Getting IPv6 Going on RouterOS 7.1

I already wrote a post about IPv6 on Mikrotik, but with RouterOS 7 out, some things have changed slightly. So, it's time for an updated guide. And, as one might expect, things are pretty much the same.

As before, the prerequisite is that you get at least a /64 prefix from your ISP (Comcast in my case) via DHCPv6. An empty IPv6 configuration is also assumed.

The first thing I like doing is disabling the default neighbor discovery interface. Blasting IPv6 router advertisements on all interfaces is not necessarily a good idea:

Terminal
/ipv6 nd
set [ find default=yes ] disabled=yes

The next step is to set up the DHCP client. Within a few seconds, you should see the prefix being allocated:

Terminal
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=general-pool6 request=prefix use-peer-dns=no

:delay 5s
print
Flags: D - dynamic, X - disabled, I - invalid
 #  INTERFACE  STATUS  REQUEST  PREFIX
 0  ether1     bound   prefix   2601:db8:9780:ee2c::/64, 3d14h41m41s

At this point I love to allocate an address ending with ::1 to the router itself:

Terminal
/ipv6 address
add address=::1 from-pool=general-pool6 interface=bridge1 advertise=yes

Now it should be possible to ping its address from an external computer (in this example, the address would be 2601:db8:9780:ee2c::1). If this doesn't work, check whether you have link-local addresses. If none are present, reboot the router and they will be regenerated.

With the router reachable, it is time to delegate the IPv6 prefix to internal machines too. For this purpose, set up RA (router advertisement) over the bridge. While the default interval settings are just fine, I like to make them a bit shorter (20-60 seconds):

Terminal
/ipv6 nd
add interface=bridge1 ra-interval=20s-60s

And that's all. Now the computers behind the router will have a direct IPv6 route to the Internet. Do not forget to set up both the router firewall and the firewall on individual devices. There is no NAT to save your butt here.

PS: Here is a basic IPv6 firewall allowing all connections out while allowing only established ones back in:

Terminal
/ipv6 firewall filter

add chain=input action=drop connection-state=invalid comment="Drop invalid"
add chain=input action=accept connection-state=established,related comment="Accept established"
add chain=input action=accept in-interface=ether1 protocol=udp src-port=547 limit=10,20:packet
add chain=input action=drop in-interface=ether1 protocol=udp src-port=547 comment="Drop ext DHCP >10/sec"
add chain=input action=accept in-interface=ether1 protocol=icmpv6 limit=10,20:packet
add chain=input action=drop in-interface=ether1 protocol=icmpv6 comment="Drop ext ICMP >10/sec"
add chain=input action=accept in-interface=!ether1 protocol=icmpv6 comment="Accept internal ICMP"
add chain=input action=drop in-interface=ether1 comment="Drop external"
add chain=input action=reject comment="Reject everything else"

add chain=output action=accept comment="Accept all"

add chain=forward action=drop connection-state=invalid comment="Drop invalid"
add chain=forward action=accept connection-state=established,related comment="Accept established"
add chain=forward action=accept in-interface=ether1 protocol=icmpv6 limit=20,50:packet
add chain=forward action=drop in-interface=ether1 protocol=icmpv6 comment="Drop ext ICMP >20/sec"
add chain=forward action=accept in-interface=!ether1 comment="Accept internal"
add chain=forward action=accept out-interface=ether1 comment="Accept outgoing"
add chain=forward action=drop in-interface=ether1 comment="Drop external"
add chain=forward action=reject comment="Reject everything else"
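
To see how first-match ordering in the forward chain produces the "all out, only established back in" policy, here is an added example (not part of the original post) that parses those rules in Python and evaluates constructed packets against them. The matcher is a simplified model covering only the properties used in these rules, and the `over_limit` flag is an assumed stand-in for the rate state of the `limit` matcher.

```python
import shlex

# Forward-chain rules from the firewall above, retyped as input for this example.
FORWARD_RULES = '''
add chain=forward action=drop connection-state=invalid comment="Drop invalid"
add chain=forward action=accept connection-state=established,related comment="Accept established"
add chain=forward action=accept in-interface=ether1 protocol=icmpv6 limit=20,50:packet
add chain=forward action=drop in-interface=ether1 protocol=icmpv6 comment="Drop ext ICMP >20/sec"
add chain=forward action=accept in-interface=!ether1 comment="Accept internal"
add chain=forward action=accept out-interface=ether1 comment="Accept outgoing"
add chain=forward action=drop in-interface=ether1 comment="Drop external"
add chain=forward action=reject comment="Reject everything else"
'''

def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict; shlex keeps quoted comments whole."""
    return [dict(t.split("=", 1) for t in shlex.split(line)[1:])
            for line in text.strip().splitlines()]

def matches(rule, pkt):
    """Simplified matcher (assumption): handles only the properties used above."""
    for key, want in rule.items():
        if key in ("chain", "action", "comment"):
            continue
        if key == "limit":                      # rule matches only while under the rate
            ok = not pkt.get("over_limit")
        elif key == "connection-state":
            ok = pkt[key] in want.split(",")
        elif want.startswith("!"):              # negated match, e.g. in-interface=!ether1
            ok = pkt.get(key) != want[1:]
        else:
            ok = pkt.get(key) == want
        if not ok:
            return False
    return True

def verdict(rules, pkt):
    """First matching rule wins; returns (1-based rule number, action)."""
    for i, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return i, rule["action"]
    return None, "accept"                       # no match in a built-in chain means accept

RULES = parse_rules(FORWARD_RULES)
# Constructed packets: a LAN host opening a connection, and an unsolicited inbound attempt.
OUTBOUND = {"connection-state": "new", "in-interface": "bridge1", "out-interface": "ether1", "protocol": "tcp"}
INBOUND = {"connection-state": "new", "in-interface": "ether1", "out-interface": "bridge1", "protocol": "tcp"}
for name, pkt in (("outbound", OUTBOUND), ("inbound", INBOUND)):
    print(name, verdict(RULES, pkt))
```

On the router itself, the per-rule packet counters in the filter list show which rule real traffic is hitting.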

9 thoughts to “Getting IPv6 Going on RouterOS 7.1”

  1. I don't have a bridge setup, can I just replace bridge1 with ether1? Or should it be lte1 (I’m on an LTE connection)

    I know people talk a lot about bridges but I’ve never fully understood why they are needed and they are in the stock configuration.

    1. Lte1 would be the external connection in your case. ND needs to be set on the internal bridge in order to be available to multiple internal interfaces. Only if you want IPv6 on a SINGLE physical interface, you can select ether2 or wherever you have your machine connected.

  2. Thanks for this guide — I found it really helpful. I’ve now got my travel router configured with an L2TP tunnel for IPv4 (a single address with single, not double, NAT) _and_ proper IPv6. Yay!

  3. Nicely done but the invalid traffic should be right after the established connections as the established one will be used way more than invalid so the sooner you get to it the better and faster.

  4. Excellent, worked first time. Too many stale guides from v6, thanks for taking the time to do one that works in 2023!

  5. THANK YOU SO MUCH !!!!!

    I’ve been struggling with old guides for hours, and I wasn’t even doing it wrong.
    Rebooting allowed me to get my link-local working.
    Wish I’d seen that advice somewhere earlier!
