ipv6 pd /56 help needed please

mozerd · October 17, 2017, 9:23pm

I have very little ipv6 knowledge so I am hoping that someone here can help me.
I am trying to get ipv6 working on my CCR1009. My WAN interface and my vlan interfaces all get ipv6 GA addresses but none of my vlan clients get ipv6 addresses
My ISP is Rogers who provide me with /56 prefix delegation and client address are issued using SLAAC
my redacted config is provided

# oct/17/2017 16:31:36 by RouterOS 6.41rc44
# software id = XXXX-XXXX
#
# model = CCR1009-7G-1C-1S+
# serial number = XXXXXXXXXXXX
/interface vlan
add interface=ether7 name=vlan10 vlan-id=10
add interface=ether7 name=vlan20 vlan-id=20
add interface=ether7 name=vlan30 vlan-id=30
add interface=ether7 name=vlan40 vlan-id=40
/interface list
add name=VLANs
add name="Port Scanners"
/ip pool
add name=dhcp_pool0 ranges=192.168.5.10-192.168.5.15
add name=dhcp_pool1 ranges=192.168.10.56-192.168.10.66
add name=dhcp_pool2 ranges=192.168.20.60-192.168.20.90
add name=dhcp_pool3 ranges=192.168.30.60-192.168.30.80
add name=dhcp_pool4 ranges=192.168.40.60-192.168.40.70
/ip dhcp-server
add address-pool=dhcp_pool0 authoritative=after-2sec-delay disabled=no \
    interface=ether7 lease-time=5d name=LAN5
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no \
    interface=vlan10 lease-time=5d name=vlan10
add address-pool=dhcp_pool2 authoritative=after-2sec-delay disabled=no \
    interface=vlan20 lease-time=5d name=vlan20
add address-pool=dhcp_pool3 authoritative=after-2sec-delay disabled=no \
    interface=vlan30 lease-time=5d name=vlan30
add address-pool=dhcp_pool4 authoritative=after-2sec-delay disabled=no \
    interface=vlan40 lease-time=5d name=vlan40
/system logging action
set 3 remote=192.168.10.15
/ip firewall connection tracking
set enabled=yes
/ip settings
set rp-filter=strict
/interface list member
add interface=vlan10 list=VLANs
add interface=vlan20 list=VLANs
add interface=vlan30 list=VLANs
add interface=vlan40 list=VLANs
/ip address
add address=192.168.88.1/24 comment=defconf interface=combo1 network=\
    192.168.88.0
add address=192.168.5.1/24 interface=ether7 network=192.168.5.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.40.1/24 interface=vlan40 network=192.168.40.0
/ip cloud
set update-time=no
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.5.1
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=\
    192.168.20.1
add address=192.168.30.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.40.1
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=192.168.10.55 list=allowed_to_router
add address=192.168.10.50 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=192.168.88.100 list=allowed_to_router
add address=192.168.10.44 list=Printers
add address=192.168.10.36 list=Printers
/ip firewall filter
add action=accept chain=input comment="Established, Related" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop Invalid" connection-state=invalid \
    log-prefix="invalid connection"
add action=drop chain=input comment="Drop port scanners - TELNET" \
    in-interface=ether1 src-address-list="Port Scanners"
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=5d chain=input comment="Telnet Port Scans" dst-port=\
    23 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="Drop new connections from blacklisted IP'\
    s to this router - BLACKLIST DE" connection-state=new in-interface=ether1 \
    src-address-list="sbl blocklist.de"
add action=drop chain=input comment=\
    "Drop new connections from blacklisted IP's to this router - DSHIELD" \
    connection-state=new in-interface=ether1 src-address-list="sbl dshield"
add action=drop chain=input comment=\
    "Drop new connections from blacklisted IP's to this router - SPABHAUS" \
    connection-state=new in-interface=ether1 src-address-list="sbl spamhaus"
add action=accept chain=input comment="Allowe to Router" src-address-list=\
    allowed_to_router
add action=accept chain=input comment="INPUT ICMP" protocol=icmp
add action=drop chain=input comment="INPUT DROP ALL"
add action=fasttrack-connection chain=forward comment=\
    "Accept FastTrack Established, Related" connection-state=\
    established,related
add action=accept chain=forward comment="Accept Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log-prefix=invalid
add action=accept chain=forward comment="LANs to WAN" in-interface-list=VLANs \
    out-interface=ether1
add action=accept chain=forward comment="Allow Access for UAP AC HD" \
    src-address=192.168.5.248
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop Forward"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=xxxx
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=vlan20 type=external
add interface=vlan40 type=external
add interface=vlan10 type=external
/ipv6 address
add from-pool=rogers-ipv6 interface=vlan10
add from-pool=rogers-ipv6 interface=vlan20
add from-pool=rogers-ipv6 interface=vlan40
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=rogers-ipv6 prefix-hint=\
    ::/56 request=address,prefix
/ipv6 firewall filter
add action=accept chain=input comment="allow established and related" \
    connection-state=established,related
add action=drop chain=input
add action=accept chain=forward comment=established,related connection-state=\
    established,related
add action=drop chain=forward comment=invalid connection-state=invalid \
    log-prefix=ipv6,invalid
add action=accept chain=forward comment=icmpv6 in-interface=ether1 protocol=\
    icmpv6
add action=drop chain=forward log-prefix=IPV6
/ipv6 nd
set [ find default=yes ] advertise-dns=yes disabled=yes interface=ether1 \
    ra-lifetime=none
/ipv6 nd prefix default
set preferred-lifetime=4h valid-lifetime=4h
/lcd
set enabled=no touch-screen=disabled
/system clock
set time-zone-name=America/Toronto
/system identity
set name=Stargate
/system logging
set 0 action=remote
/system ntp client
set enabled=yes primary-ntp=132.246.11.229 secondary-ntp=209.87.233.53 \
    server-dns-names=time.nrc.ca,time.chu.nrc.ca
/system package update
set channel=release-candidate
/system scheduler
add interval=1d name="fetch drop malicious.rsc" on-event="/tool fetch address=\
    www.squidblacklist.org host=www.squidblacklist.org mode=http src-path=/dow\
    nloads/drop.malicious.rsc\r\
    \n" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    start-date=oct/15/2017 start-time=00:10:00
add interval=1d name="import drop malicious.rsc" on-event=":log warning \"Disa\
    bling system Logging\";\
    \nimport drop.malicious.rsc\r\
    \n\
    \n/system logging enable 0\r\
    \n/file remove drop.malicious.rsc\r\
    \n" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    start-date=oct/15/2017 start-time=00:11:00
/tool bandwidth-server
set enabled=no

