Need IPv6 for remote access - questions / quirks

Hi There

Long-time MikroTik user here (router + CAPsMAN + APs at home, router at parents’/places I help manage); I had to learn IPv6 because:

  1. My ISP started swapping from copper (coaxial) cables to fiber where I live, with their new gear/network being dual-stack.
  2. In the old network, asking them to set their router to “bridge mode” also provided you with a dynamic public IPv4 address, but in the new one the IPv4 address is always a dual-NATed, non-publicly-routable one.

So, I lost my WireGuard remote access at home and at my parents’, and when this change extends to the 2 buildings where I help with IT stuff (I do general IT for a living, but I do this for free just to help), they won’t:

  1. Be able to access a server that’s in “place A” from “place B” (I had set up a WireGuard connection between their 2 MikroTiks).
  2. People won’t be able to use the access app, because their server won’t have a public IPv4 address (I was using the MikroTik Cloud DDNS option masked with a DNS A record in Cloudflare).

I am now able to more or less operate IPv6 (I had to spend a week or so reading; it took some time until I noticed that many older articles were no longer valid).
I had issues at first because:

  1. I could get an address with the DHCPv6 client (SLAAC seems not to be supported by my ISP).
  2. Trying to get a prefix took a long time and errored out (this was because at some point I removed eth2 from the bridge and took eth1 into it, but never noticed that the bridge had the MAC address of eth2; this totally broke DHCP-PD, it seems).

Since I was unable to get a prefix (now I can; my ISP gives only /64 ones…), I got a single IPv6 address on my WAN interface, enabled masquerade and tried to distribute ULA addresses internally.

This more or less worked, with some “oddities”:

  1. I set a pool (ULA-pool1) as “fd00:0118:017:0001::/64” > sometimes when I reboot my router the bridge address reports that the pool is exhausted and I had to delete it, which sometimes removes the used prefix and sometimes crashes the hEX S, and it’s OK after a reboot.
  2. My CAPs (2 cAP ac and 1 hAP ac2) were not getting IPv6. Plugging them directly into the hEX S fixed the issue (moving them back to the old Geovision switch, which has no IPv6 options, didn’t break them again; here I thought that after “directly knowing” the hEX S LL address it worked, or something).
  3. I was unable to consistently get an IPv6 DNS address on Windows devices (if I use the advertise option in ND, Android, iOS and a QNAP NAS are OK; adding the DHCPv6 server with DNS option 23 seems to intermittently show an IPv6 DNS on my Windows computers). NOTE: I have Cloudflare DoH configured, with no DNS servers set and the fixed DNS entries for resolving the Cloudflare DoH address.
  4. Dunno if it’s normal, but with the default IPv6 firewall rules I see a lot of weird IPs with status FAILED under “neighbors” (dunno if they are attackers or whatever). If I set the default rule for allowing router advertisements to the LL address of the Huawei router my ISP gave me, this goes away.

Now I want to learn about using prefix delegation the correct way, BUT I am totally freaked out about needing a correct, secure firewall in place on each device, because they will each have a public IP (I kinda want to keep the single IPv6 IP in place; am I weird?).

But my TRUE needs:

  1. Since IPv4 remains NON-public, is there any way to use the MikroTik “cloud DDNS” function with only the IPv6 address being published?
    I ask this because having both the A and AAAA records published makes using WireGuard and the “access app” impossible (both go to the non-public IPv4 address by default).

  2. Should I use ULA addresses (with no pool) for the WireGuard interface and clients? (Will start testing that.)

I don’t really need IPv6 internally; I just want to be able to regain remote access and to route traffic from this “access app” to the Windows machine behind one of my MikroTiks (they currently have their own DNS record pointing to the cloud DDNS from MikroTik. For this case I THINK I need to either get a public IPv6 address onto that computer and use some DDNS client on it, OR use the public address on the MikroTik, tell them to point THEIR DNS record to the AAAA one of our router, and use ULA addresses inside my network to NAT traffic to the server?)

I started my IPv6 adventure thinking I would get a public IPv6 address on the router and nothing would change internally, but I think I understand that won’t be feasible.

Use freedns.afraid.org to keep your DDNS records and a scheduled script on RouterOS to update the AAAA only. I believe the script was posted somewhere here.

[1]: How do you use this pool exactly?
[2]: That doesn’t sound right. As if Neighbor Discovery was not running and LLAs were learned through other means.
[3]: I set DNS both in /ipv6/nd and via /ipv6/dhcp-server; I did not notice any problems on a plethora of devices I have at home.
[4]: I bet these addresses belong to your delegated prefix. See RFC 8981.

Building Advanced Firewall is a good start. Rule of thumb is to (mostly) accept ICMPv6 in the forward chain but forbid everything else unless explicitly needed (i.e. you know what service is running where and on which port).

Other topics you touched are… extremely broad. Search the forum, check out RFCs and post specific questions here about settings or concepts. Right now it’s impossible to answer some of your questions. Better divide your questions and ask here individually, otherwise people will simply look over posts like this.

I came here + 2 places on Reddit (tik and ipv6).

I have IPv6 running now, with a single delegated prefix.

Now i have to learn/test about:

  1. Windows machines having only IPv4 DNS (might be related to having no DNS servers listed and using DoH) - EDIT: OK, it seems fine now (except on my work laptop, which has Cisco Umbrella, but that’s normal).
  2. WireGuard working with IPv6 (I already use that DNS service, with a Windows client, somewhere else. Will check it here).
  3. Using the public IPv6 received from the router on a Windows computer to expose a single port (the hard part in my head is how to tell the firewall the destination address when it’s not fixed like I was used to in IPv4).

Thank you

[1]: What do you mean “no DNS listed”? What you configure to advertise is what should be advertised regardless of /ip/dns settings.
[3]: The port needs to be open on both RouterOS (filter, forward chain) and Windows. Use address lists and a DHCPv6 client lease script to keep it up to date.
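The address-list plus lease-script approach suggested in the reply above, together with the ordered forward chain ("accept ICMPv6, forbid everything else unless explicitly needed") recommended in the earlier reply, written out as an added example. This is not code from this thread, from MikroTik or from the firewall article; it assumes RouterOS v7, a DHCPv6 client on ether1 that requests a prefix, an ISP that delegates a /64 as described earlier in the thread, an interface list named WAN, and that the Windows host keeps a fixed interface identifier. The list name, comments, TCP port 8080 and the IID `::211:22ff:fe33:4455` (the EUI-64 form of the placeholder MAC 00:11:22:33:44:55) are all placeholders.

```routeros
# --- 1. DHCPv6 client lease script -------------------------------------
# Paste this body into the "script" field of the DHCPv6 client, e.g.
#   /ipv6 dhcp-client set [find interface=ether1] script=...
# RouterOS runs it on every lease change and exposes $"pd-valid" and
# $"pd-prefix" to it. All names below are assumptions for this example.
:local listName "app-server-v6"
:local entryComment "windows-app-server"
# Fixed interface identifier of the Windows host (placeholder EUI-64 IID).
:local hostIid "::211:22ff:fe33:4455"

:if ($"pd-valid") do={
    # $"pd-prefix" looks like "2800:db8:1234:5678::/64": keep the part
    # before "::/" and append the fixed host IID to get the host's /128.
    :local prefix [:tostr $"pd-prefix"]
    :local base [:pick $prefix 0 [:find $prefix "::/"]]
    :local hostAddr ($base . $hostIid . "/128")

    :local existing [/ipv6 firewall address-list find list=$listName comment=$entryComment]
    :if ([:len $existing] = 0) do={
        /ipv6 firewall address-list add list=$listName address=$hostAddr comment=$entryComment
    } else={
        # prefix changed: rewrite the entry instead of leaving a stale one
        /ipv6 firewall address-list set $existing address=$hostAddr
    }
    :log info ("address-list " . $listName . " now " . $hostAddr)
} else={
    # Prefix withdrawn: empty the list so the accept rule matches nothing.
    /ipv6 firewall address-list remove [find list=$listName comment=$entryComment]
    :log warning ("delegated prefix invalid, cleared " . $listName)
}

# --- 2. Forward chain, in order (rules are evaluated top to bottom) -----
# Minimal skeleton; merge with your existing rules rather than duplicating.
/ipv6 firewall filter add chain=forward connection-state=established,related action=accept comment="accept established/related"
/ipv6 firewall filter add chain=forward connection-state=invalid action=drop comment="drop invalid"
/ipv6 firewall filter add chain=forward protocol=icmpv6 action=accept comment="accept ICMPv6 (PMTUD, errors)"
# The one published service: only this port, only to the host kept in the list.
/ipv6 firewall filter add chain=forward in-interface-list=WAN protocol=tcp dst-port=8080 dst-address-list=app-server-v6 action=accept comment="allow access app to windows host"
# Everything else from the internet is refused; LAN-originated traffic still passes.
/ipv6 firewall filter add chain=forward in-interface-list=WAN action=drop comment="drop everything else from WAN"
```

For the address to stay predictable, the Windows host must not randomise its identifier: `netsh interface ipv6 set global randomizeidentifiers=disabled` makes it use the EUI-64 derived from its MAC, and `netsh interface ipv6 set privacy state=disabled` stops the RFC 8981 temporary addresses from being preferred for outbound traffic (inbound to the EUI-64 address works either way). The Windows Defender firewall on the host still needs its own inbound rule for the port, as the reply notes.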

At some point, iOS/Android/QNAP were fine with both IPv4 and IPv6 router addresses listed under “DNS”, but in Windows I only had the IPv4 one.

I might have started checking only on my work laptop, because today I checked on the personal ones, which have no “Cisco Umbrella roaming client” installed, and it works just fine (both IPv4 and IPv6 addresses listed).

So now I have to look into that script stuff for the AAAA record (since I can’t use the MikroTik Cloud one anymore, it seems) and for keeping the Windows PC’s IP updated in the firewall rule.

Most of my issues are gone now.

About [4], no, my delegated address was 2800:: and I saw different stuff there.
But now they are gone. (Removed my “hack” too.)

I went to the link you provided about the advanced firewall.

I had rules in place (filter and mangle more than anything), but I got a few updates from there (my rules were from old times).

One thing I ran into: I had never used the “raw” rules; I followed the recommendations, and the LAST rule for IPv6, which “drops all other ICMPv6”, breaks IPv6.

I have now configured a script to update a dyn record with my IPv6 address.

I use IPv6 for remote access to RouterOS devices (RB4011 and AX2) by HTTPS, and as the WireGuard endpoint address.

I use dynv6 to register my dynamic IPv6 address.
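A scheduled RouterOS script for the AAAA-only dynamic DNS update that several posts above mention, using dynv6 as in the reply just above. This is an added example, not the script from this thread and not code from dynv6 or MikroTik. It assumes RouterOS v7, that the public IPv6 address lives on the WAN interface (ether1 here) as described earlier in the thread, dynv6's GET update endpoint `https://dynv6.com/api/update?hostname=...&token=...&ipv6=...`, and a hostname and token that are placeholders below.

```routeros
# Store as a system script and run it from the scheduler, e.g.:
#   /system script add name=dynv6-aaaa source=<this body>
#   /system scheduler add name=dynv6-aaaa interval=5m on-event="/system script run dynv6-aaaa"
# Interface name, hostname and token are placeholders for this example.
:local wanIf "ether1"
:local ddnsHost "myhome.dynv6.net"
:local ddnsToken "REPLACE_WITH_DYNV6_TOKEN"

# Last address pushed to dynv6; persists between runs so the API is only
# called when the address actually changes.
:global dynv6LastV6

# Pick the global (non link-local) IPv6 address on the WAN interface.
:local current ""
:foreach id in=[/ipv6 address find interface=$wanIf] do={
    :local a [:tostr [/ipv6 address get $id address]]
    :if ([:pick $a 0 5] != "fe80:") do={
        # drop the "/64" (or whatever) prefix length, keep the bare address
        :set current [:pick $a 0 [:find $a "/"]]
    }
}

:if ([:len $current] = 0) do={
    :log warning ("dynv6: no global IPv6 address on " . $wanIf . ", nothing to update")
} else={
    :if ($current != $dynv6LastV6) do={
        :local url ("https://dynv6.com/api/update?hostname=" . $ddnsHost . "&token=" . $ddnsToken . "&ipv6=" . $current)
        :do {
            # keep-result=no: only the HTTP status matters, no file is written
            /tool fetch url=$url mode=https keep-result=no
            :set dynv6LastV6 $current
            :log info ("dynv6: AAAA for " . $ddnsHost . " set to " . $current)
        } on-error={
            # leave dynv6LastV6 untouched so the next scheduled run retries
            :log error ("dynv6: update failed for " . $ddnsHost)
        }
    }
}
```

Two caveats a practitioner would add: `/tool fetch` does not validate the server certificate unless you import a CA bundle and add `check-certificate=yes`, so until then the token travels over TLS whose peer is not verified; and the token sits in plain text in the script, so anyone with read access to `/system script` on the router can update your record.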

Cool, I didn’t know about that service.

I already have a script for ZoneEdit and I am researching one for Cloudflare, but I will keep that in mind.

NEW DOUBT:

Is the PUBLIC IPv6 address useful only for IPv6-ready networks?

I ask this because I came to work today, and we have IPv4 only here.

Tried to test my WireGuard, with no success.

Tried to ping my hostname, could not find the IP.

Tried nslookup and it finds the IPv6 address correctly.

This IPv6 quest began as a way to not lose public access to the entrance app on a Windows 10 PC, but I will be in trouble if it only works for IPv6-enabled networks.