Help needed in IPv6

Hello,

I’m having a really hard time trying to get IPv6 to work. I’ll make this 3 parts: My setup, what I have, what I managed to do.

My Setup:
Internet → Mikrotik CCR2004 → OLT on port 1 → ONU
Internet → Mikrotik CCR2004 → Switch on port 2 → My PC

What I have

  • I have 2 IPv4 addresses /29 from my ISP
  • I have 1 IPv6 P2P /127 gateway
  • I have 1 IPv6 /48 prefix

What I managed to do:

  • I managed to get the P2P gateway to work. The trick is to write /64 at the end of the address instead of /127. I don’t know why it works, but it works.
  • I’ve added the addresses pool, but it really just sits there without a way to assign addresses from it automatically.
  • I’ve added a DHCPv6 server and devices started to take addresses and use them as LAN addresses for some reason.
  • Finally I added the address /56 directly to the interface and suddenly I have WAN addresses to all devices.
  • Regarding Port 2 that is connected to my PC, I managed to make the PC get an address, but it didn’t work in browsing anything. Port 2 isn’t that important anyway, I use it for management.

The problem now is that I can see that each device has its own IPv6, but when I do IP test (aka google what’s my IP), they all show the same IP.
I think this is because I had a rule in the IPv6 firewall in the NAT section that was srcnat → Masquerade
When I removed the rule, IPv6 stopped working again.

I’ll be happy to provide any kind of information in order to get this thing working. It’s been 3 weeks and I’m very desperate!

Thank you very much!

I have a few questions beforehand:

  1. Do you receive the /48 prefix statically or per DHCP?
  2. From which port do you receive internet?
  3. Are the devices behind the router in a bridge (maybe except port 2) or overall separate?

The config so far exported and uploaded here would be a great help:

/export file=anynameyouwish

Hello,

This is the config:

# 2024-05-13 19:28:18 by RouterOS 7.14.3
# software id = GMER-LLMD
#
# model = CCR2004-1G-12S+2XS
# serial number = XXXXXXXXXX
/interface ethernet
set [ find default-name=ether1 ] name=Management-Eth
set [ find default-name=sfp-sfpplus2 ] name=OLT-1
set [ find default-name=sfp-sfpplus1 ] name=Office
set [ find default-name=sfp28-1 ] name=WAN-HotNet
/ip pool
add name=dhcp_pool0 ranges=172.16.0.2-172.16.15.254
add name=dhcp_pool1 ranges=172.16.20.2-172.16.20.254
add name=dhcp_pool2 ranges=172.16.0.2-172.16.0.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 always-broadcast=yes \
    insert-queue-before=bottom interface=Office name=Office-DHCP
add add-arp=yes address-pool=dhcp_pool2 always-broadcast=yes \
    insert-queue-before=bottom interface=OLT-1 name=OLT-DHCP
/ipv6 pool
add name=WAN-IPv6 prefix=2a00:a042:0000::/48 prefix-length=56
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
add name=Remote remote=64.176.170.65 target=remote
/interface detect-internet
set detect-interface-list=all
/ip address
add address=12.12.12.106/29 interface=WAN-HotNet network=12.12.12.104
add address=172.16.0.1/24 interface=OLT-1 network=172.16.0.0
add address=172.16.20.1/24 interface=Office network=172.16.20.0
add address=21.21.21.186/29 interface=WAN-HotNet network=21.21.21.184
/ip dhcp-server network
add address=172.16.0.0/24 gateway=172.16.0.1
add address=172.16.20.0/24 gateway=172.16.20.1
/ip dns
set servers=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4
/ip firewall address-list
add address=12.12.12.106 list=12.12.12.105/29
add address=12.12.12.107 list=12.12.12.105/29
add address=12.12.12.108 list=12.12.12.105/29
add address=12.12.12.109 list=12.12.12.105/29
add address=12.12.12.110 list=12.12.12.105/29
add address=21.21.21.186 list=21.21.21.184/29
add address=21.21.21.187 list=21.21.21.184/29
add address=21.21.21.188 list=21.21.21.184/29
add address=21.21.21.189 list=21.21.21.184/29
add address=21.21.21.190 list=21.21.21.184/29
/ip firewall filter
add action=reject chain=input dst-address=172.16.20.0/24 log=yes reject-with=\
    icmp-network-unreachable src-address=172.16.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN-HotNet
add action=src-nat chain=srcnat log=yes out-interface=WAN-HotNet src-address=\
    172.16.0.1-172.16.0.43 to-addresses=21.21.21.186
add action=src-nat chain=srcnat log=yes out-interface=WAN-HotNet src-address=\
    172.16.0.44-172.16.0.87 to-addresses=21.21.21.187
add action=src-nat chain=srcnat log=yes out-interface=WAN-HotNet src-address=\
    172.16.0.88-172.16.0.131 to-addresses=21.21.21.188
add action=src-nat chain=srcnat log=yes out-interface=WAN-HotNet src-address=\
    172.16.0.132-172.16.0.175 to-addresses=21.21.21.189
add action=src-nat chain=srcnat log=yes out-interface=WAN-HotNet src-address=\
    172.16.0.176-172.16.0.218 to-addresses=21.21.21.190
add action=src-nat chain=srcnat log=yes out-interface=WAN-HotNet src-address=\
    172.16.0.219-172.16.0.255 to-addresses=21.21.21.191
/ip firewall service-port
set ftp disabled=yes
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    12.12.12.105 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=yes target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    21.21.21.185 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=yes target-scope=10
/ipv6 route
add disabled=no distance=1 dst-address=::/0 gateway=2a00:a043:0000:0000::1d4 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 address
add address=2a00:a043:0000:0000::1d5 interface=WAN-HotNet
add from-pool=WAN-IPv6 interface=OLT-1
add from-pool=WAN-IPv6 interface=Office
/ipv6 nd
set [ find default=yes ] dns="2001:4860:4860::8888,2606:4700:4700::1111,2001:4\
    860:4860::8844,2606:4700:4700::1001" hop-limit=64 \
    managed-address-configuration=yes pref64=::/64 ra-delay=5s \
    reachable-time=5s retransmit-interval=2s
/system clock
set time-zone-name=Asia/Jerusalem
/system identity
set name=qFiber-Core
/system logging
add action=Remote topics=firewall
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=3.asia.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key

Please notice that this config gives all devices an IP address correctly. Looks like it’s giving the address using SLAAC. But this does not allow outbound connections to anything.
The moment I add a NAT rule that is:
Chain: srcnat
Out. Interface: WAN-HotNet
Action: masquerade

I’ll be able to ping and browse IPv6 addresses correctly, but my public IP will be the gateway address.
Any other configuration will not work no matter what I do.

It looks like currently your remote gateway, the one sitting at 2a00:a043:0000:0000::1d4, has no idea that it should route packets destined for 2a00:a042:0000::/48 to your router (to 2a00:a043:0000:0000::1d5). Do you have access to that gateway to manually add the route?

How did you get the information about the /48 prefix? Was it given to you manually by your ISP? Can you try to set up DHCPv6 Client on WAN-HotNet instead

/ipv6 dhcp-client
add interface=WAN-HotNet pool-name=WAN-HotNet-Pool prefix-hint=::/48 request=prefix

and see if the same prefix is provided to the pool “WAN-HotNet-Pool”? If yes, use that pool instead of the one that you manually added. Requesting the Prefix via DHCPv6 will normally tell the other end (the DHCPv6 server) to add the correct route for that prefix range.
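
The diagnosis in the reply above, worked through as an added example that is not part of the original posts: a longest-prefix-match lookup on the ISP gateway shows why replies only come back when the source is masqueraded, and what changes once the gateway has a route for the /48. The gateway's routing table and the sample LAN host address are assumptions constructed for illustration; the other addresses come from the posted export.

```python
import ipaddress

# Addresses taken from the posted export.
ROUTER_WAN = ipaddress.ip_address("2a00:a043::1d5")   # WAN-HotNet on the CCR2004
P2P_LINK = ipaddress.ip_network("2a00:a043::1d4/127") # link to the ISP gateway
DELEGATED = ipaddress.ip_network("2a00:a042::/48")    # prefix used for the LAN pool
# Constructed sample: a host that configured itself via SLAAC behind OLT-1.
LAN_HOST = ipaddress.ip_address("2a00:a042::1234:5678:9abc:def0")


def gateway_table(has_customer_route):
    """Assumed routing table of the ISP gateway at ::1d4 (not shown on the page)."""
    table = [(P2P_LINK, "p2p-link"), (ipaddress.ip_network("::/0"), "upstream")]
    if has_customer_route:
        # What a static route or a DHCPv6-PD binding would add on the ISP side.
        table.append((DELEGATED, "p2p-link"))
    return table


def next_hop(table, dst):
    """Longest-prefix match over (network, exit) pairs."""
    matches = [(net, out) for net, out in table if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def scenario(has_customer_route, masquerade):
    """Return (source address the internet sees, whether replies reach the router)."""
    seen = ROUTER_WAN if masquerade else LAN_HOST
    back = next_hop(gateway_table(has_customer_route), seen) == "p2p-link"
    return str(seen), back


if __name__ == "__main__":
    for route, nat in [(False, False), (False, True), (True, False)]:
        src, ok = scenario(route, nat)
        print(f"route={route!s:5} masquerade={nat!s:5} seen-as={src} replies-return={ok}")
```

Only the third case gives each device its own public address with working return traffic, which matches the symptoms described in the thread.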

Sorry for the late reply.

I’ll try this tonight or tomorrow and I’ll update you.
Thank you very much!