Setting IPv6 on Mikrotik

If your ISP offers IPv6 and you have Mikrotik router, it would be shame not to make use of it. My setup assumes you get /64 prefix from your ISP (Comcast in my case) via DHCPv6. Also assumed is empty IPv6 configuration.

First I like to disable default neighbor discovery interface. Blasting IPv6 router advertisements on all intefaces is not necessarily a good idea:

/ipv6 nd
set [ find default=yes ] disabled=yes

Next step is to setup DHCP client. Withing a few seconds, you should see the prefix being allocated:

/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=general-pool6 request=prefix
:delay 5s
print
Flags: D - dynamic, X - disabled, I - invalid
# INTERFACE STATUS REQUEST PREFIX
0 ether1 bound prefix 2601:600:9780:ee2c::/64, 3d14h41m41s

At this time I love to allocate address ending with ::1 to the router itself:

/ipv6 address
add address=::1 from-pool=general-pool6 interface=bridge1 advertise=yes

Now it should be possible to ping its address from external computer (in this example address would be 2601:600:9780:ee2c::1). If this doesn’t work, do check if you have link-local addresses. If none are present, reboot the router and they will be regenerated.

With router reachable, it is time to delegate IPv6 prefix to internal machines too. For this purpose, setup RA (router announcement) over the bridge. While default interval settings are just fine, I like to make them a bit shorter (20-60 seconds):

/ipv6 nd
add interface=bridge1 ra-interval=20s-60s

And that’s all. Now your computers behind the router will have direct IPv6 route to the Internet. Do not forget to setup both router firewall and firewall of individual devices. There is no NAT to save your butt here.

PS: Here is the basic IPv6 firewall allowing all connections out while allowing only established back in:

/ipv6 firewall filter
add chain=input action=drop connection-state=invalid comment="Drop (invalid)"
add chain=input action=accept connection-state=established,related comment="Accept (established, related)"
add chain=input action=accept in-interface=ether1 protocol=udp src-port=547 limit=10,20:packet comment="Accept DHCP (10/sec)"
add chain=input action=drop in-interface=ether1 protocol=udp src-port=547 comment="Drop DHCP (>10/sec)"
add chain=input action=accept in-interface=ether1 protocol=icmpv6 limit=10,20:packet comment="Accept external ICMP (10/sec)"
add chain=input action=drop in-interface=ether1 protocol=icmpv6 comment="Drop external ICMP (>10/sec)"
add chain=input action=accept in-interface=!ether1 protocol=icmpv6 comment="Accept internal ICMP"
add chain=input action=drop in-interface=ether1 comment="Drop external"
add chain=input action=reject comment="Reject everything else"
add chain=output action=accept comment="Accept all"
add chain=forward action=drop connection-state=invalid comment="Drop (invalid)"
add chain=forward action=accept connection-state=established,related comment="Accept (established, related)"
add chain=forward action=accept in-interface=ether1 protocol=icmpv6 limit=20,50:packet comment="Accept external ICMP (20/sec)"
add chain=forward action=drop in-interface=ether1 protocol=icmpv6 comment="Drop external ICMP (>20/sec)"
add chain=forward action=accept in-interface=!ether1 comment="Accept internal"
add chain=forward action=accept out-interface=ether1 comment="Accept outgoing"
add chain=forward action=drop in-interface=ether1 comment="Drop external"
add chain=forward action=reject comment="Reject everything else"

11 thoughts to “Setting IPv6 on Mikrotik”

  1. Thanks a lot! I wished it was possible to copy and paste this into the Terminal, though. It was quite tedious to type it out :-)

    1. You can … simply use ssh (putty on windows) to connect via ssh to your mikrotik – using ssh/putty you can use cut&paste.

  2. I did the ipv6 configuration and none of my devices are getting ipv6 addresses, other than the fe80:: stuff. Do I need a dhcp server?

  3. Hey there! Thanks for the tutorial!

    I did everything exactly as you mentioned but every time I reboot the router both the address pool and all of the IPv6 routes disappear. The DHCP client config is still active but the bridge isn’t able to get an address because the pool is gone. Any idea what could be going on?

  4. Thanks for that! Works great just had to replace with my interfaces but copy/paste and works in 100% Thank You great job!

  5. Excellent tutorial! Thanks for posting and helping all ipv6 newbies out there. One remark/question – is there a reason you request only prefix but no address when setting up the DHCP client?

    1. It’s just a matter of style. Since I already assign prefix::1 to the router, additional IP is not needed. Since I don’t want it, I don’t request it. Requesting extra IP doesn’t hurt but there is no need for it if you manually assign address from IPv6 pool as I do here.

  6. Hello, thanks for the tutorial.

    My ISP don’t use DHCPv6, so I just skipped the DHCPv6 Client config and jumped to the RD part

    But it just works when I define the ipv6 address on the ether1 (WAN) interface and not on the bridge.

    With that in place I can ping the gateway on the ISP side ::1, an after manually adding a route to 2000::/3 via MY_PREFIX::1 as GW.

    How can I make my devices behind it, on the bridge(ether{2.3,4,5}) to get the Routing Anouncements too ?

    When I try to define another ipv6v address to the bridge interface, I get an error that the pool is exausted, I really don’t know what it means.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.