local IPv6 on VLAN network

My network is segmented into VLANs and I have some IPv4 rules to allow them to access each other a bit (this is mostly for IoT stuff). I’m now using some Matter devices and they use IPv6 and I’m having some issues. My understanding of IPv6 is cursory, I read about it years ago when it was going to happen and then it didn’t happen and I forgot it.

I think the devices are happily getting link local IPv6 addresses and v6 is working on the VLANs/broadcast domains. My ISP doesn’t support IPv6 so there is no prefix coming in from outside so I think that none of the devices is getting more than just the link local address. Link local addresses do not route as far as I know and even though the VLANs are bridged together I’m not sure whether the MikroTik routes them between VLANs, doesn’t seem to.

I think what I want is a private IPv6 range per VLAN which is advertised so clients pick it up and make a private routable address. This in my mind is the equivalent of assigning VLAN10 to 10.10.0.0/16 and VLAN12 to 10.12.0.0/16, just with IPv6 in the fc00::/7 range. I would like to separate the addresses enough to apply similar rules to route between the VLANs as I have with IPv4, i.e. I don’t think I want to just have a big pool of fc00::/7 across the VLANs and put everything into one big IPv6 subnet 121 bits long.

So, questions:

  1. Am I right that the link local addresses don’t route even if the VLANs are all on the same bridge? I know bridges are L2 so perhaps they actually just do.
  2. Do I want to do something similar to segmenting the private IPv6 space per VLAN or am I completely off the rails?
  3. How do I do any of this?
  4. What post in this forum explaining all this did I not find?

I’m assuming that you have newish Matter-enabled devices and what they actually do is use OpenThread under the hood. In this case:

  1. You’re correct.
  2. Typically no: let the Thread Border Router (likely the smart home hub device) manage its network.
  3. Put the devices on the same link (VLAN); everything else should be automatic.
  4. https://openthread.io/guides/thread-primer/ipv6-addressing and other guides on that website.

About ULA: Although the full ULA range is fc00::/7, the fc00::/8 half is currently not used, and for your local networks you should only use the other half, fd00::/8. From this range, the 40 bits after fd should be “random” (the “global ID” part). That means you should not use trivial prefixes such as fd00::/64, but should use something like https://www.unique-local-ipv6.com/ to get random /48 prefixes (8 bits for fd plus 40 “random” bits).

With this random prefix, you can assign static values for the following 16 bits to get individual /64 prefixes that you can assign to your VLAN interfaces (or bridge interfaces, VPN, PPPoE clients, etc.). When your subnets use SLAAC (if you want compatibility with all devices then you have to use SLAAC, because DHCPv6 is not universally supported), then the prefix length for your subnets must be /64.

Example: You get fdf0:cafd:9aec::/48 from the generator; you can then assign fdf0:cafd:9aec:12::/64 for VLAN12 and fdf0:cafd:9aec:10::/64 for VLAN10 (yes, I know that 0x12 in hexadecimal is not 12 and 0x10 is not 10, but it’s better than having to mentally convert the hex values 0xc and 0xa).

The “random” prefix should come in handy when you later need to merge multiple networks (for instance when a corporation acquires new subsidiaries), or when you need to connect the LANs of remote offices (via VPN). The risk of address spaces clashing should then be minimal, compared to IPv4, where both offices might use the same 192.168.1.0/24 range.

In RouterOS, to assign address prefixes to interfaces (such as VLAN interfaces) and enable SLAAC on them, go to IPv6 → Addresses and add entries with the chosen ULA prefixes and turn on the Advertise flag.

For example:

/ipv6 address
add address=fdf0:cafd:9aec:10::1/64 interface=vlan10
add address=fdf0:cafd:9aec:12::1/64 interface=vlan12

(Note: you can omit the /64 here and it will be added implicitly.)

fdf0:cafd:9aec:10::1 and fdf0:cafd:9aec:12::1 will be the addresses of the router on the two respective interfaces (like when you assign .1 to the router in IPv4). You can of course choose any other 64-bit value for the suffix part (4 blocks of 16-bit hex) instead of ::1. The corresponding /64 routes will be automatically added to the main routing table.

Verify in IPv6 → ND that you either have the default entry for the “all” interface, or manually create ND entries for the vlan10 and vlan12 interfaces.

If you use the default MikroTik firewall (defconf) and want to enable forwarding by default between the interfaces, add them to the LAN interface list, because default forwarding is only enabled for interfaces in the LAN list.

Don’t forget that for most modern operating systems, ULA IPv6 addresses have lower priority than IPv4. If a domain resolves to both an A record and an AAAA record with a ULA address, the IPv4 address will be preferred.
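The ULA addressing plan described in the answer above, worked through in code as an added example (not code from the thread or from MikroTik): the 40-bit global ID is derived with the RFC 4193 method (SHA-1 over an NTP timestamp and an EUI-64, low 40 bits kept), each VLAN gets a /64 whose subnet ID is the VLAN number written as hex digits, and a sanity check rejects trivial prefixes such as fd00::/48. The NTP timestamp, EUI-64 and VLAN numbers in the demo are constructed sample values.

```python
import hashlib
import ipaddress
import struct

ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")  # the half of fc00::/7 meant for local use


def rfc4193_global_id(ntp_time: int, eui64: bytes) -> int:
    """RFC 4193 section 3.2.2: low 40 bits of SHA-1(64-bit NTP timestamp || EUI-64)."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be exactly 8 bytes")
    digest = hashlib.sha1(struct.pack(">Q", ntp_time & (1 << 64) - 1) + eui64).digest()
    return int.from_bytes(digest[-5:], "big")  # last 40 bits of the hash


def ula_prefix(global_id: int) -> ipaddress.IPv6Network:
    """Build fdXX:XXXX:XXXX::/48 from a 40-bit global ID (fd = fc00::/7 with the L bit set)."""
    if not 0 <= global_id < (1 << 40):
        raise ValueError("global ID must fit in 40 bits")
    return ipaddress.IPv6Network((((0xFD << 40) | global_id) << 80, 48))


def is_sane_ula(prefix: ipaddress.IPv6Network) -> bool:
    """A usable site prefix: inside fd00::/8, exactly /48, and not the trivial all-zero global ID."""
    global_id = (int(prefix.network_address) >> 80) & ((1 << 40) - 1)
    return prefix.subnet_of(ULA_LOCAL) and prefix.prefixlen == 48 and global_id != 0


def vlan_subnet(prefix: ipaddress.IPv6Network, vlan: int) -> ipaddress.IPv6Network:
    """Per-VLAN /64: subnet ID is the VLAN number spelled as hex digits (VLAN 12 -> 0x0012), as in the thread."""
    if not is_sane_ula(prefix):
        raise ValueError(f"{prefix} is not a sane ULA /48")
    subnet_id = int(str(vlan), 16)
    if subnet_id > 0xFFFF:
        raise ValueError("VLAN number does not fit the 16-bit subnet ID")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def router_address(subnet: ipaddress.IPv6Network, iid: int = 1) -> ipaddress.IPv6Interface:
    """Router address inside the /64, ::1 by default (the IPv6 counterpart of .1)."""
    if not 0 < iid < (1 << 64):
        raise ValueError("interface ID must be a non-zero 64-bit value")
    return ipaddress.IPv6Interface((int(subnet.network_address) | iid, 64))


def routeros_commands(prefix: ipaddress.IPv6Network, vlans: list[int]) -> list[str]:
    """RouterOS /ipv6 address lines, one per VLAN, with the Advertise flag so SLAAC hands out the /64."""
    lines = ["/ipv6 address"]
    for vlan in vlans:
        addr = router_address(vlan_subnet(prefix, vlan))
        lines.append(f"add address={addr} interface=vlan{vlan} advertise=yes")
    return lines


if __name__ == "__main__":
    # Constructed sample inputs: a fixed NTP timestamp and a made-up EUI-64.
    site = ula_prefix(rfc4193_global_id(0xE6A0_0000_0000_0000, bytes.fromhex("021122fffe334455")))
    print("\n".join(routeros_commands(site, [10, 12])))
```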

Thanks, that’s exactly the answer I was looking for; I can do that quite easily. I’m still trying to keep as much IoT stuff in one VLAN as possible, and yes, a lot of it does use link local addressing and doesn’t even care about getting a proper prefix. However, I’ve read enough to suggest that having properly routed IPv6 and some firewall rules will make a few operations across VLANs work properly.

I do really wish that v6 had taken off the way it was meant to, I guess now it’s never really going to happen.