IPv6 struggle

Hello community.

# 2024-12-30 09:26:09 by RouterOS 7.16.2
# software id = NAY9-JVHV
#
# model = C52iG-5HaxD2HaxD
# serial number = *******
/interface bridge
add fast-forward=no name=bridge1 port-cost-mode=short
/interface wifi channel
add band=2ghz-ax disabled=no name=channel2
add band=5ghz-ax disabled=no name=channel5
/interface wifi datapath
add bridge=bridge1 disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no group-key-update=1h \
    name=sec1
/interface wifi configuration
add chains=0,1 channel=channel2 country="United States" datapath=datapath1 \
    disabled=no mode=ap name=cfg2 security=sec1 ssid=Litevska46 tx-chains=0,1
add chains=0,1 channel=channel5 country="United States" datapath=datapath1 \
    disabled=no mode=ap name=cfg5 security=sec1 ssid=Litevska46 tx-chains=0,1
/interface wifi
set [ find default-name=wifi1 ] configuration=cfg5 disabled=no
set [ find default-name=wifi2 ] configuration=cfg2 disabled=no
/ip pool
add name=dhcp_pool0 ranges=192.168.7.1-192.168.7.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 lease-time=20h30m name=dhcp1
/dude
set enabled=yes
/interface bridge port
add bridge=bridge1 hw=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge1 hw=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge1 hw=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge1 hw=no interface=ether5 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic lldp-mac-phy-config=yes \
    lldp-max-frame-size=yes lldp-med-net-policy-vlan=1 lldp-vlan-info=yes
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=cfg2 \
    supported-bands=2ghz-ax
add action=create-enabled disabled=no master-configuration=cfg5 \
    supported-bands=5ghz-ax
/ip address
add address=10.14.193.82/30 interface=ether1 network=10.14.193.80
add address=192.168.7.254/24 interface=bridge1 network=192.168.7.0
/ip dhcp-server network
add address=192.168.7.0/24 dns-server=10.255.255.10,10.255.255.20,8.8.8.8 \
    gateway=192.168.7.254
/ip dns
set servers=10.255.255.10,10.255.255.20,8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat dst-address=!192.168.7.0/24 src-address=\
    192.168.7.0/24
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.14.193.81 routing-table=main \
    suppress-hw-offload=no
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=ipool request=\
    address,prefix
/ipv6 nd
set [ find default=yes ] hop-limit=64 interface=bridge1 \
    managed-address-configuration=yes other-configuration=yes
/ipv6 nd prefix
add autonomous=no interface=bridge1
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=AP
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.255.255.10
add address=10.255.255.20
/tool sniffer

My first Mikrotik but I’m not so new to networking.

I have working IPv4 with no issues.
bridge1 and its slave interfaces wifi1 and wifi2 are in the internal network; ether1 is the WAN interface.
The DHCP client is able to receive an IPv6 address and prefix,
and the configured DHCP server is able to deliver it to a client (my laptop).
I can ping outside-world IPv6 addresses (Cloudflare DNS / Google) from the router.
But I can't reach any outside resources from laptops that are behind the router.
I can ping the router from the laptop via its link-local address (and vice versa as well),
but pings sent to 2606:4700:4700::1111 (Cloudflare DNS) are not getting any response.

What I tried:

adding IPv6 → Firewall → Forward policy with “all to all” and “bridge1 to ether1” - no change
adding IPv6 → Firewall → Nat - srcnat with accept with dst iface of ether1 - no change
adding IPv6 → Firewall → Nat - srcnat with masquerade and dst iface of ether1 - no change
adding IPv6 → Firewall → Nat - srcnat with srcnat and setting the IPv6 address I got from DHCP as TOaddress - no change

I have a feeling I'm missing something simple that will actually enable the “routing” of the packets.

Please help, and thank you beforehand for your time.

In the above example I removed the DHCP server and set the router's IP as my gateway on my laptop, but nothing changed.

Two things:

  1. Disable add-default-gateway on /ipv6 dhcp-client. The way it is now might work (depends on how your ISP does things), but it’s not the correct way.
    Instead set accept-router-advertisements=yes under /ipv6/settings.
  2. More crucially: assign an IPv6 address to the LAN interface (bridge) to enable IPv6 in your LAN segment:
/ipv6/address
add address=::1/64 from-pool=ipool interface=bridge1

The above takes one prefix from the pool, affixes it with as many zeroes as needed and 1 as the last 16-bit part, and sets this address on the bridge1 interface. The implicit (default) setting of advertise=yes then allows SLAAC to work … and establishes an IPv6 route towards LAN clients.

Item #1 above might not be necessary since you can access internet from router directly (and probably router from internet), but as I wrote it’s the correct way and if it works, then set it this way. If it doesn’t, then revert to your current settings.

I found a thread with your answers that really helped me:
http://forum.mikrotik.com/t/ipv6-configuration-under-router-os-7/170929/1

What I did was:

/ipv6 dhcp-client set [find interface=ether1] add-default-route=no
/ipv6/settings set accept-router-advertisements=yes
/ipv6/address add address=::1/64 from-pool=ipool interface=bridge1

thank you!
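
With the fix above, bridge1 advertises a delegated global prefix, so LAN hosts get publicly routable IPv6 addresses and the working setup uses none of the srcnat rules tried earlier; the posted export, however, contains no /ipv6 firewall filter section. A minimal stateful filter for this topology, as an added example that is not part of the thread (it assumes ether1 is the WAN and bridge1 the LAN, as in the export, and that no other IPv6 filter rules exist):

```routeros
# Added example, not from the thread. Assumes ether1 = WAN, bridge1 = LAN,
# as in the export above. Rules are evaluated top to bottom.
/ipv6 firewall filter
# --- traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="replies to router-originated traffic"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmpv6 \
    comment="ND, router advertisements and PMTU discovery need ICMPv6"
add chain=input action=accept protocol=udp dst-port=546 \
    src-address=fe80::/10 in-interface=ether1 \
    comment="DHCPv6 client replies (address and prefix)"
add chain=input action=drop in-interface=ether1 \
    comment="no other WAN access to the router"
# --- traffic routed between ether1 and bridge1 ---
add chain=forward action=accept \
    connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept protocol=icmpv6 \
    comment="keep PMTU discovery and echo working end to end"
add chain=forward action=accept in-interface=bridge1 out-interface=ether1 \
    comment="LAN hosts may open connections outbound"
add chain=forward action=drop in-interface=ether1 \
    comment="unsolicited inbound to LAN hosts"
```

Apply it from a LAN-side session so the input drop on ether1 cannot cut off your own management connection.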