Basic IPV6 set up help

Hi again,

My ISP has given me a static IPV6 address and I am absolutely lost trying to set it up :smiley:

The address is 2a00:xxxx:yyyy::2/48
Gateway is 2a00:xxxx:yyyy::1

DNS servers, I was just going to use Google's for now.

I am guessing I would also set up a DHCPv6 pool for clients?

I have scoured the internet and YouTube for some basics, but most are foreign and none cover the static IPV6 so I’m totally confused now!

Could anyone help me out with a step by step set up please?

Thank you!

It totally confused me as well; however, may I suggest to always make your router do DNS resolving first then Google such as 192.168.88.1, 8.8.8.8.

That doesn’t look like correct IPv6 config. Whole /48 should be yours to use in your network. And there should be another connecting subnet between you and ISP.

Thanks guys,

Yes I think I have the router serving dns first however, should I put that at the top of the dns list if it isn’t already there?

Also, I did question my ISP about that addressing and routing etc but they said that’s all there is?

Trouble with IPv6 is that it’s too new. Not really, it’s from last century, but if someone manages to ignore it for long enough, then it’s suddenly new for them. And as with other new things, people just love to explore dead ends…

But it’s the same as with IPv4, there’s no need to invent something new. Let’s say you would get public routed subnet 1.1.1.0/24. There would be another connecting subnet between you and ISP. They would have e.g. 2.2.2.1/30 on their router, you would have 2.2.2.2/30 on yours, and they would add route to 1.1.1.0/24 with gateway being your 2.2.2.2. And you could then add 1.1.1.1/24 on your LAN as whole, or you could split it into smaller networks, put e.g. 1.1.1.1/29 on LAN, connect other routers and route other parts of /24 further to them. And that’s exactly what you want for IPv6.

What they gave you (if xxxx:yyyy are same in both) is equivalent of them having 1.1.1.1/24 on their router and you being allowed to use 1.1.1.2-245 for directly connected devices. It’s too limited, because if you’d need to route some addresses further, it’s not possible without some tricks. In IPv4 world it’s proxy ARP. IPv6 too has something, there’s ND proxy, but it’s again just ugly trick and not everything supports it (RouterOS doesn’t).

Maybe there’s a hope and it could be this, which is a little non-standard, but it would be fine:

https://www.ripe.net/publications/docs/ripe-690#4-1-4---64-prefix-out-of-the-ipv6-prefix-assigned-to-the-end-user

In that case, you’d put 2a00:xxxx:yyyy::2/64 on WAN and then you could use the rest of /48 in LAN, e.g. 2a00:xxxx:yyyy:1::1/64 on main LAN, 2a00:xxxx:yyyy:2::1/64 for guest LAN, etc.

Thanks for the explanation.

I did try as you suggested, but no luck.

Assuming of course, I put all the info in the correct places, which in all honesty, I probably haven’t.

Admittedly, I did use the quick set up feature, which after reading on here, I shouldn’t have done, so I am just getting to grips with the fact I will have to reset the config and start again properly.

I will do that first and then maybe try again.

Hi Guys,

I thought I had cracked it but it appears I still cannot get out on the IPv6 web, although clients are getting IPv6 addresses, but looking at the neighbor table, they are all stale from the start.

Also, looking at the DNS cache, it appears there are some AAAA IPV6 entries from somewhere!

Turns out I had the wrong details from the ISP and it was a /64.

Maybe you could have a quick look at my config and see what you think!
/interface bridge
add admin-mac=C4:AD:34:55:CB:73 auto-mac=no comment=defconf name=bridge
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ipv6 dhcp-server
add address-pool=pool1 interface=bridge name=server1-ipv6
/ipv6 pool
add name=pool1 prefix=::/64 prefix-length=64
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=...166/22 interface=ether1 network=...0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=..***.165
/ipv6 address
add address=2a00:xxxx:yyyy::2 advertise=no interface=ether1
add address=2a00:xxxx:yyyy:1::1 interface=bridge
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] interface=bridge managed-address-configuration=yes \
    other-configuration=yes
/ipv6 nd prefix
add autonomous=no interface=bridge
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

/ipv6 pool
add name=pool1 prefix=::/64 prefix-length=64

This doesn’t seem right, you should put real prefix in pool (prefix=2a00:xxxx:yyyy::/64 or something).

Also definition of /ipv6 address probably lacks prefix size (i.e. 2a00:xxxx:yyyy:1::1**/64**).

But anyway, addresses on WAN and LAN belong to same /64 network, so things still might not work.

Thanks,

I put an address in the pool, however, clients are getting an address anyway and the other one seems to have the /64 but doesn’t seem to show up in this config for some reason..

/ipv6 address
add address=2a00:xxxx:yyyy::2 advertise=no interface=ether1
add address=2a00:xxxx:yyyy:1::1 interface=bridge

Not getting any ping6 response from the client to the router either.

IPv6 is not difficult, but you must understand it. Basic knowledge is:
a) address is 128 bits long, half of it is network (aka prefix), other half is for device
b) Service Provider gives you prefix and length of it shows you how many subnets you can create inside it. /48 gives you 64-48=16bits=65536 networks. If you need multi-level networks then you decide if split it into 1024*64, 16*16*256 or any other ways, so create network plan before starting splitting. If you don't plan, you get 2^N sub-prefixes and that's it.
c) one character in address is 4 bits
d) lots of zeroes can be omitted in markup, there are rules how to write shorter v6 addresses
e) usable addresses start from zero and end with f, there's no reserved network and broadcast addresses in every network

Steps to start using IPv6 in Mikrotik:

Enable IPv6 package, it's disabled by default

/system package enable ipv6

Reset configuration gives you good default rules for IPv6 firewall. Remember, there are TWO firewalls now. Default IPv6 firewall rules are the same: ports closed by default.

/system reset-configuration

ask prefix from ISP and create pool from it. pool-prefix-length sets size for sub-prefixes. You can ask for specific prefix using prefix-hint=

/ipv6 dhcp-client add add-default-route=yes disabled=no interface=ether1 pool-name=ipv6-pool pool-prefix-length=64 request=prefix use-peer-dns=yes

start Neighbor Discovery and enable both SLAAC and DHCPv6 to be more compatible.

/ipv6 nd set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes interface=bridge managed-address-configuration=yes other-configuration=yes

add IPv6 address to the bridge. Bridge takes first sub-prefix from the pool you got, creates prefix+::1 address and starts advertising of it, so other devices in the network will also know about it and get addresses by SLAAC.

/ipv6 address add address=::1/64 advertise=yes disabled=no eui-64=no from-pool=ipv6-pool interface=bridge no-dad=no

start DHCPv6 server

/ipv6 dhcp-server add address-pool=ipv6-pool disabled=no interface=bridge name=server1

There's no need for special service to share addresses, it's done automatically. Set specific addresses manually if you need it (yourprefix::1), DHCPv6 server in MT is not for sharing specific addresses, but for prefix sharing and supporting older operating systems.

Thanks for taking the time to post, however, I think I have mine set up that way, although my IPV6 is supplied static from my ISP so I cannot request any information via the DHCP client as it just keeps displaying ‘searching’.

And clients are getting IPV6 addresses from the router.

And ping result from router to ipv6 google.

invalid value for argument address:
invalid value of mac-address, mac address required
invalid value for argument ipv6-address
failure: dns name exists, but no appropriate record

ETA: I know the service is working from my ISP as my previous router was connected and using it no problem, however I would really like to get it working on the MT as A - it is a very good product and B - I don’t want to go back to my previous router!

:smiley:

Does my supplied IPV6 gateway go on the bridge and the ::2/64 address on the gateway, as I have these the other way around?

If it’s only /64, and ISP has gateway from that subnet, it’s not good at all. It works only for directly connected devices, and if you want to have something behind your router, it needs ND proxy. Current RouterOS doesn’t support it. And it’s not really good way of doing it anyway.

The only positive is that you can check with your previous router, how exactly it works. Can you show some config from there? Is there really same subnet on both LAN and WAN?

Sorry meant to say that it should have been and is now /64 and not /48.

I have the old router (edgerouter) config that I’ll post up in a bit when I can swap it back in without getting my ears bent :smiley:

Ok previous router config..
firewall {
all-ping enable
broadcast-ping disable
ipv6-name WANv6_IN {
default-action drop
description "WAN inbound traffic forwarded to LAN"
enable-default-log
rule 10 {
action accept
description "Allow established/related sessions"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 30 {
action accept
description "Allow IPv6 icmp"
protocol ipv6-icmp
}
}
ipv6-name WANv6_LOCAL {
default-action drop
description "WAN inbound traffic to the router"
enable-default-log
rule 10 {
action accept
description "Allow established/related sessions"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 30 {
action accept
description "Allow IPv6 icmp"
protocol ipv6-icmp
}
rule 40 {
action accept
description "allow dhcpv6"
destination {
port 546
}
protocol udp
source {
port 547
}
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
description Local
duplex auto
speed auto
}
ethernet eth1 {
description Local
duplex auto
speed auto
}
ethernet eth2 {
description Local
duplex auto
speed auto
}
ethernet eth3 {
description Local
duplex auto
speed auto
}
ethernet eth4 {
description Local
duplex auto
speed auto
}
ethernet eth5 {
description Local
duplex auto
speed auto
}
ethernet eth6 {
description Local
duplex auto
speed auto
}
ethernet eth7 {
description Local
duplex auto
speed auto
}
ethernet eth8 {
address 192.168.2.1/24
description Local2
duplex auto
speed auto
}
ethernet eth9 {
address ..***.166/30
address 2a00:xxxx:yyyy::2/64
description Internet
duplex auto
firewall {
in {
ipv6-name WANv6_IN
name WAN_IN
}
local {
ipv6-name WANv6_LOCAL
name WAN_LOCAL
}
}
poe {
output off
}
speed auto
}
ethernet eth10 {
duplex auto
speed auto
}
ethernet eth11 {
duplex auto
speed auto
}
loopback lo {
}
switch switch0 {
address 192.168.1.1/24
address 2a00:xxxx:yyyy:1::1/64
description Local
ipv6 {
dup-addr-detect-transmits 1
router-advert {
cur-hop-limit 64
link-mtu 0
managed-flag false
max-interval 600
other-config-flag false
prefix ::/64 {
autonomous-flag true
on-link-flag true
valid-lifetime 2592000
}
reachable-time 0
retrans-timer 0
send-advert true
}
}
mtu 1500

}
}
}
protocols {
static {
route6 ::/0 {
next-hop 2a00:xxxx:yyyy::1 {
interface eth9
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN2 {
authoritative enable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 192.168.1.1
lease 86400
start 192.168.1.38 {
stop 192.168.1.243
}

dns {
forwarding {
cache-size 300
listen-on switch0
name-server 2606:4700:4700::1111
name-server 1.0.0.1
name-server 2606:4700:4700::1001
name-server 1.1.1.1
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5010 {
description "masquerade for WAN"
outbound-interface eth9
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
unms {
disable
}
}
system {
domain-name domain.local
gateway-address ..***.165
host-name ubnt
login {
user ******** {
authentication {
encrypted-password ****************
}
level admin
}
}
name-server 127.0.0.1
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat disable
ipv4 {
forwarding enable
}
ipv6 {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
host 192.168.1.38 {
facility all {
level info
}
}
}
time-zone UTC

It’s not just one /64. You have 2a00:xxxx:yyyy::2/64 on WAN (eth9) with gateway 2a00:xxxx:yyyy::1, and 2a00:xxxx:yyyy:1::1/64 on LAN (switch0). You can have this with RouterOS, no problem.

But looking at your previously posted config, you can forget about DHCPv6 server giving addresses to clients, RouterOS doesn’t support that yet, it’s only manual config or SLAAC (autoconfiguration) for now. So you need:

/ipv6 nd
set [ find default=yes ] interface=bridge managed-address-configuration=no other-configuration=no
/ipv6 nd prefix
add autonomous=yes interface=bridge

You could have other-configuration=yes and use DHCPv6 to give out IPv6 DNS resolvers, but that’s currently a little unfinished too, so it can be either what you have in router’s “/ip dns”, or you have to create DHCP option manually. But it doesn’t really matter if clients resolve DNS over IPv6 or IPv4, both support all record types.

Thanks.

Must admit I have been tweaking and didn’t do backup before so I have to go through the config and try and put it all back together.

Do I still need an IPv6 pool?

With a single static /64 prefix available for LAN and SLAAC you don’t …

Thanks MKX.

Latest config but still no luck..

I am sure I have missed something somewhere!
/interface bridge
add admin-mac=C4:AD:34:55:CB:73 auto-mac=no comment=defconf name=bridge
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ipv6 pool
add name=pool1 prefix=::/64 prefix-length=64
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=...166/22 interface=ether1 network=..120.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=\
    1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=fasttrack-connection chain=forward comment="Fasttrack DNS TCP" \
    dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward comment="Fasttrack DNS UDP" \
    dst-port=53 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=...165
/ipv6 address
add address=2a00:xxxx:yyyy:1::1 interface=bridge
add address=2a00:xxxx:yyyy::2 advertise=no interface=ether1
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] interface=bridge
/ipv6 nd prefix
add interface=bridge
/ipv6 route
add distance=1 dst-address=::****::1/128 gateway=ether1
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thanks for your patience guys.

This is nonsense:

/ipv6 route
add distance=1 dst-address=****:****:****::1/128 gateway=ether1

You want:

/ipv6 route
add dst-address=::/0 gateway=2a00:xxxx:yyyy::1
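
The checks this thread converged on (WAN and LAN in different /64s, a real ::/0 route, a gateway that is on-link on WAN), written out as an added example that is not part of any poster's reply or of RouterOS. The prefix 2001:db8:1234::/48 is a constructed stand-in for the redacted 2a00:xxxx:yyyy::/48, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: 2001:db8:1234::/48 (documentation space) stands in
# for the thread's redacted 2a00:xxxx:yyyy::/48.
ASSIGNED = "2001:db8:1234::/48"
ADDRESSES = {"ether1": "2001:db8:1234::2/64", "bridge": "2001:db8:1234:1::1/64"}
BROKEN_ROUTES = [("2001:db8:1234::1/128", "ether1")]  # shape of the failing config
FIXED_ROUTES = [("::/0", "2001:db8:1234::1")]         # shape of the working config


def lan_subnets(assigned, wan_address, count):
    """First `count` /64s of the assigned block that are not the WAN /64."""
    wan_net = ipaddress.ip_interface(wan_address).network
    picked = []
    for net in ipaddress.ip_network(assigned).subnets(new_prefix=64):
        if not net.overlaps(wan_net):
            picked.append(str(net))
        if len(picked) == count:
            break
    return picked


def check_plan(wan_if, addresses, routes):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    for name, text in addresses.items():
        if "/" not in text:
            findings.append(f"{name}: prefix length missing on {text}")
    ifaces = {n: ipaddress.ip_interface(a) for n, a in addresses.items()}
    wan_net = ifaces[wan_if].network

    # WAN and LAN must be different subnets, otherwise the router has nothing
    # to route between (the ND-proxy situation described in the thread).
    for name, iface in ifaces.items():
        if name != wan_if and iface.network.overlaps(wan_net):
            findings.append(f"{name}: {iface.network} overlaps WAN {wan_net}")

    # A ::/0 route is required; a host route to the gateway is not a default route.
    gateways = [gw for dst, gw in routes if ipaddress.ip_network(dst).prefixlen == 0]
    if not gateways:
        findings.append("no ::/0 route")
    for gw in gateways:
        if gw in addresses:
            continue  # route via an interface name, nothing to verify here
        addr = ipaddress.ip_address(gw)
        if not addr.is_link_local and addr not in wan_net:
            findings.append(f"default gateway {gw} is not on-link in {wan_net}")
    return findings


if __name__ == "__main__":
    print(lan_subnets(ASSIGNED, ADDRESSES["ether1"], 2))
    print(check_plan("ether1", ADDRESSES, BROKEN_ROUTES))
    print(check_plan("ether1", ADDRESSES, FIXED_ROUTES))
```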

You sir, deserve the “Forum Guru” title as you have nailed it.

Thanks everyone for your help, it’s much appreciated.

Now, does anyone wanna buy an Edgerouter?

:smiley: :smiley:

:slight_smile: