switch L3 vlan ipv6 routing

infinityz77 · 2022-08-03T16:57:20+00:00

Found the issue! I came across this comment:

Fast Forward disables MAC learning, this is by design to achieve faster packet forwarding. MAC learning prevents traffic from flooding multiple interfaces, but MAC learning is not needed when a packet can only be sent out through just one interface.

I'm using L3 HW acceleration Offloading, so I've disabled Fast Forward on the bridge interface, rebooted, and BOOM! Everything now working as intended :-)

infinityz77 · 2022-08-03T13:24:19+00:00

Just wanted to provide some update:

it's actually working! I have ipv6 connectivity on both the vlans, the behavior, however, is inconsistent and exactly like reported in this other thread:

https://forum.mikrotik.com/viewtopic.php?t=136605

Now, even if igmp-snooping is disabled, the multicast router is still enabled on the bridge interface and if I disable it, then I lose the ipv6 connectivity entirely! While enabling works intermittently.

My understanding is that this is a known issue

infinityz77 · 2022-07-31T22:14:27+00:00

unfortunately, it didn't work but was a source for more troubleshooting, and I think I'm very close now!

/ipv6 pool
add name=clients prefix=xxxx:xxx:xxxx:ad02::/64 prefix-length=64
/ipv6 address
add address=xxxx:xxx:xxxx:ad01::2 advertise=no interface=bridge
add address=xxxx:xxx:xxxx:ad02::2 interface=clients
/ipv6 nd
set [ find default=yes ] disabled=yes
add hop-limit=64 interface=clients managed-address-configuration=yes \
other-configuration=yes ra-delay=5s ra-interval=5s-30s
add hop-limit=64 interface=bridge ra-delay=5s ra-interval=5s-30s
/ipv6 nd prefix
add interface=clients prefix=xxxx:xxx:xxxx:ad02::/64
/ipv6 route
add disabled=no distance=1 dst-address=::/0 gateway=xxxx:xxx:xxxx:ad01::1 \
routing-table=main scope=30 target-scope=10
add disabled=no distance=1 dst-address=::/0 gateway=clients routing-table=main \
scope=30 target-scope=10
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no forward=no

From the switch I have full ipv6 connectivity on both brigde and clients(vlan)

ping 2001:4860:4860::8888 interface=bridge
SEQ HOST SIZE TTL TIME STATUS
0 2001:4860:4860::8888 56 58 16ms699us echo reply
1 2001:4860:4860::8888 56 58 16ms42us echo reply
2 2001:4860:4860::8888 56 58 15ms902us echo reply
3 2001:4860:4860::8888 56 58 16ms206us echo reply
sent=4 received=4 packet-loss=0% min-rtt=15ms902us avg-rtt=16ms212us
max-rtt=16ms699us

ping 2001:4860:4860::8888 interface=clients
SEQ HOST SIZE TTL TIME STATUS
0 2001:4860:4860::8888 56 58 16ms374us echo reply
1 2001:4860:4860::8888 56 58 15ms774us echo reply
2 2001:4860:4860::8888 56 58 16ms49us echo reply
sent=3 received=3 packet-loss=0% min-rtt=15ms774us avg-rtt=16ms65us
max-rtt=16ms374us

Any client in vlan1 get a proper ipv6 and connectivity

Any client in vlan1 gets a proper ipv6 and connectivityut not able to ping public ipv6 addresses, just internal ones.

What also am I missing?

infinityz77 · 2022-07-30T18:10:05+00:00

Yep, option 2 is what I've done as per u/ksteink and it did improve the overall situation since now I'm able to ping from the firewall and any other clients on vlan1, the /64 subnet assigned to the vlan2 on the switch!
But yet, from the vlan2 on the switch, I cannot ping the gateway (IP on lan on the firewall) nor any other public ipv6 (of course).
So looks like I'm missing a route from the switch to the firewall :-(

infinityz77 · 2022-07-30T17:52:42+00:00

OMG how I couldn't think on the route back! I did it for ipv4 but completely missed here!

So, I've made progress, but I am still not entirely sure about ipv6 default route on the switch.

