Access IPv6 address behind Mikrotik on OPNsense

Hello Community,
I’m new to the Mikrotik field and am trying to solve an IPv6 problem.

I’m running a Mikrotik Chateau LTE6 as backup WAN beside my normal cable connection on an OPNsense. Internet and fallback work fine as they should for both lines on the OPNsense.
Now I would like to connect to some services on the OPNsense via that Mikrotik LTE WAN connection over IPv6, as I’m behind CGNAT for IPv4.
I would like to reach my NGINX proxy on the OPNsense via IPv6 through the Mikrotik: LTE → Mikrotik ↔ OPNsense → LAN

1.) Mikrotik IPv6 is enabled and works. I received an IPv6 prefix via LTE:

[admin@MikroTik] > ipv6/address/print 
Flags: D - DYNAMIC; G - GLOBAL, L - LINK-LOCAL
Columns: ADDRESS, INTERFACE, ADVERTISE
#    ADDRESS                                    INTERFACE         ADVERTISE
0 D  ::1/128                                    lo                no       
1 DL fe80::f61e:57ff:fe15:a690/64               bridgeLocal       no       
2 DG fec0:0:0:ffff::1/64                        bridgeLocal       no       
3 DG 2a00:20:c054:a8f3::/64                     bridgeLocal       yes      
4 DG 2a00:20:c054:a8f3:f61e:57ff:fe15:a690/128  bridgeLocal       no       
5 DG 2a00:20:c054:a8f3:200:ff:fe00:0/128        Vodafone LTE      no       
6 DL fe80::b76f:a4e9:f821:ba2/64                back-to-home-vpn  no       
;;; back-to-home-vpn
7 DG fc00:0:0:216::1/64                         back-to-home-vpn  yes

2.) The OPNsense behind the Mikrotik also received an IPv6 address from the Mikrotik:
[screenshot: opnsense_lte_wan.png]
3.) But I’m unable to reach the OPNsense WAN_LTE IPv6 address from the Internet.

Here is the current IPv6 ruleset. I have only tested with ICMPv6, not with HTTP/HTTPS traffic.

/ipv6 firewall filter
add action=accept chain=input comment="Permit ICMP" protocol=icmpv6
add action=accept chain=forward in-interface="Vodafone LTE" out-interface=bridgeLocal protocol=icmpv6
add action=accept chain=forward comment=established,related connection-state=established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix=ipv6,invalid

It looks like I’m missing some IPv6 firewall rules for the traffic to the OPNsense. But it’s not clear to me how I can create them on a “dynamic basis” because of the changing prefix.

  • How can I forward/allow the IPv6 traffic from the Mikrotik to the OPNsense WAN_LTE?
  • Is there a workaround for the changing IPv6 prefix? The IPv6 address on the OPNsense WAN_LTE will change too after a restart of the Mikrotik.
  • Maybe ULA?

Later I will use the service from IPv64.net via a port mapper and DynDNS to reach the system by IPv4 as well. But they just tunnel the data through IPv6 to me,
so the IPv6 connection is the basis for it. On the OPNsense all IPv6 traffic from the LTE_WAN is currently allowed.

As a side note: Back-To-Home WireGuard to the Mikrotik works fine via IPv6 from my mobile device via the DNS name generated by Mikrotik. But I would like to connect to the NGINX proxy on the OPNsense without VPN.

I’m thankful for any hints. I hope that my problem is well described and all the needed information is there as a first step.
Thank you!

You will need a forward rule that allows traffic from WAN to LAN with a matching protocol, port and destination address.
In IPv6 we usually come across problems because of the dynamic prefix delegation and privacy extensions used by devices for their suffixes.
You have 2 options:

  1. SLAAC tokenization or EUI64 for static suffixes, a system script that updates an address list which is later used as the destination address list in the forward firewall rule, and a DDNS service that lets you update the DNS record with the client’s address via HTTPS requests and the fetch tool in RouterOS.
  2. Use a ULA prefix on your LAN, then route that traffic through a single IPv6 GUA address, basically IPv6 NAT. You will still need SLAAC tokenization or EUI64 for “static” IPv6 suffixes.

This is what I use on my setup for option 1 with only GUA addresses:
Firewall rule with TCP port 65501 as an example:
ipv6 firewall filter add action=accept chain=forward comment="ACCEPT PORT FORWARD TCP" dst-address-list=PortForward dst-port=65501 protocol=tcp

My script to update the destination address list is not the cleanest one, but it does its job:

/system script add dont-require-permissions=yes name=PortForward owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="# advertised (non link-local) address on LAN-Bridge, e.g. 2001:db8:1:2::abcd/64\
    \n:local text2 \"\$[put [/ipv6 address get [find interface=LAN-Bridge advertise !link-local] address as-string-value]]\"\
    \n# cut everything from the :abcd suffix on, leaving only the prefix part 2001:db8:1:2:\
    \n:local text3 \"\$[:pick \$text2 0 [find \$text2 \":abcd\"]]\"\
    \n:local text4 \"\$text3\"\
    \n# fixed EUI-64 suffix of the target host\
    \n:local text5 \"2e0:4cff:fe68:eca\"\
    \n# prefix + suffix = current GUA of the target\
    \n:local text6 \"\$text4\$text5\"\
    \n# entry 40 is the old PortForward entry; remove [find list=PortForward] would not depend on the entry number\
    \nipv6 firewall address-list remove numbers=40\
    \nipv6 firewall address-list add list=PortForward address=\$text6\
    \n:log info \"IPv6 PortForward address added!\""

Where:
LAN-Bridge is my bridge where I delegate a /64 from my provided /56 PD.
:ABCD is the suffix set on the interface; it is removed since we only need the prefix.
The text “2e0:4cff:fe68:eca” is my EUI64 suffix, which is later combined with the prefix obtained from LAN-Bridge.
The script removes the discarded entry number 40 with the old prefix+suffix, then adds it again with the new prefix+suffix combination.
Since my connection is PPPoE, I set the PPP profile to run the script as an “on up” action; when the Internet reconnects, the script is executed and the address list entry is updated automatically.

If you choose the second option, with ULA + GUA IPv6 NAT, your destination address will always be the same ULA prefix + EUI64/tokenized suffix, and you won’t need a script. It’s your choice.
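A worked configuration for the second option (ULA inside, dst-nat on the router), added here as an example; it is not taken from the thread above or from MikroTik documentation. It uses the interface names from the question (bridgeLocal, "Vodafone LTE"). The ULA prefix fdb3:9c2e:4a10:1::/64, the OPNsense WAN_LTE address ::2 inside it and the address-list name opnsense-lte-wan are placeholders: generate your own random RFC 4193 prefix and use the stable suffix OPNsense actually presents (a static ULA address on WAN_LTE, or its EUI-64 suffix if WAN_LTE uses SLAAC). Because the forward chain in the question has no terminal rule and RouterOS accepts anything no rule matches, the example closes the chain with an explicit drop, so it also has to allow the LAN-to-LTE traffic that the default policy used to let through.

```routeros
# Added example (not the thread author's config). Placeholders to replace:
#   fdb3:9c2e:4a10:1::/64   random ULA /64 for the LAN bridge (RFC 4193)
#   fdb3:9c2e:4a10:1::2     stable ULA of the OPNsense WAN_LTE interface
#   opnsense-lte-wan        address-list name

# 1. Advertise a ULA /64 on the LAN bridge next to the dynamic GUA prefix.
#    The GUA keeps changing with the LTE prefix; the ULA never does.
/ipv6 address add address=fdb3:9c2e:4a10:1::1/64 interface=bridgeLocal advertise=yes comment="ULA for stable inside addressing"

# 2. Keep the NAT/filter target in an address list so no rule carries a literal.
/ipv6 firewall address-list add list=opnsense-lte-wan address=fdb3:9c2e:4a10:1::2/128 comment="OPNsense WAN_LTE (ULA, stable)"

# 3. Translate HTTP/HTTPS arriving on the LTE interface to the OPNsense ULA.
#    The router's own GUA changes with the prefix, so match on interface and
#    port instead of on a destination address. Only the nginx ports are exposed;
#    this also means port 80/443 of the router itself is no longer reachable
#    from the LTE side, which is usually what you want.
/ipv6 firewall nat add chain=dstnat in-interface="Vodafone LTE" protocol=tcp dst-port=80,443 action=dst-nat to-address=fdb3:9c2e:4a10:1::2 comment="HTTP/HTTPS -> OPNsense nginx proxy"

# 4. Source NAT for hosts that only have a ULA. Replies to the dst-nat above are
#    un-translated by connection tracking, and OPNsense also has a SLAAC GUA,
#    so this rule only matters for ULA-only LAN hosts talking to the Internet.
/ipv6 firewall nat add chain=srcnat out-interface="Vodafone LTE" src-address=fdb3:9c2e:4a10:1::/64 action=masquerade comment="ULA-only hosts -> LTE GUA"

# 5. Forward chain, appended after the existing icmpv6 / established,related /
#    invalid rules from the question. dst-nat runs before the forward chain,
#    so the filter already sees the translated ULA destination.
/ipv6 firewall filter add chain=forward in-interface="Vodafone LTE" dst-address-list=opnsense-lte-wan protocol=tcp dst-port=80,443 connection-state=new action=accept comment="LTE -> OPNsense nginx (after dst-nat)"
/ipv6 firewall filter add chain=forward in-interface=bridgeLocal out-interface="Vodafone LTE" action=accept comment="LAN -> LTE outbound"
/ipv6 firewall filter add chain=forward action=drop log=yes log-prefix=ipv6,fwd-drop comment="drop everything else"
```

After applying it, test from outside the LTE network against the router's current LTE address on port 443 and watch `/ipv6 firewall connection print` for the translated flow; a hit on the last drop rule shows up in the log with the ipv6,fwd-drop prefix and tells you which rule is missing. ICMPv6 from LTE to the bridge stays allowed by the existing rule, so path MTU discovery toward the OPNsense keeps working, which matters on LTE links with a reduced MTU.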

Thanks for your detailed answer. :sunglasses:
I will go through both options and see which one is the better one for me.

I also found a good link to a blog about IPv6 and NAT → https://www.hitoha.moe/mikrotik-ipv6-nat-port-forward-with-ula-and-nd/