My setup is CCR2004-16G-2S+ → Unifi U7 Pro → WiFi clients.
I have a problem where I cannot get IPv6 connectivity to work on my iPhone connected to the Unifi AP. Connectivity certainly works on other clients (like my work laptop) and I have no idea where to dig to resolve this issue.
Because iOS is a bit picky about which IP stack it uses, I tested IPv6 connectivity on the iPhone by creating an IPv6-only VLAN that is bridged to the Unifi AP. When the iPhone is connected to it, internet does not work at all, even though IPv6 addresses are handed out to it.
My ISP is kpn NL, who connect over PPPoE on a vlan with id 6.
In the IPv6 neighbors tab, the IPv6 address that is handed out to the iPhone shows up but ends up as failed after a while. This seems to happen with other clients too, so I suppose it is not the problem.
Some configs:
/interface export (AP is on ether1)
# Layer-2 / interface part of the export: one VLAN-filtering bridge for the LAN
# ports, VLAN interfaces on top of it, and the PPPoE uplink on VLAN 6.
# NOTE(review): the section header this first "add" belongs to (presumably
# "/interface bridge") is missing from the paste.
# vlan-filtering=yes makes the "/interface bridge vlan" table below decide which
# VLAN IDs each port may carry. arp=proxy-arp is an IPv4 ARP setting.
add arp=proxy-arp name=bridge1 port-cost-mode=short vlan-filtering=yes
/interface ethernet
# Physical WAN port. mtu=1512 here and mtu=1508 on VLAN 6 below step down by
# 4 bytes; 1508 leaves 8 bytes for the PPPoE header if the session is meant to
# carry 1500-byte packets. The PPPoE client shows no max-mtu/max-mru, so the
# effective session MTU cannot be read from this export - TODO confirm.
set [ find default-name=sfp-sfpplus1 ] mtu=1512 name="sfp-sfpplus1 - WAN_PPPoE"
/interface vlan
# Routed VLAN interfaces on the bridge (1, 2, 10) plus the ISP VLAN 6 on the
# WAN port.
add interface=bridge1 name=vlan1 vlan-id=1
add interface=bridge1 name=vlan2 vlan-id=2
add interface=bridge1 name=vlan10 vlan-id=10
add interface="sfp-sfpplus1 - WAN_PPPoE" mtu=1508 name=wan vlan-id=6
/interface pppoe-client
# allow=pap restricts authentication to PAP, which passes the password to the
# access concentrator without protection. No password= value appears in this
# export.
add add-default-route=yes allow=pap disabled=no interface=wan name=WAN-PPPoE \
user=internet
/interface list
# Lists referenced by firewall rules (the IPv6 rules in this post test "!LAN").
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
# Bridge members; ether1 is the port the Unifi AP is connected to (per the post).
add bridge=bridge1 interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether15
/interface bridge vlan
# VLAN 10 and VLAN 2 are tagged only on bridge1 and ether15. ether1 (the AP
# port) appears only as an untagged member of VLAN 1, so with vlan-filtering=yes
# frames tagged 2 or 10 would not pass ether1 as exported.
# NOTE(review): the post does not say which VLAN ID carried the IPv6-only test
# SSID - confirm that VLAN is tagged on ether1 here and on the AP.
add bridge=bridge1 tagged=ether15,bridge1 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=\
sfp-sfpplus2,ether1,ether2,ether9,ether15,ether3 vlan-ids=1
add bridge=bridge1 tagged=bridge1,ether15 vlan-ids=2
/interface list member
# LAN = the three routed VLAN interfaces. WAN contains the VLAN 6 interface
# "wan", not the PPPoE client "WAN-PPPoE" that the IPv6 DHCP client runs on.
# The IPv6 filter rules shown only match "!LAN", so they do not depend on the
# WAN list; any rule matching list=WAN (IPv4 firewall/NAT is not shown) would
# presumably not see traffic on the PPPoE interface - TODO confirm.
add interface=vlan1 list=LAN
add interface=vlan2 list=LAN
add interface=vlan10 list=LAN
add interface=wan list=WAN
/ipv6 export
/ipv6 address
# Only vlan1 receives an address from the delegated pool; vlan2 and vlan10 have
# no IPv6 address in this export. No advertise= value is shown - presumably the
# default applies and the prefix is announced for SLAAC; confirm.
add address=::1 from-pool=kpn-ipv6-pool interface=vlan1
/ipv6 dhcp-client
# Requests a delegated prefix (hint ::/48) over the PPPoE interface and stores
# it as kpn-ipv6-pool. use-peer-dns=no: DNS servers offered by the ISP via
# DHCPv6 are not used by the router.
add interface=WAN-PPPoE pool-name=kpn-ipv6-pool prefix-hint=::/48 request=\
prefix use-peer-dns=no
/ipv6 firewall address-list
# bad_ipv6: address ranges that should not appear in forwarded traffic. The
# list is referenced by the two forward-chain drop rules in the filter section
# (src-address-list / dst-address-list).
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
# Rules are evaluated top-down and the first match decides; the order below is
# significant.
#
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# ICMPv6 is accepted from every interface, WAN side included, with no rate
# limit. Neighbor discovery, router solicitations and Packet Too Big depend on
# ICMPv6, so this rule must stay ahead of the final drop.
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
# port= matches when either the source or the destination port is in range, so
# this also admits UDP from any interface whose source port is 33434-33534.
# NOTE(review): dst-port= would be the narrower match if only traceroute probes
# are intended.
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
# DHCPv6 replies to the router's client (dst-port 546) from link-local sources;
# needed for the prefix delegation on WAN-PPPoE.
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
# IKE / AH / ESP are accepted from any interface. No IPsec configuration is
# shown in the post; if none is in use these rules only widen what the WAN side
# can reach on the router - TODO confirm they are needed.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Final input rule: anything not matched above is dropped unless it arrived on
# an interface in the LAN list (vlan1, vlan2, vlan10 in this export). LAN
# traffic is not matched by any rule and reaches the end of the chain.
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
#
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
# Drop forwarded packets whose source or destination is in the bad_ipv6 list.
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
dst-address-list=bad_ipv6
# ICMPv6 with hop-limit 1 is dropped first, then all other ICMPv6 is forwarded
# in both directions; LAN hosts are therefore reachable by ICMPv6 from outside.
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
# HIP (protocol 139), IKE, AH and ESP are forwarded from any interface,
# including inbound from the WAN side to LAN hosts.
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Final forward rule: new connections are dropped unless they enter through an
# interface in the LAN list. A VLAN interface that is not a LAN list member
# would still exchange ICMPv6 (rules above) while its TCP/UDP is dropped here.
# NOTE(review): check that the IPv6-only test VLAN's interface is in the LAN
# list; the post does not identify it.
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
# Changes the default neighbor-discovery entry (router advertisements).
# advertise-dns=no: RAs carry no DNS server option, so SLAAC-only clients get an
# address but no resolver from the router. No DHCPv6 server is shown in this
# export - on an IPv6-only network, confirm where clients are expected to learn
# DNS.
# advertise-mac-address=no: RAs omit the router's link-layer address option.
# NOTE(review): worth re-testing the iPhone with both set to yes to rule these
# out.
set [ find default=yes ] advertise-dns=no advertise-mac-address=no hop-limit=64
Unifi WiFi network settings