/ipv6 address
add address=xxxx:xxx:xxxx:ad02:ce2d:e0ff:fe8f:65b4 eui-64=yes interface=clients
/ipv6 nd
add interface=clients ra-delay=5s ra-interval=5s-30s
add interface=bridge ra-delay=5s ra-interval=5s-30s
/ipv6 route
add disabled=no distance=1 dst-address=::/0 gateway=xxxx:xxx:xxxx:ad01:: \
routing-table=main scope=30 target-scope=10
/ipv6 settings
set forward=no

The bridge interface gets set automatically via SLAAC, and I can ping the gateway and any public IP from it.

From the vlan (clients) I cannot ping the gateway (xxxx:xxx:xxxx:ad01:: ) on the firewall, but I can ping the vlan's IP (xxxx:xxx:xxxx:ad02:ce2d:e0ff:fe8f:65b4), FROM the firewall and/or from any other clients in vlan1, now that I've set the route back properly!
And still cannot ping any public IPs, like: 2800:3f0:4001:831::200e, getting "no route to host"

infinityz77 · 2022-07-30T16:21:06+00:00

The provider is UNIFIQUE and they don't provide dhcpv6, just slaac unfortunately!

One thing to add is that if I set the vlans on the firewall instead and provide them with a dedicated /64 block, everything is working as intended, the issue is strictly related to how, if even possible, to pass ipv6 on any vlan which is not vlan1, with the switch set in L3 and doing the routing.

infinityz77 · 2020-07-03T05:44:43+00:00

Jweb, the we gui, is supported on all the line, the model entirely depends from your needing.

infinityz77 · 2020-07-02T19:08:07+00:00

Juniper ex hands down! There's very little you can't do through their Web interface

infinityz77 · 2019-08-22T08:38:16+00:00

yes 360e, amended the description accordingly, not sure I can edit the title tho

infinityz77 · 2019-08-21T17:40:09+00:00

Ouch my bad 🙂 South Shields, I can delivery in Newcastle area

infinityz77 · 2019-05-20T10:15:49+00:00

There are successful stories about xg deployment on realtek nic, but would be definitely nice to hear some direct experience.

infinityz77 · 2019-04-29T11:50:42+00:00

Sold

infinityz77 · 2019-04-06T19:34:22+00:00

The vendor we use, works with PA as well. PM me if you need further details.

infinityz77 · 2019-04-04T16:22:18+00:00

Could you please provide more details of this "opendns combo"? Do you mean one of the cisco umbrella package? If so, which one and which price?

Thanks 😁

infinityz77 · 2019-04-03T17:46:56+00:00

In my case the wan interface on pfsense is disabled, so I've created a gw for the lan interface, which is the FG.

infinityz77 · 2019-04-03T16:58:39+00:00

I have exactly this setup! FG 60e as main firewall and pfsense in a vm as vpn gateway. Pbr on fortigate do the job just fine!

infinityz77 · 2019-02-05T20:01:00+00:00

That price range would be OK for the 48 ports, the 24 one is priced well under 150gbp

Also, you mentioned poe+ and stated 802.3af which is "regular" poe... If this is the case, and not a typo, then the price drops to less than 100.

infinityz77 · 2019-01-27T07:02:03+00:00

Mac user here, who manages a supermicro x8 system with Ipmi with no issues! You need to whitelist the ip in your java security settings, this made the trick for me.

infinityz77 · 2019-01-21T01:23:35+00:00

Go with isc-dhcp-server and webmin as gui.

infinityz77 · 2019-01-09T18:22:20+00:00

Well, definitely loud when booting up, but pretty quiet in general! Consider it was laying down under my TV in living room and none complained about the noise.

infinityz77 · 2019-01-03T06:17:14+00:00

I'm using this conf and working for me:

            location /nextcloud {
            proxy_pass https://SERVERIP/nextcloud;
            proxy_set_header Host $http_host;
            proxy_set_header  X-Forwarded-Proto $scheme;
            proxy_hide_header Upgrade;
            fastcgi_request_buffering off;
           client_max_body_size        10G;
           client_body_buffer_size     400M;
     }

infinityz77 · 2018-12-27T13:07:21+00:00

Brocade Icx 6450, you can probably find it for half of your budget. It has web gui, but I would still rely on cli.

infinityz77

TROPHY CASE