RouterOS / MikroTik router configuration export to connect to the Orange/Sosh Livebox 4 fiber ONT (IPv4 + IPv6)

routeros_configuration_orange.txt

# jan/13/2020 08:34:56 by RouterOS 6.46.1
#
# notes: \
#   - wan to orange ont on ether1; \
#   - lan to ap/switch on ether2; \
#   - ipv4 + ipv6 w/ fw rules; \
#   - using routeros dns cache for lan, proxying to the dns servers advertised by orange's dhcpv4 server; \
#   - direct plug your computer w/ wireshark to your livebox 4 fiber ethernet port and reboot it, inspect the dhcpv4 packat in wireshark and extract the value of 'authsend'; \
#   - the cos tag needs to be set to 6 to be accepted by the ont dhcpv4/v6 server (from default 0), this may not be required depending on your ont, check for the cos flag sent by your livebox 4 when sniffing its traffic
#
# model = RB750Gr3

/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge-lan protocol-mode=none
add name=bridge-wan protocol-mode=none

/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan speed=1Gbps
set [ find default-name=ether2 ] name=ether2-lan speed=1Gbps
set [ find default-name=ether3 ] disabled=yes name=ether3-noop speed=1Gbps
set [ find default-name=ether4 ] disabled=yes name=ether4-noop speed=1Gbps
set [ find default-name=ether5 ] disabled=yes name=ether5-noop speed=1Gbps

/interface vlan
add comment="ONT Internet" interface=ether1-wan name=vlan832-internet vlan-id=832

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip dhcp-client option
add code=77 name=userclass value=0x2b46535644534c5f6c697665626f782e496e7465726e65742e736f66746174686f6d652e4c697665626f7834
add code=90 name=authsend value="0x0000000000000000000000XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
add code=60 name=vendor-class-identifier value=0x736167656d

/ip pool
add name=dhcp-lan ranges=10.0.1.10-10.0.1.254

/ip dhcp-server
add address-pool=dhcp-lan disabled=no interface=bridge-lan lease-time=1w name=defconf

/ipv6 dhcp-client option
add code=11 name=authsend value="0x0000000000000000000000XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
add code=15 name=userclass value=0x002b46535644534c5f6c697665626f782e496e7465726e65742e736f66746174686f6d652e6c697665626f7834
add code=16 name=vendor-class-identifier value=0x0000040e0005736167656d

/queue interface
set ether1-wan queue=ethernet-default
set ether2-lan queue=ethernet-default
set ether3-noop queue=ethernet-default
set ether4-noop queue=ethernet-default
set ether5-noop queue=ethernet-default

/interface bridge filter
add action=set-priority chain=output comment="CoS should be 6 for Orange DHCPv4" dst-port=67 ip-protocol=udp mac-protocol=ip new-priority=6 out-interface=vlan832-internet passthrough=yes
add action=set-priority chain=output dst-port=547 ip-protocol=udp mac-protocol=ipv6 new-priority=6 out-interface=vlan832-internet

/interface bridge port
add bridge=bridge-lan comment=defconf interface=ether2-lan
add bridge=bridge-lan comment=defconf disabled=yes interface=ether3-noop
add bridge=bridge-lan comment=defconf disabled=yes interface=ether4-noop
add bridge=bridge-lan comment=defconf disabled=yes interface=ether5-noop
add bridge=bridge-wan interface=vlan832-internet

/ip neighbor discovery-settings
set discover-interface-list=none

/ip settings
set rp-filter=strict

/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes

/interface list member
add comment=defconf interface=ether1-wan list=WAN
add comment=defconf interface=bridge-lan list=LAN

/ip address
add address=10.0.1.1/24 comment=defconf interface=bridge-lan network=10.0.1.0

/ip cloud
set update-time=no

/ip dhcp-client
add dhcp-options=vendor-class-identifier,clientid,userclass,authsend disabled=no interface=bridge-wan

/ip dhcp-server network
add address=10.0.1.0/24 comment=defconf dns-server=10.0.1.1 domain=home gateway=10.0.1.1 netmask=24

/ip dns
set allow-remote-requests=yes cache-max-ttl=1d max-concurrent-queries=200 max-concurrent-tcp-sessions=50 query-server-timeout=3s

/ip dns static
add address=10.0.1.1 name=router.lan

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="NAT LAN to WAN" out-interface=bridge-wan

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes

/ip ssh
set forwarding-enabled=remote strong-crypto=yes

/ip upnp
set enabled=yes

/ip upnp interfaces
add interface=bridge-wan type=external
add interface=bridge-lan type=internal

/ipv6 address
add address=::1 from-pool=dhcp-wan interface=bridge-lan

/ipv6 dhcp-client
add add-default-route=yes dhcp-options=authsend,userclass,vendor-class-identifier interface=bridge-wan pool-name=dhcp-wan request=prefix

/ipv6 firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input protocol=icmpv6
add action=accept chain=input dst-port=546 in-interface=bridge-wan protocol=udp src-address=fe80::ba0:bab/128
add action=drop chain=input
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN
add action=accept chain=forward protocol=icmpv6
add action=drop chain=forward

/ipv6 nd
set [ find default=yes ] advertise-dns=no

/system clock
set time-zone-name=Europe/Paris

/system identity
set name="MikroTik Router"

/system note
set note="XXX XXX <[email protected]> - Authorized administrators only. Access to this device is monitored."

