Notes on IPv6 with RouterOS 7 Nov 21 — 16 July 23
- - - - - - - -

About adding IPv6 connectivity to a local network using Mikrotik RouterOS. In a second part, extending IPv6 to a second, downstream router.

Part I

Connecting up IPv6 has two steps: getting an address prefix from the ISP, and arranging for hosts to complete their own addresses using Router Advertisements.

These instructions assume the Routerboard is directly connected on its upstream link to an internet provider (ISP). They are given for the 'Webfig' browser interface but should be usable with 'Winbox'. They can also be entered from a command line in the RouterOS Terminal, or with a script if you have several devices to set up.

1. Check that your internet supplier is providing you with a connection that includes IPv6.

More information; Normally the ISP provides a 'prefix' for your IPv6 addresses by 'prefix delegation'; your router will request the prefix from them. The prefix 'length' is indicated by a 'mask'. It should be /64 or preferably a lower figure (more addresses); /56 is good.

2. Check that IPv6 is enabled on the Routerboard: System>Packages; if IPv6 is not enabled, enable it and reboot.

3. At IPv6>Firewall, set IPv6 firewall rules e.g. the basic set from Mikrotik (ref. ii).

More information. Do not block getting the prefix from your ISP. E.g. use the suggested rule

    chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="accept DHCPv6-Client prefix delegation from upstream DHCPv6-Server."

Here, fe80::/10 represents link-local addresses, which are used for getting a prefix from your ISP (as well as for communicating among nodes on your network).

Troubleshooting. Take care in setting the firewall rule for the acceptance of prefix delegation from upstream to choose the correct interface: the In.Interface in my case had to be the pppoe interface, so that the DHCP client was able to bind (see the next point).

4.
Go to IPv6>DHCP client, Add New, enter your gateway WAN interface, request 'prefix', enter a 'Pool Name', and a 'Pool Prefix Length' for the pool which should be equal to or greater than the mask of the ISP-delegated prefix (fewer addresses); I used 60 for an ISP provision of /56. You should see 'searching' then 'bound' and the prefix should be shown in IPv6>Pool (don't make an entry in IPv6>Pool yourself). 'Prefix Hint' and 'Add Default Route' are not necessary. Choose 'Use Peer DNS' unless you want to use only the built-in DNS resolver.

More information; this is 'prefix delegation' from your ISP and defines your IPv6 subnet on the internet. From the prefix you claim, address 'pools' will be derived, and from them your 'global' (Global Unicast Address: GUA) IPv6 addresses.

Troubleshooting. The gateway to choose depends on your type of connection with the ISP; I had to use 'pppoe-out1'. A pool-prefix-length of 64 is only sufficient to allow one router to provide IPv6 connectivity to the subnet(s) on its own interfaces. If IPv6>Pool does not populate automatically, 'Release' the entry in IPv6>DHCP client. Check that 'Rapid Commit' is not selected.

Confirmation. Reboot the router and use Tools>Ping to e.g. textno.de at 2406:1e00:b310:3000:7ed3:aff:fe2b:c124 (or find another IPv6 address with ping or dig).

5. Set up addresses in IPv6>Address for the downstream interfaces, including bridged interfaces, to provide GUA links for hosts on the router's subnet(s). For each global IPv6 address, the first, network part, will come from the Pool which you have specified. The second part (the 'interface identifier') can use EUI64, i.e. a sequence calculated deterministically from the device's hardware MAC address.

More information; Alternatively you can set the identifier part yourself, e.g. '::1/64' or '::cafe/64' etc, with EUI64 unchecked, and it will add this to the assigned prefix as the interface identifier.
Doing this will provide (somewhat more) human-recognisable gateway addresses for your LANs. 'Advertise' is checked (see point 6). 'Link-local' addresses (LLAs) will be provided automatically for interfaces and listed here. Check that an IPv6 'default' address has appeared, in LLA form (I had 'fe80::11/64'), with the gateway set to your WAN interface, e.g. pppoe. The WAN interface doesn't need a GUA, at least when using a PPPoE connection to the internet, as that link is by way of link-local addresses. You should find the display at IPv6>Routes also to be populated automatically, with routes to your LAN address(es), a default upstream route (to ::/0), and an 'unreachable' route directed to your assigned GUA prefix.

Confirmation. In Tools>Ping, with your WAN interface as the gateway, ping an IPv6 address, e.g. 2406:1e00:b310:3000:7ed3:aff:fe2b:c124.

6. The following uses 'stateless' addressing for devices on your subnets. Go to IPv6>ND>Interfaces. This is already populated with a default neighbour discovery rule. If you wish to make your own, for each downstream (LAN) interface (bridge or single interface), Add New, enable, and choose the interface. Address prefixes assigned to the subnet(s) will be shown in IPv6>ND>Prefixes.

More information; This is stateless autoconfiguration ('SLAAC', ref. ix) which makes it simple for hosts to collect an IPv6 prefix from the router for themselves (in RouterOS the DHCPv6 server is not used to distribute addresses to non-router devices). Step 6 causes the router to send out ICMP 'Router Advertisement' packets to arrange the IPv6 addressing of hosts on the link, part of the 'Neighbour Detection' (ND) protocol (ref. iii), done by the 'Router Advertisement Daemon' (RADVD). Each host then sets up its own global address using the prefix as advised plus an EUI64 sequence or an identifier chosen by you as mentioned above.

Troubleshooting. If prefixes are not shown in IPv6>ND>Prefixes, check that 'Advertise' is checked in IPv6>Addresses.
Confirmation. Reboot, and on a device on the router's LAN check if it now has an IPv6 address, and from it confirm IPv6 connectivity to a site like ipv6-test.com.

7. [optional] Extending IPv6 connectivity to a downstream router. Said to be 'very easy' (ref iv), but in my experience not so easy. If you need to do this, see the next section.

Part II

Extending IPv6 connectivity to a downstream router, also called 'chaining' or 'cascading' routers. IPv6 DHCP, not SLAAC, is used for the link between the routers.

1. The 'edge' router (connected with the ISP) will now be called the 'upstream' router, and another Routerboard, in a 'core' location, the 'downstream' router. With IPv6 connectivity already working on the upstream router as described in steps 1-7 above...

2. For this to work, the upstream router needs to be getting from the ISP a prefix shorter than /64 (more addresses), e.g. /56. Refer to point 1. in part I above. So in IPv6>DHCP client on the upstream router set 'Pool Prefix Length' to less than /64, but greater than the prefix length supplied by your ISP. I used /60.

More information; The 'pool' that each router uses is a pool of subnets, not a pool of addresses. 'Pool Prefix Length' gives the length in bits of the subnets that a Pool will distribute when needed--the larger the prefix length numerically, the fewer addresses are in each subnet assigned from the Pool. This is not about the length of IPv6 addresses--always /128--or about the length of their 'network part'--here, always /64. The size of the Pool must be larger than the size of the prefix spaces it distributes, so the prefix pool length on the downstream router must be numerically larger (fewer addresses) than the prefix pool length on the upstream router. Therefore router cascading won't work if the ISP supplies you only a /64 prefix (ref. v). The current recommendation is for ISPs to provide clients with a persistent /56 prefix (ref vi).

3.
Extending IPv6 to a downstream router uses DHCP rather than SLAAC, i.e. uses the upstream DHCPv6 server for 'prefix delegation' to the downstream device. Still on the upstream router, go to IPv6>DHCP server and make a new entry. Provide a name for the server. The Address Pool6 is the Pool defined previously. The interface is that by which you will be connecting to your downstream router.

Troubleshooting. To add the IPv6 address pool name permanently to the upstream DHCPv6 server, I had to use the Terminal. Manual entry of the pool name in Webfig seemed to work but the value later disappeared, and the downstream client (point 8. below) did not 'bind' to the pool. This occurred in several versions of RouterOS 6 and it seems to be a bug. When an entry was added for a DHCPv6 server on the command-line, and the downstream client 'Renewed', the downstream client indicated 'bound' (and on the upstream router, DHCP Server>Bindings was populated). See ref. x.

4. In the IPv6 firewall on the upstream router, allow Neighbour Discovery Protocol packets, e.g. Accept on Input Chain Protocol 17 (udp) to Destination Port 5678 from in-interface-list LAN.

5. Still in the firewall on the upstream router, allow Router Solicitation from downstream, e.g. Accept on Input Chain Protocol 17 (udp) to Destination Port 547 from in-interface-list LAN.

The following steps are performed on the downstream router.

6. Check that IPv6 is enabled (cf. point 2 in Part I).

7. Check that the IPv6 firewall is not blocking Router Advertisements, if necessary by adding a new filter rule in IPv6>Firewall>Filter Rules on the 'input' Chain with Action 'accept' for Protocol '17 (udp)' for Destination Port '546'. Add another rule on the Input Chain to 'Accept' udp packets for Destination Port '5678' for the Neighbour Discovery Protocol. Check also that input of icmpv6 packets is accepted here as well.

8.
In IPv6>DHCP client Add New, enter the upstream interface, enter a new name for this router's pool, request 'prefix', and choose a prefix length greater (smaller pool) than the pool prefix length of the upstream router (I used /62). The pool should display in IPv6>Pool.

More information. This is the pool from which clients of this router will draw their address information. IPv6>Neighbors should now show the upstream router.

Troubleshooting. Some sources (e.g. ref vii) indicate that 'Add Default Route' may need to be checked as a workaround. If the DHCP Client keeps 'Searching...', check that the upstream router DHCP Server's Address Pool6 is correct. See also point 3 above, in Troubleshooting.

Confirmation. Reboot and use Tools>Ping to e.g. textno.de at 2406:1e00:b310:3000:7ed3:aff:fe2b:c124.

9. Set up addresses for hosts on interfaces at IPv6>Addresses following step 5 in Part I above. These will be GUAs; the link-local addresses (which begin with fe80::) will appear automatically. Also set up Neighbour Discovery in IPv6>ND>Interfaces for this router's downstream LANs following step 6 in Part I above.

More information. The IPv6 link-local addresses (LLA) used by routers to communicate between themselves are usually generated from the devices' MAC addresses by a simple algorithm. The page (ref. viii) explains it and shows the conversion between MAC and link-local addresses.

10. In IPv6>Settings, the default setting for 'Accept Router Advertisements' is 'yes if forwarding disabled'.

Troubleshooting. It has been claimed (e.g. ref. vii) that this may need to be set to 'yes' in some circumstances.

Confirmation. Reboot, and on a device on the downstream router's LAN check that it now has an IPv6 address, and from it confirm IPv6 connectivity at a site like ipv6-test.com.

Further troubleshooting. If IPv6 is connected through to the downstream LAN 'nodes' but ipv6-test.com etc do not report connectivity, check that there is a default route present in IPv6>Routes.
This should have a Destination Address of ::/0 and a Gateway which represents the 'next hop' for packets; i.e. the address of the downstream-facing interface of the upstream router. This address can be supplied as that interface's LLA (obtained for example from the table at IPv6>Addresses on the upstream router), but this sequence must be extended with a percent sign followed by the name of the upstream interface of the downstream router. For example this entry in IPv6>Routes; Dst. Address ::/0 and Gateway fe80::e68d:8cfe:fe81:6f3e%ether1. The entry 'Gateway' will display 'reachable'.

Refs

i. A general overview of IPv6 addressing from Mikrotik: wiki.mikrotik.com/wiki/Manual:IPv6/Address In the new manual: help.mikrotik.com/docs/display/ROS/IPv4+and+IPv6+Fundamentals
ii. Mikrotik IPv6 firewall prescription: help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall#BuildingYourFirstFirewall-IPv6firewall
iii. Mikrotik on Neighbour Detection: help.mikrotik.com/docs/display/ROS/IPv6+Neighbor+Detection
iv. Chaining two routers: https://forum.mikrotik.com/viewtopic.php?t=123053
v. An embarrassment of riches?: https://guzzijason.github.io/dhcp6-delegation/prefix64.html
vi. RIPE Best Current Operational Practice: ripe.net/publications/docs/ripe-690#5-2--why-non-persistent-assignments-are-considered-harmful
vii. About 'Add default route': https://forum.mikrotik.com/viewtopic.php?t=185518#p929567
viii. Link-local address calculator, https://nettools.club/mac2ipv6. Accessed April 2023.
ix. SLAAC basically works like this! (by ZeroByte): https://forum.mikrotik.com/viewtopic.php?p=593111#p590447
x. Webfig bug? IPv6 dhcp-server can't set pool https://forum.mikrotik.com/viewtopic.php?t=174758 I used the following in Terminal for the fix:

    /ipv6 dhcp-server set address-pool=poolName [find name=DHCPServerName]

Done on ROS versions 6.49.6-8 (stable).

Comments and corrections please to BMCP@pm.me.

- - Not used. Mikrotik.
Setting up DHCPv6: https://wiki.mikrotik.com/wiki/Setting_up_DHCPv6
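
The pool arithmetic from Part II, step 2, worked through as an added example (not part of the original notes, and not RouterOS's own allocator). The function names and the 2001:db8::/32 documentation prefix are assumptions, as is the choice that each downstream router is leased the first block of the pool above it.

```python
import ipaddress

def cascade_plan(delegated, pool_lengths):
    """Walk a chain of routers, edge router first.

    delegated    -- prefix the ISP delegates to the edge router
    pool_lengths -- 'Pool Prefix Length' set in each router's DHCPv6 client
    Returns one row per router:
    (prefix held, pool prefix length, blocks in the pool, /64 LANs per block).
    """
    held = ipaddress.IPv6Network(delegated)
    plan = []
    for hop, length in enumerate(pool_lengths):
        has_downstream = hop < len(pool_lengths) - 1
        # A lone router may reuse the delegated length (Part I, step 4); any
        # router in a chain needs a numerically larger one (Part II, step 2).
        strict = hop > 0 or has_downstream
        if length > 64:
            raise ValueError(f"router {hop}: /{length} is longer than a /64 LAN prefix")
        if length < held.prefixlen or (strict and length == held.prefixlen):
            raise ValueError(
                f"router {hop}: pool length /{length} does not fit inside {held}")
        plan.append((str(held), length,
                     2 ** (length - held.prefixlen), 2 ** (64 - length)))
        # Assumption: the next router is leased the first block of this pool.
        held = next(held.subnets(new_prefix=length))
    return plan

def can_cascade(delegated, pool_lengths):
    """True if every router in the chain can be given a usable pool."""
    try:
        cascade_plan(delegated, pool_lengths)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed input: documentation prefix with the /56, /60, /62 used above.
    for row in cascade_plan("2001:db8:ab00::/56", [60, 62]):
        print("holds %s, pool hands out /%d: %d blocks, %d LAN /64s each" % row)
    print("ISP gives only a /64, two routers:",
          can_cascade("2001:db8:ab00::/64", [64, 64]))
```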