Community discussions

 
storp
newbie
Topic Author
Posts: 48
Joined: Tue Nov 24, 2015 2:53 pm

First time setting up IPv6

Sun Mar 24, 2019 6:18 pm

I recently was informed my ISP (Bahnhof in Sweden) now can give me IPv6 natively. So of course, I wanted to try it out! I thought I’d share my experience of configuring IPv6 on my home network. I think it was difficult to find an easy to follow guide and I also had some problems with my accesspoints (wAP AC and cAP AC). I’m not an expert so if you see any areas for improvement please make a comment. Hopefully this short post will help others who want to get IPv6 on their Mikrotik equipment.

My ISP uses DHCP-PD for delegation of prefix. Currently I’m assigned a /56 prefix which I understand is the recommended subnet size for end-customers. I’m using stateless assignment of addresses to my end-points.

The router I use, RB4011 is connected to ISP on Ether1 and all other networks are configured with bridges and assigned ports, most of them run through VLANs on the sfp+ port. I have several bridges but started out with just configuring one to see if I could get it to work. It was easy to later add more subnets, just assign IP from the pool (will be explained later), configure neighbor discovery and you should be set.
So here is a brief step-by-step guide:
First of all, make sure you have the IPv6 package installed and then configure the firewall with some basic settings for IPv6. I ended up with the following minimal settings to start with:
/ipv6 firewall filter
add action=reject chain=input comment="Reject invalid packets" \
    connection-state=invalid reject-with=icmp-no-route
add action=accept chain=input comment=\
    "Allow established and related connections" connection-state=\
    established,related
add action=accept chain=input comment="Allow ICMP" protocol=icmpv6
add action=accept chain=input comment="Allow lo" in-interface=loopback
add action=accept chain=input comment="Allow SSH to router" dst-port=22 \
    in-interface=!ether1 protocol=tcp
add action=accept chain=input comment="Allow DHCPv6" dst-port=546 protocol=\
    udp src-port=547
add action=reject chain=input comment="Reject TCP connections by default" \
    in-interface=ether1 protocol=tcp reject-with=tcp-reset
add action=reject chain=input comment="Reject other protocols by default" \
    in-interface=ether1 reject-with=icmp-admin-prohibited
add action=accept chain=forward comment=\
    "Allow related and established connections" connection-state=\
    established,related
add action=accept chain=forward comment="Allow ICMP" protocol=icmpv6
add action=reject chain=forward comment="Reject invalid packets" \
    connection-state=invalid log-prefix=IPv6: reject-with=icmp-no-route
add action=accept chain=forward comment="Allow any to internet" \
    out-interface=ether1
add action=reject chain=forward comment="Reject TCP connections by default" \
    in-interface=ether1 protocol=tcp reject-with=tcp-reset
add action=reject chain=forward comment="Reject other protocols by default" \
    in-interface=ether1 reject-with=icmp-admin-prohibited
Next thing to configure is the IPv6 DHCP-client.
ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=IPv6-pool prefix-hint=\
    ::/56 request=prefix use-peer-dns=no
If all goes well, you should be assigned a prefix from your ISP. If you have /56 prefix assigned, you can subnet that to 256 /64 networks which each contains a whopping 18,446,744,073,709,551,616 addresses. As I understand the pool will default to /64 which is exactly what’s needed for getting stateless configuration to work.
The pool will be used for configuring IP-addresses on the router and if needed to delegate subnets to other routers (in that case you will have to configure IPv6 DHCP server). I choose to not have ISP provided DNS since I run internal DNS servers and they can make IPv6 address lookups (when they receive a global IPv6 address).
Now we can assign IP address to the router and on those internal networks that need IPv6 connectivity. I don’t need IP address on ether1 even if it’s the external facing interface since I don’t have any service in use yet which requires external access to that interface.
/ipv6 address
add address=::1 from-pool=IPv6-pool interface=bridge-LAN
In my case I choose my bridge for LAN to be assigned an address. If you followed these steps, hopefully you now have a globally unique address. Check that with /ipv6 address print. You should be able to find a globally unique (marked with G flag) assigned from your newly created pool.

Next step is to configure Neighbor Discovery:
/ipv6 nd
add advertise-dns=yes hop-limit=64 interface=bridge-LAN
Lastly check IPv6 settings, you must make sure forwarding is enabled.
/ipv6 settings print
forward: yes
accept-redirects: yes-if-forwarding-disabled
accept-router-advertisements: no
That should be it! Now is a good time to test from a pc or other device in your LAN that you have IPv6 connectivity. I’m pinging google from a pc:

ping -6 ipv6.google.com
Pinging ipv6.l.google.com [2a00:1450:400f:809::200e] with 32 bytes of data:
Reply from 2a00:1450:400f:809::200e: time=17ms
...
Ping statistics for 2a00:1450:400f:809::200e:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 17ms, Maximum = 17ms, Average = 17ms
Congratulations, you have working IPv6!

