Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Default IPv6 copy/paste for SOHO use

Sun Dec 18, 2022 10:00 pm

I have spent an hour googling and reading and looking for a simple SOHO IPv6 setup. Hopefully a copy/paste with just adding interface names.

Mikrotik really should include this for routers setup factory for SOHO use.

What I need is what every other router on the market does for SOHO.
 
cfikes
Member Candidate
Posts: 106
Joined: Mon Dec 08, 2014 9:14 pm
Location: Texas

Re: Default IPv6 copy/paste for SOHO use  [SOLVED]

Sun Dec 18, 2022 10:28 pm

There are a lot of variables, which is probably why Mikrotik doesn't. I have an example, or a copy pasta, below you can start with. What it is is the default IPv6 firewall rules, with ether1 being the WAN requesting through DHCPv6 an address and a prefix for local networks. It adds that received prefix to pool ISPv6, assigns the bridge an EUI-64 address from that pool and advertises it as a router using Google's IPv6 DNS addresses.

I do not advocate copy and pasting code/configs off the internet, but this will get you going and perhaps give the basic understanding of what happens.

/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=ISPv6 prefix-hint=::/64 request=address,prefix
/ipv6 address
add from-pool=ISPv6 interface=bridge advertise=yes eui-64=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] dns=2001:4860:4860::8888,2001:4860:4860::8844
/ipv6 nd prefix
add interface=bridge
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Default IPv6 copy/paste for SOHO use

Sun Dec 18, 2022 11:25 pm

Nice firewall rules :) Thank you..

But if it's so complex with so many variables, how does every other home/SOHO router do it easily with zero config?

There MUST be ONE simple way to do this for SOHO / Home use.

I remember spending a few days poking through tons of posts and finally finding it, and it was very simple, but I can't find it now.

I will go try this out.
 
cfikes
Member Candidate
Posts: 106
Joined: Mon Dec 08, 2014 9:14 pm
Location: Texas

Re: Default IPv6 copy/paste for SOHO use

Sun Dec 18, 2022 11:35 pm

I think it comes down to feature set and potential complexity. I agree with you on the need for something for SOHO; just tack on what I sent you to the QuickSet and call it a day. What the prior doesn't account for is multiple VLANs, hardware features and so on.

If you run into anything, holler back.
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Default IPv6 copy/paste for SOHO use

Mon Dec 19, 2022 7:27 am

Yep :) that did work. I started without the firewall rules and just did an accept for everything on the firewall. Then added in the firewall.

It was weird. At first it did not grab an IPv6. I needed to manually renew. I assume had I rebooted it would have grabbed it. Seems fine.

I have a config I copy paste in segments for each router I do. I will add this to my to-do list for a new blank router.

All I needed to do to the above was change the WAN and LAN interface names. IPv6 interface lists would be nice :)

Thank you. I am hopeful the above will help others. The basics for IPv6 need to be included with the factory config for SOHO / Home router configs.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Default IPv6 copy/paste for SOHO use

Mon Dec 19, 2022 10:10 am

Most (if not all) of the config posted by @cfikes is default IPv6 config. So devices that come with default config (SOHO devices) will have it enabled if IPv6 is installed/enabled when the device is reset to defaults. This is true with ROS v7 (has IPv6 enabled by default) but not with ROS v6 because IPv6 is not installed by default. If the IPv6 package is installed at a later time, its default config will not be applied ... but will be shown in /system default-configuration print nevertheless.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Default IPv6 copy/paste for SOHO use

Mon Dec 19, 2022 11:59 am

 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Default IPv6 copy/paste for SOHO use

Mon Dec 19, 2022 3:07 pm

> All I needed to do to the above was change the WAN and LAN interface names. IPv6 interface lists would be nice :)

Interface lists know nothing of higher level protocols; they can be used in IPv4 and/or IPv6 firewall rules.

For info: DHCPv6 has no mechanism to obtain or provide a default gateway. The Mikrotik DHCPv6 client add-default-route=yes is a hacky bodge: it uses the address of the DHCPv6 server from which the address/prefix/other information was received. This works if the DHCPv6 server and the default gateway have the same link-local address, but otherwise fails.

If the WAN connection is IPoE the correct method is to use received router advertisements (RA), which unfortunately are not displayed by RouterOS, as discussed in other forum posts, and was completely broken in early releases of RouterOS v7. The default IPv6 settings include forward=yes and accept-router-advertisements=yes-if-forwarding-disabled, and as you are using forwarding between WAN and LAN you need to set accept-router-advertisements=yes. It would be nice if Mikrotik implemented RFC7084/RFC9096.

Requesting an IPv6 WAN address is usually not necessary. On receiving a router advertisement containing prefix information (they all should) with the autonomous address-configuration flag set, the WAN interface will automatically be assigned a GUA formed from the prefix and the EUI-64 address generated from the interface MAC address, in just the same way non-router endpoints such as PCs would. Note this RA prefix is not the same as that obtained through DHCPv6 prefix delegation.
 
cfikes
Member Candidate
Posts: 106
Joined: Mon Dec 08, 2014 9:14 pm
Location: Texas

Re: Default IPv6 copy/paste for SOHO use

Tue Dec 20, 2022 3:01 am

> Most (if not all) of the config posted by @cfikes is default IPv6 config. So devices that come with default config (SOHO devices) will have it enabled if IPv6 is installed/enabled when the device is reset to defaults. This is true with ROS v7 (has IPv6 enabled by default) but not with ROS v6 because IPv6 is not installed by default. If the IPv6 package is installed at a later time, its default config will not be applied ... but will be shown in /system default-configuration print nevertheless.

Focus on the ALL. I figured Mikrotik would rather I post something default if it was going to be copy and pasted.
 
kalamaja
Member Candidate
Posts: 112
Joined: Wed May 23, 2018 3:13 pm

Re: Default IPv6 copy/paste for SOHO use

Tue Dec 20, 2022 10:54 am

> But if it's so complex with so many variables, how does every other home/SOHO router do it easily with zero config?
>
> There MUST be ONE simple way to do this for SOHO / Home use.

The more of an "everyday feature" IPv6 gets, the more common knowledge there will be. Let's compare IPv4 and IPv6 standard configurations and not special cases:
IPv4: get IPv4 ADDRESS for router using DHCPv4 client, share internal IPs and network configuration using DHCPv4 server, filter, NAT filter internal traffic using FIREWALL
IPv6: get IPv6 PREFIX for router using DHCPv6 client, share (external) addresses from prefix using ND, filter traffic using FIREWALL (ALLOW/DENY), NATing is not mandatory.

Main things to replace in mind with IPv6:
a) first half of IPv6 address is network, second half is device
b) subnets of different sizes, aka prefixes, are shared to clients. If the ISP gives you a /56, then you have 64-56=8 -> 2^8 subnets available to you for splitting.
c) public addresses for internal clients are OK, for firewall it's easier to ALLOW/DENY than to SRC-NAT(masquerade) or DST-NAT (portforward).
d) don't keep the static internal addresses mindset in IPv6. It's possible in IPv6, but not with Mikrotik; also there are clients (Android) that only support autoconfiguration, so you can't get rid of SLAAC.
e) it's the client devices, not the router, that decide how many addresses to use, how to use them and how often to change them. DNS for internal devices is currently the harder part in Mikrotik.
f) there are tons of IPv6 addresses for you in every prefix, so get and set a different IPv6 address for every service in your router/device, so you can easily enable/disable them in the FIREWALL.

In ROSv6 you have to enable the ipv6 module and reset the configuration to get standard firewall rules; in ROSv7 IPv6 is built-in, so you already get standard firewall rules with a reset configuration.

Simple example:
# get prefix from ISP and put into prefix pool. From prefix pool you can split it further to your needs using DHCPv6 server, but DHCPv6 server is not needed if you do not need to split prefix.
/ipv6 dhcp-client add add-default-route=yes interface=ether1 pool-name=ISPv6 request=prefix

# get subnet from pool and get set address from it to the bridge. In IPv6 network's min and max addresses are not reserved, so you may get prefix:: aka prefix::0 for the bridge
/ipv6 address add from-pool=ISPv6 interface=bridge advertise=yes
# enable Network Discovery to respond to clients' request
/ipv6 nd set [ find default=yes ]
/ipv6 nd prefix add interface=bridge
Last edited by kalamaja on Tue Dec 20, 2022 1:55 pm, edited 1 time in total.
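As an added illustration (not code from this thread or from RouterOS), here is what two things in the posts above boil down to: the address that cfikes's `eui-64=yes` assignment produces from a /64 prefix and the interface MAC, and kalamaja's point b) that a delegated /56 splits into 2^8 /64 subnets. The delegated prefix and the MAC are constructed sample values.

```python
import ipaddress
from typing import Optional

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 appendix A) from a 48-bit MAC:
    insert 0xFFFE between the OUI and the device part, then flip the U/L bit (0x02
    in the first octet). This is the identifier an eui-64=yes address carries."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Network half (the /64 prefix) plus device half (the EUI-64 identifier)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addresses need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def mac_from_eui64(addr: str) -> Optional[str]:
    """Return the MAC embedded in an EUI-64 address, or None when the ff:fe marker is
    absent. The same hardware is recognisable under every prefix it ever uses, which
    is why client OSes prefer temporary addresses and why an audit may want this check."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{o:02x}" for o in octets)

def delegated_subnets(delegated: str, new_prefixlen: int = 64) -> list:
    """Split a delegated prefix into /64 LAN subnets: a /56 gives 2**(64-56) = 256."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > new_prefixlen:
        raise ValueError("delegated prefix is already smaller than the target size")
    return list(net.subnets(new_prefix=new_prefixlen))

if __name__ == "__main__":
    # Constructed sample values: a documentation-range delegation and a made-up MAC.
    lan = delegated_subnets("2001:db8:abcd::/56")
    bridge_net = lan[1]  # pick the second /64 for the bridge
    print(len(lan), bridge_net, eui64_address(str(bridge_net), "00:11:22:33:44:55"))
```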
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Default IPv6 copy/paste for SOHO use

Tue Dec 20, 2022 11:53 am

> Focus on the ALL.

One can disagree with MT's policy but I can understand that the most powerful devices come without default config. MT somehow expects those devices to be configured by networking pros who are supposed to know things better. If a non-pro is faced with configuring such devices ... then she's in trouble, neh? It is expected that those pro devices will be used in very different use cases and including default config (which would cover only a fraction of use cases) is simply not necessary.

IMO posting default config can be helpful but also bad at the same time because they will often not be motivated to learn (enough) ROS. And one of the skills that comes in very handy on non-pro devices is knowledge about how to retrieve and read the default configuration.
 
cfikes
Member Candidate
Posts: 106
Joined: Mon Dec 08, 2014 9:14 pm
Location: Texas

Re: Default IPv6 copy/paste for SOHO use

Tue Dec 20, 2022 2:33 pm

> Focus on the ALL.
>
> IMO posting default config can be helpful but also bad at the same time because they will often not be motivated to learn (enough) ROS. And one of the skills that comes in very handy on non-pro devices is knowledge about how to retrieve and read the default configuration.

I can get behind this 100%
