your reason. I never mention it, never bring it up. You keep talking as it's the one and only way forward.

Yes dual stack need to die. It is going to die.
Incompetent people like you don't want it gone because you don't need to do IPv6.

Still waiting for enlightenment how that IPv6 rule beats client-side firewall. Suddenly get more name drop Xbox, DHCPv6, SLAAC, Allah, Bhudha, Shodan.

Shodan really? Those are IPv4. Papa is old. Don't cheat old people.

This rule did it. Not sure why you keep harping on iptable. How Mikrotik did it delivers what I described.

I did it for hyperscaler, not eyeball network. But I am sure the same method works with CGNAT, where they get their address via IPv4 as a service. CPE side continue as its with dual stack.

See, you quickly say my method don't work for you without any context, as if I don't know Steam don't work with NAT64 or XLAT464.

I glossed over because you are blaming one security issue on IPv6, plus you lie about Shodan.

So many IPv4 network get hacked everyday yet nobody call it the IPv4 problem. Everything that showed up in Shodan is very well IPv4 problem, or is it?
When the term "IPv6" appear, suddenly it's all IPv6 fault.
Is it a Layer 3 protocol problem or is it a general security issue?

ipv6.speedtest.net?

Because I am not sure if it fits your requirements. Speedtest.net lack a lot of details.

speed.cloudflare.com provides more detail and more real world but you cannot control which server you use. Its tuned for eyeball network use case.

Plus none of them measure IMIX forwarding speed. They are all purely big packet "top speed" test.