graphic pictures of all of the relevant ipv6 screens attached

Your comments would be very much appreciated. Thank You

mozerd · October 18, 2017, 3:55pm

ISSUE SOLVED
I will shortly post my new redacted config so that others may learn how I solved this problem … like anything else … once one understands the MikroTilk way it becomes much essier… not easy learning RouterOS

mozerd · October 19, 2017, 3:36pm

As promised my redacted config attached that enabled my CCR1009 to have an effective ipv6 network – this includes my WAN and VLANs – plus all HOSTS get ipv6 addresses . The Firewall rules are very specific so pay very close attention otherwise you;ll get into trouble.

# oct/18/2017 20:58:37 by RouterOS 6.41rc44
# software id = XXXX-XXXX
#
# model = CCR1009-7G-1C-1S+
# serial number = XXXXXXXXXXXX
/interface vlan
add interface=ether7 name=vlan10 vlan-id=10
add interface=ether7 name=vlan20 vlan-id=20
add interface=ether7 name=vlan30 vlan-id=30
add interface=ether7 name=vlan40 vlan-id=40
/interface list
add name=VLANs
add name="Port Scanners"
/ip pool
add name=dhcp_pool0 ranges=192.168.5.10-192.168.5.15
add name=dhcp_pool1 ranges=192.168.10.56-192.168.10.66
add name=dhcp_pool2 ranges=192.168.20.60-192.168.20.90
add name=dhcp_pool3 ranges=192.168.30.60-192.168.30.80
add name=dhcp_pool4 ranges=192.168.40.60-192.168.40.70
/ip dhcp-server
add address-pool=dhcp_pool0 authoritative=after-2sec-delay disabled=no \
    interface=ether7 lease-time=5d name=LAN5
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no \
    interface=vlan10 lease-time=5d name=vlan10
add address-pool=dhcp_pool2 authoritative=after-2sec-delay disabled=no \
    interface=vlan20 lease-time=5d name=vlan20
add address-pool=dhcp_pool3 authoritative=after-2sec-delay disabled=no \
    interface=vlan30 lease-time=5d name=vlan30
add address-pool=dhcp_pool4 authoritative=after-2sec-delay disabled=no \
    interface=vlan40 lease-time=5d name=vlan40
/system logging action
set 3 remote=192.168.10.15
/ip firewall connection tracking
set enabled=yes
/ip settings
set rp-filter=strict
/ipv6 settings
set accept-router-advertisements=yes
/interface list member
add interface=vlan10 list=VLANs
add interface=vlan20 list=VLANs
add interface=vlan30 list=VLANs
add interface=vlan40 list=VLANs
/ip address
add address=192.168.ZZ.1/24 comment=defconf interface=combo1 network=\
    192.168.ZZ.0
add address=192.168.5.1/24 interface=ether7 network=192.168.5.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.40.1/24 interface=vlan40 network=192.168.40.0
/ip cloud
set update-time=no
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.5.1
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=\
    192.168.20.1
add address=192.168.30.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.40.1
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=xxx.xxx.xxx-xxx.xxx.xxx list=allowed_to_router
add address=xxx.xxx.xxx list=allowed_to_router
add address=xxx.xxx.xxx list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=xxx.xxx.xx.xxx list=allowed_to_router
add address=192.168.10.44 list=Printers
add address=192.168.10.36 list=Printers
/ip firewall filter
add action=accept chain=input comment="Established, Related" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop Invalid" connection-state=invalid \
    log-prefix="invalid connection"
add action=drop chain=input comment="Drop port scanners - TELNET" \
    in-interface=ether1 src-address-list="Port Scanners"
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=5d chain=input comment="Telnet Port Scans" dst-port=\
    23 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Allow to Router from address list" \
    src-address-list=allowed_to_router
add action=accept chain=input comment="INPUT ICMP" protocol=icmp
add action=drop chain=input comment="INPUT DROP ALL"
add action=fasttrack-connection chain=forward comment=\
    "Accept FastTrack Established, Related" connection-state=\
