[NEWBIE] IPv6 firewall no NAT category

kajizta · July 5, 2024, 2:23pm

Hello, everyone.

I have ipv6 subnet /64 and i need set up ipv6 for my local network. My ISP router located on ::1/64 address in same subnet.
I thought set up “ipv6 nat”, but my RB3011 (RouterOS v6.48.6) doesn’t have IPv6 - Firewall - NAT section to setup NAT on IPV6.
Basically, i need have ipv6 address in ifconfig.co, for example.

rextended · July 5, 2024, 3:52pm

What’s the point of doing NAT with IPv6 for a home user with only one internet line??? (***)

Whatever happens, RouterOS v6 does not have IPv6 NAT.
You have to use RouterOS v7, and it must really be worth it.
Why don’t you use IPv6 directly without wasting time with NAT?

(***) Obviously… etc. etc. etc.

sindy · July 5, 2024, 4:01pm

RouterOS 6 indeed does not support IPv6 NAT. One of the reasons for that is that one of the main goals of IPv6 development was to make NAT unnecessary. The real life has taken another path, but regardless that, a normal home user with a single uplink should normally not be forced to use IPv6 NAT.

So if you absolutely need IPv6 NAT, you’ll have to move to RouterOS 7, but maybe you can talk to your ISP and get a real IPv6 service with at least a /56 prefix that can be split into 256 /64 ones, rather than a single /64 with a numbered uplink interface? Or at least a single /64 but with PPPoE so that the complete /64 could be handled by your 3011, since the ends of a PPPoE tunnel do not need to have their own global addresses? Maybe it is enough to set a bridge (bypass, transparent) mode on your ISP device and let the Mikrotik deal with all the routing stuff?

If you can settle that with the ISP and you can therefore keep using RouterOS 6, you should nevertheless move on to the most current long-term version, which is currently 6.49.13.

rextended · July 5, 2024, 4:09pm

Just add this two DNSv6 if already you do not have in ip / dns some static or dynamic DNSv6

2606:4700:4700::1111

2001:4860:4860::8888

and for the configuration, assuming your provider provide 2a03:dead:beef:7366::/64
/ipv6 pool
add name=dhcpv6-pool prefix=2a03:dead:beef:7366::/64 prefix-length=64

/ipv6 address
add address=::1 eui-64=yes from-pool=dhcpv6-pool interface=<LAN_INTERFACE_OR_BRIDGE_NAME>

/ipv6 nd
set [ find default=yes ] hop-limit=64 interface=<LAN_INTERFACE_OR_BRIDGE_NAME>

/ipv6 route
add distance=1 dst-address=2000::/3 gateway=fe80::LINK-LOCAL_ISP_ADDRESS%<WAN_INTERFACE>
tahnks @sindy: fixed (one) error, is not WAN on ipv6 address but <LAN_INTERFACE_OR_BRIDGE_NAME>

sindy · July 6, 2024, 9:31am

@rextended, I think I understand your idea, but in order that it worked, I'd say the address must be attached to the LAN interface, not WAN...

rextended · July 7, 2024, 6:55pm

Ops… yes, is local bridge… is untested, I wrote

Usually I do all with pppoe on my clients