I tried this and it did not give me a default route, unfortunately.
Might need to wait a little bit for the next RA to arrive before it takes effect.
What is your ISP, did they give you any instructions regarding configuring IPv6?
My ISP is Cox, they didn’t give me any sort of instructions at all.
Could it be a firewall rule?
Do you mean /ipv6/dhcp-client/renew? No, that should not be necessary. You can try a reboot though.
See if you can sniff incoming ICMPv6 traffic on sfp-sfpplus1 to see the contents of the Router Advertisement message (ICMPv6 type 134).
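To make sense of a captured Router Advertisement, the fields that decide whether the router installs a default route are in the ICMPv6 message itself: the Router Lifetime (zero means "not a default router"), the M/O flags, and the Prefix Information and RDNSS options. The following parser is an added example written for this thread, not code from the forum or from MikroTik; it takes the ICMPv6 message bytes (everything after the IPv6 header, as you would extract them from a packet capture) and also builds a constructed sample RA so it runs offline. The prefixes, MAC and DNS address in the sample are documentation values, not anything from the poster's network.

```python
import struct
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# ICMPv6 / Neighbor Discovery constants (RFC 4861, RFC 4191, RFC 8106)
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR = 1
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25
_PREFERENCE = {0: "medium", 1: "high", 3: "low"}  # RFC 4191 Prf bits; 2 is reserved


@dataclass
class RouterAdvertisement:
    hop_limit: int
    managed: bool            # M flag: get addresses from DHCPv6
    other: bool              # O flag: get other configuration (DNS etc.) from DHCPv6
    preference: str
    router_lifetime: int     # seconds; 0 means "do not use me as a default router"
    reachable_time_ms: int
    retrans_timer_ms: int
    prefixes: List[Tuple[ipaddress.IPv6Network, bool, bool, int, int]] = field(default_factory=list)
    rdnss: List[Tuple[ipaddress.IPv6Address, int]] = field(default_factory=list)
    source_lladdr: Optional[str] = None

    @property
    def offers_default_route(self) -> bool:
        # RFC 4861 section 6.3.4: a zero Router Lifetime never creates a default route
        return self.router_lifetime > 0


def parse_ra(msg: bytes) -> RouterAdvertisement:
    """Parse an ICMPv6 message (bytes after the IPv6 header) as a Router Advertisement."""
    if len(msg) < 16:
        raise ValueError("too short for a Router Advertisement")
    typ, code, _csum, hop, flags, lifetime, reach, retrans = struct.unpack("!BBHBBHII", msg[:16])
    if typ != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError(f"not a Router Advertisement (type={typ}, code={code})")
    ra = RouterAdvertisement(hop, bool(flags & 0x80), bool(flags & 0x40),
                             _PREFERENCE.get((flags >> 3) & 0x3, "reserved"),
                             lifetime, reach, retrans)
    off = 16
    while off < len(msg):                       # options are TLVs, length in 8-byte units
        if len(msg) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:
            raise ValueError("option with zero length")   # RFC 4861 section 4.6: discard packet
        size = olen * 8
        if off + size > len(msg):
            raise ValueError("option runs past end of message")
        body = msg[off + 2:off + size]
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", body[:14])
            net = ipaddress.IPv6Network((body[14:30], plen), strict=False)
            ra.prefixes.append((net, bool(pflags & 0x80), bool(pflags & 0x40), valid, preferred))
        elif otype == OPT_SOURCE_LLADDR and olen == 1:
            ra.source_lladdr = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_RDNSS and olen >= 3:
            _, dns_lifetime = struct.unpack("!HI", body[:6])
            addrs = body[6:]
            for i in range(0, len(addrs) - 15, 16):
                ra.rdnss.append((ipaddress.IPv6Address(addrs[i:i + 16]), dns_lifetime))
        off += size
    return ra


def build_sample_ra(router_lifetime: int, managed: bool = True, other: bool = True) -> bytes:
    """Constructed sample RA (checksum left 0: computing it needs the IPv6 pseudo-header)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags,
                      router_lifetime, 0, 0)
    # Prefix Information option: documentation /64, L (on-link) and A (SLAAC) flags set
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0) \
        + ipaddress.IPv6Address("2001:db8:1234:5600::").packed
    sll = struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + bytes.fromhex("021122334455")
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 3, 0, 3600) + ipaddress.IPv6Address("2001:db8::53").packed
    return hdr + pio + sll + rdnss


def diagnose(ra: RouterAdvertisement) -> List[str]:
    """The findings a troubleshooter checks first, as short strings."""
    notes = ["default route: " + (f"yes, lifetime {ra.router_lifetime}s"
                                  if ra.offers_default_route else "NO (router lifetime 0)")]
    notes.append(f"M={int(ra.managed)} O={int(ra.other)} preference={ra.preference}")
    for net, onlink, auto, valid, _pref in ra.prefixes:
        notes.append(f"prefix {net} on-link={onlink} slaac={auto} valid={valid}s")
    for addr, life in ra.rdnss:
        notes.append(f"rdnss {addr} lifetime={life}s")
    return notes


if __name__ == "__main__":
    for lifetime in (1800, 0):
        print("\n".join(diagnose(parse_ra(build_sample_ra(lifetime)))), "\n")
```

Two things follow from the decode: an RA with Router Lifetime 0 is a valid advertisement that will never produce a default route, and a router that has `accept-router-advertisements=no` will not process any RA on that interface, so the capture shows the advertisement arriving while the routing table stays empty.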
Attach your /ipv6/export.
Here is my export:
[admin@MikroTik] > /ipv6/export
2023-11-08 16:06:53 by RouterOS 7.11.2
software id = AE77-3FXT
model = RB5009UPr+S+
serial number = HE508G1T60Z
/ipv6 pool
add name=pool2 prefix=2600:8801:3c20:4200::/56 prefix-length=64
/ipv6 address
add address=::4aa9:8aff:fe62:c7b7 eui-64=yes from-pool=pool2 interface=LOCAL
/ipv6 dhcp-client
add interface=sfp-sfpplus1 pool-name=pool2 prefix-hint=::/56 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 log=yes protocol=udp src-address=fe80::/10
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="Allow ICMPv6 Input" protocol=icmpv6
add action=accept chain=forward comment="Allow ICMPv6 Forward" protocol=icmpv6
/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=accept chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=144:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=145:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=icmpv6
/ipv6 nd
set [ find default=yes ] managed-address-configuration=yes other-configuration=yes
add advertise-mac-address=no interface=LOCAL managed-address-configuration=yes other-configuration=yes
add advertise-dns=no interface=sfp-sfpplus1 ra-lifetime=none ra-preference=low reachable-time=5m
/ipv6 nd prefix
add autonomous=no interface=LOCAL
/ipv6 settings
set accept-router-advertisements=no
/ipv6/settings/set accept-router-advertisements=yes and disable all your drop ICMPv6 firewall rules; you can work on them after you get it all to work.
Woo hoo! I started with setting the router advertisements to yes as you mentioned and now I’m pulling a dynamic gateway and I can ping out. I will work now on disabling the rest of the IPv6 rules. Thank you so much for your assistance and help.
I actually disabled all the other rules as well. Is there a base ruleset I should be using? The implicit drop at the bottom is disabled as well.
http://forum.mikrotik.com/t/how-to-edge-router-and-bng-optimization-for-isps/150007/1
Is there a base ruleset I should be using?
This is what I use based on RFC 4890 and RFC 7084. Some site-specific and script-based rules are omitted, but if you follow RFC recommendations you can implement them.
/interface bridge
add comment="Trap to block routes with firewall" name=trap protocol-mode=none
/interface list
add name=WAN
add name=LAN
add name=TRAP
/interface list member
# add interface=... list=WAN
# ...
# add interface=... list=LAN
# ...
add interface=trap list=TRAP
/ipv6 route
add comment=RFC6890 dst-address=100::/64 gateway=trap
add comment=RFC6890 dst-address=2001::/32 gateway=trap
add comment=RFC6890 dst-address=2001:2::/48 gateway=trap
add comment=RFC6890 dst-address=fc00::/7 gateway=trap
add comment=RFC6890 dst-address=fe80::/10 gateway=trap
add comment=RFC6890 dst-address=::/128 gateway=trap
add comment=RFC6890 dst-address=2001:db8::/32 gateway=trap
add comment=RFC6890 dst-address=2001:10::/28 gateway=trap
/ipv6 firewall address-list
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6
add address=::/128 list=unspecified
add address=ff02::1:ff00:0/104 list=ns_multicast
add address=ff02::16/128 comment="MLDv2 Report multicast" list=mld_multicast
add address=ff02::/16 comment="Link-Scoped IANA Multicast" list=no_forward_ipv6
add address=ff32::/16 comment="Link-Scoped Unicast-based Multicast" list=no_forward_ipv6
/ipv6 firewall filter
add action=reject chain=forward comment="Trap: Reject All Established, Related from WAN" connection-state=established,related log=yes log-prefix=\
"trap-wan related" out-interface-list=TRAP reject-with=icmp-address-unreachable
add action=reject chain=forward comment="Trap: Reject All from LAN" in-interface-list=LAN log=yes log-prefix=trap-lan out-interface-list=TRAP reject-with=\
icmp-address-unreachable
add action=drop chain=forward comment="Trap: Drop All" log=yes log-prefix=trap-wan out-interface-list=TRAP
add action=accept chain=forward comment="Accept Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop Bad Forward IPs" log=yes log-prefix=bad src-address-list=no_forward_ipv6
add action=jump chain=forward comment="Jump to Invalid" connection-state=invalid jump-target=invalid
add action=accept chain=forward comment="Accept IPsec ESP" log=yes protocol=ipsec-esp
add action=accept chain=forward comment="Accept HIP" protocol=139
add action=jump chain=forward comment="Jump to ICMPv6" jump-target=icmpv6-forward protocol=icmpv6
add action=accept chain=forward comment="Accept Untracked" connection-state=untracked
add action=drop chain=forward comment="Drop All from WAN" in-interface-list=WAN
add action=accept chain=forward comment="Accept All from LAN" in-interface-list=LAN
add action=drop chain=forward comment="Drop All"
add action=accept chain=input comment="Accept Established, Related" connection-state=established,related
add action=jump chain=input comment="Jump to Invalid" connection-state=invalid jump-target=invalid
add action=accept chain=input comment="Accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="Accept UDP Traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="Accept DNS over TCP from LAN" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Accept DNS over UDP from LAN" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Accept DHCPv6 Client Prefix Delegation from WAN" dst-port=546 in-interface-list=WAN protocol=udp src-port=547
add action=accept chain=input comment="Accept DHCPv6 Client from LAN" dst-port=547 protocol=udp
add action=accept chain=input comment="Accept LAN" in-interface-list=LAN
add action=drop chain=input comment="Drop All"
add action=drop chain=icmpv6-forward comment="RFC4890: Drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=drop chain=icmpv6-forward comment="RFC4890: Drop Renumbering " icmp-options=138:0-255 protocol=icmpv6
add action=drop chain=icmpv6-forward comment="RFC4890: Drop Node Information Query" icmp-options=139:0-255 protocol=icmpv6
add action=accept chain=icmpv6-forward comment="Accept All"
add action=accept chain=invalid comment="Accept Invalid RST from LAN" in-interface-list=LAN protocol=tcp tcp-flags=rst
add action=accept chain=invalid comment="Accept Invalid FIN from LAN" in-interface-list=LAN protocol=tcp tcp-flags=fin
add action=reject chain=invalid comment="Reject Invalid from LAN" in-interface-list=LAN log-prefix=lan protocol=tcp reject-with=tcp-reset
add action=drop chain=invalid comment="Drop Invalid"
/ipv6 firewall raw
add action=accept chain=prerouting comment="Accept unspecified for DAD from LAN" dst-address-list=ns_multicast icmp-options=135:0-255 in-interface-list=LAN \
protocol=icmpv6 src-address-list=unspecified
add action=accept chain=prerouting comment="Accept unspecified to MLD from LAN" dst-address-list=mld_multicast icmp-options=143:0-255 in-interface-list=LAN \
protocol=icmpv6 src-address-list=unspecified
add action=drop chain=prerouting comment="Drop from bogon IPs" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="Drop to bogon IPs" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="Drop from bad src IPs" src-address-list=bad_src_ipv6
add action=jump chain=prerouting comment="Jump to ICMPv6 chain" jump-target=icmpv6 protocol=icmpv6
add action=drop chain=icmpv6 comment="Drop MLD Query from WAN" icmp-options=130:0-255 in-interface-list=WAN protocol=icmpv6
add action=drop chain=icmpv6 comment="Drop MLDv1 Report from WAN" icmp-options=131:0-255 in-interface-list=WAN log=yes log-prefix=mld1-report protocol=\
icmpv6
add action=drop chain=icmpv6 comment="Drop MLDv1 Done from WAN" icmp-options=132:0-255 in-interface-list=WAN protocol=icmpv6
add action=drop chain=icmpv6 comment="Drop MLDv2 Report from WAN" icmp-options=143:0-255 in-interface-list=WAN log=yes log-prefix=mld2-report protocol=\
icmpv6
add action=drop chain=icmpv6 comment="Drop Node Information Query from WAN" icmp-options=139:0-255 in-interface-list=WAN protocol=icmpv6
add action=drop chain=icmpv6 comment="Drop Extended Echo Request from WAN" icmp-options=160:0-255 in-interface-list=WAN protocol=icmpv6
add action=drop chain=icmpv6 comment="Drop Router Advertisements from LAN" icmp-options=134:0-255 in-interface-list=!WAN log=yes log-prefix=ra protocol=\
icmpv6
add action=return chain=icmpv6 comment="Back to Prerouting"
@DarkNate also linked a great article. However, I do recommend understanding what you accept and drop. In my opinion RFCs are written better than some of the blogs you might stumble upon in Google.
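The raw chain above only works because of its order: the two "Accept unspecified ..." rules sit before the bogon drops, since a Duplicate Address Detection probe has source :: and would otherwise be dropped by the ::/96 entry in bad_ipv6. The evaluator below is an added example written for this thread (not RouterOS code and not part of the posted ruleset); it models first-match semantics with jump/return over a subset of the posted prerouting and icmpv6 chains, so you can see which rule fires for a given packet and what happens if the DAD exception is removed. Interface membership is modelled as a plain "LAN"/"WAN" tag, the address lists are copied from the post with bad_ipv6 abbreviated, and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Address lists from the posted ruleset (bad_ipv6 abbreviated to the entries the samples need)
ADDRESS_LISTS: Dict[str, List[ipaddress.IPv6Network]] = {
    name: [ipaddress.IPv6Network(p) for p in prefixes]
    for name, prefixes in {
        "bad_ipv6": ["::1/128", "::ffff:0.0.0.0/96", "2001::/23", "2001:db8::/32",
                     "2001:10::/28", "::/96"],
        "bad_src_ipv6": ["::/128", "ff00::/8"],
        "unspecified": ["::/128"],
        "ns_multicast": ["ff02::1:ff00:0/104"],
        "mld_multicast": ["ff02::16/128"],
    }.items()
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface_list: str                 # "LAN" or "WAN", like the interface lists in the export
    icmpv6_type: Optional[int] = None  # None means the packet is not ICMPv6


@dataclass(frozen=True)
class Rule:
    action: str                          # accept | drop | jump | return
    comment: str
    src_list: Optional[str] = None       # src-address-list=
    dst_list: Optional[str] = None       # dst-address-list=
    in_iface_list: Optional[str] = None  # in-interface-list=, "!WAN" style negation supported
    icmpv6_type: Optional[int] = None    # icmp-options=N:0-255
    protocol_icmpv6: bool = False        # protocol=icmpv6 without a type constraint
    jump_target: Optional[str] = None


def in_address_list(addr: str, name: str) -> bool:
    ip = ipaddress.IPv6Address(addr)
    return any(ip in net for net in ADDRESS_LISTS[name])


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src_list and not in_address_list(pkt.src, rule.src_list):
        return False
    if rule.dst_list and not in_address_list(pkt.dst, rule.dst_list):
        return False
    if rule.in_iface_list:
        negate = rule.in_iface_list.startswith("!")
        wanted = rule.in_iface_list.lstrip("!")
        if (pkt.in_iface_list == wanted) == negate:
            return False
    if (rule.protocol_icmpv6 or rule.icmpv6_type is not None) and pkt.icmpv6_type is None:
        return False
    if rule.icmpv6_type is not None and pkt.icmpv6_type != rule.icmpv6_type:
        return False
    return True


# Subset of the posted /ipv6 firewall raw rules, in the posted order
CHAINS: Dict[str, List[Rule]] = {
    "prerouting": [
        Rule("accept", "Accept unspecified for DAD from LAN", src_list="unspecified",
             dst_list="ns_multicast", in_iface_list="LAN", icmpv6_type=135),
        Rule("accept", "Accept unspecified to MLD from LAN", src_list="unspecified",
             dst_list="mld_multicast", in_iface_list="LAN", icmpv6_type=143),
        Rule("drop", "Drop from bogon IPs", src_list="bad_ipv6"),
        Rule("drop", "Drop to bogon IPs", dst_list="bad_ipv6"),
        Rule("drop", "Drop from bad src IPs", src_list="bad_src_ipv6"),
        Rule("jump", "Jump to ICMPv6 chain", protocol_icmpv6=True, jump_target="icmpv6"),
    ],
    "icmpv6": [
        Rule("drop", "Drop MLD Query from WAN", icmpv6_type=130, in_iface_list="WAN"),
        Rule("drop", "Drop MLDv2 Report from WAN", icmpv6_type=143, in_iface_list="WAN"),
        Rule("drop", "Drop Node Information Query from WAN", icmpv6_type=139, in_iface_list="WAN"),
        Rule("drop", "Drop Router Advertisements from LAN", icmpv6_type=134, in_iface_list="!WAN"),
        Rule("return", "Back to Prerouting"),
    ],
}

Verdict = Tuple[str, str]


def walk(pkt: Packet, chain: str, chains: Dict[str, List[Rule]]) -> Optional[Verdict]:
    """First match wins; jump descends, return hands back to the caller with no verdict."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        if rule.action == "jump":
            verdict = walk(pkt, rule.jump_target, chains)
            if verdict is not None:
                return verdict
            continue  # sub-chain returned without a verdict: keep going here
        if rule.action == "return":
            return None
        return (rule.action, rule.comment)
    return None


def evaluate(pkt: Packet, chains: Dict[str, List[Rule]] = CHAINS) -> Verdict:
    # A chain that runs out of rules accepts by default, as the RouterOS firewall does
    return walk(pkt, "prerouting", chains) or ("accept", "end of chain (default accept)")


# Constructed sample packets
DAD_FROM_LAN = Packet("::", "ff02::1:ff62:c7b7", "LAN", icmpv6_type=135)
DAD_FROM_WAN = Packet("::", "ff02::1:ff62:c7b7", "WAN", icmpv6_type=135)
RA_FROM_LAN = Packet("fe80::1", "ff02::1", "LAN", icmpv6_type=134)
RA_FROM_WAN = Packet("fe80::1", "ff02::1", "WAN", icmpv6_type=134)
DOC_PREFIX_FROM_WAN = Packet("2001:db8::1", "fe80::1", "WAN")

if __name__ == "__main__":
    for name, pkt in [("DAD from LAN", DAD_FROM_LAN), ("DAD from WAN", DAD_FROM_WAN),
                      ("RA from LAN", RA_FROM_LAN), ("RA from WAN", RA_FROM_WAN),
                      ("2001:db8 src from WAN", DOC_PREFIX_FROM_WAN)]:
        print(f"{name:24s} -> {evaluate(pkt)}")
```

Dropping the two "unspecified" accepts (or moving them below the bogon rules) silently breaks DAD for every LAN host, which is the kind of regression that is easy to introduce while "disabling rules until it works" and hard to notice until addresses fail to come up.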
@Kentzo your approach has duplicity and redundant config, for example with your “trap”. Why would you increase computation costs? Use Route-To-Blackhole directly.
In addition, the content in the article is backed by various RFCs and BCPs and BCOPs, all hyperlinked widely across the article if you bothered to scrutinise. The author is far from “random”, if you check their public credentials.
The reason for the trap interface is that it is used for rules that are site-specific and were omitted. Among other things it was necessary to reject packets sent to unallocated subnets of the delegated prefix with appropriate ICMP.
These rules perform sufficiently on my CPE that runs on a somewhat old RouterBOARD, but I do have only a handful of devices.
I did not depreciate the author of the linked article, but rather other sources, less versed. But if I were to nitpick I would criticize blanket drop and blackhole rules: local hosts deserve rejection with appropriate ICMP errors. Note that linked RFCs advocate similarly. That it's not trivial to configure RouterOS like this is a whole other matter.
But if I were to nitpick I would criticize blanket drop and blackhole rules: local hosts deserve rejection with appropriate ICMP errors. Note that linked RFCs advocate similarly. That it's not trivial to configure RouterOS like this is a whole other matter.
This opens a door for DDoS/DoS of the control plane. That’s why blackhole was invented in the first place.
Especially in a network pumping 100s of Gigabits of traffic, if you do ICMPv4/v6 replies? Your control plane will turn to mush. Route to blackhole wins.
This is not an excuse for mistreating LAN hosts. Keep blackholes to outsiders if you cannot invest in appropriate hardware layout and engineering.
I think it is a mistake to apply techniques developed for business-on-budget applications to prosumer cases which my firewall is for.
Disagree. We route to blackhole even on expensive high-end Juniper MXes and PTXes.
Follow up question. So I moved the /64 pool to another interface and I can ping out and hit IPv6 addresses with no problem, but when I try to browse them I can’t. I confirmed I do have DNS enabled and I can ping the DNS servers. Any suggestions?
Do the hosts that cannot “browse” have a DNS server listed in their system settings? Can they resolve AAAA records via that DNS?
I’m looking at one of my Ubuntu hosts. It has an IPv6 address, and it has a DNS server provided by the ISP, and I added in Google DNS. When I try to resolve using nslookup or dig, it can’t resolve anything, but I can ping the external DNS servers.
Weird, it was another firewall rule. So everything is allowed now and it's working; I missed a couple of rules in the raw section.