    established,related
add action=accept chain=forward comment="Accept Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log-prefix=invalid
add action=accept chain=forward comment="LANs to WAN" in-interface-list=VLANs \
    out-interface=ether1
add action=accept chain=forward comment="Allow Access for AP's" \
    src-address=xxx.xxx.xxx
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="DROP Forward"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=xxxx
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=vlan20 type=external
add interface=vlan40 type=external
add interface=vlan10 type=external
/ipv6 address
add from-pool=rogers-ipv6 interface=vlan10
add from-pool=rogers-ipv6 interface=vlan20
add from-pool=rogers-ipv6 interface=vlan40
/ipv6 dhcp-client
add add-default-route=yes comment="delgate ISP-assigned prefix" interface=\
    ether1 pool-name=rogers-ipv6 prefix-hint=::/56 request=address,prefix
/ipv6 firewall filter
add action=accept chain=input comment=established connection-state=\
    established in-interface=ether1
add action=accept chain=input comment=related connection-state=related \
    in-interface=ether1
add action=accept chain=input comment=icmp in-interface=ether1 protocol=\
    icmpv6
add action=accept chain=input comment=dhcpv6 dst-port=546 in-interface=ether1 \
    protocol=udp
add action=drop chain=input comment="drop input" in-interface=ether1
add action=accept chain=forward comment=established connection-state=\
    established in-interface=ether1
add action=accept chain=forward comment=related connection-state=related \
    in-interface=ether1
add action=accept chain=forward comment="Allow from LAN to WAN" \
    connection-state=established,related disabled=yes out-interface=ether1
add action=accept chain=forward comment=icmp in-interface=ether1 protocol=\
    icmpv6
add action=accept chain=forward comment=SSH dst-port=xxxx in-interface=ether1 \
    protocol=tcp
add action=drop chain=forward comment="drop forward" in-interface=ether1
/ipv6 nd
set [ find default=yes ] advertise-dns=yes disabled=yes interface=ether1 mtu=\
    1500 ra-lifetime=none reachable-time=5m
add advertise-dns=yes hop-limit=64 interface=vlan10 reachable-time=5m
add advertise-dns=yes hop-limit=64 interface=vlan20 reachable-time=5m
add advertise-dns=yes hop-limit=64 interface=vlan40 reachable-time=5m
/ipv6 nd prefix default
set preferred-lifetime=4h valid-lifetime=4h
/lcd
set enabled=no touch-screen=disabled
/system clock
set time-zone-name=America/Toronto
/system identity
set name=Stargate
/system logging
set 0 action=remote
/system ntp client
set enabled=yes primary-ntp=132.246.11.229 secondary-ntp=209.87.233.53 \
    server-dns-names=time.nrc.ca,time.chu.nrc.ca
/system package update
set channel=release-candidate
/tool bandwidth-server
set enabled=no

Apparently RouterOS ipv6 ND does not work properly. My understanding is that from Winbox ND is supposed discovery all your networks etc. — IT DOES NOT — what I had to do what ADD them in — then everything started to work to my satisfaction.

Disappointed to learn that there is no ping6 capability from within Terminal and the workaround offered is IMO convoluted.
Also disappointed to learn that ipset is not an option. ipset is 10,000% faster

pe1chl · October 19, 2017, 5:55pm

I think you should first learn a bit more about RouterOS and IPv6 in general before making such statements…
What you “discovered” about address assignment is in fact completely normal - a router should not obtain its addresses automatically
using SLAAC, you should set them. It can advertise the network to other hosts.
/ping can ping IPv6 addresses without workaround and without requiring a separate ping6
And the “ipset” function is available within RouterOS as “Address Lists”.

mozerd · October 19, 2017, 7:06pm

@pe1chl
Yes, I absolutely agree that I need to learn a lot more “How to do things the MikroTik way”.

