smn
December 7, 2025, 9:19pm
I'm migrating one he.net 6to4 tunnel from a pfSense router to a R5009 with a default configuration. Conveniently he.net provides command lines to create the 6to4 tunnel. Also, the online Mikrotik documentation suggests adding an ipv6 address, enabling DNS and advertising.
So how do I get packets moved through the sit1 interface? Anonymized export below:
/interface bridge
add admin-mac=MACMACMAC auto-mac=no comment=defconf name=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
/interface 6to4
add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive local-address=MYLOCALIP mtu=1280 name=sit1 remote-address=TUNNEL4
/ipv6 address
add address=2001:470:ffff:ffff::2 interface=bridge
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 route
add disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:ffff:ffff::1 scope=30 target-scope=10
/ipv6 address
add address=2001:470:ffff:ffff::2 interface=bridge
/ipv6 route
add disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:ffff:ffff::1 scope=30 target-scope=10
With this config, I try to get to ipv6-test.com but nothing ipv6 checks. Is there something I've overlooked?
tdw
December 7, 2025, 9:42pm
You don’t appear to have just cut sections from the config as there are duplicate /ipv6 address and /ipv6 route entries, and it doesn’t follow the example.
There should be two /ipv6 address entries, the HE Client IPv6 address on the tunnel interface with advertise=no, and an address from the HE Routed /64 on the bridge for the LAN.
smn
December 7, 2025, 10:08pm
Why or how there are multiple ipv6 firewall statements, as it came that way. I've cleaned them up, hopefully in the proper order.
Updated ipv6 firewall below, if I guess correctly on which ones to delete.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 address
add address=2001:470:7:ffff::2 advertise=no interface=bridge <-- client IPv6
add address=2001:470:8:ffc:: interface=bridge <--routed /64 just added
/ipv6 address
add address=2001:470:7:ffff::2 advertise=no interface=sit1
add address=2001:470:8:ffc:: interface=bridge <- added
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
Still no tunnel traffic through sit1. Do I need to add sit1 to the WAN or LAN? Any more suggestions?
tdw
December 7, 2025, 10:27pm
You could add sit1 to the WAN interface list for completeness, but it shouldn’t stop things working as this list is not referenced in the firewall rules.
Can you ping the HE Server IPv6 address from the Mikrotik itself? In the /interface 6to4 settings local-address=MYLOCALIP should be your public static WAN IP, as set in the HE control panel; it can be omitted if you only have a single WAN interface.
smn
December 7, 2025, 10:40pm
I have a single WAN interface. I can ping the HE.net server side of the tunnel.
I think adding the sit1 to the WAN interface did it. I'm seeing substantially more traffic now:
I can ping the he.net DNS ipv6 server, too. Clients on the network may not yet be seeing the route, but sit1 traffic is somewhat intermittent. So now this is a routing thing?
tdw
December 8, 2025, 2:45am
Try changing this either to address=2001:470:8:ffc::1, as the all zeros address has special meaning, or include eui-64=yes to automatically generate an interface address based on the MAC. Otherwise it could be the /ipv6 nd settings.