DHCPv6-server Stateful support

Hi All,

Is dhcpv6-server fully implemented?
I am fighting to set up my DHCPv6 server with stateful support but I seem not to be able to do so.

It’s not there yet. Only prefixes, no addresses.

And is there some estimation/expectation of when this will be?

I wish Mikrotik would put a little more priority onto their IPv6 feature set.
There hasn’t been any announcement I’m aware of regarding the addition of stateful DHCP host assignment capability (or even stateless dhcpv6 for SLAAC+options deployment).

2020 year.
Until now, there is no full stateful functions support…

Is it possible to configure a stateful DHCPv6 server with a Unique Local Address?
I try to configure it, but it is not working. No bindings, just in PD mode, just the prefix is binding to a client.
I cannot believe this situation in the year 2025.
MikroTik what the …. are you doing???

This works on my MikroTik routers. Make sure that the ULA pool you use for the addresses has prefix-length=128. Then, on the suitable IPv6 -> ND entry of the interface, turn on Managed Address Configuration.

If you have Android devices then even with the latest upgrade they only support DHCPv6 PD, not NA.

Thank you.
Yeah, this is my problem, the DHCPv6 server supports PD only, not NA.
The clients use an unusable prefix as an address, and generate a working address with the prefix. Other devices, for example a QNAP NAS, do not work in Stateful Address Autoconfiguration; in Stateless mode it tries to use the prefix as an address. Chaos…

Now I’m using ND without Managed Address Configuration (without DHCPv6), and a prefix on the bridge with the Autonomous option.
It is working with NAT to reach the internet under IPv6.

The DHCPv6 server has been supporting giving out addresses (not only prefixes) since 7.17. From the changelog:

  • dhcpv6-server - added IPv6 address delegation support;

As I wrote above, in the current state (after bugfixes in the following version, like the bug that forces the pool on reboot that was fixed in 7.20.2) it currently works well.

I tried under ROS 7.20.4
As I remember this was my last configuration:

/ipv6 dhcp-server add address-pool=IPv6LAN_pool interface=Bridge-LAN lease-time=1d name=dhcpv6 prefix-pool=IPv6LAN_pool
/ipv6 pool add name=IPv6LAN_pool prefix=fd00:0:0:11::/64 prefix-length=64
/ipv6 address add address=fd00:0:0:11::1 advertise=no interface=Bridge-LAN
/ipv6 nd set [ find default=yes ] interface=Bridge-LAN managed-address-configuration=yes other-configuration=yes
/ipv6 nd prefix add disabled=yes interface=Bridge-LAN preferred-lifetime=1d prefix=fd00:0:0:11::/64 valid-lifetime=3d

I tried the following in all variations:

/ipv6 dhcp-server add address-pool=IPv6LAN_pool interface=Bridge-LAN lease-time=1d name=dhcpv6 prefix-pool=static-only

/ipv6 pool add name=IPv6LAN_pool prefix=fd00:0:0:11::/64 prefix-length=128

/ipv6 nd prefix add disabled=no interface=Bridge-LAN preferred-lifetime=1d prefix=fd00:0:0:11::/64 valid-lifetime=3d

I couldn't achieve the desired result. Only the prefix delegated under the DHCPv6/Bindings tab. And in this case the following error message was in the log: pool6 refused… pool exthaused, no more addresses left!

Your first attempt with using the same pool for both address-pool and prefix-pool with prefix-length=64 of course will not work because each requires a pool with different prefix-length.

The required settings that work are:

  • Add ULA pool under /ipv6 pool with prefix-length=128.

  • Add /ipv6 dhcp-server entry on the interface with address-pool set to that pool above, prefix-pool set to static-only.

  • Add /ipv6 address entry for the interface. Here you can use other prefixes too (like GUA prefix), it doesn't need to match the prefix from the pool above. But of course, no one prevents you from using the same prefix as the pool.

    • If using ROS < 7.21, or if you also want SLAAC working on the interface then set advertise=yes here.
    • If you don't need SLAAC, and are running >= 7.21beta, then set advertise=no here, and add an /ipv6 nd prefix entry for the interface with prefix=none (this is only supported starting from 7.21).
  • Add /ipv6 nd entry for the interface with managed-address-configuration=yes (you can turn on other-configuration=yes too if you want).

These configurations are enough for clients to obtain single addresses from the specified pool via DHCPv6.

Of course, if you have an ULA pool and want the devices to be able to go to the internet too, then you'll need to add SRCNAT rules to the IPv6 firewall (for example netmap rules). You can also make the binding static and swap the addresses of the static bindings to static GUA too.


This error message is from your old attempt to set prefix-pool to the pool that you created. But that pool has prefix-length=64 and has prefix=fd00:0:0:11::/64. Which means it was able to give out only one single prefix, after that prefix has been given out, the pool is exhausted.

You'll need something like prefix=fd00:0:0:1100::/56 if you want your pool to have prefix-length=64. That pool will then be able to give out 256 /64 prefixes.

But if you want the DHCPv6 server to give out single IP address (IA_NA), then the pool must have prefix-length=128. Then you can have prefix=fd00:0:0:11::/64 without problem, even prefix=fd00:0:0:11::/112 works (has 65K /128 addresses).

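The pool rules from the two posts above (an address-pool needs prefix-length=128; a prefix pool can hand out 2^(prefix-length - prefix bits) prefixes) as a small Python check over exported config lines. This is an added example, not part of the thread or of RouterOS; the parser only understands flat `add` lines like those quoted here, and the function names are made up for illustration.

```python
import ipaddress
import shlex

# Constructed sample: the first attempt quoted in the thread (one /64 pool used for both roles).
SAMPLE_EXPORT = """\
/ipv6 pool add name=IPv6LAN_pool prefix=fd00:0:0:11::/64 prefix-length=64
/ipv6 dhcp-server add address-pool=IPv6LAN_pool interface=Bridge-LAN lease-time=1d name=dhcpv6 prefix-pool=IPv6LAN_pool
"""

def parse_export(text):
    """Return (pools, servers) parsed from flat '/ipv6 ... add key=value' lines."""
    pools, servers = {}, []
    for line in text.splitlines():
        words = shlex.split(line)
        props = dict(w.split("=", 1) for w in words if "=" in w)
        if words[:3] == ["/ipv6", "pool", "add"]:
            pools[props["name"]] = props
        elif words[:3] == ["/ipv6", "dhcp-server", "add"]:
            servers.append(props)
    return pools, servers

def pool_capacity(pool):
    """Number of allocations a pool can hand out: 2 ** (prefix-length - prefix bits)."""
    net = ipaddress.ip_network(pool["prefix"], strict=False)
    return 2 ** (int(pool["prefix-length"]) - net.prefixlen)

def lint(text):
    """Check each dhcp-server entry against the pool rules given in the thread."""
    pools, servers = parse_export(text)
    findings = []
    for srv in servers:
        addr, pd = srv.get("address-pool"), srv.get("prefix-pool")
        if addr in pools and pools[addr]["prefix-length"] != "128":
            findings.append(f"{srv['name']}: address-pool {addr} needs prefix-length=128")
        if pd in pools:
            if pools[pd]["prefix-length"] == "128":
                findings.append(f"{srv['name']}: prefix-pool {pd} hands out /128, not prefixes")
            elif pool_capacity(pools[pd]) == 1:
                findings.append(f"{srv['name']}: prefix-pool {pd} holds 1 prefix, exhausted after first binding")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print(finding)
```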

Ahhh so…
Thank you very much for your information and help. 🙂
I will try these.

@CGGXANNX Since you seem to have experience of setting up DHCPv6 stateful in LAN, I have a couple of questions for my understanding. Using ROS 7.20.5. I currently have a proper fd75::/64 SLAAC setup working in my LAN. Thanks in advance for helping!

I would like to set up for testing fd23::/64 by using DHCPv6 stateful on LAN for Windows and Linux clients.

I’ve also read in MikroTik docs that prefix-length must always be 128. So I added it as: /ipv6 pool add name=pool-ipv6dhcp-ula prefix=fd23::/64 prefix-length=128

Am I correct that I cannot add on my LAN interface using the created prefix, but I need to specify the address manually? If I try something like ::1/64 and specify from-pool, this gets overridden by the next available address. I guess that makes sense, since this is now DHCPv6, so I need to make the address static?

I did run for static /ipv6/address/add address=fd23::98/64 advertise=no interface=bridge1

M-Bit and O-Bit (For later) is set:

/ipv6 nd set [ find default=yes ] interface=bridge1 managed-address-configuration=yes other-configuration=yes

After enabling DHCPv6-server, I can see that my Windows and Linux clients are getting IPs. I did run: /ipv6 dhcp-server/add address-pool=pool-ipv6dhcp-ula interface=bridge1 lease-time=30m name=server1 use-reconfigure=yes

But I am not sure about one thing: The first client (Windows 10), which gets an IP, receives fd23:: and the second client (Linux) got fd23::1 as lease.

Is fd23:: correct? Because I do seem to have a strange behaviour. If I run ping -6 fd23:: on the Linux client, I am getting replies from fd23::1. This doesn’t seem right, as fd23::1 is a different lease for a different client? From my understanding, fd23:: is basically fd23::0? And surprisingly, Windows is unable to ping fd23::1 or fd23::98, while Linux is able to do so.

Can I somehow reconfigure the pool not to hand out fd23:: as an address?

Thanks!

You don't need to do this step anymore, since you've already configured SLAAC on the LAN with fd75::/64.

Only if you have not yet configured SLAAC on the LAN interface, you would need to do the step with /ipv6 address. The reason this step is needed is for the devices in that LAN to know about the gateway (which is the router). DHCPv6 normally provide no information about default gateway!

But since you've already configured SLAAC with fd75::/64, the devices already have the knowledge about the router being the gateway (gateway address is the link local fe80::xxx address of the router).

In case you have not yet configured SLAAC, then something like this is needed:

/ipv6 address
add address=fd23::1000:98/64 advertise=yes interface=bridge1

With advertise=yes. Also, with the suffix part further away so as not to clash with the addresses given out by the pool (those have incremental suffixes).

This is a totally correct and usable IPv6 address. IPv6 has no special reservation for the address with the interface ID part being all zeros.

About the ping issue:

  • First, Windows by default blocks incoming ping, you'll have to modify the Windows Defender Firewall setting to allow ICMPv6 echo request coming from ALL NETWORKS (from any addresses), not just from local network!

  • All the IPv6 addresses given out by the DHCPv6 server are /128 addresses. Which means they do not have a link-local scope like those /64 addresses that you have with SLAAC. If you have not configured SLAAC on the bridge for the fd23::/64 subnet with advertise=yes, then all the devices with fd23::xxxx/128 addresses obtained through DHCPv6 will need the gateway to talk to each other, which means fd23:: pinging fd23::1 will have to go through the router as the gateway, same for the response.

    That's why it's important that the devices have the correct gateway information (that you provide through Router Advertisement by configuring /ipv6 nd and by turning advertise=yes with at least one entry in /ipv6 address).

    (as noted in the previous post, in 7.21, if you want, you don't need to turn on advertise=yes if you configure a static /ipv6 nd prefix entry with prefix=none)

  • Because it's routed, you can check with tracert (Windows) or traceroute -I (Linux) to see if the correct gateway is used.

Aside from the firewall (affects incoming ping), on the Windows machine you should verify whether it has received the correct gateway information (verify with ipconfig /all) that points to the fe80 address of the router.

As I wrote above, that address is not a problem (if it doesn't clash with the one you've assigned manually to the router itself). But if you don't want the DHCPv6 server to give out the address with all zeros interface ID (like fd23::), just add a static binding (or you can make the binding given out to the Windows machine static and edit the address) with some higher suffix part. All subsequent leases given out by the pool will then start with a higher suffix than that.

Not according to https://www.rfc-editor.org/rfc/rfc4291.html#section-2.6.1

The section you quoted is about anycast. Which doesn't apply to what @ConiKost is doing in his network (everything unicast only). If you scroll to the top of the RFC, there is this mention:

RFC 4291: IP Version 6 Addressing Architecture

In IPv6, all zeros and all ones are legal values for any field,
unless specifically excluded. Specifically, prefixes may contain, or
end with, zero-valued fields.

(emphasis mine)

The exception for the suffix is specified for anycast, and it's not even talking about the interface ID, which is what I wrote about in the part that you quoted from me, and which is normally 64 bit for unicast, (the part in question for anycast is the 128-n bit suffix part).

Please note that in the RFC Interface ID is in section 2.5.1 Interface Identifiers which is a subsection of 2.5 Unicast Addresses

RFC 4291: IP Version 6 Addressing Architecture

Nothing to do with anycast.

I have to disagree. The all-zeros interface ID is automatically used by a router as the subnet router anycast address for each connected subnet prefix, and anycast addresses are allocated from the unicast address space.

@CGGXANNX Thank you very much for your help. It seems to be running for me now. Windows 10 also works now, but I haven’t changed anything. It could be that something was messed up yesterday due to tests.

But I have observed something I don’t understand. Why does DHCPv6 forward my ISP DNS to clients?

My PPPoE client connection is configured with use-peer-dns=no.

My ND configuration sets dns=fd75::192:168:75:1 (SLAAC).

No DHCPv6 options are set.

Why then are 2a02:560:2:140::20 and 2a02:560:2:180::20, both ISP DNS servers provided through PPPoE, being sent via DHCPv6 to clients? Can I disable that? M-Bit and O-Bit are enabled.

Both DNS servers are listed as dynamic servers on my DNS settings:

> /ip/dns/print
servers: 1.1.1.1, 8.8.8.8
dynamic-servers: 2a02:560:2:140::20, 2a02:560:2:180::20

It looks to me like use-peer-dns=no works for IPv4 as intended, in that dynamic IPv4 DNS servers from the ISP are ignored, but dynamic IPv6 DNS servers are always being pulled. Could this be a bug? Or just unsupported by MikroTik currently? While DHCPv4 can specify DNS servers, DHCPv6 cannot. I added option 23 as a test, but this only gets added additionally, not as a replacement.

Yes, currently when you use the DHCPv6 server in RouterOS it will pass the list of IPv6 addresses in dynamic-servers to the DHCPv6 client, with no switch in the settings to disable that. This is how I work around the issue on my lab installations:

/ipv6 dhcp-server option
add code=23 name=no-dns

/ipv6 dhcp-server
set [find name="your_server_name"] dhcp-option=no-dns

After doing this only the DNS setting advertised by the /ipv6 nd entries will be used by the clients. The DHCPv6 server will only send an empty DNS server list (through the overridden option 23).
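To confirm on the wire which DNS servers a client is actually handed, option 23 can be read out of a captured DHCPv6 Reply. Added example, not from the thread: the parser follows the DHCPv6 option layout (2-byte code, 2-byte length, data), and the two Reply messages are constructed to mirror the default and overridden cases described in the posts, not captured from a router.

```python
import ipaddress
import struct

OPTION_DNS_SERVERS = 23  # RFC 3646 DNS Recursive Name Server option

def build_option(code, data=b""):
    """Encode one DHCPv6 option: 2-byte code, 2-byte length, then the data."""
    return struct.pack("!HH", code, len(data)) + data

def dns_servers_in_message(msg):
    """Return one list of DNS server addresses per option 23 found in a DHCPv6 message.

    An empty inner list is an option 23 with no addresses; an empty outer
    list means the message carries no option 23 at all.
    """
    found = []
    pos = 4  # skip msg-type (1 byte) and transaction-id (3 bytes)
    while pos + 4 <= len(msg):
        code, length = struct.unpack_from("!HH", msg, pos)
        data = msg[pos + 4 : pos + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option")
        if code == OPTION_DNS_SERVERS:
            if length % 16:
                raise ValueError("option 23 length is not a multiple of 16")
            found.append([str(ipaddress.IPv6Address(data[i:i + 16]))
                          for i in range(0, length, 16)])
        pos += 4 + length
    return found

# Constructed Reply messages (type 7, made-up transaction id), not captured traffic.
HEADER = bytes([7, 0x12, 0x34, 0x56])
ISP_DNS = b"".join(ipaddress.IPv6Address(a).packed
                   for a in ("2a02:560:2:140::20", "2a02:560:2:180::20"))
REPLY_DEFAULT = HEADER + build_option(OPTION_DNS_SERVERS, ISP_DNS)
REPLY_OVERRIDDEN = HEADER + build_option(OPTION_DNS_SERVERS)

if __name__ == "__main__":
    print(dns_servers_in_message(REPLY_DEFAULT))
    print(dns_servers_in_message(REPLY_OVERRIDDEN))
```

Each option 23 instance is returned separately, so a reply that carries both an empty and a populated list shows up as two entries rather than being merged.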