Perhaps you need to READ my post again … I was not referring to Address assignments — I was referring to Network DISCOVERY
In Winbox and ipv6/ND the default did not work using the default – Reachable Time had to be set to a value greater than 0 – Once I added the subnets and set reachable time to a value of 300 all my hosts received addresses via SLAAC

Your version of how ipset works certainly is very different than mine and bears no resemblance to what I am used to. it’s quite apparent that I as the admin user do not have access to ipset via RouterOS that enables me to generate address lists in a manner that is highly secure and highly optimized like I can with some other Routers. For example under Linux one can self generate the blacklist via script from various blacklist sources and use ipset.. I have no need to see thousands upon thousands of ip addresses displayed under Lists
A simple script::

#!/bin/vbash
  
basedir=`dirname $(readlink -f $0)`
  
rm $basedir/net_block $basedir/address_block 2>/dev/null 
  
echo "-N addtmp nethash --hashsize 1024 --probes 4 --resize 20" >> $basedir/tmp_address_block
echo "-N nettmp nethash --hashsize 1024 --probes 4 --resize 20" >> $basedir/tmp_net_block
  
#Get and split block lists into tmp_address_block, tmp_net_block files
curl http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt 2>/dev/null | awk -v dirpath="$basedir" '!/(^($|[:space:]*#)|(.*\/.*))/{print "-A addtmp " $0 >> dirpath"/tmp_address_block"}/.*\/[0-9][0-9]/{print "-A nettmp " $0 >> dirpath"/tmp_net_block"}'
curl https://www.spamhaus.org/drop/drop.txt 2>/dev/null | awk -v dirpath="$basedir" '!/(^($|[:space:]*;))|(.*\/.*)/{print "-A addtmp " $1 >> dirpath"/tmp_address_block"}/.*\/[0-9][0-9] ;/{print "-A nettmp " $1 >> dirpath"/tmp_net_block"}'
curl https://www.spamhaus.org/drop/edrop.txt 2>/dev/null | awk -v dirpath="$basedir" '!/(^($|[:space:]*;))|(.*\/.*)/{print "-A addtmp " $1 >> dirpath"/tmp_address_block"}/.*\/[0-9][0-9] ;/{print "-A nettmp " $1 >> dirpath"/tmp_net_block"}'
curl https://www.okean.com/sinokoreacidr.txt 2>/dev/null | awk -v dirpath="$basedir" '!/(^($|[:space:]*#))|(.*\/.*)/{print "-A addtmp " $1 >> "/config/scripts/blacklist_loader/tmp_address_block"}/.*\/[0-9][0-9]/{print "-A nettmp " $1 >> dirpath"/tmp_net_block"}'
curl http://www.myip.ms/files/blacklist/general/latest_blacklist.txt 2>/dev/null | awk -F'\t' -v dirpath="$basedir" '!/(^($|[:space:]*#))|(.*\/.*)|(.*:.*)/{print "-A addtmp " $1 >> dirpath"/tmp_address_block"}/.*\/[0-9][0-9]/{print "-A nettmp " $1 >> dirpath"/tmp_net_block"}'
curl http://lists.blocklist.de/lists/all.txt 2>/dev/null | awk -v dirpath="$basedir" '!/(^($|[:space:]*#))|(.*\/.*)|(.*:.*)/{print "-A addtmp " $1 >> dirpath"/tmp_address_block"}/.*\/[0-9][0-9]/{print "-A nettmp " $1 >> dirpath"/tmp_net_block"}'
  
#Strip duplicates from tmp files into files ready for loading
awk '!x[$0]++' $basedir/tmp_address_block > $basedir/address_block
awk '!x[$0]++' $basedir/tmp_net_block > $basedir/net_block
  
#Delete tmp files
rm $basedir/tmp_address_block $basedir/tmp_net_block
  
#Load network group block list
sudo ipset -! -R < $basedir/net_block
sudo ipset -W nettmp Net_Block
sudo ipset -X nettmp
  
#Load address group block list
sudo ipset -! -R < $basedir/address_block
sudo ipset -W addtmp Add_Block
sudo ipset -X addtmp

/ping [:resolve ipv6.google.com]
works — but can you SAY convoluted 4sure!
ping6 -C 6 google.com is far more efficent and scalable.and yes I do understand that its not the RouterOS way of doing things
and its my opinion that the MikroTik RouterOS way is not the Linux way