I’ve tried all the possible remedies like adding an address from the prefix to LAN, but I still can’t get IPv6 DHCP to work at all. Is this a known problem or is there something else I haven’t tried yet? EDIT: It looks like I can get good IPv6 addresses on clients but nothing shows up in the Bindings section.
Start with a description what you want to achieve.
Mikrotik’s DHCP Server is meant for Prefix Delegation: you get prefix from service provider and create pool from it (with possibility to set size of sub-prefixes taken from it). When you assign IPv6 address to the router from the pool, first sub-prefix is taken and used for it. When you create a DHCPv6 Server, you’re able to delegate next sub-prefixes to the next routers.
I’m using it to assign publicly routable IPv6 addresses to LAN devices, using a /64 prefix pool acquired from the router’s DHCP client.
You can’t, it will only respond to PD requests.
If your Mikrotik is routing you need more than one /64 from the upstream router - one for the Mikrotik WAN - upstream router, one for the LAN - client devices, repeated for additional LANs. (It is possible to route via link-local addresses, but not recommended see https://www.ripe.net/publications/docs/ripe-690 section 4.1)
# get prefix from upstream, put it into pool
/ipv6 dhcp-client add add-default-route=yes disabled=no interface=ether1 pool-name=ipv6-pool request=prefix use-peer-dns=yes
# start Network Discovery
/ipv6 nd set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes interface=bridge managed-address-configuration=yes other-configuration=yes
# assign address from first sub-prefix from the pool. now clients in your network should get IPv6 addresses using SLAAC method.
/ipv6 address add address=::1/64 advertise=yes disabled=no eui-64=no from-pool=ipv6-pool interface=bridge no-dad=no
# DNS settings are in the same place for both protocols: IP -> DNS
# NB: IPv6 stack is completely separate from IPv4, so you have also separate firewall and if you didn't reset router configuration after enabling ipv6 module, then you need to add default firewall rules:
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
Now my devices are getting SLAAC addresses, but now the router can’t route IPv6 properly because there is a route for the prefix for both the WAN and LAN ports. Both have the same distance, and I can’t get rid of the one that points to WAN. This seems like another v7 bug, so that’s sad.
If you have the same prefix on both ports it not working has nothing to do with v7. You either need to request an address (for upstream device - Mikrotik) and a prefix (for Mikrotik to downstream devices) - the two should be different /64s, or if you do not request an address you should only have a link-local address on the port to the upstream device.
This was the fix, I just had to disable getting an address on the DHCP client so the router could add a proper route to the bridge.