MikroUser
Frequent Visitor
Topic Author
Posts: 51
Joined: Sat Sep 07, 2013 1:56 pm

How to run IPv6 from starlink on a mikrotik?

Sun Jan 29, 2023 10:15 am

MikroTik team, I need your assistance.
Starlink is connected via adapter directly to the MikroTik. Bypass mode enabled. IPv4 works fine, but I have problems with IPv6.

Starlink gives IPv6 from DHCP with a 56 prefix.
The prefix is 2a0d:3344:1490:1700::/56
The default gateway received via DHCP is 2a0d:3344:1400:baee::1, but when I set the address 2a0d:3344:1490:1700::2/56 on the Starlink interface, the gateway is not reachable, no ping there, so I have no IPv6 connectivity.

But if I manually set an address from the received gateway range, for example 2a0d:3344:1400:baee::22, IPv6 works, ping is OK. But Starlink changes IP addresses and prefixes every day, so this is the wrong way to solve the problem.
When Starlink is connected with the stock router, everything works fine, IPv6 too.

Can anybody help me to set this up? I'm running a CCR2004 with ROS 7.7
 
tdw
Forum Guru
Posts: 2088
Joined: Sat May 05, 2018 11:55 am

Re: How to run IPv6 from starlink on a mikrotik?

Sun Jan 29, 2023 4:14 pm

In IPv6 the roles and capabilities of a router and host are separated much more strictly than in IPv4, and also DHCP works slightly differently.

You can only acquire an address with the DHCPv6 client if the provider supports it. DHCPv6 has no concept of a default gateway, the Add Default Route option is a bodge - it uses the address of the DHCPv6 server reply as the gateway which is often, but not always, correct depending on the provider's network topology.

The most common mechanism is to use received router advertisements (RA), which unfortunately are not displayed by RouterOS (as discussed in other forum posts, and was completely broken in earlier releases of RouterOS v7), to obtain the WAN prefix and gateway information, plus SLAAC for the address.

You can then use the DHCPv6 client to acquire a prefix, and assign IP addresses from that prefix to your LAN(s).

The default IPv6 settings include forward=yes and accept-router-advertisements=yes-if-forwarding-disabled, so as the router will be forwarding you need to set accept-router-advertisements=yes.

The pool prefix length should be the default of 64, not 48.
 
MikroUser
Frequent Visitor
Topic Author
Posts: 51
Joined: Sat Sep 07, 2013 1:56 pm

Re: How to run IPv6 from starlink on a mikrotik?

Sun Jan 29, 2023 5:20 pm

I tried different pool prefixes, but no result.
And logically, the server address (gateway) cannot be accessible from the provided prefix pool, because the gateway must be somewhere in a provided prefix, usually this is the 1st host.
Starlink DHCP doesn't send an address for the interface, prefix only.

And I see this issue not only with Starlink; our LTE providers also give IPv6 to clients in this way. In phones and tablets it works fine, but with MikroTik it's not working.

So, I don't understand, where is the problem? Is the MikroTik DHCP client not receiving full info from the Starlink DHCP server? Or what?
Why hasn't MT fixed this yet?
Last edited by MikroUser on Sun Jan 29, 2023 11:28 pm, edited 1 time in total.
 
tdw
Forum Guru
Posts: 2088
Joined: Sat May 05, 2018 11:55 am

Re: How to run IPv6 from starlink on a mikrotik?

Sun Jan 29, 2023 5:45 pm

> And logically, the server address (gateway) cannot be accessible from the provided prefix pool, because the gateway must be somewhere in a provided prefix, usually this is the 1st host.

No. The prefix is a completely separate block of addresses to the 'WAN' connection from the provider. Some providers do steal the first or last /64 of the prefix block for the WAN connection, but it is discouraged. See https://www.ripe.net/publications/docs/ripe-690 section 4.1.4

> Starlink DHCP doesn't send an address for the interface, prefix only.

As I said, the most common method of assigning the WAN subnet and gateway address is with Router Advertisements and SLAAC, not DHCPv6 requesting an address.

> And I see this issue not only with Starlink; our LTE providers also give IPv6 to clients in this way. In phones and tablets it works fine, but with MikroTik it's not working.

A phone or tablet will have a host role, the Mikrotik will typically have a router role. There are significant differences.

> So, I don't understand, where is the problem? Is the MikroTik DHCP client not receiving full info from the Starlink DHCP server? Or what?
> Why hasn't MT fixed this yet?

The Mikrotik implementation has lots of features so it can be used in many scenarios, not arbitrarily limited by the manufacturer. It is a configuration issue.
 
StubArea51
Trainer
Posts: 1742
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: How to run IPv6 from starlink on a mikrotik?

Sun Jan 29, 2023 7:36 pm

Change your pool prefix length to /64 on the DHCPv6-PD client

Then add an address on the LAN bridge or interface like this:

ipv6/address/add from-pool=StarLink-V6 advertise=yes interface=LAN
 
MikroUser
Frequent Visitor
Topic Author
Posts: 51
Joined: Sat Sep 07, 2013 1:56 pm

Re: How to run IPv6 from starlink on a mikrotik?

Sun Jan 29, 2023 7:54 pm

> Change your pool prefix length to /64 on the DHCPv6-PD client
> Then add an address on the LAN bridge or interface like this:
> ipv6/address/add from-pool=StarLink-V6 advertise=yes interface=LAN

Not working. As long as the gateway is unknown or not reachable, any configuration will fail.

> The Mikrotik implementation has lots of features so it can be used in many scenarios, not arbitrarily limited by the manufacturer. It is a configuration issue.

If I give you access to the MT, can you help me with the configuration?
Also, if the configuration is successful, this will be a good example for other users.
 
StubArea51
Trainer
Posts: 1742
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: How to run IPv6 from starlink on a mikrotik?

Sun Jan 29, 2023 8:07 pm

> Also, if the configuration is successful, this will be a good example for other users.

Reddit already has a validated base config:

https://www.reddit.com/r/Starlink/comme ... k_routers/

It seems that IPv6 connectivity is still very much a regional thing as some have it working and some don't. So depending on where you are, the prefix may be available for DHCPv6-PD client but not actually work.

Try the config referenced above and if that doesn't work, you prob don't have a complete IPv6 implementation yet from Starlink. Which means you'll have to wait until they fix it.
 
MikroUser
Frequent Visitor
Topic Author
Posts: 51
Joined: Sat Sep 07, 2013 1:56 pm

Re: How to run IPv6 from starlink on a mikrotik?

Sun Jan 29, 2023 9:08 pm

> Also, if the configuration is successful, this will be a good example for other users.
> Reddit already has a validated base config:
>
> https://www.reddit.com/r/Starlink/comme ... k_routers/
>
> It seems that IPv6 connectivity is still very much a regional thing as some have it working and some don't. So depending on where you are, the prefix may be available for DHCPv6-PD client but not actually work.

I don't know why Reddit validated that topic or config, but I didn't find any useful info there. I tried copying the config - nothing good happened.

The configs posted there don't have DHCP client and gateway settings. No info on what IPv6 address was set for the Starlink interface.
Without a gateway I get a "no route to host" error.

> Try the config referenced above and if that doesn't work, you prob don't have a complete IPv6 implementation yet from Starlink. Which means you'll have to wait until they fix it.

IPv6 works fine with the stock Starlink router, so I don't see any reason why it would not work with others.
But I can't find a way to make it work with MikroTik.
 
StubArea51
Trainer
Posts: 1742
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: How to run IPv6 from starlink on a mikrotik?

Sun Jan 29, 2023 9:41 pm

What are the outputs of?

 ipv6/address/print
 
 ipv6/route/print
 
 ipv6/neighbor/print
 
 
tdw
Forum Guru
Posts: 2088
Joined: Sat May 05, 2018 11:55 am

Re: How to run IPv6 from starlink on a mikrotik?

Sun Jan 29, 2023 9:45 pm

> The configs posted there don't have DHCP client and gateway settings. No info on what IPv6 address was set for the Starlink interface.

As said before, the WAN address and default gateway are obtained from Router Advertisements and the Mikrotik does not display these. Post your IPv6 configuration.
 
MikroUser
Frequent Visitor
Topic Author
Posts: 51
Joined: Sat Sep 07, 2013 1:56 pm

Re: How to run IPv6 from starlink on a mikrotik?

Sun Jan 29, 2023 10:04 pm

/ipv6 dhcp-server
add address-pool=StarLink-IPv6 disabled=yes interface=StarLink name=server1
/ipv6 address
add address=::7 from-pool=StarLink-IPv6 interface=LAN
add address=2a0d:3344:1e00:2749::fff1 advertise=no interface=StarLink
/ipv6 dhcp-client
add add-default-route=yes interface=StarLink pool-name=StarLink-IPv6 rapid-commit=no request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=fe80::/10 list=prefix_delegation
add address=2a0d:3344:1e00:2749::1/128 list=prefix_delegation
/ipv6 firewall filter
add action=accept chain=input dst-port=5678 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address-list=prefix_delegation
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface=!LAN
/ipv6 nd
set [ find default=yes ] advertise-mac-address=no dns=2606:4700:4700::1111 hop-limit=64 interface=LAN mtu=1280 other-configuration=yes ra-interval=3m20s-8m20s
/ipv6 nd prefix default
set preferred-lifetime=10m valid-lifetime=15m
/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes max-neighbor-entries=8192
This config is working for me now, but the IP address for the Starlink interface needs to be set manually, from the DHCP client info.
If the DHCP server address is 2a0d:3344:1e00:2749::1, we need to set an address from this same network on the Starlink interface, for example 2a0d:3344:1e00:2749::fff2. Only after that does everything work as needed.
But if Starlink changes the server address or prefix, this config will stop working, and we will need to set this up manually again.

I see 2 ways to solve that problem.
1. Write our own script and insert it into DHCP client > advanced. Theoretically this script will take the DHCP server IP from the DHCP client info and set an IP from the same range on the Starlink interface. Then, even if Starlink changes the server or prefix, we will get working IPv6 automatically.
2. The MikroTik team realises the same thing, but without a script, via RouterOS functionality.
 
MikroUser
Frequent Visitor
Topic Author
Posts: 51
Joined: Sat Sep 07, 2013 1:56 pm

Re: How to run IPv6 from starlink on a mikrotik?

Sun Jan 29, 2023 11:06 pm

Update.
Everything works now as needed.
I have just rebooted the MikroTik; after that a dynamic address was assigned to the Starlink interface via RA.

This is a 100% tested and working config for IPv6 & Starlink! Tested on CCR2004, ROS 7.7
/ipv6 address
add address=::5 from-pool=StarLink-IPv6 interface=LAN
/ipv6 dhcp-client
add add-default-route=yes interface=StarLink pool-name=StarLink-IPv6 rapid-commit=no request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input dst-port=5678 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface=!LAN
/ipv6 nd
set [ find default=yes ] advertise-mac-address=no dns=2606:4700:4700::1111 hop-limit=64 interface=LAN mtu=1280 other-configuration=yes ra-interval=3m20s-8m20s
/ipv6 nd prefix default
set preferred-lifetime=10m valid-lifetime=15m
/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes max-neighbor-entries=8192
 
anav
Forum Guru
Posts: 22398
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to run IPv6 from starlink on a mikrotik?

Mon Jan 30, 2023 5:24 pm

Awesome, me thinks this will be a useful thread when many ISPs finally change to IPV6.......
However, you never really stated, what you were doing wrong and what you changed to fix it, or what advice given was the key ????????????



By the way I thought the title when I first read it said. HOW TO RUN FROM STARLINK................. answer: as fast as you can!
 
t4thfavor
just joined
Posts: 18
Joined: Tue Apr 13, 2021 4:40 pm

Re: How to run IPv6 from starlink on a mikrotik?

Sun Feb 05, 2023 7:55 pm

I just setup my starlink yesterday. My IPV4 speeds are atrocious. Actually worse than my LTE connection prior, so much so that I am contemplating just putting the starlink stuff back in the box and cancelling the service.

That said, I'm trying to get my ipv6 stuff working so I can forward some external ports for vpn and stuff. After reading the whole thread, I now have an IPV6 address, and a somewhat populated firewall, but I still have no idea how to actually put it to any use :)
 
Bcmalloy
just joined
Posts: 4
Joined: Sun Jul 30, 2023 12:08 pm

Re: How to run IPv6 from starlink on a mikrotik?

Fri Aug 11, 2023 6:41 pm

Have a script I'm trying to get working with the Starlink config above so the IPv6 firewall will only allow the IPv6 DHCP client server to send through prefix delegation data, by switching on a firewall rule that allows any address until the DHCPv6 client is bound; then it puts that address in a list, disables that rule and turns on a rule that only allows the listed addresses.
But I just can't work out the syntax for the DHCPv6 client script box; any help would be appreciated to complete the Starlink config (measured 320 Megabit throughput a few days ago), getting crazy download speeds. (Thanks Elon)
# updatefirewall
:log info "script ok";
:if ($leaseBound = 0) do={
:log info "no lease";
:/ipv6/firewall/filter/ enable [ find where comment="defconf: accept DHCPv6-Client prefix delegation open."];
:/ipv6/firewall/filter/ disable [ find where comment="defconf: accept DHCPv6-Client prefix delegation srcaddress."];
}
:else={
:log info "we have lease";
:/ipv6/firewall/address-list/ add address=[/ipv6/dhcp-client get value-name=dhcp-server-v6 number=0] disabled=no dynamic=no list=prefix_delegation comment="dhcp6 client server value";
:/ipv6/firewall/filter/ disable [ find where comment="defconf: accept DHCPv6-Client prefix delegation open."];
:/ipv6/firewall/filter/ enable [ find where comment="defconf: accept DHCPv6-Client prefix delegation srcaddress."];
}
 
Kentzo
Long time Member
Posts: 631
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: How to run IPv6 from starlink on a mikrotik?

Fri Aug 11, 2023 8:57 pm

At the very least you need to change `$leaseBound` -> `$"pd-valid"`. Also you can change `[/ipv6/dhcp-client get value-name=dhcp-server-v6 number=0]` -> `$"pd-prefix"`

See the DHCPv6 Script section.
 
Bcmalloy
just joined
Posts: 4
Joined: Sun Jul 30, 2023 12:08 pm

Re: How to run IPv6 from starlink on a mikrotik?

Sat Aug 12, 2023 9:13 am

Thanks for the info. I found the built-in variable problematic, so here is my working script that just manually fetches values, if anyone needs it.
Note: if the IPv6 address already exists in the firewall address list "prefix_delegation" the script will bomb out; that's why this command must be last.
# updatefirewall;
:local fred [/ipv6/dhcp-client get value-name=status number=0];
:log info "script ok fred value is $fred";
:log info "script ok";
:if ($fred != "bound") do={
:log info "no ipv6 client lease";
:execute [/ipv6/firewall/filter/ enable [find where comment="defconf: accept DHCPv6-Client prefix delegation open."]];
:execute [/ipv6/firewall/filter/ disable [find where comment="defconf: accept DHCPv6-Client prefix delegation srcaddress."]];
}
:if ($fred = "bound") do={
:log info "we have ipv6 client lease";
:execute [/ipv6/firewall/filter/ enable [find where comment="defconf: accept DHCPv6-Client prefix delegation srcaddress."]];
:execute [/ipv6/firewall/filter/ disable [find where comment="defconf: accept DHCPv6-Client prefix delegation open."]];
:execute [/ipv6/firewall/address-list/ add address=[/ipv6/dhcp-client get value-name=dhcp-server-v6 number=0] disabled=no dynamic=no list=prefix_delegation comment="dhcp6 client server value"];
}
 
pfturner
newbie
Posts: 35
Joined: Fri Jun 09, 2023 4:31 pm

Re: How to run IPv6 from starlink on a mikrotik?

Mon Jul 22, 2024 11:05 pm

I had the situation recently where Starlink changed the IPv6 address, but the prefix delegation stayed the same.

Does anyone have a script to share that (I assume) sits in the /ipv6/dhcp-client section and monitors and changes the configuration appropriately automatically? This would include the firewall address list for prefix delegation.

Thanks in advance.
 
kinx
just joined
Posts: 14
Joined: Mon Sep 04, 2017 9:16 pm
Location: 127.0.0.1

Re: How to run IPv6 from starlink on a mikrotik?

Fri Nov 15, 2024 5:10 pm

Hi everyone,

I run into some trouble with IPv6 on Starlink in Madagascar.
Router 1 = RB2011iL
Router 2 = D53G-5HacD2HnD (Chateau LTE)

Working in bypass mode and a MikroTik router connected directly onto a Starlink ethernet adapter.
I get an IPv4 CGNAT address fine, but nothing out of IPv6 with DHCPv6-PD.
I have everything setup fairly standard (slightly modified default config) as in the configs seen here and don't get any IPv6 prefix via DHCPv6-PD, at all, on two Starlinks recently installed.

What I do get to see is a public IPv6 in the IPv6 address list,
2cxx:x:x:x:x:x:x:x/64 as seen below, which I can ping & traceroute from Belgium (to Madagascar) and back, perfectly.

Starlink support says it's working fine and obviously can't help with other equipment than theirs.

Is there anything else I should do?
Flags: I - INVALID, D - DYNAMIC; G - GLOBAL, L - LINK-LOCAL
Columns: ADDRESS, FROM-POOL, INTERFACE, ADVERTISE
#    ADDRESS                                     FROM-POOL  INTERFACE                ADVERTISE
0 D  ::1/128                                                lo                       no       
1 DL fe80::x:x:fe16:913b/64                           bridge                   no       
2 DL fe80::x:x:fe16:913a/64                           ether1-wan               no       
3 DG 2cxx:x:x:x:x:x:x:x/64             ether1-wan               no


/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes \
    max-neighbor-entries=8192

/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=ipv6-pool rapid-commit=\
    no request=address,prefix use-interface-duid=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
	
/ipv6 nd
set [ find default=yes ] advertise-mac-address=no dns=\
    2606:4700:4700::1113,2606:4700:4700::1003,2a0f:fc80::9,2a0f:fc81::9 \
    hop-limit=64 interface=bridge-main managed-address-configuration=yes mtu=\
    1280 other-configuration=yes ra-interval=3m20s-8m20s
	
/ipv6 nd prefix default
set preferred-lifetime=10m valid-lifetime=15m 
 
pts0
just joined
Posts: 21
Joined: Thu Mar 07, 2024 11:02 am

Re: How to run IPv6 from starlink on a mikrotik?

Sat Feb 01, 2025 3:21 pm

Hi, thanks for the good advice here. I got the prefix from my Starlink - the issue is that the firewall rule by default limits port udp/546 to traffic from fe80::/10, which blocks the incoming add.

Now I'm struggling with the dhcpd IPv6 setup. Where is RA in RouterOS?
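
The udp/546 accept rule appears in three forms in this thread: matched against the prefix_delegation address list, with no source match at all, and limited to fe80::/10. As an added example (not code from any poster or from MikroTik), this Python sketch parses a RouterOS export and reports, for each such input rule, whether its source match is open and whether it would admit a given DHCPv6 server address. The sample exports are constructed from the rules quoted above, the function names are made up here, and only the udp/546 rules are evaluated, not the rest of the chain.

```python
import ipaddress
import re
import shlex

DHCPV6_CLIENT_PORT = 546

def parse_export(text):
    """Return {menu path: [{param: value}, ...]} for the `add` lines of an export."""
    text = re.sub(r"\\\r?\n\s*", "", text)          # join '\' line continuations
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = menus.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            item = {}
            for token in shlex.split(line)[1:]:     # shlex keeps quoted comments whole
                key, sep, value = token.partition("=")
                if sep:
                    item[key] = value
            current.append(item)
    return menus

def port_in_spec(spec, port):
    """True if port is in a RouterOS port spec such as '546' or '500,4500' or '1-10'."""
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def source_allows(rule, lists, addr):
    """True if every source matcher on the rule (there may be none) matches addr."""
    if "src-address" in rule:
        value = rule["src-address"]
        hit = addr in ipaddress.ip_network(value.lstrip("!"), strict=False)
        if hit == value.startswith("!"):
            return False
    if "src-address-list" in rule:
        name = rule["src-address-list"]
        hit = any(addr in net for net in lists.get(name.lstrip("!"), []))
        if hit == name.startswith("!"):
            return False
    return True

def audit_dhcpv6_input(export_text, server):
    """One finding per enabled input/accept rule that covers udp/546."""
    server = ipaddress.ip_address(server)
    menus = parse_export(export_text)
    lists = {}
    for entry in menus.get("/ipv6 firewall address-list", []):
        try:
            net = ipaddress.ip_network(entry["address"], strict=False)
        except (KeyError, ValueError):
            continue                                # e.g. DNS names in a list
        lists.setdefault(entry.get("list"), []).append(net)
    findings = []
    for rule in menus.get("/ipv6 firewall filter", []):
        if (rule.get("chain") == "input" and rule.get("action") == "accept"
                and rule.get("protocol") == "udp" and rule.get("disabled") != "yes"
                and "dst-port" in rule
                and port_in_spec(rule["dst-port"], DHCPV6_CLIENT_PORT)):
            restricted = "src-address" in rule or "src-address-list" in rule
            findings.append({
                "comment": rule.get("comment", ""),
                "source": "restricted" if restricted else "any",
                "accepts_server": source_allows(rule, lists, server),
            })
    return findings

# Constructed samples, reduced from the three configurations posted in the thread.
VARIANTS = {
    "address-list": r'''/ipv6 firewall address-list
add address=fe80::/10 list=prefix_delegation
add address=2a0d:3344:1e00:2749::1/128 list=prefix_delegation
/ipv6 firewall filter
add action=accept chain=input dst-port=5678 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address-list=prefix_delegation
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
''',
    "no-source-match": r'''/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp
''',
    "fe80-only": r'''/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
''',
}

def verdicts(server):
    """{variant name: (source scope, accepts_server)} for the first udp/546 rule."""
    out = {}
    for name, export in VARIANTS.items():
        finding = audit_dhcpv6_input(export, server)[0]
        out[name] = (finding["source"], finding["accepts_server"])
    return out

if __name__ == "__main__":
    # DHCPv6 server address as reported earlier in the thread
    for name, result in verdicts("2a0d:3344:1e00:2749::1").items():
        print(name, result)
```

A rule reported as `any` accepts udp/546 from every source, and a `restricted` rule that does not accept the server address is the case where no prefix arrives.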
 
sindy
Forum Guru
Posts: 11363
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to run IPv6 from starlink on a mikrotik?

Sun Feb 02, 2025 6:18 pm

Not sure what you mean. If you need to access just the router itself, RA doesn't bother you - give the DHCPv6 client a name of a pool to use, and attach an IPv6 address to any interface on the router, indicating the name of the pool to get the prefix from and specifying the lower 64 bits if you want them to be "nice". That way, the router itself gets an address from the /56, from a random /64 out of the /56. Next, set the gateway of the default IPv6 route to fe80::200:5eff:fe00:101%your-wan-interface-name. Done. There is no need to attach the IPv6 address to the WAN interface (and thus waste a whole /64 for it).

If you want to let LAN hosts use IPv6, you have to add the router's own IPv6 address using the way above to its LAN interface (or interfaces), and only then it is important whether you set the advertise parameter of the address to yes (the default setting, RA enabled) or no (RA disabled so the connected hosts cannot use SLAAC to generate their own IPv6 addresses).
 
pts0
just joined
Posts: 21
Joined: Thu Mar 07, 2024 11:02 am

Re: How to run IPv6 from starlink on a mikrotik?

Mon Feb 03, 2025 7:08 pm

Hmm, I didn't get it.

Let's try to explain my plan with a pic (attached).

I have my prefix 2a0d:3344:1234:ab00::/56 on the WAN of the router. Now I would like to redistribute a subnet, 2a0d:3344:1234:ab01::/64, with a DHCP server on my router in the LAN.

I now have two issues. It would be nice to ping the router (have an IP). If I set one, I can't route... I didn't get how to set the default route. I would prefer to get it dynamically from the Starlink DHCP server...
Second, when I try to set up the DHCP server IPv6 pool, I get the error
[admin@switc-rb5009] > /ipv6/pool/add prefix=2a0d:3344:1234:ab01::/64 name=mypool prefix-length=64
failure: prefix of two pools cannot overlap!
I'm sure these are quite "stupid" questions, but I really didn't get how it works with MikroTik. I got it working on OPNsense, and I'm sure it will on MikroTik too; the question is only how. Thanks.
 
sindy
Forum Guru
Posts: 11363
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to run IPv6 from starlink on a mikrotik?

Mon Feb 03, 2025 8:32 pm

The only stupid questions are those not asked.
  • you have only got a single /56 pool, the one you have requested and received from the Starlink DHCPv6 server.
  • to let hosts connected to bridge have their IPv6 addresses, you do not need to use DHCPv6, nor could you actually use it until ROS 7.17+ (the first one where DHCPv6 server supports leasing addresses to clients, not just prefixes). SLAAC is normally sufficient for hosts that are not routers or really specific endpoints.
  • if you do insist on using DHCPv6 to lease addresses to hosts connected to bridge, you must use the same pool that you've asked the DHCPv6 client on WAN to fill.
  • the DHCPv6 server does not indicate a route; Mikrotik's "add default route" setting of the DHCPv6 client works with the assumption that the DHCPv6 server is colocated with the router, which is not the case for Starlink. But the link-local address I gave above works for all terminals.
  • to be able to ping the router, it is enough that you assign the IPv6 address to the bridge, there is no need to assign another one to the WAN interface.
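
Two points from the thread worked through with Python's ipaddress module, as an added example that is not part of any post: the delegated prefix is a separate block from the WAN link (so the gateway 2a0d:3344:1400:baee::1 is not inside 2a0d:3344:1490:1700::/56), and a hand-made /64 pool carved from the delegated /56 overlaps the pool the DHCPv6 client already fills. The function names are hypothetical; the addresses are the ones quoted in the posts.

```python
import ipaddress

def eui64_mac(addr):
    """MAC embedded in a modified-EUI-64 link-local address, else None."""
    iid = addr.packed[8:]                      # low 64 bits: interface identifier
    if not addr.is_link_local or iid[3:5] != b"\xff\xfe":
        return None
    # Undo modified EUI-64: flip the universal/local bit, drop the ff:fe filler.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

def delegation_facts(delegated, gateway, extra_pool=None):
    """Relate a delegated prefix to the next hop and to a manually added pool."""
    pd = ipaddress.ip_network(delegated)
    gw = ipaddress.ip_address(gateway.split("%")[0])   # drop the %interface scope
    facts = {
        "lan_64_count": 2 ** (64 - pd.prefixlen),      # /64s available for LANs
        "first_lan_64": str(next(pd.subnets(new_prefix=64))),
        "gateway_scope": "link-local" if gw.is_link_local else "global",
        "gateway_inside_delegation": gw in pd,
        "gateway_mac": eui64_mac(gw),
    }
    if extra_pool is not None:
        # RouterOS refuses a second pool whose prefix overlaps an existing one.
        facts["pool_overlaps_delegation"] = ipaddress.ip_network(extra_pool).overlaps(pd)
    return facts

# First post: the gateway learned on the WAN is outside the delegated /56, so an
# address from the /56 on the WAN interface cannot reach it on-link.
FIRST_POST = delegation_facts("2a0d:3344:1490:1700::/56", "2a0d:3344:1400:baee::1")

# Later posts: link-local next hop plus the /64 pool that was rejected.
LATER_POSTS = delegation_facts(
    "2a0d:3344:1234:ab00::/56",
    "fe80::200:5eff:fe00:101%your-wan-interface-name",
    extra_pool="2a0d:3344:1234:ab01::/64",
)

if __name__ == "__main__":
    print(FIRST_POST)
    print(LATER_POSTS)
```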
 
pts0
just joined
Posts: 21
Joined: Thu Mar 07, 2024 11:02 am

Re: How to run IPv6 from starlink on a mikrotik?

Tue Feb 04, 2025 1:34 pm

Kudos to @sindy, great support.

I got the pinging working by adding a default route to the fe80::200:5eff:fe00:101 link-local address, which is a little bit magic to me. Is this something specific to the Starlink router, that it always uses this IP, or is it general in IPv6?
Now I'm struggling with the setup of clients in the internal LAN. SLAAC doesn't seem to work yet; clients didn't get an IP on this VLAN. Maybe, probably, I got something wrong... I'm not sure the DHCPv6 server is working for me... is that really implemented?
What I don't get at all is what the IPv6 settings are
[admin@rb5009] > /ipv6/settings/print
                    disable-ipv6: no
                         forward: yes
           multipath-hash-policy: l3
                accept-redirects: yes-if-forwarding-disabled
    accept-router-advertisements: yes-if-forwarding-disabled
  stale-neighbor-detect-interval: 30
          stale-neighbor-timeout: 60
            min-neighbor-entries: 4096
       soft-max-neighbor-entries: 8192
            max-neighbor-entries: 16384
[admin@switch002-rb5009] > /ipv6/route/print
Is forward yes the right choice, or should it be no? Especially accept-router-advertisements: yes-if-forwarding-disabled seems a strange setting to me ... maybe that is why I can't get the IP on the "client" switches where I try it out.
 
sindy
Forum Guru
Posts: 11363
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to run IPv6 from starlink on a mikrotik?

Tue Feb 04, 2025 6:31 pm

Is this something specific to the Starlink router that always uses this IP, or is it general in IPv6?
It's indeed from the category "$1 for turning the screw, $99 for knowing which one". It did take me some minutes to figure out. Maybe there are better ways I haven't found, though.

Now I'm struggling with the setting of clients in the internal LAN
The older I grow the more I prefer talking to writing when it comes to things that should have been simple but aren't. Any suggestions?

SLAAC doesn't seem to work yet, clients didn't get an IP on this VLAN.
I hazily remember I had to reboot the router after assigning the global address to the LAN interface in order that SLAAC would start working, but it was many ROS versions ago. There is normally nothing to configure - if the address on the router interface is configured with advertise=yes, the hosts should be able to learn the prefix, which is all they need to generate their own addresses. The default IPv6 firewall also doesn't restrict ICMPv6 which is enough for the RA to get solicited.

I'm not sure the dhcpdserver v6 is working for me ... is that really implemented?
It is implemented, but 1) until 7.17 it would not respond to requests to lease out an individual address and 2) normal LAN hosts have to be explicitly told to use DHCPv6 instead of SLAAC.

Is forward yes the right choice, or should it be no?
forward=yes is an equivalent of Linux ipv6_forwarding=1, i.e. if you want the Mikrotik to route IPv6 packets, yes is the necessary choice.

accept-router-advertisements: yes-if-forwarding-disabled seems a strange setting to me ... maybe that is why I can't get the IP on the "client" switches where I try it out.
Nope. As @mkx has remarked somewhere above, the distinction between a router and endpoint is much more strict in IPv6 than in IPv4. In particular - unlike endpoints, routers are normally not supposed to autoconfigure, hence by default, the accept-router-advertisements is set to automatically adjust the actual behavior to the forward setting. I.e. when acting as a router (forward=yes), the Mikrotik itself doesn't use SLAAC to determine its address and default gateway unless forced to do so using accept-router-advertisements=yes. But this has nothing to do with the behavior of the LAN hosts.
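
An added example, not part of the posts above: decoding the link-local gateway quoted in this thread shows that its interface identifier is a modified EUI-64 of the MAC 00:00:5e:00:01:01, which lies in the range RFC 5798 reserves for VRRP virtual routers, so the address is not derived from one device's hardware MAC. The function names are hypothetical.

```python
import ipaddress

# Virtual-router MAC ranges reserved by RFC 5798 (last byte is the VRID).
VRRP_PREFIXES = {bytes.fromhex("00005e0001"): "vrrp-ipv4-virtual-mac",
                 bytes.fromhex("00005e0002"): "vrrp-ipv6-virtual-mac"}

def mac_from_link_local(addr: str):
    """Return the MAC encoded in a modified-EUI-64 link-local address, else None."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_link_local:
        raise ValueError(f"{addr} is not link-local (fe80::/10)")
    iid = ip.packed[8:]                      # 64-bit interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None                          # random or stable-privacy IID
    # Undo the EUI-64 mapping: drop ff:fe and flip the universal/local bit.
    return bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]

def describe_gateway(addr: str) -> dict:
    """Classify the MAC behind a link-local next hop."""
    mac = mac_from_link_local(addr)
    if mac is None:
        return {"mac": None, "kind": "not-eui64"}
    info = {"mac": ":".join(f"{b:02x}" for b in mac), "kind": "ordinary-mac"}
    kind = VRRP_PREFIXES.get(mac[:5])
    if kind:
        info.update(kind=kind, vrid=mac[5])
    return info

if __name__ == "__main__":
    print(describe_gateway("fe80::200:5eff:fe00:101"))
```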
 
pts0
just joined
Posts: 21
Joined: Thu Mar 07, 2024 11:02 am

Re: How to run IPv6 from starlink on a mikrotik?

Tue Feb 04, 2025 8:31 pm

I hazily remember I had to reboot the router after assigning the global address to the LAN interface in order that SLAAC would start working
Hmm, OK - I will then try all the stuff on another lab router before I break something. A reboot after each change is not really nice :)
2) normal LAN hosts have to be explicitly told to use DHCPv6 instead of SLAAC.
Yes, this is done by an RA flag. Personally, I find the implementation of Router Advertisement (RA) in RouterOS a little bit unclear.
I suppose it is under ND, but I'm not 100% sure
[admin@rb5009] > /ipv6/nd/print
Flags: X - disabled, I - invalid; * - default
 0  * interface=net28 ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified ra-lifetime=30m ra-preference=medium hop-limit=unspecified
      advertise-mac-address=yes advertise-dns=no managed-address-configuration=no other-configuration=no
Hmm, maybe I see now what the issue with my DHCP server is: the interface where it runs has no v6 IP ... it can't work

back to test :)
 
sindy
Forum Guru
Posts: 11363
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to run IPv6 from starlink on a mikrotik?

Tue Feb 04, 2025 9:02 pm

Ah, yes, I totally forgot about the existence of the M flag - so under /ipv6/nd, set managed-address-configuration to yes for the interface (unless it gets set automatically if the DHCPv6 server is attached to that interface) to let the clients know a DHCPv6 server is available.
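
An added example, not part of the posts above and not RouterOS code: a small decoder for a captured Router Advertisement that reports the M and O flags and the prefix options, then states what an ordinary LAN host is being told to do. The sample RA is constructed to mirror the values shown in this thread (ra-lifetime=30m, 4h prefix lifetimes); the prefix 2001:db8:0:28::/64 and all function names are assumptions.

```python
import ipaddress
import struct

def parse_ra(msg: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement (RFC 4861, type 134)."""
    if len(msg) < 16 or msg[0] != 134:
        raise ValueError("not a Router Advertisement")
    _hop_limit, flags, lifetime = struct.unpack_from("!BBH", msg, 4)
    ra = {"managed": bool(flags & 0x80),  # M flag (managed-address-configuration)
          "other": bool(flags & 0x40),    # O flag (other-configuration)
          "router_lifetime": lifetime,    # seconds; 0 = not a default router
          "prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(msg):
        otype, size = msg[off], msg[off + 1] * 8   # length is in 8-byte units
        if size == 0 or off + size > len(msg):
            raise ValueError("malformed option")
        body = msg[off + 2:off + size]
        if otype == 3 and size == 32:              # Prefix Information option
            plen, pflags, valid, preferred = struct.unpack_from("!BBII", body)
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(body[14:30])}/{plen}",
                "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),  # A flag: usable for SLAAC
                "valid": valid, "preferred": preferred})
        elif otype == 25 and size >= 24:           # RDNSS option (RFC 8106)
            ra["rdnss"] += [str(ipaddress.IPv6Address(body[i:i + 16]))
                            for i in range(6, len(body) - 15, 16)]
        off += size
    return ra

def host_plan(ra: dict) -> list:
    """What an ordinary LAN host is told to do by this RA."""
    plan = []
    if any(p["autonomous"] and p["prefix"].endswith("/64") for p in ra["prefixes"]):
        plan.append("slaac")
    if ra["managed"]:
        plan.append("dhcpv6-address")
    elif ra["other"]:
        plan.append("dhcpv6-info-only")
    if ra["router_lifetime"] > 0:
        plan.append("default-route")
    return plan

def sample_ra(managed: bool) -> bytes:
    """Constructed RA: 30 min router lifetime, one /64 with L+A set, 4 h lifetimes."""
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x80 if managed else 0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 14400, 14400, 0)
    return header + pio + ipaddress.IPv6Address("2001:db8:0:28::").packed
```

Feeding it the ICMPv6 payload of an RA captured on the LAN side shows whether the M flag and an autonomous /64 are actually on the wire, independent of what the router's configuration screen says.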
 
pts0
just joined
Posts: 21
Joined: Thu Mar 07, 2024 11:02 am

Re: How to run IPv6 from starlink on a mikrotik?

Wed Feb 05, 2025 12:56 am

I will probably give up on the IPv6 MikroTik DHCP server. Link-local IPs are distributed/advertised, but DHCP doesn't seem to like my setup.
I have two VLANs: one (VLAN1) where a dhcpd server works from another server (opnsense), and one (VLAN2) where I should get the mikrotik dhcp server running. It just doesn't ... maybe it has something to do with VLAN (it should not) or with the dhcpserver v4, no idea. Routing seems to be totally broken for global addresses.
 
sindy
Forum Guru
Posts: 11363
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to run IPv6 from starlink on a mikrotik?

Wed Feb 05, 2025 10:09 am

Maybe it is time to post the export of the configuration?
 
mozerd
Forum Veteran
Posts: 946
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: How to run IPv6 from starlink on a mikrotik?

Wed Feb 05, 2025 4:01 pm

@pts0
Starlink will allocate:
  • One public IPv4 address for the customer’s wide area network (WAN), provisioned via Dynamic Host Configuration Protocol (DHCP) for routers/firewalls using IPv4.
  • One IPv6 /64 prefix for the customer’s wide area network (WAN), provisioned via Stateless Address Auto Configuration (SLAAC) for routers/firewalls using IPv6.
  • One IPv6 /56 prefix for the customer’s local area network (LAN), provisioned to routers capable of issuing a DHCPv6-PD request.
This is very straightforward ... so from a mikrotik perspective you would use dhcpv6 client --- do not use dhcpv6-server
first directive
/ipv6 dhcp-client
add add-default-route=yes comment="delgate ISP-assigned prefix" interface=\
starlinkInterface pool-name=starlink-ipv6 prefix-hint=::/56 request=address,prefix \
use-peer-dns=no
second directive
/ipv6 nd
set [ find default=yes ] dns=2606:4700:4700::1111,2606:4700:4700::1001 \
interface=starlinkInterface mtu=1500 ra-lifetime=none reachable-time=5m
third directive
/ipv6 nd prefix default
set preferred-lifetime=4h valid-lifetime=4h
fourth directive
/ipv6 settings
set accept-router-advertisements=yes max-neighbor-entries=8192
If you have VLANs, add as needed
vlan directive
/ipv6 address
add from-pool=starlink-ipv6 interface=vlan10
add from-pool=starlink-ipv6 interface=vlan20
add from-pool=starlink-ipv6 interface=vlan30
add from-pool=starlink-ipv6 interface=vlan40
add from-pool=starlink-ipv6 interface=wireguard1
The above is all you need .... you may have to adjust for starlinkInterface, pool name, MTU and possibly change DNS ... this has worked for 5 of my Starlink clients
 
anav
Forum Guru
Posts: 22398
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to run IPv6 from starlink on a mikrotik?

Wed Feb 05, 2025 9:48 pm

Hi mozerd, any reason to implement IPv6 if IPv4 works?
 
Larsa
Forum Guru
Posts: 1703
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: How to run IPv6 from starlink on a mikrotik?

Wed Feb 05, 2025 10:39 pm

With IPv6, you get a public IP; with IPv4, only CGNAT
 
sindy
Forum Guru
Posts: 11363
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to run IPv6 from starlink on a mikrotik?

Wed Feb 05, 2025 10:55 pm

with IPv4, only CGNAT
(unless you pay a beefy surcharge to get a public one).
 
pts0
just joined
Posts: 21
Joined: Thu Mar 07, 2024 11:02 am

Re: How to run IPv6 from starlink on a mikrotik?

Wed Feb 05, 2025 11:05 pm

Maybe it is time to post the export of the configuration?
I'm a couple of days away ... I will do it then. It is a little bit more than just IPv6 there. Dual WAN, VLAN segregated, one routing over rb5900 (starlink) and one over opnsense. Multiple other remote subnets over wireguard :(.
 
pts0
just joined
Posts: 21
Joined: Thu Mar 07, 2024 11:02 am

Re: How to run IPv6 from starlink on a mikrotik?

Wed Feb 05, 2025 11:10 pm

@mozerd amazing support here! I will try as soon as I'm on site. Looks easy, as usual when you know how :)
 
mozerd
Forum Veteran
Posts: 946
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: How to run IPv6 from starlink on a mikrotik?

Wed Feb 05, 2025 11:16 pm

Hi mozerd, any reason to implement IPv6 if IPv4 works?
I plus many others run a dual stack … ipv6 solves many problems plus is far more secure … in your situation Bell Canada does not support consumer ipv6 … only for business clients … although that might change this year … Rogers supports ipv6 and has for the last 10 years ..
Key points about IPv6:
  • Larger address space: IPv6 uses 128-bit addresses, allowing for a vastly greater number of unique IP addresses compared to IPv4's 32-bit addresses.
  • No NAT required: With ample addresses available, IPv6 can directly connect devices without the need for NAT, simplifying network management and potentially improving security.
  • Improved network efficiency: The design of IPv6 can lead to faster routing and better performance, especially in large networks.
  • IoT readiness: IPv6 is crucial for supporting the growing number of connected devices in the IoT, as each device can have its own unique address.

Key points about IPv6 security:
  • Integrated IPsec: IPv6 has IPsec directly incorporated into its protocol, enabling easier implementation of encryption and authentication for network traffic.
  • Larger address space: The vast number of available IPv6 addresses makes it harder for attackers to randomly guess or scan for potential targets.
  • Improved Neighbor Discovery: IPv6 uses a more secure neighbor discovery process compared to IPv4's ARP, reducing the risk of address spoofing attacks.
  • Privacy extensions: IPv6 allows for privacy extensions to further obscure user information.

However, it's important to note that:
  • Proper configuration is crucial: Even with its inherent security features, IPv6 still requires proper configuration and security practices to be truly secure.
  • Not inherently more secure: While IPv6 offers more security potential, it doesn't automatically make a network more secure if not implemented correctly.
 
anav
Forum Guru
Posts: 22398
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to run IPv6 from starlink on a mikrotik?

Thu Feb 06, 2025 9:24 pm

Much thanks, very well laid out.