/system ntp client
set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org

/system resource irq rps
set ether1-wan disabled=no
set ether2-lan disabled=no
set ether3-noop disabled=no
set ether4-noop disabled=no
set ether5-noop disabled=no

/system watchdog
set watchdog-timer=no

/tool bandwidth-server
set enabled=no

/tool mac-server
set allowed-interface-list=none

/tool mac-server mac-winbox
set allowed-interface-list=none

/tool mac-server ping
set enabled=no

My setup is as follows:

• Sosh (by Orange) fiber subscription, 300Mbps symmetric;
• Orange ONT (Huawei), plugged on the MikroTik router eth1 port;
• MikroTik RB750Gr3: https://www.amazon.com/Mikrotik-RB750Gr3-5-port-Ethernet-Gigabit/dp/B01MSUMVUB;
• RouterOS version v6.46.1 on the MikroTik (older versions may not work with IPv6, due to the DHCPv6 client);
• Apple Time Capsule Gen 4 used in bridge mode as a switch + WiFi AP, plugged on the MikroTik router eth2 port;
• Eaton 550VA ~300W UPS.

Requirements before setup:

• Livebox 4 (not in use in final setup, but please get this configured and working first with your fti/ ; you'll need it to sniff its DHCPv4 authentication traffic with the ONT in order to get the hex-encoded credentials sent in authsend by your final Mikrotik router).

Goal:

• Replace the Livebox 4 with my own router, get it to work with both IPv4 and IPv6.

Notes on the configuration example provided:

• Make sure you replace all "XX", "XXX" and "XXXXXXX..." sequences.
• Also, user / password configuration is not included, so please configure your RouterOS user first w/ a secure password.

⚠️ Changes I made after the RouterOS configuration was exported on jan/13/2020 (not in the configuration above, apply diff if needed):

1. Replace ISP peer DNS resolvers w/ Cloudflare's 1.1.1.1:

• Reason: more stable due to ~1h outage of ISP DNS resolvers and also much more secure as it enforces DNSSEC on all resolved domains;
• Configuration:

/ip dns
set allow-remote-requests=yes cache-max-ttl=1d max-concurrent-queries=200 max-concurrent-tcp-sessions=50 servers=1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001 verify-doh-cert=yes

• Also disable use-peer-dns on dhcp-client for IPv4 and IPv6 stacks so that RouterOS does not mix up custom resolvers with ISP ones:

/ip dhcp-client
add dhcp-options=[...your rules here] use-peer-dns=no

/ipv6 dhcp-client
add dhcp-options=[...your rules here] use-peer-dns=no

2. Add a new property on the IPv6 DHCP Client:

• Reason: might soon be required by ISP (Orange France), as it was shared by other users on online forums which saw it appear on their updated ISP-provided Livebox routers;
• Configuration:

/ipv6 dhcp-client option
add code=17 name=vendor-opts value=0x000005580006000e495056365f524551554553544544

3. Forcibly renew DHCP leases if fiber goes down:

• Reason: it happened once that there was a maintenance somewhere in the street fiber connections, my ONT lost optical connection for about ~15 minutes, and once fiber came back unfortunately the Internet connection did not. I had to power cycle the MikroTik router, which fixed the issue. My guess is that the ISP expected the router DHCP Client to send back a request, which RouterOS did not as it believed it was still in bound state (as it cannot physically see when the fiber connection is lost). The fix consists of sending periodic ping probes to WAN servers to test for IP connectivity on each protocol version, if all IPs fail to respond then it means the connection is most likely down, therefore we should put the DHCP client down, and back up again, which puts it in a searching... state (note that simply calling renew does not work; using release works but it allocates a new IPv4, which I don't want). This has been tested and fixes the issue I had, replicated by unplugging the fiber from the ONT, waiting more than 10 minutes, confirming that no packets could be routed to WAN anymore, and then executing the script and confirming WAN routing worked back again. Note that it is important to ping at least 2 different providers, as you do not want the WAN connection to be deemed down if eg. the Google Public DNS target IPs are all down (more providers is better, 2 providers is the minimum);
• Configuration:

/system script
add dont-require-permissions=no name=connection-check-wan policy=read,write,test source="\
    \n  :local interface \"bridge-wan\"\
    \n  :local attempts 3\
    \n  :local backoff 500ms\
    \n\
    \n  :if ([ /ping 1.1.1.1 interface=\$interface count=\$attempts ] = 0 \\\
    \n          && [ /ping 8.8.8.8 interface=\$interface count=\$attempts ] = 0) do={\
    \n    :log warn \"toggling WAN IPv4 interface down and up again...\"\
    \n    /ip dhcp-client disable [ find interface=\$interface ];\
    \n    :delay \$backoff;\
    \n    /ip dhcp-client enable [ find interface=\$interface ];\
    \n    :log error \"forced WAN IPv4 rebinding due to loss of connectivity\"\
    \n  }\
    \n\
    \n  :if ([ /ping 2606:4700:4700::1111 interface=\$interface count=\$attempts ] = 0 \\\
    \n          && [ /ping 2001:4860:4860::8888 interface=\$interface count=\$attempts ] = 0) do={\
    \n    :log warn \"toggling WAN IPv6 interface down and up again...\"\
    \n    /ipv6 dhcp-client disable [ find interface=\$interface ];\
    \n    :delay \$backoff;\
    \n    /ipv6 dhcp-client enable [ find interface=\$interface ];\
    \n    :log error \"forced WAN IPv6 rebinding due to loss of connectivity\"\
    \n  }\
    \n"

/system scheduler
add interval=10m name=connection-check-wan on-event=connection-check-wan

For some reason, ipv6 was disabled on my router, I had to add: /ipv6 settings set disable-ipv6=no.