6to4 Tunnel via Hurricane Electric on MikroTik - Address Validity Issue

snailbat · December 24, 2025, 7:36am

I’m trying to set up a 6to4 tunnel via Hurricane Electric’s Tunnel Broker, but I’m having trouble understanding why the assigned IPv6 addresses are showing up as Invalid.

My ISP provides a static IPv4 address via DHCP as a service:

/ip dhcp-client print
Columns: INTERFACE, USE-PEER-DNS, ADD-DEFAULT-ROUTE, STATUS, ADDRESS
# INTERFACE  USE-PEER-DNS  ADD-DEFAULT-ROUTE  STATUS  ADDRESS
;;; defconf
0 ether1     yes           yes                bound   95.31.176.92/30

After configuring the 6to4 tunnel, the IPv6 addresses appear with the Invalid flag:

/interface 6to4 add comment="Hurricane Electric IPv6 Tunnel Broker" disabled=no local-address=95.31.176.92 mtu=1280 name=sit1 remote-address=216.66.80.30
/ipv6 route add comment="" disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:1f0a:684::1 scope=30 target-scope=10
/ipv6 address add address=2001:470:1f0a:684::2/64 advertise=no disabled=no eui-64=no interface=sit1

Interface status looks okay:

/interface 6to4 print
Flags: R - RUNNING
Columns: NAME, MTU, ACTUAL-MTU, LOCAL-ADDRESS, REMOTE-ADDRESS, DSCP
#   NAME   MTU  ACTUAL-MTU  LOCAL-ADDRESS  REMOTE-ADDRESS  DSCP
;;; Hurricane Electric IPv6 Tunnel Broker
0 R sit1  1280        1280  95.31.176.92   216.66.80.30    inherit

But the IPv6 address is marked as invalid:

/ipv6 address print
Flags: I - INVALID; D - DYNAMIC; G - GLOBAL, L - LINK-LOCAL
Columns: ADDRESS, INTERFACE, ADVERTISE
#     ADDRESS                    INTERFACE  ADVERTISE
0 IDL fe80::3:5f1f:b07a/64     sit1       no
1 I G 2001:470:1f0a:684::2/64  sit1       no

The default route also shows as inactive:

/ipv6 route print
Flags: I - INACTIVE; s - STATIC
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
#    DST-ADDRESS  GATEWAY               ROUTING-TABLE  DISTANCE
0 Is 2000::/3     2001:470:1f0a:684::1  main           1

IPv6-in-IPv4 (protocol 41) is explicitly allowed in the firewall:

/ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
 0    ;;; Allow Protocol 41 for 6to4 Tunnel
      chain=input action=accept protocol=ipv6-encap
 1    chain=output action=accept protocol=ipv6-encap
...

Any ideas why the address and route remain Invalid and Inactive? Is there something missing in the configuration or a MikroTik-specific requirement I’m overlooking?

> /system/routerboard/print
       routerboard: yes           
        board-name: hAP ac lite   
             model: RB952Ui-5ac2nD
     serial-number: 71AF053C2238  
     firmware-type: qca9531L      
  factory-firmware: 3.36          
  current-firmware: 7.20.6        
  upgrade-firmware: 7.20.6

Thanks in advance!

snailbat · December 24, 2025, 8:53am

My apologies to the community! I forgot to run:

/ipv6/settings/set disable-ipv6=no