It is 2015, ipv6 is about 15 years old, ipv4 space is gone, and v6 is almost completely ignored by vital ros functions like hotspot.
I thought that the hotspot feature would restrict/allow (un)authorized devices based on their L2 mac address.
Of course redirecting the user to the captive portal website requires additional L3-7 handling.
The bad thing is not that redirection only works with ipv4.
As soon as you have implemented ipv6 it is completely open for everybody (i.e. also unauthorized clients)!
This means clients are having full ipv6 connectivity even if they have not authenticated yet.
At least this was my personal experience with mikrotik ipv6 hotspot.
Since I did not want to drop ipv6 I was thinking about how to workaround this bug.
Five years ago a script adding clients to ipv6 address list have been published here on this forum (link).
I thought about switching from l3 ipv6 addresses to adding l2 mac address to some kind of acl in order to better handle changing ipv6 addresses (privacy extensions).
However I wasn't happy with this solution. I do not like dynamically changing the system configuration. (though it was still better than the current ros implementation of just completely allowing unauthenticated ipv6 traffic).
My idea: Let's filter AAAA dns requests for unauthenticated clients.
Modern clients use to request A (ipv4) and AAAA (ipv6) records for a specific hostname (and then most likely prefer ipv6).
If we force end users to only use the local dns server and then filter AAAA queries arriving there, the user would only see ipv4 addresses (A record answers) while being unauthenticated - which would make ipv6 almost useless.
Skipping this AAAA filter for authenticated clients is enabling them full ipv6 connectivity.
Step 1: How to filter AAAA records
Well, in fact this was quite easy by using l7 filters.
All AAAA queries contain 0x0001c (type aaaa) 0x0001 (class in).
Since l7-filter strips out null bytes this magic string becomes 0x1c01.
So an appropriate l7-filter looks like this:
/ip firewall layer7-protocol add name=DNS_AAAA regexp="\\x1C\\x01"
/ip firewall filter add action=reject chain=pre-hs-input comment="Filter AAAA UDP DNS Requests for unauth Hotspot Users" dst-port=64872 hotspot=!auth layer7-protocol=DNS_AAAA protocol=udp reject-with=icmp-protocol-unreachable add action=reject chain=pre-hs-input comment="Filter AAAA TCP DNS Requests for unauth Hotspot Users" dst-port=64872 hotspot=!auth layer7-protocol=DNS_AAAA protocol=tcp reject-with=tcp-reset
Step 3: Force use of local dns server by filtering outgoing dst port 53 in forward chain.
You most likely won't need help on how to exactly achieve this if you have read so far.
Wasn't that easy?
I mean this cannot be a real solution, but for me this looks like being the best workaround you can have right now when using mikrotik hotspots in ipv6 environments.
Feel free to comment on this if you have any ideas, or post your configs how you are currently managing ipv6 hotspots.
Just hoping providing such a dirty workaround does not prevent mikrotik from developing real native ipv6 support.