I already did a post about IPv6 on Mikrotik, but now that RouterOS 7 is out, some things have slightly changed. So, it's time for an updated guide. And, as one might expect, things are pretty much the same.
As before, the prerequisite is that you get at least a /64 prefix from your ISP (Comcast in my case) via DHCPv6. An empty IPv6 configuration is also assumed.
The first thing I like doing is disabling the default neighbor discovery interface. Blasting IPv6 router advertisements on all interfaces is not necessarily a good idea:
/ipv6 nd
set [ find default=yes ] disabled=yes
The next step is to set up the DHCP client. Within a few seconds, you should see the prefix being allocated:
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=general-pool6 request=prefix use-peer-dns=no
Flags: D - dynamic, X - disabled, I - invalid
# INTERFACE STATUS REQUEST PREFIX
0 ether1 bound prefix 2601:db8:9780:ee2c::/64, 3d14h41m41s
At this point I like to allocate the address ending with ::1 to the router itself:
/ipv6 address
add address=::1 from-pool=general-pool6 interface=bridge1 advertise=yes
Now it should be possible to ping its address from an external computer (in this example the address would be 2601:db8:9780:ee2c::1). If this doesn't work, do check whether link-local addresses are present. If none are, reboot the router and they will be regenerated.
With the router reachable, it is time to delegate the IPv6 prefix to internal machines too. For this purpose, set up RA (router advertisement) on the bridge. While the default interval settings are just fine, I like to make them a bit shorter (20-60 seconds):
/ipv6 nd
add interface=bridge1 ra-interval=20s-60s
And that's all. Now your computers behind the router will have a direct IPv6 route to the Internet. Do not forget to set up both the router firewall and the firewalls of the individual devices. There is no NAT to save your butt here.
PS: Here is a basic IPv6 firewall allowing all connections out while letting only established ones back in:
/ipv6 firewall filter
add chain=input action=drop connection-state=invalid comment="Drop invalid"
add chain=input action=accept connection-state=established,related comment="Accept established"
add chain=input action=accept in-interface=ether1 protocol=udp src-port=547 limit=10,20:packet
add chain=input action=drop in-interface=ether1 protocol=udp src-port=547 comment="Drop ext DHCP >10/sec"
add chain=input action=accept in-interface=ether1 protocol=icmpv6 limit=10,20:packet
add chain=input action=drop in-interface=ether1 protocol=icmpv6 comment="Drop ext ICMP >10/sec"
add chain=input action=accept in-interface=!ether1 protocol=icmpv6 comment="Accept internal ICMP"
add chain=input action=drop in-interface=ether1 comment="Drop external"
add chain=input action=reject comment="Reject everything else"
add chain=output action=accept comment="Accept all"
add chain=forward action=drop connection-state=invalid comment="Drop invalid"
add chain=forward action=accept connection-state=established,related comment="Accept established"
add chain=forward action=accept in-interface=ether1 protocol=icmpv6 limit=20,50:packet
add chain=forward action=drop in-interface=ether1 protocol=icmpv6 comment="Drop ext ICMP >20/sec"
add chain=forward action=accept in-interface=!ether1 comment="Accept internal"
add chain=forward action=accept out-interface=ether1 comment="Accept outgoing"
add chain=forward action=drop in-interface=ether1 comment="Drop external"
add chain=forward action=reject comment="Reject everything else"
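As an added example that is not part of the original post: a small Python walk of the ruleset above in RouterOS first-match order, so you can check what a given packet hits before committing the rules. It carries a constructed copy of the input and forward chains (output chain left out), models the rate limiter as an "under-limit" flag on the packet, and assumes RouterOS's default of accepting a packet no rule matched.

```python
import shlex

# Constructed copy of the post's input/forward rules (output chain omitted).
RULES = """\
add chain=input action=drop connection-state=invalid comment="Drop invalid"
add chain=input action=accept connection-state=established,related comment="Accept established"
add chain=input action=accept in-interface=ether1 protocol=udp src-port=547 limit=10,20:packet
add chain=input action=drop in-interface=ether1 protocol=udp src-port=547 comment="Drop ext DHCP >10/sec"
add chain=input action=accept in-interface=ether1 protocol=icmpv6 limit=10,20:packet
add chain=input action=drop in-interface=ether1 protocol=icmpv6 comment="Drop ext ICMP >10/sec"
add chain=input action=accept in-interface=!ether1 protocol=icmpv6 comment="Accept internal ICMP"
add chain=input action=drop in-interface=ether1 comment="Drop external"
add chain=input action=reject comment="Reject everything else"
add chain=forward action=drop connection-state=invalid comment="Drop invalid"
add chain=forward action=accept connection-state=established,related comment="Accept established"
add chain=forward action=accept in-interface=ether1 protocol=icmpv6 limit=20,50:packet
add chain=forward action=drop in-interface=ether1 protocol=icmpv6 comment="Drop ext ICMP >20/sec"
add chain=forward action=accept in-interface=!ether1 comment="Accept internal"
add chain=forward action=accept out-interface=ether1 comment="Accept outgoing"
add chain=forward action=drop in-interface=ether1 comment="Drop external"
add chain=forward action=reject comment="Reject everything else"
"""

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted comments whole."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in text.splitlines() if line.startswith("add ")]

def matches(rule, pkt):
    """Every matcher on the rule must agree with the packet; '!' negates a value."""
    for key, want in rule.items():
        if key in ("chain", "action", "comment"):
            continue
        if key == "limit":  # token-bucket limiter: rule fires only while under budget
            if not pkt.get("under-limit", True):
                return False
        elif want.startswith("!"):
            if pkt.get(key) == want[1:]:
                return False
        elif pkt.get(key) not in want.split(","):  # also covers established,related
            return False
    return True

def verdict(rules, pkt):
    """Action and comment of the first matching rule in the packet's chain."""
    for rule in rules:
        if rule["chain"] == pkt["chain"] and matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "no rule matched (chain default)"
```

A packet is a dict keyed like the rule matchers, e.g. {"chain": "forward", "in-interface": "ether1", "out-interface": "bridge1", "protocol": "tcp", "connection-state": "new"}; walking that one shows it is the "Drop external" rule, not NAT, that keeps unsolicited Internet traffic away from LAN hosts.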
7 thoughts to “Getting IPv6 Going on RouterOS 7.1”
You are a true lifesaver.
I don't have a bridge setup, can I just replace bridge1 with ether1? Or should it be lte1 (I'm on an LTE connection)?
I know people talk a lot about bridges but I've never fully understood why they are needed and they are in the stock configuration.
Sorry, bridges aren't in the stock config.
Lte1 would be the external connection in your case. ND needs to be set on the internal bridge in order to be available to multiple internal interfaces. Only if you want IPv6 on a SINGLE physical interface can you select ether2 or wherever you have your machine connected.
Thanks, I set up a bridge and will now give it a go.
Thanks for this guide — I found it really helpful. I’ve now got my travel router configured with an L2TP tunnel for IPv4 (a single address with single, not double, NAT) _and_ proper IPv6. Yay!
Nicely done, but the invalid traffic rule should be right after the established connections, as the established one will be used way more than invalid, so the sooner you get to it the better and faster.