I have an HE 6to4 tunnel. My whole LAN is connected to the Mikrotik through a TP-Link managed switch.
My switch supports IPv6 and I have a link-local address configured: fe80::fa1a:67ff:fe48:61ab.
From the tunnel broker I have a different address (a /64 block): 2001.**********
How do I set up my whole network so that some internal devices are assigned an external IPv6 address?
First create an interface for the 6to4-tunnel:
/interface 6to4
add clamp-tcp-mss=no comment="Hurricane Electric IPv6-tunnel" !keepalive \
local-address=w.x.y.z mtu=1480 name=heipv6 remote-address=\
a.b.c.d
/ip neighbor discovery
set heipv6 comment="Hurricane Electric IPv6-tunnel" discover=no
Where w.x.y.z is your public IP-address and a.b.c.d is the IP-address of the HE-tunnel endpoint.
Don’t forget to accept protocol-41 traffic in your IPv4 firewall. The actual filtering of IPv6 traffic happens in your IPv6 firewall.
/ip firewall filter
add chain=input comment="IPv6 tunnel (protocol 41)" in-interface=\
ether1-gateway protocol=ipv6 src-address=a.b.c.d
Now set the addresses of your side of the tunnel and the inside of your network.
/ipv6 address
add address=2001:p:q:r::2 advertise=no interface=heipv6
add address=2001:k:l:m::1 interface=bridge-local
That’s it. But without firewall, your router and LAN are open to the world, so you’ll want to do some firewalling as well.
Thanks, that is almost done, but I don’t have ipv6 in the protocol field.
When I try to enter ipv6 it is shown in red; 41 is accepted, but I don’t see any ipv6 comment.
/ip firewall filter
add chain=input comment="IPv6 tunnel (protocol 41)" in-interface=\
ether1-gateway protocol=ipv6 src-address=a.b.c.d
I am just wondering how to connect my internal IPv6 address to my external IPv6 address (/64 block)?
After setting up the firewall for IPv6, how do I open selected devices from internal IPv6 to the external IPv6 address?
In the webinterface you just enter the number 41, that’s correct.
I don’t understand what you mean.
/ip firewall filter
add chain=input comment="IPv6 tunnel (protocol 41)" in-interface=\
ether1-gateway protocol=ipv6 src-address=a.b.c.d
You don’t have to. Hurricane delivers traffic to your /64 at your tunnel endpoint (i.e. 2001:p:q:r::2) and the MikroTik routes it to your LAN. Don’t forget: with IPv6 there is no NAT anymore. All your addresses are public.
By the way, in my first reply I forgot to mention that you probably have to add a default route to the endpoint of the tunnel at Hurricane:
/ipv6 route
add disabled=no distance=1 dst-address=::/0 gateway=2001:p:q:r::1
By adding additional rules. Your basic forward chain could look like this:
/ipv6 firewall filter
add action=accept chain=forward comment="icmpv6" protocol=icmpv6
add action=accept chain=forward comment="allow access to this single host on the LAN"\
dst-address=2001:k:l:m:aa:bb:cc:dd/128 in-interface=heipv6
add action=accept chain=forward comment=established connection-state=established
add action=accept chain=forward comment=related connection-state=related
add action=drop chain=forward comment=invalid connection-state=invalid
add action=reject chain=forward comment="reject other incoming traffic to LAN"\
in-interface=heipv6 reject-with=icmp-admin-prohibited
I followed your instructions.
I think that my problem is that, despite the enabled DHCPv6 server, my computer doesn’t get an IPv6 address.
Binding
# ADDRESS DUID SERVER STATUS
0 2001:XXX:XX:XXX::/64 0xffffff server_dhcpipv6 waiting
DHCP
# NAME INTERFACE ADDRESS-POOL PREFERENCE LEASE-TIME
0 server_dhcpipv6 ether3 pool_ipv6 255 3d
I have only:
Link-local IPV6 Address : fe80::dda3:261a:aaac:4ab4
and
IPv4: address, mask and gateway
I don’t know why…?
Because so far RouterOS DHCPv6 server does not support handing out addresses, only prefixes. You need to use standard autoconfiguration (you’ll find most of it under /ipv6 nd).
How do I correctly configure DHCPv6 in my case, for IPv6 from the HE 6to4 tunnel?
Right now I think that something is wrong with my Mikrotik DHCPv6 server configuration.
If you want to give addresses to computers in LAN, forget DHCPv6 for now. DHCPv6 server in RouterOS does not support it yet. Use autoconfiguration instead. If you did not change defaults in /ipv6 nd, you need just:
/ipv6 address
add address=2001:x:x:x::1 interface=<lan>
Where 2001:x:x:x:: is your routed prefix from HE. If you did something with defaults, reset them back:
/ipv6 nd prefix default
set autonomous=yes
/ipv6 nd
set [ find default=yes ] managed-address-configuration=no other-configuration=no
Now computers in LAN should get addresses from 2001:x:x:x::/64.
IPv6 address received.
6to4 tunnel enabled and running.
…but the only problem is that I don’t have a connection to IPv6 sites.
The strange thing is that in my IPv6 address list I added only two lines (0,1), but after reboot I have got additional ones (3,4,5):
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
# ADDRESS FROM-POOL INTERFACE ADVERTISE
0 G 2001:XXX:XX:XXX::1/64 bridge-local yes
1 G 2001:XXX:XX:XXX::2/64 heipv6 no
2 DL fe80::4e5e:cff:fe43:8996/64 bridge-local no
3 DL fe80::4e5e:cff:fe43:8995/64 ether1-gateway no
4 DL fe80::fefd:0/64 heipv6 no
When I delete lines 2,3,4 and reboot, I again get the same list 0-4 ;-(
My PC received from DHCP:
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : XXXX Realtek PXXXXXXXXXXXXXXXX
Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:XXX:XX:XXX:dda3:261a:aaac:4ab4(Preferred)
Temporary IPv6 Address. . . . . . : 2001:XXX:XX:XXX:11c:4ff9:9c4:49e9(Preferred)
Link-local IPv6 Address . . . . . : fe80::dda3:261a:aaac:4ab4%18(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.XX.XXX(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::4e5e:cff:fe43:8996%18
192.168.XX.XXX
DHCP Server . . . . . . . . . . . : 192.168.XX.XXX
DHCPv6 IAID . . . . . . . . . . . : 5XX2XXX5
DHCPv6 Client DUID. . . . . . . . : 00-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-14
DNS Servers . . . . . . . . . . . : 8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled
Once again, forget DHCPv6, it’s no use for you now. If you have only /64 routed to you, DHCPv6 server in current RouterOS can’t do anything useful for you.
fe80::* are link-local addresses, they should be there, don’t mind them.
Why you can’t connect anywhere, well, that’s a question. You’ll have to do some troubleshooting. Try traceroute to some external address and see what happens. First try it from router itself, to see if your tunnel works at all. Then try it from LAN. Start with empty IPv6 firewall at first, to be sure that you don’t accidentally block yourself. You get the idea…
Edit: One more thing, just to be sure, if you have your addresses:
# ADDRESS FROM-POOL INTERFACE ADVERTISE
0 G 2001:XXX:XX:XXX::1/64 bridge-local yes
1 G 2001:XXX:XX:XXX::2/64 heipv6 no
The “XXX:XX:XXX” in 2001:XXX:XX:XXX::1 is not exactly the same as “XXX:XX:XXX” in 2001:XXX:XX:XXX::2, right?
(…)
Traceroute checked.
All firewall lines disabled.
I see only one hop, to my link-local gateway: fe80::4e5e:cff:fe43:8996%18
/ipv6 route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
# DST-ADDRESS GATEWAY DISTANCE
0 A S ::/0 2001:XXX:XX:XXX::1 1
1 ADC 2001:XXX:XX:XXX::/64 heipv6 0
bridge-local
The “XXX:XX:XXX” in 2001:XXX:XX:XXX::1 is not exactly the same as “XXX:XX:XXX” in 2001:XXX:XX:XXX::2, right?
This “XXX:XX:XXX” in 2001:XXX:XX:XXX::1 is exactly the same as the “XXX:XX:XXX” in 2001:XXX:XX:XXX::2.
/ipv6 address> print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
# ADDRESS FROM-POOL INTERFACE ADVERTISE
0 G 2001:XXX:XX:XXX::1/64 bridge-local yes
1 G 2001:XXX:XX:XXX::2/64 heipv6 no
2 DL fe80::4e5e:cff:fe43:8996/64 bridge-local no
3 DL fe80::4e5e:cff:fe43:8995/64 ether1-gateway no
4 DL fe80::fefd:0/64 heipv6 no
Lines 2,3,4 are added automatically after the router restarts.
If you have same /64 on both interfaces, then it can’t work. I don’t use HE tunnel myself, but I assume you must have more than just one /64. There should be something for tunnel itself (probably also /64) and then another /64 routed to you for use on LAN.
They should not be the same network.
The “XXX:XX:XXX” in 2001:XXX:XX:XXX::1 should instead be “XXX:XY:XXX”, i.e. 2001:XXX:XY:XXX::1.
See the manual: http://wiki.mikrotik.com/wiki/Manual:My_First_IPv6_Network
HE gives you two /64 networks by default: one for the tunnel itself, and one “routed LAN” address.
Look at your tunnel settings on the tunnelbroker website - they tell you which /64 is routed to you.
Suppose it is 2001:db8:10:abcd::/64
Then your IPv6 address for bridge-local should be:
2001:db8:10:abcd::1/64
The tunnel address will be a different prefix like:
2001:db8:10:1234::/64 (and your address is 2001:db8:10:1234::2/64 on this link)
The fe80:: addresses are something new in IPv6 - in IPv4, each interface usually has just one IP address, but IPv6 naturally has several.
fe80:: is an address range that is required to exist on every interface, and it is used to talk to other IPv6 speaking hosts that are connected to the same link layer - namely the same LAN - the same ethernet switch - etc…
Notice that your computer’s default gateway route (::/0) has the destination of fe80::
Note that this is one of those mysterious fe80:: addresses that keep “just appearing” on your router even after rebooting.
This is just how IPv6 works. You get used to it eventually.
(the %18 specifies which interface’s fe80:: in particular - because EVERY interface has an fe80:: address now)
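The two previous replies boil down to one rule: the tunnel /64 lives only on the tunnel interface, the routed /64 lives on the LAN, and they must never be the same block. The following is an added Python check (not RouterOS code and not from any poster in this thread) that applies that rule to an address plan before it is typed into /ipv6 address. It uses the documentation prefixes quoted above (2001:db8:10:1234::/64 for the tunnel, 2001:db8:10:abcd::/64 routed); the interface names bridge-local and heipv6 follow the thread, and the sample address lists are constructed to reproduce both the broken and the corrected layout.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample data using the documentation prefixes quoted in the thread.
TUNNEL = {
    "interface": "heipv6",                 # 6to4 interface name on the router
    "server": "2001:db8:10:1234::1/64",    # HE "Server IPv6 Address"
    "client": "2001:db8:10:1234::2/64",    # HE "Client IPv6 Address"
    "routed": "2001:db8:10:abcd::/64",     # HE "Routed /64"
}
DEFAULT_GATEWAY = "2001:db8:10:1234::1"    # gateway of the ::/0 route

# The layout that did not work in the thread: tunnel /64 reused on the LAN bridge.
BAD_ADDRESSES: List[Tuple[str, str]] = [
    ("2001:db8:10:1234::1/64", "bridge-local"),
    ("2001:db8:10:1234::2/64", "heipv6"),
    ("fe80::4e5e:cff:fe43:8996/64", "bridge-local"),
]
# The corrected layout: routed /64 on the LAN, tunnel /64 only on the tunnel.
GOOD_ADDRESSES: List[Tuple[str, str]] = [
    ("2001:db8:10:abcd::1/64", "bridge-local"),
    ("2001:db8:10:1234::2/64", "heipv6"),
    ("fe80::4e5e:cff:fe43:8996/64", "bridge-local"),
]


def net64(addr: str) -> ipaddress.IPv6Network:
    """Return the /64 that contains an interface address (RouterOS defaults to /64 if omitted)."""
    ip = ipaddress.IPv6Interface(addr if "/" in addr else addr + "/64").ip
    return ipaddress.IPv6Network((ip, 64), strict=False)


def check_he_addressing(tunnel: Dict[str, str],
                        addresses: List[Tuple[str, str]],
                        default_gw: str) -> List[str]:
    """Return a list of problems with the plan; an empty list means it follows the thread's advice."""
    problems: List[str] = []
    tunnel_net = net64(tunnel["server"])
    server_ip = ipaddress.IPv6Interface(tunnel["server"]).ip
    client_ip = ipaddress.IPv6Interface(tunnel["client"]).ip
    routed_net = ipaddress.IPv6Network(tunnel["routed"])

    if net64(tunnel["client"]) != tunnel_net:
        problems.append("tunnel client and server addresses are in different /64s")
    if routed_net == tunnel_net:
        problems.append("routed /64 is the same as the tunnel /64")

    seen: Dict[ipaddress.IPv6Network, str] = {}   # /64 -> first interface carrying it
    for addr, iface in addresses:
        ip = ipaddress.IPv6Interface(addr).ip
        if ip.is_link_local:
            continue  # fe80::/10 is expected on every interface, as the reply above explains
        net = net64(addr)
        if net in seen and seen[net] != iface:
            problems.append(f"{net} is configured on both {seen[net]} and {iface}")
        seen.setdefault(net, iface)
        if iface == tunnel["interface"]:
            if ip != client_ip:
                problems.append(f"{addr} on {iface} is not the HE client address")
        elif net == tunnel_net:
            problems.append(f"{addr} on {iface} uses the tunnel /64; LAN interfaces must use the routed /64")
        elif net != routed_net:
            problems.append(f"{addr} on {iface} belongs to neither the tunnel nor the routed /64")

    if ipaddress.IPv6Address(default_gw) != server_ip:
        problems.append("default route gateway should be the HE server address")
    return problems


if __name__ == "__main__":
    for label, addrs in (("broken", BAD_ADDRESSES), ("fixed", GOOD_ADDRESSES)):
        print(f"{label}: {check_he_addressing(TUNNEL, addrs, DEFAULT_GATEWAY) or 'ok'}")
```

Running it reports two findings for the broken layout (the LAN bridge carrying the tunnel /64, and that /64 appearing on two interfaces) and nothing for the corrected one. The link-local entries are deliberately skipped, since the thread's "mysterious fe80::" addresses are normal and not a configuration error.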
Right! My HE IPv6 data:
IPv6 Tunnel Endpoints
Server IPv6 Address:2001:XXX:X0:XXX::1/64
Client IPv6 Address:2001:XXX:X0:XXX::2/64
Routed IPv6 Prefixes
Routed /64:2001:XXX:X1:XXX::/64
I changed my IPv6 addresses:
/ipv6 address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
# ADDRESS FROM-POOL INTERFACE ADVERTISE
0 G 2001:XXX:X1:XXX::1/64 bridge-l... yes
1 G 2001:XXX:X0:XXX::2/64 heipv6 no
2 DL fe80::4e5e:cff:fe43:8996/64 bridge-l... no
3 DL fe80::4e5e:cff:fe43:8995/64 ether1-g... no
4 DL fe80::fefd:0/64 heipv6 no
Checking on my Mikrotik router, traceroute works fine.
From my PC connected to the LAN I can ping the Google DNS server 2001:4860:4860::8888.
…but I still can’t ping an external IPv6 domain name from a PC connected to my LAN.
After adding an IPv6 DNS server to my IPv6 network details, everything works fine.
Without manual IPv6 DNS I can’t resolve my domains.
How can I add the DNS server from tunnelbroker.net, 2001:470:20::2, directly to the Mikrotik DNS settings?
Automatic DNS for Windows: you can’t with only a Mikrotik router.
Mikrotik’s only way to assign DNS information is in the RA packets - so Mikrotik expects the SLAAC clients to use this information to configure their dns automatically as well. If you have an Apple device, you’ll notice that these work. Windows doesn’t use the dns information in SLAAC, which is why you’re having to assign it manually.
Windows requires a DHCPv6 server in order to learn its dns information automatically.
DHCP servers come in 3 flavors for IPv6:
Prefix Delegation - assigns blocks of networks to clients so that the clients can then assign multiple LAN segments inside their network
Stateless - This is what SLAAC clients want to look for after making their address/default GW settings. This is like a bulletin board in the break room at the office. It has all of the informational options, such as ntp server, tftp server, etc… and of course DNS server. This server doesn’t assign leases, hence the term ‘stateless.’
Stateful - This is what most people think of when they think of DHCP server - it works pretty much like the IPv4 DHCP service - it has a pool of addresses that it uses to assign leases to clients.
Okay - now out of these 3, Mikrotik’s DHCP server currently only supports prefix delegation mode.
In other words, you’ll either need another device / server to do stateless DHCPv6 to announce to Windows clients what DNS server addresses they should use, or else you have to manually configure this in the Windows clients.
I’ve also tried to make an IPv6 network.
I’ve got a lot working but not everything.
All my hosts can get an IPv6 address from my router.
My router has a 6to4 config from which I can ping ‘external’ addresses.
But it goes wrong on the route from my ‘local’ network to the ‘external’ network.
When I ping from the bridge interface to the IPv6 gateway (at tunnelbroker) it says no route to host.
This is my config:
/interface 6to4
add comment="IPv6 WAN" !keepalive local-address=A.B.C.D mtu=1280 name=sit1 remote-address=W.X.Y.Z
/ipv6 address
add address=2001:XXXX:XXXX:XXXX::2 advertise=no interface=sit1
add address=2001:XXXX:XXXY:XXXY:: interface=bridge-****
/ipv6 firewall address-list
add address=2001:XXXX:XXXY:XXXY::/64 list=home
/ipv6 firewall filter
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add chain=input comment="Allow limited ICMP" protocol=icmpv6
add chain=input comment="Allow UDP" protocol=udp
add action=drop chain=input
add chain=forward comment="Allow established connections" connection-state=established
add chain=forward comment="Allow related connections" connection-state=related
add action=drop chain=forward
/ipv6 nd prefix default
set preferred-lifetime=2m valid-lifetime=5m
/ipv6 route
add distance=1 dst-address=2000::/3 gateway=2001:XXXX:XXXX:XXXX::1
Can you guys maybe help me?
If client says there’s no route, it probably does not have it. Check the routing table (“netsh interface ipv6 show route” for Windows, “ip -6 route” for Linux). And you also have to enable some forwarding in router’s firewall. Now you accept established and related connections, but there won’t be any, because you block all new ones in any direction. So you probably want to enable everything from LAN. And also ICMPv6, because IPv6 depends on it a lot.
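The last reply makes a point that is easy to miss when reading a filter list: a forward chain consisting only of accept established, accept related, drop never lets a connection become established, because the first packet of every connection is new. The following is an added Python model (not RouterOS code, and not from any poster here) that evaluates the two forward chains in this thread, the one from the first reply and the one from the last question, with first-match semantics and a default accept when no rule matches, which is how RouterOS filter chains behave. The interface name bridge-lan, the 2001:db8:: addresses and the sample packets are constructed for the example.

```python
import ipaddress
from typing import Dict, List

Rule = Dict[str, str]     # RouterOS-style matchers and an action
Packet = Dict[str, str]   # what the router sees: in-interface, dst, protocol, connection-state


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher present in the rule must agree with the packet; absent matchers match anything."""
    for key in ("in-interface", "protocol", "connection-state"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if "dst-address" in rule:
        if ipaddress.IPv6Address(pkt["dst"]) not in ipaddress.IPv6Network(rule["dst-address"]):
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, chain: str = "forward") -> str:
    """First matching rule decides; with no match RouterOS accepts the packet (default policy)."""
    for rule in rules:
        if rule.get("chain") == chain and rule_matches(rule, pkt):
            return rule.get("action", "accept")
    return "accept"


# Forward chain from the first reply (LAN host address under the documentation prefix, constructed).
FIRST_REPLY_FORWARD: List[Rule] = [
    {"chain": "forward", "action": "accept", "protocol": "icmpv6"},
    {"chain": "forward", "action": "accept", "in-interface": "heipv6",
     "dst-address": "2001:db8:10:abcd:aa:bb:cc:dd/128"},
    {"chain": "forward", "action": "accept", "connection-state": "established"},
    {"chain": "forward", "action": "accept", "connection-state": "related"},
    {"chain": "forward", "action": "drop", "connection-state": "invalid"},
    {"chain": "forward", "action": "reject", "in-interface": "heipv6"},
]

# Forward chain from the last question: nothing new is ever allowed, in either direction.
LAST_POST_FORWARD: List[Rule] = [
    {"chain": "forward", "action": "accept", "connection-state": "established"},
    {"chain": "forward", "action": "accept", "connection-state": "related"},
    {"chain": "forward", "action": "drop"},
]

# The repair the last reply suggests: let the LAN originate connections and keep ICMPv6 working.
FIXED_FORWARD: List[Rule] = [
    {"chain": "forward", "action": "accept", "connection-state": "established"},
    {"chain": "forward", "action": "accept", "connection-state": "related"},
    {"chain": "forward", "action": "accept", "protocol": "icmpv6"},
    {"chain": "forward", "action": "accept", "in-interface": "bridge-lan"},
    {"chain": "forward", "action": "drop"},
]

# Constructed packets: a LAN host opening a connection to Google DNS, the reply coming back,
# and two unsolicited connections arriving from the tunnel side.
LAN_NEW: Packet = {"in-interface": "bridge-lan", "dst": "2001:4860:4860::8888",
                   "protocol": "tcp", "connection-state": "new"}
WAN_REPLY: Packet = {"in-interface": "heipv6", "dst": "2001:db8:10:abcd::10",
                     "protocol": "tcp", "connection-state": "established"}
WAN_NEW_TO_HOST: Packet = {"in-interface": "heipv6", "dst": "2001:db8:10:abcd:aa:bb:cc:dd",
                           "protocol": "tcp", "connection-state": "new"}
WAN_NEW_OTHER: Packet = {"in-interface": "heipv6", "dst": "2001:db8:10:abcd::10",
                         "protocol": "tcp", "connection-state": "new"}


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Evaluate the four sample packets against one chain."""
    return {name: evaluate(rules, pkt) for name, pkt in (
        ("lan_new", LAN_NEW), ("wan_reply", WAN_REPLY),
        ("wan_new_to_host", WAN_NEW_TO_HOST), ("wan_new_other", WAN_NEW_OTHER))}


if __name__ == "__main__":
    for label, rules in (("first reply", FIRST_REPLY_FORWARD),
                         ("last post", LAST_POST_FORWARD), ("fixed", FIXED_FORWARD)):
        print(f"{label:11s} {verdicts(rules)}")
```

With the last post's chain, LAN_NEW is dropped, so the established reply the chain would accept never exists; the fixed chain accepts LAN_NEW, still accepts the reply, and still drops unsolicited connections from the tunnel. The first reply's chain shows the finer-grained variant: one LAN host is reachable from outside, everything else from heipv6 is rejected, and LAN-originated traffic falls through to the default accept.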