Unifi TMnet Streamyx/Unifi & IPv6, Now live!

rizvanrp
post Oct 18 2013, 04:39 PM

Getting Started
Group Icon
Elite
195 posts

Joined: Sep 2006



Mikrotik Unifi PPPoE IPV6 configuration (tested on RB750 ROS 5.17 + BSRBRF01)

Prerequisites :

i. IPV6 RouterOS modules loaded in System -> Packages (Winbox)
ii. PPPoE Client profile (default) must have IPV6 set to Yes in PPP -> Profiles -> 'default' -> Protocols (Use IPv6 = Yes)

1. Replace "ether1_vlan500_UNIFI" with the name of your Unifi PPPoE client interface :

In terminal :

CODE
/ipv6 dhcp-client add interface="ether1_vlan500_UNIFI" pool-name="pppoev6" disabled=no


2. Terminal on my RouterOS says the commands for IPv6 addressing are invalid .. so use Winbox GUI and go into :

CODE
IPv6 -> Addresses

Add a new IPv6 address :

Address = ::/64
From Pool = pppoev6
Interface = ether2-local-master (replace with your LAN switch master port)
EUI64 = No
Advertise = Yes


3. Disable and enable your PPPoE client interface. It should get a new DHCPv6 prefix which will propagate to your IPv6 address list and LAN clients.

CODE
/interface pppoe-client disable ether1_vlan500_UNIFI; /interface pppoe-client enable ether1_vlan500_UNIFI

...

Reconnect your LAN clients and it should auto negotiate an IPv6 address for them.

** Do not set static /64 prefixes, they appear to be dynamic and unique to your PPPoE session ID and will change upon reconnect.

TCP MSS Fix :

As pointed out by wKkaY, use the MTU flag in the IPv6 RA to advertise the proper link MTU to your clients :

In Winbox :

IPv6 -> ND

Select your default ND (operates on 'all' interfaces by default), change the MTU option to 1480 (or whatever your PPPoE MTU is) :


Old MSS mangle fix below (don't use this unless the above method isn't working for you) :


Faster prefix expiry :

IPv6 -> ND -> Prefixes tab -> Default

Set a 2H/1H valid/preferred lifetime for your prefixes :



Firewall Configuration (Security):

Enabling the IPv6 stack means no NAT to protect you and no firewall rules (by default) to prevent someone from hitting your Mikrotik login at ::0 or your devices behind the router. Set up these firewall rules to protect your network.

Replace "ether1_vlan500_UNIFI" with the name of your Unifi PPPoE client interface :

CODE
/ipv6 firewall filter add action=accept chain=input connection-state=established disabled=no in-interface=ether1_vlan500_UNIFI
/ipv6 firewall filter add action=accept chain=forward connection-state=established disabled=no in-interface=ether1_vlan500_UNIFI
/ipv6 firewall filter add action=accept chain=input connection-state=related disabled=no in-interface=ether1_vlan500_UNIFI
/ipv6 firewall filter add action=accept chain=forward connection-state=related disabled=no in-interface=ether1_vlan500_UNIFI
/ipv6 firewall filter add action=accept chain=input disabled=no dst-port=546 in-interface=ether1_vlan500_UNIFI protocol=udp src-address=fe80::/16
/ipv6 firewall filter add action=drop chain=input disabled=no in-interface=ether1_vlan500_UNIFI
/ipv6 firewall filter add action=drop chain=forward disabled=no in-interface=ether1_vlan500_UNIFI

** input chain rules affect traffic heading to ::0 (your router's public IPv6), forward chain rules affect traffic from your clients behind the router

** Updated firewall rules to whitelist DHCPv6 packets

** MTU value tag used rather than iptables6 mangle for TCP MSS fixing

** Lower prefix expiry (30days/7days vs 2hours/1hour) to match Unifi's dynamic IPv6 prefix distribution

This post has been edited by rizvanrp: Oct 21 2013, 08:40 PM
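
The rule list in the post above, modelled as an added example that is not part of the original post: a first-match evaluator that shows which packets the seven rules accept or drop. The sample packets and the second uplink name `sit1-tunnel` are constructed assumptions; RouterOS accepts a packet that matches no rule, so traffic arriving on any interface other than the one named in the rules is not filtered by them.

```python
import ipaddress
import shlex

WAN = "ether1_vlan500_UNIFI"   # interface name used in the post
TUNNEL = "sit1-tunnel"         # hypothetical second uplink, not from the post
# The seven rules from the post, minus the common "/ipv6 firewall filter add" prefix.
RULES_TEXT = f"""
action=accept chain=input connection-state=established disabled=no in-interface={WAN}
action=accept chain=forward connection-state=established disabled=no in-interface={WAN}
action=accept chain=input connection-state=related disabled=no in-interface={WAN}
action=accept chain=forward connection-state=related disabled=no in-interface={WAN}
action=accept chain=input disabled=no dst-port=546 in-interface={WAN} protocol=udp src-address=fe80::/16
action=drop chain=input disabled=no in-interface={WAN}
action=drop chain=forward disabled=no in-interface={WAN}
"""

def parse_rules(text):
    """One dict of match fields per enabled rule, in list order."""
    rules = [dict(tok.split("=", 1) for tok in shlex.split(line))
             for line in text.splitlines() if line.strip()]
    return [r for r in rules if r.pop("disabled", "no") == "no"]

def matches(rule, pkt):
    """True when every match field of the rule agrees with the packet."""
    for key, want in rule.items():
        if key == "src-address":
            ok = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want)
        else:
            ok = key == "action" or pkt.get(key) == want
        if not ok:
            return False
    return True

def verdict(rules, pkt):
    """First match wins; a packet matching no rule is accepted (RouterOS default)."""
    return next((r["action"] for r in rules if matches(r, pkt)), "accept")

def pkt(chain, iface, state, src="2001:db8::1", proto="tcp", port="443"):
    """Constructed test packet; 2001:db8::/32 is the documentation prefix."""
    return {"chain": chain, "in-interface": iface, "connection-state": state,
            "src-address": src, "protocol": proto, "dst-port": port}

RULES = parse_rules(RULES_TEXT)
if __name__ == "__main__":
    for label, p in [("unsolicited inbound to LAN host", pkt("forward", WAN, "new")),
                     ("DHCPv6 reply from link-local", pkt("input", WAN, "new", "fe80::1", "udp", "546")),
                     ("new inbound on a second uplink", pkt("input", TUNNEL, "new"))]:
        print(f"{verdict(RULES, p):6} {label}")
```
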
rizvanrp
post Oct 18 2013, 09:41 PM




QUOTE(asellus @ Oct 18 2013, 06:55 PM)
Several questions about this:-

1. Did you manage to make the routerOS dialer gets its own /64 prefix? If yes, how did you do it? All I can do is to get a link-local address assigned to the PPPoE interface by TM.

2. For the MSS clamping command, is the command that wkKaY mentioned here works much better? But at least I know now that the minimum I have to go down is 1420. Tried 1432 before and it doesn't work.

3. Have you encountered a bug where, if you recycle your PPPoE connection, which will result of routerOS being reassigned a new /64 prefix, all computers in the network will lose its IPv6 connectivity unless the computers' interface are turned off and on again?
*
1. Nope, it's getting a link local address then negotiating DHCPv6 over that via its DHCPv6 client. I've only seen the rp-pppoe client manage to negotiate a public IPv6 prefix using ICMPv6 RA's .. that's the client being used in TM's routers anyway. I think Mikrotik is using a modified older version of rp-pppoe or proprietary client.

2. For that MSS clamping command, I simply duplicated the mangle rules created by Mikrotiks default PPP profile (Change TCP MSS - yes) and reduced the MSS size by 20 bytes. I was seeing IPv4 headers at 20 bytes and IPv6 headers at 40 bytes .. so I figured reducing the MSS clamping rule by that difference would be enough to accommodate the larger IPv6 header size.

iptables man page also seems to assume a 20 byte MSS difference :

QUOTE
--clamp-mss-to-pmtu
    Automatically clamp MSS value to (path_MTU - 40 for IPv4; -60 for IPv6). This may not function as desired where asymmetric routes with differing path MTU exist --- the kernel uses the path MTU which it would use to send packets from itself to the source and destination IP addresses. Prior to Linux 2.6.25, only the path MTU to the destination IP address was considered by this option; subsequent kernels also consider the path MTU to the source IP address.

I'm not sure why you would need to clamp to PMTU specifically as path MTU discovery in IPv6 doesn't operate the same way as it does in IPv4 and assumes the MTU is that of the link layer interface.

3. There seem to be a few bugs in Mikrotik's IPv6 implementation. I noted a GUI/terminal bug in my guide where I wasn't able to use the exported configuration from the Winbox GUI on the terminal. The router had no issues updating its IPv6 address list upon disabling/enabling the PPPoE client interface however I'm not sure how it would behave if the session hung or was disconnected administratively at the BRAS. Router reboots also seem to cause some instability with its ability to obtain a DHCPv6 lease and distribute the /64 to LAN clients. And yeah, I had to constantly bring the client interfaces down and up in order to get it to update the prefixes.

When I was testing it back at the lab in TM, accounts were assigned static /64 prefixes and I did not need to test DHCPv6 as the rp-pppoe client was able to obtain the prefix by itself. I think it should be possible to script the Mikrotik to rectify these issues though.

rizvanrp
post Oct 18 2013, 10:01 PM




QUOTE(wKkaY @ Oct 18 2013, 09:56 PM)
I'm fairly sure that it is Linux, not rp-pppoe, which does that. If you disable the autoconf sysctl, you will not see any ICMPv6 route solicitations sent.
*
Oh okay. I had to set 4 additional commands inside the rp-pppoe config to get it to obtain an IPv6 address so I assumed it was rp-pppoe

** My bad, it was pppd's config

This post has been edited by rizvanrp: Oct 18 2013, 10:03 PM
rizvanrp
post Oct 19 2013, 12:55 PM




QUOTE(wKkaY @ Oct 18 2013, 10:15 PM)
Well in the case of PPPoE, the MTU of the host's link layer is bigger than the router's.

AFAIK there's two ways to handle this - 1) through RA announcements about the smaller MTU (not sure whether this is honored by popular OSes), or 2) MSS clamping (which breaks end-to-end principle). The fallback is PMTU discovery.
*
Setting a smaller MTU in the RAs seems possible using the IPv6 -> ND option in RouterOS

QUOTE(asellus @ Oct 19 2013, 11:16 AM)
The highlighted part is what annoyed me to date with this router. Never encountered the problem before with the HE tunnel maybe because HE gives out static /64 and /48. Do you know how to script this so that there is no need to recycle the Ethernet/wireless interfaces in the computers/tablets in the network when a /64 has been assigned?

My new TP-Link TL-WR1043ND with OpenWRT that I have prepared for my other Streamyx 1Mb account doesn't suffer from that problem.
*
I just tested using both my Windows/Linux boxes.

i. Manually changing the IPv6 address in ROS or disabling/enabling the PPPoE client (sending a PPPoE terminate request and obtaining a new /64 prefix), the Mikrotik sends out an RA and the clients will have the previous + current /64's bound
ii. A BRAS session reset from the headend results in the same behavior from the client .. so hung sessions or administrative disconnects shouldn't be a problem

My Linux client doesn't seem to be unaffected when having multiple /64 prefixes on the interface. Refreshing the client interface may only be needed if you want to purge the older invalid prefixes but it doesn't seem to affect the ability for the clients to utilize IPv6 as long as one of the prefixes is valid. I've tried getting the Routerboard to force the clients to drop the older prefix but nothing seems to work so far.

Interestingly, during one of the server side session terminates I requested.. I was reassigned the same IPv4 address but my IPv6 prefix was incremented by 1.. so it seems the IPv6 prefix isn't being derived from the IPv4 value but rather the session identifier itself.
rizvanrp
post Oct 21 2013, 01:43 PM




QUOTE(wKkaY @ Oct 21 2013, 06:27 AM)
I've been investigating the MTU issue more closely now that I have IPv6 working at home.

I think it's a problem specific to Mikrotik. MTU for the PPPoE interface is set to 1480 by default. So if you use clamp values that you found through googling, they might not work if calculated to assume an MTU of 1492.

Further compounding the problem, it appears that an ICMPv6 Packet Too Big isn't sent back to the host in this case.

In my opinion, the best solution on the Mikrotik is to set your IPv6 -> ND -> MTU advertisement to match your PPPoE interface MTU. Doing it this way is less hackish than writing mangle rules for the router to change the TCP MSS. Furthermore the MTU hint will be usable by protocols other than TCP.
*
Agreed, the mangle rules have an additional disadvantage of using more resources on the router. Setting the MTU flag in the RAs seems to work

My only remaining issue is getting rid of the expired v6 prefixes once the session is killed. My home server interface currently looks like this.. :

CODE
         inet6 addr: 2001:e68:5420:15bf:16da:e9ff:fe98:e847/64 Scope:Global
         inet6 addr: 2001:e68:5420:15bd:16da:e9ff:fe98:e847/64 Scope:Global
         inet6 addr: 2001:e68:5420:15bc:16da:e9ff:fe98:e847/64 Scope:Global
         inet6 addr: 2001:e68:5420:15bb:16da:e9ff:fe98:e847/64 Scope:Global
         inet6 addr: 2001:e68:5420:15ba:16da:e9ff:fe98:e847/64 Scope:Global
         inet6 addr: 2001:e68:5420:15b9:16da:e9ff:fe98:e847/64 Scope:Global
         inet6 addr: 2001:e68:5420:15b8:16da:e9ff:fe98:e847/64 Scope:Global
         inet6 addr: 2001:e68:5420:1590:16da:e9ff:fe98:e847/64 Scope:Global
         inet6 addr: 2001:e68:5420:1585:16da:e9ff:fe98:e847/64 Scope:Global
         inet6 addr: 2001:e68:5420:1583:16da:e9ff:fe98:e847/64 Scope:Global
         inet6 addr: fe80::16da:e9ff:fe98:e847/64 Scope:Link
         inet6 addr: 2001:e68:5420:1583:46:f4ff:fe2c:93f0/64 Scope:Global
         inet6 addr: 2001:e68:5420:1581:46:f4ff:fe2c:93f0/64 Scope:Global

rizvanrp
post Oct 21 2013, 07:16 PM




QUOTE(Alpha Wolf @ Oct 21 2013, 06:43 PM)
I was having the same issue with RA clients preferring the older prefixes over the newer ones, thus accumulating a long list of v6 addresses. For wireless devices, this can be fixed by disconnecting and reconnecting to the network. But this can be troublesome. The solution is to shorten the lifetime these prefixes remained preferred in the RA daemon. Most ISPs provide static prefixes as v6 prefixes are meant to be static in general, hence why RA daemons have it set to 1 day or more. For some reason, TM is handing out dynamic prefixes. If your router uses radvd like mine for RAs, you can configure this in the config file within the prefix section:

Otherwise, look for settings related to the time advertised prefixes remain valid.
Adjustable in IPv6 -> ND -> Prefixes -> Default for RouterOS

No Unifi at my site so maybe someone else with a Mikrotik can test if it works
rizvanrp
post Oct 21 2013, 08:47 PM




QUOTE(wKkaY @ Oct 21 2013, 08:39 PM)
Ahh yeah Windows has that problem. I did some reading and found one way to address it: the router sends a 0-second ValidLifetime RA to "clear" the prefix. This probably isn't supported by Mikrotik though.
*
RA is sent immediately after configuration is applied, should be able to script this right?

CODE
/ipv6 nd prefix add autonomous=yes disabled=no interface=ether2-master-local on-link=yes preferred-lifetime=0s prefix=2001:e68:dead:beef::/64 valid-lifetime=0s


This post has been edited by rizvanrp: Oct 21 2013, 08:47 PM
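
Tying together the accumulated-address listing posted earlier and the zero-lifetime command in the post above, as an added example that is not part of the original thread: it parses an ifconfig-style listing, finds every global /64 other than the current one, and emits one withdraw command per stale prefix in the form quoted above. The listing uses constructed addresses under the documentation prefix 2001:db8::/32, and which prefix counts as current is an assumption passed in by the caller.

```python
import ipaddress
import re

# Constructed listing in the same format as the one posted in the thread;
# 2001:db8::/32 is the documentation prefix, not the poster's addresses.
IFCONFIG = """\
          inet6 addr: 2001:db8:5420:15bf:16da:e9ff:fe98:e847/64 Scope:Global
          inet6 addr: 2001:db8:5420:15bd:16da:e9ff:fe98:e847/64 Scope:Global
          inet6 addr: 2001:db8:5420:15bc:16da:e9ff:fe98:e847/64 Scope:Global
          inet6 addr: fe80::16da:e9ff:fe98:e847/64 Scope:Link
          inet6 addr: 2001:db8:5420:15bd:46:f4ff:fe2c:93f0/64 Scope:Global
"""

def global_prefixes(text):
    """Distinct /64 networks of all Scope:Global addresses, in the order seen."""
    seen = []
    for addr, scope in re.findall(r"inet6 addr:\s*(\S+)\s+Scope:(\w+)", text):
        net = ipaddress.ip_interface(addr).network
        if scope == "Global" and net not in seen:
            seen.append(net)
    return seen

def stale_prefixes(text, current):
    """Every global prefix on the host except the one currently delegated."""
    current = ipaddress.ip_network(current)
    return [net for net in global_prefixes(text) if net != current]

def withdraw_commands(text, current, lan_interface):
    """One zero-lifetime ND prefix entry per stale /64 (command form from the thread)."""
    return [f"/ipv6 nd prefix add autonomous=yes disabled=no interface={lan_interface} "
            f"on-link=yes preferred-lifetime=0s prefix={net} valid-lifetime=0s"
            for net in stale_prefixes(text, current)]

if __name__ == "__main__":
    # Assumption: the 15bf prefix is the one the router currently advertises.
    for cmd in withdraw_commands(IFCONFIG, "2001:db8:5420:15bf::/64", "ether2-master-local"):
        print(cmd)
```
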
rizvanrp
post Oct 21 2013, 09:35 PM




QUOTE(wKkaY @ Oct 21 2013, 08:57 PM)
Hmm you might be on to something!

Mikrotik wiki has a code snippet that can be used together with that: http://wiki.mikrotik.com/wiki/Manual:Scrip...ce_have_changed
*
Something like this maybe?

CODE
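:log info "IPv6 Check Start";

# DHCPv6 client pool to read the prefix from, and the interface the prefix is advertised on
:local poolname "pppoev6";
:local intname "ether1-gigabit-master";

# oldV6 is global so that its value persists between runs of the script
:global oldV6;
:local newV6;
:set newV6 [/ipv6 pool get $poolname prefix];

# First run: nothing stored yet, so remember the current prefix
:if ([:typeof $oldV6] = "nothing") do={
    :set oldV6 $newV6;
}

# Prefix changed: advertise the old prefix with zero lifetimes, then remove the entry
:if ($newV6 != $oldV6) do={
    :log info "Mismatch -- killing old prefix";
    :log info "Current -- $newV6";
    :log info "Previous -- $oldV6";
    /ipv6 nd prefix add autonomous=yes disabled=no interface=$intname on-link=yes preferred-lifetime=0s prefix=$oldV6 valid-lifetime=0s;
    /ipv6 nd prefix remove [/ipv6 nd prefix find prefix=$oldV6];
    :set oldV6 $newV6;
}

:log info "IPv6 Check Stop";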

I was trying to grab the prefix directly from the interface but no luck, kept getting garbage so I ended up pulling from the DHCPv6 client pool instead

** Updated the if check for the previous IPv6 prefix

This post has been edited by rizvanrp: Oct 21 2013, 10:17 PM
rizvanrp
post Feb 23 2014, 03:04 AM




QUOTE(klseet @ Feb 23 2014, 02:23 AM)
Both my house (VIP10) & office (Biz10) are in the same area and seem to connect to the same exchange:
But I'm not getting any v6 on office Biz10...

Call TM tech support, they sent 2 guys but can't resolve, they forward the case to network team ....

The thing is, if I use my home a/c (@unifi) login at office then I can get v6
But if I use my office a/c (@unifibiz) login at home, there is no v6 ...

So it seem to me the v6 feature is somehow "tag" with a/c, regardless of location
I try to explain this to TM, they check & re-check both the a/c, insist they are the same

TM's tech explanation is that, it could be "the network path is different for the Biz a/c, also v6 has not fully deployed yet ...." so basically TM can't do anything now, I'll just have to wait ...

Kinda of strange & usual to me, I thought it should deploy by area rather than by login a/c

Does anyone here experience the same ?
*
Hey seet, if I'm not mistaken Unifibiz static IP users get a static /56 IPv6 prefix as well (at least this is what I'm seeing on one of my BIZ10 lines). It could be possible that they haven't provisioned a prefix for your account.
rizvanrp
post Feb 25 2014, 03:25 PM




QUOTE(warlove3 @ Feb 25 2014, 11:32 AM)
Dynamic IP BIZ account also need to apply? lol, i wonder how they allocate the address to us
*
It seems only biz accounts created after the IPv6 implementation have a v6 prefix assigned to them. Those on biz accounts created prior to that need to request for a v6 prefix.. non biz users get a dynamic lease based on the PPPoE session.

 
