IPV6 Starlink issue

sandyvdb · May 30, 2025, 11:46am

Hi,

I am trying to enable IPV6 on Rputeros. Our ISP is starlink and followed different sites, but it still hangs on “searching”.
If I connect directly to my pc then it gets IPV6 address.

How can I fix this issue?

sandyvdb · May 30, 2025, 11:58am

my configuration

# 2025-05-31 01:02:18 by RouterOS 7.20beta2
# software id = Q40I-6P42
#
/interface bridge
add mvrp=yes name=LOCAL_LAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=Switch1
set [ find default-name=ether3 ] disable-running-check=no name=Switch2
set [ find default-name=ether5 ] disable-running-check=no name=WAN
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no name=ether5
/interface vlan
add interface=LOCAL_LAN name=419-Guest vlan-id=5
add interface=LOCAL_LAN name=419-Main vlan-id=4
add interface=LOCAL_LAN name=Management vlan-id=1
add interface=LOCAL_LAN name=Posey vlan-id=3
add interface=LOCAL_LAN name=Servers vlan-id=2
/interface list
add name=LAN
add name=WANs
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Management_Pool ranges=10.0.0.50-10.0.0.100
add name=Servers_Pool ranges=10.0.1.150-10.0.1.200
add name=Posey_Pool ranges=10.0.2.10-10.0.2.200
add name=419-Main_Pool ranges=10.0.3.10-10.0.3.200
add name=419-Guest_Pool ranges=10.0.4.10-10.0.4.200
/ip dhcp-server
add address-pool=Management_Pool interface=Management lease-time=8h name=DHCP_Management server-address=10.0.0.254
add address-pool=Servers_Pool interface=Servers lease-time=8h name=DHCP_servers server-address=10.0.1.254
add address-pool=Posey_Pool interface=Posey lease-time=8h name=DHCP_Posey server-address=10.0.2.254
add address-pool=419-Main_Pool interface=419-Main lease-time=8h name=DHCP_419-Main server-address=10.0.3.254
add address-pool=419-Guest_Pool interface=419-Guest lease-time=8h name=DHCP_419-Guest server-address=10.0.4.254
/port
set 0 name=serial0
set 1 name=serial4
/interface bridge port
add bridge=LOCAL_LAN interface=Switch1
add bridge=LOCAL_LAN frame-types=admit-only-untagged-and-priority-tagged interface=ether2
add bridge=LOCAL_LAN interface=Switch2
add bridge=LOCAL_LAN frame-types=admit-only-untagged-and-priority-tagged interface=ether5
/ipv6 settings
# ipv6 neighbor configuration has changed, please restart the device in order to apply the new settings
set accept-redirects=no accept-router-advertisements=yes max-neighbor-entries=8192 soft-max-neighbor-entries=7000
/interface bridge vlan
add bridge=LOCAL_LAN tagged=Switch1,Switch2 vlan-ids=1-5
/interface list member
add interface=WAN list=WANs
add interface=Switch1 list=LAN
add interface=ether2 list=LAN
add interface=Switch2 list=LAN
add interface=ether5 list=LAN
add interface=Management list=VLAN
add interface=Servers list=VLAN
add interface=419-Guest list=VLAN
add interface=419-Main list=VLAN
add interface=Posey list=VLAN
/ip address
add address=10.0.0.254/24 interface=Management network=10.0.0.0
add address=10.0.1.254/24 interface=Servers network=10.0.1.0
add address=10.0.2.254/24 interface=Posey network=10.0.2.0
add address=10.0.3.254/24 interface=419-Main network=10.0.3.0
add address=10.0.4.254/24 interface=419-Guest network=10.0.4.0
/ip dhcp-client
add default-route-tables=main interface=WAN
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=8.8.8.8 gateway=10.0.0.254 netmask=24
add address=10.0.1.0/24 dns-server=8.8.8.8 gateway=10.0.1.254 netmask=24
add address=10.0.2.0/24 dns-server=8.8.8.8 gateway=10.0.2.254 netmask=24
add address=10.0.3.0/24 dns-server=8.8.8.8 gateway=10.0.3.254 netmask=24
add address=10.0.4.0/24 dns-server=8.8.8.8 gateway=10.0.4.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=forward comment="VLAN inter-VLAN routing" connection-state=new in-interface-list=VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WANs
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=WAN
/ip service
set www-ssl disabled=no tls-version=only-1.2
/ipv6 dhcp-client
add interface=WAN pool-name=starlink-v6 rapid-commit=no request=prefix use-interface-duid=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=fe80::/10 list=prefix_delegation
add address=::/128 comment="dhcp6 client server value" list=prefix_delegation
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=input dst-port=5678 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address-list=prefix_delegation
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface=!LOCAL_LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface=!LOCAL_LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no hop-limit=64 managed-address-configuration=yes mtu=1280 other-configuration=yes ra-interval=3m20s-8m20s
/ipv6 nd prefix default
set preferred-lifetime=10m valid-lifetime=15m
/system identity
set name=Home
/system logging
add topics=dhcp
/system package update
set channel=testing

mezdej · October 13, 2025, 6:19am

did you solve it?

CGGXANNX · October 13, 2025, 7:47am

@mezdej IIRC Starlink DHCPv6 server does not send response with the link-local source address, but with a GUA address as source. That's why the rule "defconf: accept DHCPv6-Client prefix delegation." of the default firewall with the condition src-address=fe80::/10 is not matching the response packets.

As a temporary fix, first remove that src-address=fe80::/10 from the rule. If DHCPv6 client works, try to find out the real IP address of the Starlink's DHCPv6 server and add it to an allowed address list and use the list in the rule. You can find the real IPv6 address of the DHCPv6 server by temporary turning on "Log" on that rule and look in the log output.

In fact, in the config @sandyvdb posted above, he already created such list, looks for prefix_delegation in his export. But there are two issues with his configuration:

First is that prefix_delegation list does not contain the Starlink DHCPv6 server IP addresses, only ::/128. Or maybe it's a placeholder and he has censored the real IP address.
Second is that he did use it in a rule with src-address-list=prefix_delegation, however in the wrong place. Instead of editing the original rule at the top of the table and replacing src-address=fe80::/10 with src-address-list=prefix_delegation, he made copies of the firewall rules and placed them way down below the original rules. Because the firewall is processed from top to bottom in a chain, those rules down below are not hit and the DHCPv6 response traffics are already dropped by the drop rules above them.