DHCPv6-PD over PPPoE on Tagged VLAN Links

DHCPv6-PD over PPPoE on Tagged VLAN Links

Overview

Many ISPs deliver PPPoE over a tagged (802.1Q) VLAN rather than an untagged Ethernet port. When IPv6 is also offered via DHCPv6 Prefix Delegation (DHCPv6-PD) on that same PPPoE session, the configuration requires three stacked layers:

Physical Port (ether1)
  └── VLAN interface (e.g., vlan10, VLAN ID 10)
        └── PPPoE client (pppoe-out1)
              └── DHCPv6-PD client (requests prefix from ISP)

Early RouterOS v7 releases — including v7.1rc1 — had bugs where DHCPv6-PD packets were not forwarded correctly through this stack on certain hardware (notably the RB5009). The symptoms ranged from the DHCPv6 client staying in searching indefinitely to packets being sent on the wrong interface. Upgrading to a stable v7.x release resolves most of these issues.

This guide covers correct configuration, how to isolate the failure layer using a sniffer, and workarounds for cases where upgrading is not immediately possible.

---

Prerequisites

• RouterOS v7.1 or later (stable release recommended; avoid rc/beta builds for production)
• ISP PPPoE credentials (username, password)
• VLAN ID assigned by the ISP (confirm with ISP documentation or an unmanaged pass-through test)
• IPv6 forwarding enabled: /ipv6 settings set forward=yes
• Basic knowledge of IPv6 Prefix Delegation

---

Configuration

Step 1: Create the VLAN Interface

/interface vlan add \
    name=vlan-wan \
    interface=ether1 \
    vlan-id=10 \
    comment="ISP tagged WAN"

Replace ether1 with the physical port facing the ISP and vlan-id=10 with the VLAN ID your ISP requires.

Verify the VLAN interface is running:

/interface vlan print

Step 2: Configure the PPPoE Client on the VLAN Interface

/interface pppoe-client add \
    name=pppoe-out1 \
    interface=vlan-wan \
    user="your-isp-username" \
    password="your-isp-password" \
    add-default-route=yes \
    use-peer-dns=yes \
    disabled=no

Critical: The PPPoE client interface must be the VLAN interface (vlan-wan), not the physical port (ether1). Placing the PPPoE client directly on ether1 when the ISP uses a tagged VLAN will prevent the PPPoE session from establishing.

Wait for the session to connect:

/interface pppoe-client monitor 0 once

The status must show status: connected before proceeding. DHCPv6-PD cannot start without an established PPPoE session.

Step 3: Configure the DHCPv6-PD Client on the PPPoE Interface

/ipv6 dhcp-client add \
    interface=pppoe-out1 \
    request=prefix \
    pool-name=isp-ipv6-pool \
    pool-prefix-length=64 \
    add-default-route=yes \
    use-peer-dns=yes \
    disabled=no

Critical: The DHCPv6 client interface must be the PPPoE logical interface (pppoe-out1), not the VLAN or physical interface. DHCPv6 exchanges happen inside the PPPoE session encapsulation.

Some ISPs also assign a WAN IPv6 address via IA_NA in addition to the delegated prefix. If needed:

/ipv6 dhcp-client set [find interface=pppoe-out1] request=prefix,address

Step 4: Assign Delegated /64s to LAN Interfaces

Once the DHCPv6 client reaches bound status, assign addresses from the pool to LAN segments:

/ipv6 address add interface=bridge-lan from-pool=isp-ipv6-pool advertise=yes

Enable Router Advertisements on the LAN:

/ipv6 nd add interface=bridge-lan ra-interval=30s-60s managed-address-configuration=no

Step 5: Allow DHCPv6 Through the Firewall

DHCPv6 reply packets arrive on UDP port 546 from the ISP server’s link-local address:

/ipv6 firewall filter add \
    chain=input \
    action=accept \
    protocol=udp \
    dst-port=546 \
    src-address=fe80::/10 \
    comment="DHCPv6-PD reply from ISP"

/ipv6 firewall filter add \
    chain=input \
    action=accept \
    protocol=icmpv6 \
    comment="ICMPv6 required for ND and PMTU"

Move these rules above any drop rules in the input chain.

---

Verification

Check PPPoE Session

/interface pppoe-client monitor 0 once

Expected output includes status: connected and an assigned IP address.

Check DHCPv6 Client

/ipv6 dhcp-client print

Expected output:

Flags: D - dynamic, X - disabled, I - invalid
 #  INTERFACE   STATUS  PREFIX               EXPIRES-AFTER
 0  pppoe-out1  bound   2001:db8:abcd::/56   23h57m

Check IPv6 Pool

/ipv6 pool print

Check LAN Addresses

/ipv6 address print

Expect a dynamic global address on bridge-lan drawn from isp-ipv6-pool.

Ping Test

From a LAN client, ping an external IPv6 address:

ping6 2606:4700:4700::1111

---

Troubleshooting

DHCPv6 Client Stuck in searching

The client sends Solicit messages but receives no Advertise from the ISP server.

Step 1 — Isolate the VLAN layer

Test whether the issue is VLAN-specific by connecting the router directly to the ISP without a VLAN (if the ISP supports an untagged fallback or you can test on a different port):

# Temporarily test PPPoE without VLAN
/interface pppoe-client set [find name=pppoe-out1] interface=ether1

If DHCPv6-PD succeeds on the untagged port but not on the VLAN, the problem is in the VLAN–PPPoE–DHCPv6 stack interaction (the known ROS v7.1rc1 issue).

