Scripts to allow IPv6 connectivity (SLAAC) for logged-in hotspot users.
Tested on RouterOS v7.20.
First, configure/add an IPv6 address with advertise enabled and enable IPv6 neighbor discovery.
IPv6 firewall raw rules to only allow “authed” users:
/ipv6 firewall raw
add action=accept chain=prerouting comment="Accept Hotspot Authed" dst-address=2000::/3 src-address-list=Hotspot-Authed
add action=drop chain=prerouting comment="Drop Default Hotspot" dst-address=2000::/3 src-address=2001:xxxx::/64
# Change 2001:xxxx::/64 to your ipv6 address subnet
Script for on login event (ip > hotspot > hotspot-profile > on-login)
:delay 30s
# 30 sec delay for SLAAC to settle down, probably not needed but just in case
:foreach neighbor in=[/ipv6 neighbor find where address in 2000::/3 interface=hotspot mac-address=$"mac-address"] do={
# CHANGE interface=hotspot
# loop for neighbor with specific mac in specific interface
:local addr [/ipv6 neighbor get $neighbor address]
# get the ipv6 address
:do {
# try to add the address to authed address-list
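# use $"mac-address" (the variable the hotspot passes in) so the on-logout script can match the comment
/ipv6 firewall address-list add list=Hotspot-Authed address=$addr comment=$"mac-address" dynamic=yes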
} on-error={}
}
Script for on logout event (ip > hotspot > hotspot-profile > on-logout)
/ipv6 firewall address-list remove [find list=Hotspot-Authed comment=$"mac-address"]
Scheduler to update the address-list (don't forget to change interface=hotspot)
/system scheduler
add interval=5m name=UpdateHotspotIPv6 on-event="/ipv6 neighbor\
\n:foreach neighbor in=[find address in 2000::/3 interface=hotspot] do={\
\n:local mac [get \$neighbor mac-address]\
\n:local addr [get \$neighbor address]\
\n:if ([:tobool [/ip hotspot active find mac-address=\$mac]]) do={\
\n:do {\
\n/ipv6 firewall address-list add list=Hotspot-Authed address=\$addr comment=\$mac dynamic=yes\
\n} on-error={}\
\n} else={\
\n/ipv6 firewall address-list remove [find list=Hotspot-Authed comment=\$mac]\
\n}\
\n}" policy=read,write,policy,test,sniff,sensitive start-time=startup
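
The scheduler above walks the neighbor table, so a Hotspot-Authed entry whose MAC no longer has a neighbor entry is never revisited by it. The following audit script is an added example, not part of the original post: it walks the address-list itself and removes entries with no active hotspot session, assuming the list name Hotspot-Authed and the comment=MAC convention used above.

```routeros
# Added example: audit Hotspot-Authed from the address-list side.
# Assumption: every entry carries the client's MAC address in its comment.
:local removed 0
:foreach entry in=[/ipv6 firewall address-list find where list="Hotspot-Authed"] do={
    :local mac [/ipv6 firewall address-list get $entry comment]
    :local addr [:tostr [/ipv6 firewall address-list get $entry address]]

    # An entry with an empty comment cannot be tied to any session
    :local orphan ([:len $mac] = 0)

    # Otherwise it is orphaned when no active hotspot session has this MAC
    :if (!$orphan) do={
        :set orphan ([:len [/ip hotspot active find where mac-address=$mac]] = 0)
    }

    :if ($orphan) do={
        :log warning ("Hotspot-Authed orphan removed: " . $addr . " mac=" . $mac)
        /ipv6 firewall address-list remove $entry
        :set removed ($removed + 1)
    }
}
:log info ("Hotspot-Authed audit: removed " . $removed . " orphaned entries")
```

Run it from a second scheduler entry or by hand; a non-zero count in the log means the on-logout script did not clean up a session.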