Hi,
I’ve been trying to set up my network to support IPv6. I can’t seem to figure it out, however. Here’s a quick network diagram to help illustrate things:

I’m trying to set up IPv6 so I can port forward on the webserver and VPN server (preferably others, though) and have outside connectivity, while also remaining secure. The webserver and VPN will remain connected directly to the Hap AC2, on the same ports if that matters. I already have the following config after following this guide; however, at the current moment I do not have internet access on any device (Arch Linux, Debian, Windows 10 with IPv6 enabled). How would I go about doing all of this? I am very new to networking in general, and IPv6 is completely foreign to me. I know it is a very specific use case, and as such, any and all help would be much appreciated. I already have 2 IPv6 capable VPN servers, and can set up a DHCPv6 server if needed to do this.
There is no /ipv6 firewall nat; you just permit the desired protocol/port(s) with /ipv6 firewall filter add action=accept chain=forward … rules to the public IPv6 address assigned to the web (or other) server before the drop forward from external interface rule. Blocking ICMP is a bad idea; it breaks PMTUD.
Ah. How would I go about giving a device a static IPv6 address if the prefix changes? So far, not only is connectivity entirely broken, but the prefixes change frequently too. That is why I was unsure of how to go about this. Thanks for replying!
How to deal with variable prefixes: http://forum.mikrotik.com/t/updating-the-firewall-when-a-dynamic-ipv6-prefix-delegation-changes/144361/1
How to set a static interface identifier is device dependent. The key words to search for are EUI-64 or, preferably, “tokenized interface identifier”.
Thanks for the help! Definitely going to take a look at this. Hadn’t heard of this before so this is a huge step in the right direction.
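The two ways of fixing the interface identifier named in the reply above (EUI-64 and a tokenized interface identifier), worked through as an added example that is not part of the original thread: it shows how a server's address is rebuilt from a changing delegated prefix, which is the address a forward-chain accept rule has to follow. The function names, the MAC address, the token and the prefixes (taken from the 2001:db8::/32 documentation range) are all constructed for illustration.

```python
import ipaddress

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return int.from_bytes(eui, "big")

def token_iid(token: str) -> int:
    """Interface identifier from a token such as '::80' (upper 64 bits must be zero)."""
    value = int(ipaddress.IPv6Address(token))
    if value >> 64:
        raise ValueError("token must leave the upper 64 bits zero")
    return value

def host_address(prefix: str, iid: int, subnet_id: int = 0) -> ipaddress.IPv6Address:
    """Combine a delegated prefix, a subnet index and a fixed interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError("need a /64 or shorter prefix to keep a 64-bit identifier")
    if not 0 <= subnet_id < (1 << (64 - net.prefixlen)):
        raise ValueError("subnet_id does not fit in the delegated prefix")
    return ipaddress.IPv6Address(int(net.network_address) | (subnet_id << 64) | iid)

def rule_update(old_prefix: str, new_prefix: str, iid: int, subnet_id: int = 0):
    """(stale, current) destination address for the server's accept rule."""
    return (host_address(old_prefix, iid, subnet_id),
            host_address(new_prefix, iid, subnet_id))

if __name__ == "__main__":
    # Constructed sample values: two successive /56 delegations, LAN on subnet 1.
    old, new = "2001:db8:aa00::/56", "2001:db8:bb00::/56"
    for label, iid in (("EUI-64", eui64_iid("52:54:00:12:34:56")),
                       ("token ::80", token_iid("::80"))):
        stale, current = rule_update(old, new, iid, subnet_id=1)
        print(f"{label}: rule for {stale} must now point at {current}")
```

Only the upper 64 bits change between delegations, so a fixed identifier keeps the host part of the rule's destination address stable while the prefix part is rewritten.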