My ISP uses DHCP-PD for prefix delegation. Currently I am assigned a /56 prefix, which I understand is the recommended prefix size for end customers. I use stateless address assignment for my end points.
The router I use, an RB4011, is connected to the ISP on ether1; all other networks are configured as bridges with assigned ports, most of them running through VLANs on the SFP+ port. I have several bridges but started out by configuring just one to see if I could get it working. It was easy to add more subnets later: just assign an address from the pool (explained below), configure Neighbor Discovery and you should be set.
So here is a brief step-by-step guide:
First of all, make sure you have the IPv6 package installed, then configure the firewall with some basic IPv6 settings. I ended up with the following minimal rule set to start with:
/ipv6 firewall filter
add action=reject chain=input comment="Reject invalid packets" connection-state=invalid reject-with=icmp-no-route
add action=accept chain=input comment="Allow established and related connections" connection-state=established,related
add action=accept chain=input comment="Allow ICMP" protocol=icmpv6
add action=accept chain=input comment="Allow lo" in-interface=loopback
add action=accept chain=input comment="Allow SSH to router" dst-port=22 in-interface=!ether1 protocol=tcp
add action=accept chain=input comment="Allow DHCPv6" dst-port=546 protocol=udp src-port=547
add action=reject chain=input comment="Reject TCP connections by default" in-interface=ether1 protocol=tcp reject-with=tcp-reset
add action=reject chain=input comment="Reject other protocols by default" in-interface=ether1 reject-with=icmp-admin-prohibited
add action=accept chain=forward comment="Allow related and established connections" connection-state=established,related
add action=accept chain=forward comment="Allow ICMP" protocol=icmpv6
add action=reject chain=forward comment="Reject invalid packets" connection-state=invalid log-prefix=IPv6: reject-with=icmp-no-route
add action=accept chain=forward comment="Allow any to internet" out-interface=ether1
add action=reject chain=forward comment="Reject TCP connections by default" in-interface=ether1 protocol=tcp reject-with=tcp-reset
add action=reject chain=forward comment="Reject other protocols by default" in-interface=ether1 reject-with=icmp-admin-prohibited
Next thing to configure is the IPv6 DHCP client:
/ipv6 dhcp-client add add-default-route=yes interface=ether1 pool-name=IPv6-pool prefix-hint=::/56 request=prefix use-peer-dns=no
If all goes well, you should be assigned a prefix from your ISP. With a /56 prefix assigned, you can subnet it into 256 /64 networks, each of which contains a whopping 18,446,744,073,709,551,616 addresses. As I understand it, the pool's prefix length will default to /64, which is exactly what is needed for stateless address configuration to work.
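To see what the firewall rule set in this section actually lets through, here is an added example (my own code, not from the original post) that parses those rules and evaluates a few constructed packets with RouterOS first-match semantics, including the implicit accept when no rule matches; it assumes the LAN bridge is named bridge-LAN.

```python
import re

RULES_TEXT = """
add action=reject chain=input comment="Reject invalid packets" connection-state=invalid reject-with=icmp-no-route
add action=accept chain=input comment="Allow established and related connections" connection-state=established,related
add action=accept chain=input comment="Allow ICMP" protocol=icmpv6
add action=accept chain=input comment="Allow lo" in-interface=loopback
add action=accept chain=input comment="Allow SSH to router" dst-port=22 in-interface=!ether1 protocol=tcp
add action=accept chain=input comment="Allow DHCPv6" dst-port=546 protocol=udp src-port=547
add action=reject chain=input comment="Reject TCP connections by default" in-interface=ether1 protocol=tcp reject-with=tcp-reset
add action=reject chain=input comment="Reject other protocols by default" in-interface=ether1 reject-with=icmp-admin-prohibited
add action=accept chain=forward comment="Allow related and established connections" connection-state=established,related
add action=accept chain=forward comment="Allow ICMP" protocol=icmpv6
add action=reject chain=forward comment="Reject invalid packets" connection-state=invalid log-prefix=IPv6: reject-with=icmp-no-route
add action=accept chain=forward comment="Allow any to internet" out-interface=ether1
add action=reject chain=forward comment="Reject TCP connections by default" in-interface=ether1 protocol=tcp reject-with=tcp-reset
add action=reject chain=forward comment="Reject other protocols by default" in-interface=ether1 reject-with=icmp-admin-prohibited
"""
# Only these keys are packet matchers; action, comment, reject-with and log-prefix are not.
MATCHERS = ("chain", "in-interface", "out-interface", "protocol", "src-port", "dst-port", "connection-state")

def parse_rules(text):
    """Turn each 'add k=v ...' line into a dict; quoted values keep their spaces."""
    return [{k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)}
            for line in text.strip().splitlines()]

def field_matches(want, have):
    """'!x' negates, 'a,b' lists alternatives, a field the packet lacks never matches."""
    return have is not None and (have != want[1:] if want.startswith("!") else have in want.split(","))

def evaluate(rules, pkt):
    """First matching rule wins; if nothing matches, RouterOS accepts (implicit default)."""
    for rule in rules:
        if all(field_matches(rule[k], pkt.get(k)) for k in MATCHERS if k in rule):
            return rule["action"], rule["comment"]
    return "accept", "implicit default (no rule matched)"

RULES = parse_rules(RULES_TEXT)  # the post's rule set, as quoted above

if __name__ == "__main__":
    # Constructed sample packets; a fresh TCP connection is state "new" until a reply is seen.
    ssh_from_wan = {"chain": "input", "in-interface": "ether1", "protocol": "tcp", "dst-port": "22", "connection-state": "new"}
    winbox_from_lan = {"chain": "input", "in-interface": "bridge-LAN", "protocol": "tcp", "dst-port": "8291", "connection-state": "new"}
    print(evaluate(RULES, ssh_from_wan))     # ('reject', 'Reject TCP connections by default')
    print(evaluate(RULES, winbox_from_lan))  # ('accept', 'implicit default (no rule matched)')
```

Note that the input chain only rejects by default on ether1: anything arriving on a LAN bridge that no rule matches reaches the router through the implicit accept, as the Winbox sample shows.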
The pool will be used for configuring IP addresses on the router and, if needed, for delegating subnets to other routers (in that case you will also have to configure an IPv6 DHCP server). I chose not to use the ISP-provided DNS since I run internal DNS servers, and they can resolve IPv6 addresses (once they receive a global IPv6 address).
Now we can assign IP addresses to the router on those internal networks that need IPv6 connectivity. I don't need an IP address on ether1, even though it is the external-facing interface, since I don't yet have any service in use that requires external access to that interface.
In my case I chose my LAN bridge to be assigned an address. If you followed these steps, hopefully you now have a globally unique address. Check with /ipv6 address print: you should find a global address (marked with the G flag) assigned from your newly created pool.
/ipv6 address add address=::1 from-pool=IPv6-pool interface=bridge-LAN
Next step is to configure Neighbor Discovery:
/ipv6 nd add advertise-dns=yes hop-limit=64 interface=bridge-LAN
Lastly, check the IPv6 settings; you must make sure forwarding is enabled:
/ipv6 settings print
That should be it! Now is a good time to test from a PC or other device in your LAN that you have IPv6 connectivity. I'm pinging Google from a PC:
ping -6 ipv6.google.com
Pinging ipv6.l.google.com [2a00:1450:400f:809::200e] with 32 bytes of data:
Reply from 2a00:1450:400f:809::200e: time=17ms
Ping statistics for 2a00:1450:400f:809::200e:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 17ms, Maximum = 17ms, Average = 17ms
Congratulations, you have working IPv6!
The only real problem I had was getting my Wi-Fi to run IPv6. I only use MikroTik access points, which are centrally managed by the router via CAPsMAN.
After some troubleshooting, I discovered that the IPv6 settings for the APs needed to be configured with IPv6 forwarding disabled, and I needed to add the ether interface (which is assigned to bridge1) to Neighbor Discovery.
/ipv6 settings print
/ipv6 nd add hop-limit=64 interface=bridge1 other-configuration=yes
Hopefully this will help you get started. If you find any suggestions for improvements, I’d be glad to hear about them.