The only real problem I had was getting my wifi to run IPv6, I only use Mikrotik accespoints which are centrally managed by the router via CAPsMAN.
After some troubleshooting, I discovered that the IPv6 settings for the AP’s needed to be configured with IPv6 forwarding disabled and I needed to add the ether interface (which is assigned to bridge1) to Neighbor Discovery.
/ipv6 nd
add hop-limit=64 interface=bridge1 other-configuration=yes
/ipv6 settings print
forward: no
accept-redirects: yes-if-forwarding-disabled
accept-router-advertisements: yes
max-neighbor-entries: 8192

Hopefully this will help you get started. If you find any suggestions for improvements, I’d be glad to hear about them.
 
Pericynthion
newbie
Posts: 37
Joined: Tue Jan 02, 2018 8:54 pm

Re: First time setting up IPv6

Sun Mar 24, 2019 7:55 pm

Awesome - thanks for this!

I had recently transferred my working IPv6 config manually from a HexGR3 to a new 4011, and for the life of me couldn't figure out why I was getting an IPv6 address from the service provider, but none of internal clients were. Walking through this write-up I realized I'd missed the 'add address=::1' - HAH!
 
storp
newbie
Topic Author
Posts: 48
Joined: Tue Nov 24, 2015 2:53 pm

Re: First time setting up IPv6

Mon Mar 25, 2019 1:30 pm

Awesome - thanks for this!

I had recently transferred my working IPv6 config manually from a HexGR3 to a new 4011, and for the life of me couldn't figure out why I was getting an IPv6 address from the service provider, but none of internal clients were. Walking through this write-up I realized I'd missed the 'add address=::1' - HAH!
Great, glad it helped!

Btw, any admin reading this? I realize I posted in the wrong section of the forum. You can move this to "Beginner Basics" if you find it more fitting.
 
lilw
newbie
Posts: 28
Joined: Sun Jan 21, 2018 5:31 pm

Re: First time setting up IPv6

Tue Mar 26, 2019 2:51 am

I think different ISP give different way to get ipv6. With my ISP Viettel (Vietnam). I just need to setup ipv6 dhcp-client and address. It all up now. But the bug is when my pppoe disconnect, the dhcp-client can't rebind. I need to release it manually.
 
jharry
just joined
Posts: 7
Joined: Tue Feb 26, 2019 11:47 pm

Re: First time setting up IPv6

Sat Mar 30, 2019 5:14 am

When you Winbox to the router do both your ipv4 AND ipv6 addresses show up to manage the router?
 
christopherh
newbie
Posts: 29
Joined: Sun Feb 24, 2019 7:43 am
Location: Sydney, Australia

Re: First time setting up IPv6

Sat Mar 30, 2019 9:03 am

Hi there,

Given the current problems with IPv6 on Mikrotik, I would strongly suggest waiting before you deploy it. Want to know why? Read these links...

viewtopic.php?t=147076
viewtopic.php?t=147048
https://indico.uknof.org.uk/event/46/contributions/667/

Cheers,
Christopher H.
 
storp
newbie
Topic Author
Posts: 48
Joined: Tue Nov 24, 2015 2:53 pm

Re: First time setting up IPv6

Sat Mar 30, 2019 3:21 pm

When you Winbox to the router do both your ipv4 AND ipv6 addresses show up to manage the router?
No, when looking in Neighbors in Winbox a only see the MAC address and the ipv4 address.
 
storp
newbie
Topic Author
Posts: 48
Joined: Tue Nov 24, 2015 2:53 pm

Re: First time setting up IPv6

Sat Mar 30, 2019 3:23 pm

Hi there,

Given the current problems with IPv6 on Mikrotik, I would strongly suggest waiting before you deploy it. Want to know why? Read these links...

viewtopic.php?t=147076
viewtopic.php?t=147048
https://indico.uknof.org.uk/event/46/contributions/667/

Cheers,
Christopher H.
I agree, been following the mentioned threads with interest. Since I only use this for my home network it's easy to disable. But I'm pretty confident it will be fixed soon so I'm not that worried.

Who is online

Users browsing this forum: No registered users and 58 guests