IPv6 srcnat

For the last few days I have tried to add IPv6 support to my home network. I read a lot of different topics here, but none of them helped.

It seems most ISPs are handing out prefixes over DHCPv6, the thing that my ISP lacks. Under no circumstances can I get a DHCPv6 client prefix or address.

The only scenario in which I got the thing working is the default configuration, when everything is handled by the ISP: setting the IPv6 interface to the bridge and enabling advertising.

But I want at least control over my local network IP addresses, so IMO they should be issued by my router. Taking into account the inability to get a prefix from the ISP, my only option left was the old classic setup, where I get DHCPv6 and ND to issue private IPv6 addresses. I did that, but now I can't get the routing or NAT to work, meaning my packets never get to the internet.

I have tried an IPv6 interface on the bridge and on LTE; they get an IPv6 address. I set up src-nat masquerade so my local IPv6 addresses can translate to the WAN interface, but it just doesn't work for some reason. I think I'm doing something incorrectly, but I don't know where.

I'm afraid I am unfamiliar with IPv6 source NAT, but your issue seems like it can be fixed with the correct configuration.

Does your ISP have any documentation on IPv6 configurations that they support? Do they advertise IPv6 support at all?

The only things that need to be configured are usually enabling IPv6, configuring ND on an interface and DHCPv6. Unfortunately there are many ways to do that. For instance many DHCPv6 issues I’ve seen here were caused by the old default firewall filter.

It may be worth your time to post what info you can get from your ISP and your configuration and see if the people here can help.


We won't be able to know either if we don't see your current configuration attempt (as a censored export) ;-).

Yeah, I'm currently in the process, so the config is hard to understand. I'm not doing a clean configuration; it's a working home router with a lot of different unrelated stuff, so I'll try to compile something that is easy to read in a day or so.

The question is more theoretical right now; I need to understand the concept. I'm used to working with IPv4 and related services, but this IPv6 thing is largely an unknown field to me currently. For instance, I was surprised to learn that DHCP is not the only way of getting an IP address in IPv6, and so on. So I'm currently questioning the sheer principle of my thinking.

The idea is that I keep the concept of the IPv4 MikroTik routing process: I get an IPv6 address on the LTE interface and give out private IPv6 addresses to the internal network devices (something like fc00::/64), then I create a masquerade rule, and all should be working, right?

If the concept is flawed at its base, then I won't be wasting my time on it.

Because it is working from the router console (I can ping the IPv6 addresses), but isn't working from my internal network for some reason.

It would work, but do not use the fc00::/64 prefix to assign to your LAN. Instead, go to Unique Local IPv6 Generator and pick the random prefix displayed to you. It's presented as /48, when you use it to advertise on your LAN interface then you should use /64 as prefix length.

Also, by default ULA (addresses with those prefixes) have lower precedence than IPv4. If the domain you want to access has both A and AAAA records then the client operating system will probably prefer IPv4 and will use the A record to connect to the remote resource. They normally only use the IPv6 ULA as source address if you explicitly enter the destination IPv6 addresses of the remote hosts, or if their domain names only have AAAA records. This preference order can be modified on the non-mobile operating systems (edit /etc/gai.conf on Linux, netsh interface ipv6 set prefix ... on Windows).

One way to workaround the ULA issue is to advertise a real GUA prefix in your LAN instead, but you have to make sure that this prefix is not used by anyone else, and you'll still need NAT. One way to get such prefix is to make an account on Hurricane Electric Free IPv6 Tunnel Broker, get a free prefix, but don't use their tunnel service, only use the prefix as a "private" GUA to be used only in your LAN and that will not clash with other hosts on the internet (still requires NAT when going to WAN).

Alternatively, if your WAN interface is LTE/5G, and if you only have one LAN interface (one main bridge for example), you should be able to set the ipv6-interface property of the APN profile to the LAN interface, and the prefix received from the WAN will be advertised on that LAN interface and all clients will be able to have their own public IPv6 global unicast address (GUA instead of ULA). In that case no NAT needs to be deployed, and you don't have the problem with the lower-than-IPv4 precedence.
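Added example, not from anyone in this thread: this is what the "Unique Local IPv6 Generator" mentioned above does under the hood, implemented from the RFC 4193 section 3.2.2 algorithm (SHA-1 over an NTP timestamp and the router's EUI-64, low 40 bits become the Global ID under fd00::/8), plus the step of picking the /64 to advertise on the LAN. The MAC address in the usage block is a constructed sample, not anyone's real hardware address.

```python
import hashlib
import ipaddress
import struct
import time
from typing import Optional


def eui64_from_mac(mac: str) -> bytes:
    """Derive a modified EUI-64 identifier from a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Flip the universal/local bit of the first octet and splice ff:fe into the middle.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def ntp_timestamp(unix_time: float) -> bytes:
    """Encode a Unix time in the 64-bit NTP format RFC 4193 asks for (seconds since 1900, 32-bit fraction)."""
    whole = int(unix_time)
    fraction = int((unix_time - whole) * (1 << 32))
    return struct.pack("!II", (whole + 2208988800) & 0xFFFFFFFF, fraction & 0xFFFFFFFF)


def ula_prefix(mac: str, unix_time: Optional[float] = None) -> ipaddress.IPv6Network:
    """Generate a /48 ULA with the RFC 4193 section 3.2.2 algorithm:
    SHA-1 over (NTP time || EUI-64); the low 40 bits become the Global ID under fd00::/8."""
    if unix_time is None:
        unix_time = time.time()
    key = ntp_timestamp(unix_time) + eui64_from_mac(mac)
    digest = hashlib.sha1(key).digest()
    global_id = digest[-5:]  # least significant 40 bits of the 160-bit digest
    # fc00::/7 with the L bit set to 1 is the fd00::/8 block; 10 zero bytes pad to 128 bits.
    return ipaddress.IPv6Network((b"\xfd" + global_id + bytes(10), 48))


def lan_subnet(prefix48: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Pick the /64 with the given 16-bit subnet ID out of the /48; this is what goes on the LAN."""
    if prefix48.prefixlen != 48:
        raise ValueError("expected a /48 ULA prefix")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit in 16 bits")
    return ipaddress.IPv6Network((int(prefix48.network_address) | (subnet_id << 64), 64))


if __name__ == "__main__":
    # Constructed sample MAC; on a router you would use one of its own interface MACs.
    prefix = ula_prefix("02:00:00:aa:bb:cc")
    print("ULA /48 to keep for the site :", prefix)
    print("/64 to advertise on the LAN  :", lan_subnet(prefix, 1))
```

Generate the /48 once, write it down, and only ever advertise /64s carved from it; regenerating on every boot would hand clients a new prefix each time, which is exactly the instability the OP is trying to avoid.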

Sorry if this is off topic, but just to satisfy my curiosity: is it common for ISPs that use LTE to not provide a customer prefix? I suppose this would be an attempt to limit service to one device or something. I am not from the service provider world, but personally have not heard of such a thing and am interested.

Some info on supplying IPv6 prefixes (more for older mobile stuff), where they only handed out a single /64 and it was supposed to be assigned to the LAN side of the router, with the router <-> provider connection only using link-local addresses.

RFC 7278 - Extending an IPv6 /64 Prefix from a Third Generation Partnership Project (3GPP) Mobile Interface to a LAN Link

RFC 7849: An IPv6 Profile for 3GPP Mobile Devices


Usually you get a /64 prefix assigned, and you are allowed to share that with the other devices behind. See sections 5.2 and 5.3 of RFC 6459 - IPv6 in 3rd Generation Partnership Project (3GPP) Evolved Packet System (EPS).


Thanks, very interesting reading. So still using SLAAC with stateless DHCPv6 but handing out a single /64.

Edit: Perhaps I was reading that backwards. If the RA M bit is 0 and the O bit is 1 this implies no DHCP address information (get it from the RA prefix option) but other info like DNS is provided.

It’s too late for me to be reading RFCs :wink:
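Added example, not from anyone in this thread: a small decoder for the ICMPv6 Router Advertisement that the bridge sends, so the M/O bits discussed above (and the A flag of the prefix option, which is what actually permits SLAAC) can be read off a captured packet instead of an RFC. The sample RA is constructed inline with the 2001:db8::/32 documentation prefix; the ICMPv6 checksum is left at zero and is not verified, since that needs the IPv6 pseudo-header.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3


def parse_router_advertisement(payload: bytes) -> dict:
    """Decode the RA fixed header (RFC 4861 section 4.2) and any Prefix Information
    options (section 4.6.2). Other options are skipped; malformed input raises ValueError."""
    if len(payload) < 16:
        raise ValueError("RA payload shorter than the 16-byte fixed header")
    icmp_type, code, _checksum, hop_limit, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "cur_hop_limit": hop_limit,
        "managed": bool(flags & 0x80),       # M bit: get addresses from stateful DHCPv6
        "other_config": bool(flags & 0x40),  # O bit: get other info (DNS etc.) from DHCPv6
        "router_lifetime": lifetime,
        "prefixes": [],
    }
    offset = 16
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            raise ValueError("option length 0 is invalid (RFC 4861 section 4.6)")
        size = opt_len * 8  # option length is in units of 8 octets, header included
        body = payload[offset + 2:offset + size]
        if len(body) != size - 2:
            raise ValueError("truncated option body")
        if opt_type == OPT_PREFIX_INFORMATION and size == 32:
            plen, pflags, valid, preferred, _reserved, prefix = struct.unpack("!BBIII16s", body)
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((prefix, plen), strict=False),
                "on_link": bool(pflags & 0x80),     # L bit
                "autonomous": bool(pflags & 0x40),  # A bit: hosts may form SLAAC addresses
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        offset += size
    return ra


def addressing_mode(ra: dict) -> str:
    """Summarise, from M/O and the A flags, how hosts on the link are told to get addresses."""
    slaac = any(p["autonomous"] for p in ra["prefixes"])
    if ra["managed"]:
        return "stateful DHCPv6 for addresses" + (" (SLAAC prefix also offered)" if slaac else "")
    if ra["other_config"]:
        if slaac:
            return "SLAAC for addresses, stateless DHCPv6 for other information"
        return "no address source: M=0, O=1 but no autonomous prefix"
    return "SLAAC only" if slaac else "no address source advertised"


def build_sample_ra(managed: bool, other: bool, prefix: str) -> bytes:
    """Construct a minimal RA with one Prefix Information option (L=1, A=1) for testing."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    option = struct.pack("!BBBBIII16s", OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0,
                         2592000, 604800, 0, net.network_address.packed)
    return header + option


if __name__ == "__main__":
    # Constructed sample: M=0, O=1 with an autonomous /64, i.e. the single-/64 LTE case.
    sample = parse_router_advertisement(build_sample_ra(False, True, "2001:db8:1234:5678::/64"))
    print(sample["prefixes"][0]["prefix"], "->", addressing_mode(sample))
```

Feed it the ICMPv6 payload from a RouterOS packet sniffer capture (or any pcap) of the RA on the bridge; if the prefix option is missing or carries A=0, SLAAC clients will not form addresses no matter what the M/O bits say.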

I had a similar issue, and the solution could apply to your problem as well.

The default IPv6 firewall has a rule that only allows prefix delegation received from link local addresses:

add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10

My problem was that my ISP was not replying to the DHCP request from a link-local address, but from a GUA.

I diagnosed the issue by running the packet sniffer on the WAN interface, where I could see the DHCP requests being sent - and answered.

Ultimately I resolved the issue by changing src-address to allow everything (::/0), and later modifying the src-address to the prefix used by the ISP.

The consequence of the change is somewhat covered in this thread:
IPv6: Security of modified defconf - RouterOS / Security - MikroTik community forum

Even if I disable all firewall rules completely, I still can't get a prefix or address using the DHCPv6 client.

The documents linked above describe the process of assigning addresses using only SLAAC without needing DHCPv6. Since they are standards docs I assume there is a way to configure RouterOS to support this. Perhaps if you shared a bit more about your device and configuration the experts here could come up with one.

As I wrote above, if your WAN interface is LTE, you can try setting ipv6-interface to your LAN interface (if you only have one).

Sure, I get it. I tried on the bridge and on LTE; it doesn't matter, the result is the same.

What part of the configuration should I post?

Everything related to IPv6, the LTE config and the routing table for IPv6?

I currently have autoconfiguration from the ISP that is working, but I don't really get HOW it's working ) considering I can't get a prefix manually, but can get it automatically.

Best just follow the usual advice here:

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys, dhcp lease lists )

Well, I tried to export and noticed I got nothing in /ipv6/address, routes, prefixes and so on. It seems this is related to autoconfiguration from the provider side: I can see it when I print, and get nothing when I export, so I'll just post screenshots related to IPv6.

So this here is what I get from the ISP automatically (except the LTE adapter config, firewall, ND config (not prefix), and DHCP client (disabled)). And the question is, can I somehow get this working without autoconfig?

Be it the same prefix on my side, or reconfiguring to route traffic through the LTE adapter's IPv6 from link-local or local private IPv6.

[screenshot of the IPv6 configuration]

My empathy for @anav is growing. When people here ask for a full export it’s not for what you can see (or not see) in the config, it’s what everyone else can see. Sometimes the answers are not where you would expect them.

I am out of my realm here in LTE land, but looking at what you posted you do have “interface lte apn IPv6-Interface” set to bridge, and the bridge is showing that it has a GUA /64. I would expect any device doing SLAAC on the bridge interface to be able to get an address through ND. Perhaps there is a piece missing still that others can help with.


As @eltikpad wrote, you've set ipv6-interface=bridge and that part appears to be working:

  • Your bridge interface has the /64 GUA prefix and advertise turned on.
  • The default route and the /64 route with the bridge as gateway are ok.
  • Your /ipv6 nd entry is ok for the bridge interface.

Now in theory, if you have devices on the bridge interface, they should have IPv6 addresses in the prefix range through SLAAC. Could you please verify that?

With the firewall configuration however, which appears to be an old version of defconf, you have to make sure that the bridge interface is a member of the LAN interface list, otherwise traffic from the client devices will not be forwarded to the internet (blocked by the last defconf filter rule at the bottom).

BUT: I also see that you have a vlan1 interface. What do you have on this interface? If vlan1 is the main interface where all your devices are attached, then you would have to modify the APN to set ipv6-interface=vlan1 instead, and you would also have to add vlan1 to the LAN interface list! The /ipv6 nd entry also needs to be updated with the correct interface (you can create a copy and set the interface in the copy to vlan1).

As I wrote in the previous post, setting ipv6-interface in the APN setting only works for one single LAN interface. If you have multiple of them, the other interfaces will need to have other prefixes (such as ULA or the one from Hurricane Electric) manually added, and NAT will need to be configured for those subnets.


About the "old defconf firewall" mention: the "defconf: accept UDP traceroute" rule from your screenshot still has port=33434-33534. This was a security hole that has been corrected in the defconf firewall that comes with newer RouterOS versions; you can find it here: Buying - RB1100AHx4 Dude Edition - Questions about Firewall - #4 by rextended. The parameter has been changed to dst-port=33434-33534.
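Added example, not from anyone in this thread: a tiny evaluator for the handful of /ipv6 firewall filter matchers that come up in this thread, to make two of the points above concrete. First, the earlier post about the "accept DHCPv6-Client prefix delegation" rule: with src-address=fe80::/10 a reply that the ISP sends from a GUA is dropped by the input chain, widening it to ::/0 or narrowing it to the ISP's prefix lets it through. Second, the traceroute rule just mentioned: RouterOS's port= matcher fires when either the source or the destination port is in range, whereas dst-port= checks the destination only, so the old form accepts far more than traceroute replies. All addresses are constructed from the 2001:db8::/32 documentation space; the chains are reduced to the one rule under discussion plus the closing drop, so nothing here is the full defconf.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    src_port: int
    dst_port: int


def port_range(spec: str) -> range:
    """Parse a RouterOS port spec such as "546" or "33434-33534" into a Python range."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)


@dataclass(frozen=True)
class Rule:
    """Subset of a RouterOS /ipv6 firewall filter rule: only the matchers used in this thread."""
    action: str
    protocol: Optional[str] = None
    src_address: Optional[str] = None
    dst_port: Optional[range] = None  # dst-port= : destination port only
    port: Optional[range] = None      # port=     : source OR destination port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.src_address is not None and ipaddress.ip_address(pkt.src) not in \
                ipaddress.ip_network(self.src_address, strict=False):
            return False
        if self.dst_port is not None and pkt.dst_port not in self.dst_port:
            return False
        if self.port is not None and pkt.src_port not in self.port and pkt.dst_port not in self.port:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet) -> str:
    """First matching rule decides, as in the firewall; the defconf input chain ends in an explicit drop."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return "accept"  # RouterOS accepts when nothing in the chain matches


def dhcpv6_reply_outcome(isp_reply_src: str, allowed_src: str) -> str:
    """What the input chain does with a DHCPv6 reply (UDP 547 -> 546) sent from isp_reply_src,
    with the defconf rule's src-address set to allowed_src."""
    chain = [
        Rule("accept", protocol="udp", src_address=allowed_src, dst_port=port_range("546"),
             comment="defconf: accept DHCPv6-Client prefix delegation."),
        Rule("drop", comment="defconf: drop everything else on input"),
    ]
    # The router's WAN address is a constructed placeholder in documentation space.
    reply = Packet(src=isp_reply_src, dst="2001:db8:aaaa::1", protocol="udp", src_port=547, dst_port=546)
    return evaluate(chain, reply)


def traceroute_rule_outcome(matcher: str, pkt: Packet) -> str:
    """Compare the old 'port=33434-33534' traceroute rule with the corrected 'dst-port=' form."""
    field_name = {"port": "port", "dst-port": "dst_port"}[matcher]
    rule = Rule("accept", protocol="udp", comment="defconf: accept UDP traceroute",
                **{field_name: port_range("33434-33534")})
    return evaluate([rule, Rule("drop")], pkt)


if __name__ == "__main__":
    print("DHCPv6 reply from link-local, defconf rule:", dhcpv6_reply_outcome("fe80::1", "fe80::/10"))
    print("DHCPv6 reply from ISP GUA, defconf rule   :", dhcpv6_reply_outcome("2001:db8:ffff::1", "fe80::/10"))
    print("DHCPv6 reply from ISP GUA, narrowed rule  :",
          dhcpv6_reply_outcome("2001:db8:ffff::1", "2001:db8:ffff::/48"))
    # A UDP packet for the router's DNS port whose source port happens to sit in the traceroute range:
    probe = Packet(src="2001:db8:ffff::1", dst="2001:db8:aaaa::1", protocol="udp", src_port=33434, dst_port=53)
    print("old port= rule:", traceroute_rule_outcome("port", probe),
          "| corrected dst-port= rule:", traceroute_rule_outcome("dst-port", probe))
```

The narrowing step is the one to keep: once the sniffer shows which prefix the ISP's DHCPv6 server answers from, put that prefix in src-address rather than leaving ::/0 in place.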

Hi eltikpad,

Resolving issues is not guesswork or taking stabs in the dark; it's a process that is well known and works, from my experience in the software/systems world.

The first step is not trying various solutions for the OP's output, which is merely an opinion at the start,
but to do a very basic requirements analysis.
a. identify all the users/devices involved
b. identify the traffic they need.

The second step is to understand the intent of the network system and the equipment involved, and thus a network diagram with sufficient detail (subnets etc.) is worth a thousand words!!

The last step is to provide FACTS, evidence of what the current state of the configuration is at.
This also shows the reader, more of the authors intent.

With a clear understanding of what traffic needs to be accomplished, how the network is cobbled together and seeing what is currently in place, troubleshooting the issue is far easier. We can validate the current setup based on facts and turn the original opinion into a plan and course of action.
One can also ensure that any advice is based on solving the issue from the "whole" perspective, not just focusing on any particular config line (since the config is very much interrelated).

IMHO, new users should be directed to read a brief introduction prior to posting on the forum. They should then be encouraged to write their post, which would be reviewed by mods, and either approved and released into the wild, or returned stating what areas need improvement to meet a basic standard.
The brief introduction should have embedded links to topics ( like how to export a config, sources for free networking diagram apps, examples of each of the above steps, etc. )

In this concept, new posters are educated on how to communicate effectively to get their issues resolved in an efficient and accurate manner. If unorganized, they learn to organize their thoughts into a coherent post containing the necessary information - it would not surprise me if some solved their own issues prior to posting, going through their own "what was my plan to begin with?"

For those assisting, it is much easier to see errors, understand the intent of the network, see the issues at their core and finally come up with a reasonable solution that works within the totality of the traffic flows occurring, and also be able to spend more time on explanation. It would not surprise me to see the length of threads drastically reduced. In addition, most posts would get faster attention. Nothing slows down a response more than an incomplete or incoherent post. Thus the experience for all would be vastly improved.

After doing such work for 18 years, it's a no-brainer. It boggles my mind that a firm that is heavily involved in software processes takes such a laissez-faire attitude with ensuring their forum works well for their customers. Coding and testing is based on a rigorous, disciplined set of processes and engineers going through years of training to execute these processes. The only conclusion I can think of that makes sense is that the head of forum development must be an ARTS major. Certainly was never involved in instruction/education, or engineering. :slight_smile:


Thanks for your thoughts on the matter.

Just to clarify things. The configuration I posted as screenshots earlier, as well as this config, is a WORKING configuration. Everything is working, and yes, neighbours have IPv6. What I want to understand here, taking into account that I'm new to IPv6, is whether I can replicate the config the ISP is giving me, to be able to issue prefixes and keep IPv6 static on my internal network. If that's not an option, how can I get the classic private-network-behind-NAT result? I know how to do this in IPv4, but obviously lack some needed IPv6 knowledge to get it working in an IPv6 environment.

Here is the full config with IPs, MACs, serial and software ID anonymized. As I stated in a previous post, some things I'm unable to export (seemingly because they are dynamic and the result of ISP autoconfiguration), and they are listed as screenshots in the post above.

config.rsc (17.2 KB)