I've got my home network set up and running fairly well with IPv4 using my hAP-AC router and RB3011 as a bridging switch for my home office equipment. I'd like to add IPv6 capability, but I'm cautious about exposing some devices (IoT stuff, mostly) which may not have a very robust firewall to access from outside. If I could filter IPv6 access by MAC address it would be ideal.

One aim I'm looking for specifically: I'm using a Synology NAS server to develop some websites. I would get best performance if I could set up an AAAA record in my DNS with a specific IP address for each individual website, and then have the MikroTik router forward any request for those IPs to a custom port on the server using its local address (either IPv4 or IPv6). I've implemented this using IPv4 for my highest traffic sites, but I don't have enough static IPv4 addresses to cover the development sites.

Also, I would like to begin using VLANs to segregate some equipment which really should not be speaking to the outside world and a VPN to be able to securely reach equipment from outside. I'm fairly new to both subjects, so if someone could point me to a good primer or two I'd appreciate it----Eric.

The default mikrotik firewall is pretty good. Once you enable ipv6 if you do not have it you can apply it. If you run "/system default-configuration print" (make the window size for the terminal really large first) you can see the ipv6 firewall rules and can copy and paste those. The firewall rules assume you have certain interface lists like WAN and LAN, so if you don't have those you will need to add those before copying and pasting the rules.

All IPv6 devices get public IPv6 addresses, but with the IPv6 defconf firewall, they are not accessible from the internet - only traffic in response to a request from the inside is allowed through, so it is similar security to IPv4 firewall even though the inside systems have public IPv6 addresses. You only get into trouble if your firewall is configured wrong.

All right. I have:

• Upgraded RouterOS to latest version (6.42.6).
• Enabled the IPv6 package.
• Set up a DHCP client entry on WAN1 requesting an address and prefix; it has received an address and prefix which correspond to what my ISP is showing in my Internet gateway.
• Set up a DHCP server entry on the bridge which references the address pool from the DHCP client.
• Set up a Neighbor Discovery entry on all interfaces with an Interval of 200-600 seconds, a Delay of 3 seconds, Advertise MAC address (only) checked, and a Lifetime of 1800 seconds.

And it's now been more than ten minutes since all of this was set up, and none of the other devices on my network are showing IPv6 connectivity. What more do I lack?

[Edit To Add: Other than some high explosives, of course!]

Hi Ehbowen, I have running IPv6 for 6 years now at home on Mikrotik and worked great for me. So some tips / advise for you:

(1) Does your ISP provides IPv6? If not you need to think to use an alternate solution like a 6to4 tunnel using vISP like Hurricane Electric (tunnel broker). I used tunnel broker for several years as my local ISP didn't support IPv6 in that time and worked great (very reliable and good speed) but like always in life there is a catch: Be aware that tunnel broker IPv6 blocks are being blocked by Netflix and by Microsoft (Xbox One) so you may face challenges there if you use it and you have to deal with those as I had to.

(2) For IoT I have created a separate VLAN and a separate Wi-Fi SSID. All my M2M (Machine to Machine communication) devices will be placed there and I will enable only the minimum flows from my internal network. Several of these devices doesn't have a robust security so logical network segmentation is a good practice here. So if you want IPv6 there then you probably need a larger block instead the default of /64 IPv6 block to provide IPv6 at least to your internal VLAN and to your IoT VLAN. If you don't want IPv6 on your IoT simple don't enable IPv6 in that VLAN and all the traffic in that VLAN will only talk IPv4.

(3) IPv6 is designed to assign multiple IP addresses to a single device. So if you don't want Internet IPv6 you can ignore my Point (1) that talks about Global Unicast address. If you want a private IPv6 network (similar to 10.x.x.x/8 or 192.168.x.x/16) then you can use the block fc00::/7 to assign those blocks. For that you need to use an IPv6 subnet calculator (plenty of them online by google it) to break it down at site level (i.e. /48 or /56 subnet) and once you have a site subnet you break it down in multiple /64 (one per VLAN). Also you can have both (Global Unicast for IPv6 Internet and Unique Local Addresses for private blocks). See a reference of the different type of IPv6 blocks: https://www.ripe.net/participate/member ... e_card.pdf

Good luck with your project!

All right. I have:

• Upgraded RouterOS to latest version (6.42.6).
• Enabled the IPv6 package.
• Set up a DHCP client entry on WAN1 requesting an address and prefix; it has received an address and prefix which correspond to what my ISP is showing in my Internet gateway.
• Set up a DHCP server entry on the bridge which references the address pool from the DHCP client.
• Set up a Neighbor Discovery entry on all interfaces with an Interval of 200-600 seconds, a Delay of 3 seconds, Advertise MAC address (only) checked, and a Lifetime of 1800 seconds.

And it's now been more than ten minutes since all of this was set up, and none of the other devices on my network are showing IPv6 connectivity. What more do I lack?

[Edit To Add: Other than some high explosives, of course!]

In DHCPv6 client set only to request the prefix and set a pool name. (Also check "add default route")
Then in IPv6 Address add an address to your LAN bridge:
Just change the pool name to the one you have, and change the interface name to reflect your LAN bridge or eth number.

Set up Neighbor Discovery entry to only work in your LAN Bridge. (Not all because of security.)
And yes, keep Advertise MAC address (only) checked.

This method of getting IPv6 addresses without DHCPv6 is called "Stateless address autoconfiguration" (SLAAC)

Keep in mind that Mikrotik DHCPv6 is not 100% completed. So it won't hand ipv6 addresses. (Stateful mode is not working yet.)

Also keep in mind that if you are in SLAAC mode only, then you have to set static DNS for ipv6 in your computers.

You don't need static DNS. Some devices already support DNS from RA (Linux, even Windows 10 for about a year now), but RouterOS doesn't have many configuration options for that (it just takes what's in "/ip dns"). But stateless DHCPv6 works in RouterOS and few versions back, DHCPv6 options were added, so it's possible to configure DNS using DHCPv6.

You don't need static DNS. Some devices already support DNS from RA (Linux, even Windows 10 for about a year now), but RouterOS doesn't have many configuration options for that (it just takes what's in "/ip dns"). But stateless DHCPv6 works in RouterOS and few versions back, DHCPv6 options were added, so it's possible to configure DNS using DHCPv6.

I am testing by adding the OpenDNS ipv6 in DNS section, but my Windows 10 won't take the DNS via SLAAC + DHCPv6 Server.
Maybe i am missing a check somewhere...
How can you make it work?

Edit: Found this --> interesting -- > https://blog.ipspace.net/2012/01/ipv6-n ... -just.html

If you want DNS from stateless DHCPv6, make sure you enabled other-configuration=yes in "/ipv6 nd". And of course add DHCPv6 server to your LAN interface (without pool, and it will work in stateless mode).