Step 2 — Run a packet sniffer

Capture on the PPPoE interface to confirm Solicit packets are being sent:

/tool sniffer set filter-interface=pppoe-out1 filter-mac-protocol=ipv6
/tool sniffer start
/tool sniffer stop
/tool sniffer packet print detail

Look for DHCPv6 Solicit packets (destination ff02::1:2, UDP src-port 546, dst-port 547). If Solicits are absent, RouterOS is not sending them — check that the client is not disabled and the interface name is correct.

If Solicits appear but no Advertise replies return, the ISP server is not responding. This can mean:

• DHCPv6 is not enabled on the ISP side for your account
• The DUID RouterOS presents is rejected by the ISP
• Firewall is blocking UDP 546 inbound

Step 3 — Check DUID

/ipv6 dhcp-client print detail

Some ISPs bind the delegated prefix to a specific DUID. If you replaced hardware, the DUID changed and the ISP server will ignore requests until the old binding expires or is manually released. The duid field shown in print detail is read-only — RouterOS auto-generates a DUID-LL from the MAC address and it cannot be set manually. If the ISP requires a specific DUID, you must wait for the old binding to expire on the ISP side or contact the ISP to release it.

Step 4 — Upgrade RouterOS

On RB5009 hardware running v7.1rc1, DHCPv6-PD over tagged PPPoE has a known defect where the DHCPv6 Solicit is sent on the underlying physical or VLAN interface instead of the PPPoE tunnel. Upgrading resolves this:

/system package update check-for-updates
/system package update download
/system reboot

After upgrade, re-verify with a sniffer that Solicit packets appear on pppoe-out1.

PPPoE Connects but DHCPv6-PD Never Starts

RouterOS starts the DHCPv6 client when the interface transitions to up. If the client was added before the PPPoE interface existed or while it was down, it may not retry automatically.

Force a restart:

/ipv6 dhcp-client disable [find interface=pppoe-out1]
/ipv6 dhcp-client enable [find interface=pppoe-out1]

Also verify the PPPoE interface name matches exactly:

/interface pppoe-client print
/ipv6 dhcp-client print

Prefix Received But LAN Has No IPv6

1. Confirm pool was populated:

   /ipv6 pool print

2. Confirm from-pool address was added to the LAN interface:

   /ipv6 address print

3. Confirm ND RA is sending on the LAN:

   /ipv6 nd print

4. Confirm ICMPv6 is not blocked on the forward chain.

Link-Local Address Missing on pppoe-out1

DHCPv6 uses link-local addresses as the source for Solicit/Request messages. If the PPPoE interface has no link-local address, DHCPv6 cannot start.

/ipv6 address print where interface=pppoe-out1

If only global addresses appear (or none), the link-local should be auto-generated when the interface comes up. If missing, check whether IPv6 is globally disabled:

/ipv6 settings print

Ensure disable-ipv6=no.

VLAN Interface Not Passing Tagged Frames

On some switch-chip hardware (including RB5009), VLAN interfaces must be correctly configured to pass tagged frames. Verify the VLAN interface is on the correct physical port and that no bridge VLAN filtering is stripping the tag before it reaches the VLAN interface:

/interface vlan print detail
/interface bridge vlan print

If the physical port is part of a bridge with hardware offloading, the bridge’s VLAN filtering may need to be configured to pass the ISP VLAN untagged to the VLAN interface. Alternatively, remove the physical port from the bridge and use the VLAN interface directly:

/interface bridge port remove [find interface=ether1]

---

Complete Configuration Reference

# Enable IPv6 forwarding
/ipv6 settings set forward=yes

# VLAN toward ISP
/interface vlan add name=vlan-wan interface=ether1 vlan-id=10

# PPPoE on the VLAN
/interface pppoe-client add \
    name=pppoe-out1 \
    interface=vlan-wan \
    user="isp-username" \
    password="isp-password" \
    add-default-route=yes \
    use-peer-dns=yes \
    disabled=no

# DHCPv6-PD on the PPPoE interface
/ipv6 dhcp-client add \
    interface=pppoe-out1 \
    request=prefix \
    pool-name=isp-ipv6-pool \
    pool-prefix-length=64 \
    add-default-route=yes \
    use-peer-dns=yes

# Assign /64 to LAN from delegated pool
/ipv6 address add interface=bridge-lan from-pool=isp-ipv6-pool advertise=yes

# Router Advertisements to LAN
/ipv6 nd add interface=bridge-lan ra-interval=30s-60s

# Firewall: permit DHCPv6 reply and ICMPv6
/ipv6 firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=accept protocol=icmpv6
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 \
    comment="DHCPv6-PD reply from ISP"
add chain=input action=drop connection-state=invalid
add chain=input action=drop comment="drop all other input"

---

See Also

• IPv6 Prefix Delegation and DHCPv6 — Full DHCPv6-PD reference
• IPv6 Configuration — General IPv6 setup and SLAAC
• IPv6 NDP and Router Advertisements — RA and ND configuration
• RouterOS documentation: /interface pppoe-client, /ipv6 dhcp-client, /interface vlan