hi all
i have 2 mikrotik one of them has valid ipv4 and ipv6 (/64)
another one just has ipv4 ( and no routing for ipv6 )
can i use ipv6 in sec device via tunnel ?

Yep - create a 6to4 tunnel interface on both routers, giving the appropriate local/remote IPv4 addresses.

You will need to be getting more than one /64 prefix from your IPv6 provider in order to do this.

suppose you have 2001:db85670::/60 as a prefix from your ISP - you could use ...5671::/64 at the second site - route this prefix to the second router across the tunnel, and on the remote site, set default gateway ::/1 to be the tunnel interface.

IF the remote site has a static IPv4 address, then you could also try using 6to4 address space (2002::/16)

You can use an online calculator to figure out your 2002:xxxx:yyyy::/48 prefix based on your IPv4 address

http://silmor.de/ipaddrcalc.html#ip46

open the IPv4 to IPv6 transitional tool
type your IP address into Customer IPv4 and leave the "using" value set to 32.
Click the ISP->Customer buton.
e.g.: 192.0.2.32 -> 2002:a0b:1621::/48

You may then use any /64 prefixes from this block that you like as the LAN interface addresses.

You'd want to put two tunnel interfaces to make this work well:
one is designed with the remote IPv4 address of the main site with "real" IPv6 addresses - build the tunnel as I explained earlier, but route your 6to4 /48 block across it at the main site (to avoid using a public 6to4 relay when communicating site to site)
On the 6to4 site, you'll want to static route to your main site's block across the site-to-site tunnel.

The other tunnel interface will need remote IP set to 192.88.99.1, and you'll want your IPv6 default gateway to be 2002:C058:6301::1
This will be the "wan" interface of your remote site's router as far as IPv6 goes, and that's where you want to put your filter rules to block new incoming connections by default.

Oh - one last thing - the IPv4 firewall's input chain will need to accept protocol 41 (where you normally put tcp or udp, put 41) - this is the 6in4 tunnel protocol number.

... and you'll want your IPv6 default gateway to be 2002:C058:6301::1

Say, do you know something I don't? AFAIK using 2002:c058:6301::1 as gateway never worked in any RouterOS version. Originally it used to be possible to have 2002::/16 6to4 using only one interface with gateway ::192.88.99.1%<6to4 interface name>, but it no longer works since 6.20 and second 6to4 interface is required. If I try to use 2002:c058:6301::1 as gateway, all it gives me, when I try to reach anything, is "address unreachable".

I forgot - you have to route 2002::/16 to the tunnel interface. Furthermore the interface has to have remote IP = 192.88.99.1

Edit
That probably requires tweaking the target scope stuff for recursive next hop...
I suppose ::/0 gateway=6to4interface should work too.

tnx
I will try
(i ask DC to give me /48 ipv6)

tnx
I will try
(i ask DC to give me /48 ipv6)

65537 network segments ought to cover it.