Hello
Does anyone have a working configuration ?
T-mobile only gives a single address /64 to routeros no prefix.
Do I need to setup NAT for this? If so what type of NAT?
I'm trying to avoid having a double NAT
But I can't seem to find a way to make IPV6 work with T-Mobile home internet without having to use NAT
Is it possible to have IPv6 firewall only while T-Mobile gateway is providing the IP address to clients, routeros device would be a bridge but also running firewall?
Thanks for the help.

Well, another one ISP who think that ipv6 "is the same as" ipv4. Single /64 for WAN port is ok, but push them that they need to read the docs and also give you /48 or /56 for LAN. Their implementation is totally wrong.

You are correct.
In the mean time in stuck with the problem.
Any suggestions?

Nowadays, most MNOs typically assign a /64 prefix to mobile devices and the same applies to T-Mobile. For details regarding T-Mobile, Google "T-Mobile IPv6 /64 Prefix" or call T-Mobile tech support.

If you want/need subnetting using a stationary broadband router, here are some options:
- Request a /48 or /56 prefix from the T-Mobile. Explain that you need it for a stationary broadband router.
- Use ULA and NAT66.
- Request additional /64 prefixes.
- Split the /64 prefix internally and use NAT66. This is a nonstandard approach and you'll need to use DHCPv6 since it won't work with SLAAC.

Well, I think it's possible to src-nat via wan /64 and use link-local only for LAN, but I haven't such experience, can't give some detailed advise.

As previously mentioned, T-Mobile assigns a /64 prefix as standard and it might be pretty hard to explain the different subnet options if you're not familiar with IPv6.

As a personal side note, the initial intent with IPv6 was to provide everyone with enough subnet space (prefixes) and host addresses to directly address all possible devices eliminating the need for src-nat. However IMO the IPv6 adoption plan has gone totaly awry. For instance, I encounter more ULA/NAT66 implementations than I would ever expect although some are regulated for specific use cases like for banking, etc.

Total agree thanks

I think for now NAT is the way to go
That's exactly what i can't find, a working example of how to configure it for T-Mobile single /64
Everything that I find is for a customer that gets prefixes from other carriers
Anyone out there with a working config willing to share it ?

How do I split the /64 internally and use NAT66?

IPv6 subnetting works just like IPv4, meaning you divide the /64 prefix into smaller parts, each of which has to use its own DHCPv6 server for the respective subnet.

There are plenty of resources online. For more detailed information, Google "subnet IPv6 /64 prefix" and "MikroTik NAT66."

However, I’d start by asking T-Mobile for a larger prefix such as /48 or /56.

They won't do it
It's useless to talk to them
I'll follow your advise

Is it true ipv6 DHCP in routeros doesn't work, I keep reading that every time I search about the subject
Otherwise I would NAT a single /64 address no different than ipv4 but I can't find any guide in how to NAT66 on routeros that applies to my scenario

It's working alright, though you'll need to be more specific about your intentions regarding subnetting and NATting, for example if you plan to use ULA or specify a prefix, etc. Additionally, including a brief overview of your network topology might help members of this forum better understand your needs.

It's working alright, though you'll need to be more specific about your intentions regarding subnetting and NATting, for example if you plan to use ULA or specify a prefix, etc. Additionally, including a brief overview of your network topology might help members of this forum better understand your needs.

its a simple home network nothing fancy no vlans etc.

T-Mobile gateway (IPv6) ---> mikrotik RB5009UG+S+IN (main router and capsman controller) ---> 3 other mikrotiks configured as access points for wireless stuff in the house (using capsman)

IPv6 subnetting works just like IPv4, meaning you divide the /64 prefix into smaller parts, each of which has to use its own DHCPv6 server for the respective subnet.

There are plenty of resources online. For more detailed information, Google "subnet IPv6 /64 prefix" and "MikroTik NAT66."

However, I’d start by asking T-Mobile for a larger prefix such as /48 or /56.

yes i have done that not much comes up when you look for "NAT66 Mikrotik", there is a lot of theory out there but not specific examples for a simple NAT configuration the way you would with IPv4

Mike,

Here's what you need to do:

1. Get a public GUA IPV6 /48 block from Hurricane electric. If you sign up for a free account they will give you a /48. Don't use the tunnel though as you won't be able to build a tunnel. T-Mobile's CGNAT will block it. You are signing up just to get a /48 GUA. Don't waste your time trying to get IPV6 to work with ULAs. Your computers will prefer IPV4 over ULA IPV6 and your browsers will keep picking IPV4 over IPV6 ULA. Many people say this works, but I could never get my browsers to pick the IPV6 ULA. There is a hack that you have to apply to every single computer to do it. I don't know that it will work on a mobile device though when you use ULAs.
2. Create a private pool on your RB5009 using the /48 GUA that you received from HE
3. Assign a /64 to each of your VLANs. You say you don't use VLANs so just assign a /64 to your bridge.
4. Go to IPV6/Firewall/nat and build a rule where the source address is the block that you got from HE and out interface list = WAN.

I've had T-Mobile internet for 2+ years. It's in a dual WAN config with Spectrum. It took me a while to get this to work.

Yes I'm using IPV6 NAT -- and in general everybody recommends that you don't do that. However when you only get a /64 you don't have any good options. On my RB5009 ether1 goes to Spectrum and ether2 to the T-Mobile 5G router. T-Mobile's 5G router only gets a /64 from T-Mobile. It doesn't have any ability to do prefix delegation even if you do manage to get someone at T-Mobile who even understands what you are asking for when you ask for a /48 or /56. I have over 500 business internet lines with them and I still can't get anyone on the wireless side to comprehend why I want a /48 or /56 at each site. Their entire network is designed to support a phone and any device connected to it. Their internet service behaves in the same way.

/ipv6 pool
add name=HE-Private-Pool prefix=<HE GUA prefix obtained in step 1>::/48 prefix-length=64

/ipv6 address
add disabled=no eui-64=no from-pool=Hurricane-Private-Pool interface=VLAN_110
## do this for each VLAN. If you don't use VLANS then assign it to your bridge.

/ipv6 dhcp-client
## this statement gets you an IPV6 address on your uplink to T-Mobile's 5G router.
add comment="WAN2 connected to T-Mobile router" disabled=no interface=ether2-WAN2 \
pool-name=T-Mobile request=address

/ipv6 firewall nat
add action=masquerade chain=srcnat comment=\
"IPV6 NAT when ether2 is connected directly to T-Mobile Router" out-interface-list=WAN \
src-address=<GUA block from HE>::/48

Good luck! Hopefully I've pointed you in the right direction. If you only have T-Mobile as your ISP and you only use ether1 as your WAN port then replace ether2 in the steps above with ether1.

The moment you are forced to use NAT66/NPTv6 etc, you are breaking IPv6 specs and going back to NATted IPv4 world.

I'd suggest raising hell and going public on their support on Twitter etc and ask them from a /56 PD as per BCOP-690.

I understand and agree. No mobile vendor in the US gives you anything but a /64. They are all in the dark ages. I have also spoken to their architects and they won't commit to anything other than a /64 at this time.

I also pay for 500 business internet lines across the US and that doesn't get me any benefit either.