Fanes
just joined
Topic Author
Posts: 5
Joined: Sat Feb 24, 2024 11:19 pm

RB5009 and a DS Lite problem

Sun Mar 03, 2024 7:19 pm

Hi folks,
new MikroTik user here. I just bought an RB5009 to use as a DSL router in my home setup.
I get a connection to my provider and all IPv6 operation seems to be running fine with my configuration (attached below).

The DS-Lite tunnel is set up, but not working. I tried several example configs, but none is working.
Maybe someone of you can spot the mistake and give me a hint, what to try.

Setup of the RB5009 starts with a reboot and holding the reset button till the sfp-led is flashing, then connecting via ssh and pasting the attached config.
So it's just the password change before filling it up with the config. Firewall rules etc are the default settings.

Thanks in advance for any help.
Mikrotik-RB009-Fanes-Forum.txt
 
Fanes
just joined
Topic Author
Posts: 5
Joined: Sat Feb 24, 2024 11:19 pm

Re: RB5009 and a DS Lite problem

Mon Mar 04, 2024 9:33 pm

I tried to get a bit more into the problem.
The PPPoE and DS-Lite tunnel should be according to RFC like that:
# Add PPPoE Interface for DSL-uplink to my provider
/interface/pppoe-client/add interface=ether1_WAN name=pppoe-1und1 user=123abc password=yyyyyyy use-peer-dns=yes disabled=no add-default-route=yes allow=pap,chap,mschap2 

# Add PPPoE Interface to WAN-List
/interface/list/member/add interface=pppoe-1und1 list=WAN

# Add DHCP-Client for PPPoE v6 connection - request prefix only
/ipv6/dhcp-client/add interface=pppoe-1und1 request=prefix prefix-hint=::56 pool-name=1und1_v6 use-peer-dns=yes pool-prefix-length=56 rapid-commit=yes

# Get a DHCP address from the given pool for the pppoe Interface
/ipv6/address/add from-pool=1und1_v6 interface=pppoe-1und1 

# Add DS-Lite Tunnel (no real dual stack available sadly) AFTR: aftr.online.versatel.de - 2001:1438:fff:30::1
/interface/ipipv6/add !keepalive name=DS-Lite-Tunnel remote-address=2001:1438:fff:30::1 local-address=::

# Add IPv4 address for the DS-Lite tunnel
/ip/address/add interface=DS-Lite-Tunnel address=192.0.0.2/29 network=192.0.0.0

# Add route for IPv4 traffic to DS-Lite-Gateway
/ip/route/add dst-address=0.0.0.0/0 gateway=192.0.0.1 
Routing should be fine, I see the tx counters go up for the DS-Lite Tunnel.
Do I need to add the DS-Lite Tunnel to the WAN Interface list?
Or any special firewall settings?
IPv6 is working as mentioned in the last post, so as a WAN interface it should fit in the default firewall rules.

Has anyone a DS-Lite setup and can ping the 192.0.0.1 on the provider side? I can't do that, but I don't know if this is the default or a sign, that my tunnel is faulty.

Greetings
Florian
 
halz
just joined
Posts: 3
Joined: Tue Mar 05, 2024 6:31 pm

Re: RB5009 and a DS Lite problem

Tue Mar 05, 2024 7:31 pm

Hello! A small world, I also have 1und1 with an RB5009 and am trying to get DS-Lite to work. It appears to be very very close, but something is still missing on the router.

I have been running a separate 1und1 DSL connection with a working DS-Lite/AFTR setup at the same time as trying to get this working with a separate 1und1 fiber connection. At the moment, the RB5009 (right side of the screenshot) is correctly emitting packets to the AFTR gateway-- or at least, the packets look the exact same as what are coming from the working Fritzbox (using its internal traffic capture feature). Just still trying to track down what needs to be altered on the Mikrotik to have it route the return traffic correctly.

Ping'ing 192.0.0.1 from within the tunnel on the RB5009 does not return a response. I have not been able to test from within the Fritzbox, unfortunately. I believe it would return a response if it was working, however.

Earlier during the setup, I noticed that the Mikrotik was happy to emit malformed packets into the ipip6tunnel: the packets would look like this attached image.

Edit: It looks like the missing piece is that some ip firewall mangle route marks need to be added for the traffic to get routed in/out of the tunnel properly. Still troubleshooting (this thread was the tip-off viewtopic.php?t=44827)
 
Fanes
just joined
Topic Author
Posts: 5
Joined: Sat Feb 24, 2024 11:19 pm

Re: RB5009 and a DS Lite problem

Wed Mar 06, 2024 12:48 pm

Hi Halz,

I think I found my error. I used (and hoped) for a ::/56 prefix, BUT I should have known from former tests with my opnsense firewall, that 1und1 just gives you a /64.
If you just use a ::/64 prefix request, then disable your pppoe, (important) delete all ipv6 from the former pool in the /ipv6/addresses, then re-enable the pppoe..... it should work.
I played with it a bit, and every time I tried with a ::/56 my DS-Lite tunnel stopped working. My problem seems to have been in this area.

I think in your screenshot the blue line is strange. The line above is what I would expect, especially knowing the aftr.online.versatel.de address is the destination address in the line above the blue.
 
halz
just joined
Posts: 3
Joined: Tue Mar 05, 2024 6:31 pm

Re: RB5009 and a DS Lite problem

Wed Mar 06, 2024 2:39 pm

Thanks, got it working after all here as well. It seems like in my case, the /56 prefix delegation is working A-OK via the following:
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=1und1-pool request=prefix
...
[admin@MikroTik] /ipv6/pool> print
Flags: D - DYNAMIC
Columns: NAME, PREFIX, PREFIX-LENGTH, EXPIRES-AFTER
#   NAME        PREFIX                  PREFIX-LENGTH  EXPIRES-AFTER
0 D 1und1-pool  2001:9e8:960:3000::/56             64  2d23h36m16s
What I ended up doing was setting
/ipv6/settings/set accept-router-advertisements=yes
in order to get a SLAAC address on the 'PPPoE Client' interface with the correct prefix (it was at least different than what I was picking up through the delegated prefix). Previously I was attempting to assign an address to the pppoe client interface from the delegated prefix pool.

Also needed to make sure that "check-gateway" was disabled for the 0.0.0.0/0 route to 192.0.0.1 and that the route was not marked 'unhealthy'. Since the icmp check fails, the route was being marked unhealthy and traffic would not be routed over it.

Observing that neither 192.0.0.1 nor aftr.online.versatel.de/2001:1438:fff:30::1 will respond to ICMP even while this is working. However, 192.0.0.1 does report back during icmp traceroute, so one may use
ping -t 2 192.0.0.1
to get a TTL exceeded response back from it. But this does not seem possible to configure into the "check-gateway" route option. Oh well.
 
Fanes
just joined
Topic Author
Posts: 5
Joined: Sat Feb 24, 2024 11:19 pm

Re: RB5009 and a DS Lite problem

Wed Mar 06, 2024 3:37 pm

Yes, the router says it got a /56, but tries to give out /64 to subnets. I got a "pool exhausted" message in the addresses box every time.
Do you use multiple subnets and got it working with IPv6? If that's the case I'll need to try again :)
 
halz
just joined
Posts: 3
Joined: Tue Mar 05, 2024 6:31 pm

Re: RB5009 and a DS Lite problem

Thu Mar 07, 2024 2:30 pm

Yes, it's working with up to 256 /64 subnets (coming off the /56)
/ipv6 address
add from-pool=1und1-pool interface=bridge
add from-pool=1und1-pool interface=vlan100
add from-pool=1und1-pool interface=vlan200
coming up with addresses...
[admin@MikroTik] /ipv6/address> print where advertise
Flags: G - GLOBAL
Columns: ADDRESS, FROM-POOL, INTERFACE, ADVERTISE
 #   ADDRESS                 FROM-POOL   INTERFACE  ADVERTISE
 4 G 2001:9e8:943:d500::/64  1und1-pool  bridge     yes
 7 G 2001:9e8:943:d505::/64  1und1-pool  vlan100    yes
10 G 2001:9e8:943:d506::/64  1und1-pool  vlan200    yes
where the pool is..
/ipv6/pool> print
Flags: D - DYNAMIC
Columns: NAME, PREFIX, PREFIX-LENGTH, EXPIRES-AFTER
#   NAME        PREFIX                  PREFIX-LENGTH  EXPIRES-AFTER
0 D 1und1-pool  2001:9e8:943:d500::/56             64  2d23h30m59s
 
Fanes
just joined
Topic Author
Posts: 5
Joined: Sat Feb 24, 2024 11:19 pm

Re: RB5009 and a DS Lite problem

Sun Mar 10, 2024 6:07 pm

With a bit of fiddling around and parts of your config (prefix-request=::/56, but prefix=::/64) I got it working too :)

The only way I could get it to give proper addresses/ranges to the vlan-interfaces was your cli version of it.
/ipv6 address
add from-pool=1und1-pool interface=bridge
add from-pool=1und1-pool interface=vlan100
add from-pool=1und1-pool interface=vlan200
From Winbox it wasn't accepted.
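
Added example, not part of the thread and not RouterOS code: a simplified Python model of how a pool's prefix length limits the number of interfaces that can take a block from a delegated prefix. Compare `pool-prefix-length=56` in the first config with `PREFIX-LENGTH 64` in the pool printouts. The class and function names are hypothetical, and handing out blocks in sequential order is an assumption; RouterOS may pick blocks in a different order.

```python
import ipaddress


class PrefixPool:
    """Simplified model: a delegated prefix carved into fixed-size blocks."""

    def __init__(self, delegated, prefix_length):
        self.net = ipaddress.IPv6Network(delegated)
        if prefix_length < self.net.prefixlen:
            raise ValueError("pool prefix length is shorter than the delegation")
        self.prefix_length = prefix_length
        # Generator over every block of the requested size inside the delegation.
        self._free = self.net.subnets(new_prefix=prefix_length)
        self.assigned = {}

    def capacity(self):
        """Number of blocks the pool can hand out in total."""
        return 2 ** (self.prefix_length - self.net.prefixlen)

    def allocate(self, interface):
        """Give the next free block to an interface (sequential order assumed)."""
        try:
            block = next(self._free)
        except StopIteration:
            raise RuntimeError("pool exhausted") from None
        self.assigned[interface] = block
        return block


def assign_all(delegated, prefix_length, interfaces):
    """Try to give every interface a block; record the failure text otherwise."""
    pool = PrefixPool(delegated, prefix_length)
    result = {}
    for iface in interfaces:
        try:
            result[iface] = str(pool.allocate(iface))
        except RuntimeError as exc:
            result[iface] = str(exc)
    return result


if __name__ == "__main__":
    delegated = "2001:9e8:943:d500::/56"  # prefix taken from the pool printout
    # Pool prefix length 64: a /56 holds 256 blocks, so every interface gets one.
    print(assign_all(delegated, 64, ["bridge", "vlan100", "vlan200"]))
    # Pool prefix length 56: the whole delegation is a single block.
    print(assign_all(delegated, 56, ["pppoe-1und1", "bridge", "vlan100"]))
```

With a pool prefix length of 56 on a /56 delegation, the first `from-pool` address consumes the only block, so every later interface fails in this model.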
