Community discussions

MikroTik App
just joined
Topic Author
Posts: 1
Joined: Sat Oct 03, 2020 10:01 pm

Some questions on basic IPv6 configuration

Sat Oct 03, 2020 10:59 pm


I'm a casual user of a RB2011UiAS-2HnD (firmware 3.10) running v6.40.4 (stable). Yesterday I decided to dip my toes into IPv6 since my ISP have started to provide it.

First of all, I'm running a very simple home LAN here. Nothing fancy. A few nodes hooked up with wire and some over wifi. I've managed to get IPv6 to work for both computers connected by wire and mobile units over the wifi. I am however struggling a bit with some of the concepts and I hope you guys could help me out a bit with some questions.

Here's my current setup (which I've done following various guides I found googling):

DHCP Client:
/ipv6 dhcp-client print
Flags: D - dynamic, X - disabled, I - invalid 
 #    INTERFACE                        STATUS        REQUEST                     PREFIX                                                          
 0    ether1-gateway                   bound         prefix                      2001:9b1:xxxx:xx00::/56, 12h31m18s
From what I understand this means I've successfully managed to snatch a /56 prefix from my ISP.

/ipv6 pool print 

Flags: D - dynamic 
 #   NAME                                                              PREFIX                                      PREFIX-LENGTH EXPIRES-AFTER        
 0 D poolv6                                                            2001:xxxx:xxxx:xx00::/56                               64 12h22m4s             
 1   ula-pool                                                          fd00::/64                                              64 
From what I've gathered reading (although not very carefully) RFC7368 one is for a homework recommended to use two addresses for each node, a GUA and a ULA. The latter being needed as GUAs are expected to change frequently. Is this the correct way of setting up a ULA pool though? Googling around has me a bit confused, as people seem to generate the prefix used for the ULAs based on some algorithm. Why is that necessary?

Anyway, on to addresses:
/ipv6 address print 

Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
 #    ADDRESS                                 FROM-POOL INTERFACE                                                                       ADVERTISE 
 0 DL fe80::20c:42ff:fed8:2f/64                         bridge-local                                                                    no        
 1 DL fe80::20c:42ff:fed8:2e/64                         ether1-gateway                                                                  no        
 2  G 2001:xxxx:xxxx:xx00:192:168:88:1/64     poolv6    bridge-local                                                                    yes       
 3  G fd00::1/64                              ula-pool  bridge-local                                                                    yes       
I've only manually set up 2 and 3. I assume the other two are link local addresses that show up automatically for some reason? I'm not entirely sure why I've set up things like this. Especially why I've used the IPv4 address of my router as the last bit in 3. I got it of YouTube. Could I have used something like e.g. 2001:xxxx:xxxx:xx01:1:1:1:1/64 instead? Could I have used anything aside from /64? Also, I assume this part of the configuration has to do with SLAAC? Will 3 mean that each node on my LAN will get a ULA that is pretty much static?

Another thing I haven't quite figured out is what the IPv6 address of my router is. Can it be derived from above some how? Anyway, with the above setup I'm able to browse the internet and my IP shows as being IPv6 on the various "what's my ip" services on the web.

Now, from what I understand the configuration above means that all my nodes are directly addressable from the global internet, and that one should setup a firewall for this very reason. My version of didn't come with a default one, so I googled around a bit and found this one, which suggests the following rules:
/ipv6 firewall address-list add address=fd12:672e:6f65:8899::/64 list=allowed
/ipv6 firewall filter
add action=accept chain=input comment="allow established and related" connection-state=established,related
add chain=input action=accept protocol=icmpv6 comment="accept ICMPv6"
add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/16 comment="accept DHCPv6-Client prefix delegation."
add action=drop chain=input in-interface=sit1 log=yes log-prefix=dropLL_from_public src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" src-address-list=allowed
add action=drop chain=input
/ipv6 firewall address-list
add address=fe80::/16 list=allowed
add address=xxxx::/48 list=allowed
add address=ff02::/16 comment=multicast list=allowed

/ipv6 firewall filter
add action=accept chain=forward comment=established,related connection-state=established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=accept chain=forward comment=icmpv6 in-interface=!sit1 protocol=icmpv6
add action=accept chain=forward comment="local network" in-interface=!sit1 src-address-list=allowed
add action=drop chain=forward log-prefix=IPV6
Most of that makes sense, but I do not understand these two commands:
/ipv6 firewall address-list add address=fd12:672e:6f65:8899::/64 list=allowed
/ipv6 firewall address-list add address=xxxx::/48 list=allowed
Why the address fd12:672e:6f65:8899::/64? What should I replace the xxxx with? I did manage to work around not figuring this out by adding ::/0 to allowed (which I guess partly defeats the purpose, but bear with me). I do however fail the ICMP test over at From what it looks like above, ICMP should go through fine?

Who is online

Users browsing this forum: markos222 and 37 guests