devlin
just joined
Topic Author
Posts: 5
Joined: Fri Aug 04, 2017 3:02 pm

IPv6 router settings

Mon Jan 15, 2018 11:10 pm

Hello,
I would like to ask you for help. I'm really a noob when it comes to IPv6, and now I have to configure one router with IPv6. I got these addresses from my ISP:

xxxx:yyyy:zzzz:ssss:4e5e:cff:feab:67af/64 - your link address
xxxx:yyyy:zzzz:ssss::1/64 - your gateway
xxxx:yyyy:vvvv:e6c6::/64 - your scope, routed to you, which you terminate in your router and use for services

What is the proper way to configure this on the router? I have an idea, but I'm not really sure, and I have to be sure in this case...

Any help would be greatly appreciated..
Thank you!
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: IPv6 router settings

Tue Jan 16, 2018 10:32 pm

Hi

Does the link address start with fe80? Then it's a link-local address, not routable / reachable from the internet.
If not, then it's a routable IPv6 address which you should set on your WAN under "/ipv6 addresses"
/ipv6 address
add address=xxxx:yyyy:vvvv:e6c6::1/64 interface=LAN
add address=xxxx:yyyy:zzzz:ssss:4e5e:cff:feab:67af/64 advertise=no interface=WAN

IPv6 settings
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no

xxxx:yyyy:zzzz:ssss::1/64 your default gateway
/ipv6 route
add distance=1 gateway=xxxx:yyyy:zzzz:ssss::1

Configure pool
/ipv6 pool
add name=Poolv6 prefix=xxxx:yyyy:vvvv:e6c6::/64 prefix-length=64

Configure ipv6 neighbour discovery
/ipv6 nd
set [ find default=yes ] advertise-dns=yes interface=LAN mtu=1500 ra-interval=1m-2m
/ipv6 nd prefix default
set valid-lifetime=4w
 
acruhl
Member
Posts: 371
Joined: Fri Jul 03, 2015 7:22 pm

Re: IPv6 router settings

Tue Jan 16, 2018 11:52 pm

It's pretty cool that you get a static IPv6 setup like that. I have to rely on router advertisements from my ISP and they change my address and prefix every few days, which seems stupid to me but it's my reality.

I agree with the above post. That should do it.

Don't forget to look at your firewall! IPv4 rules have absolutely no effect on IPv6. MikroTik recently set up a nice default set of rules, but not so long ago there were no default firewall rules for IPv6, which would leave you wide open. Check it and make sure it looks good. Or post it here and ask about it:
/ipv6 firewall filter print
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IPv6 router settings

Wed Jan 17, 2018 1:16 am

One more point:
Make sure that you're not blocking ICMPv6 in your IPv6 firewall filter rules. "ARP" functionality was moved into ICMP for IPv6 (now known as ND - Neighbor Discovery).

I have to agree that it's awesome to see an ISP give static assignments like this. The only thing possibly wrong with this is that if you have separate networks on your side (e.g. you have a separate guest network/ssid) then you'll need additional IPv6 space to do that. (each network needs its own /64 block)
 
almdandi
Frequent Visitor
Posts: 73
Joined: Sun May 03, 2015 5:22 pm

Re: IPv6 router settings

Wed Jan 17, 2018 3:13 am

Hello,

I also got a static /56 prefix from my ISP last December, but I haven't really had time to set it up yet, and I am also really new to IPv6.

In the IPv4 world you have NAT. It directly protects your internal devices from being accessed from the internet, even when the device doesn't have a firewall. In IPv6 there is no NAT, so theoretically everyone can access everything. Of course, to prevent this you set up the firewall, but I haven't found a good concept as of now.

For example, my home network. I have a lot of different devices (smartphones, smart TVs, a Linux server, Windows clients, routers/access points) in my network, connected by cable or wireless. I also have multiple networks, for example a guest network.

So my questions are:

1.) Can you depend on the firewall of the devices? I think the answer is no, right?

2.) In case of ICMPv6, should you forward all types of it? Or should you only forward types 1, 2, 3, 4? Or is it enough to allow related packets to be forwarded?

3.) Now I have a very special question and I really don't know how to describe it better. I often use a program named Tunngle. It's a program to play old computer games over an emulated LAN with your friends over the internet. To successfully connect to your friends, you have to forward a port to your computer. But how can you do something like that in IPv6? On my Windows computer I have 3 IPv6 addresses: a link-local address and two global scope addresses. Both of the global addresses are randomly generated. So how can I allow that port to be forwarded only to my computer?
 
acruhl
Member
Posts: 371
Joined: Fri Jul 03, 2015 7:22 pm

Re: IPv6 router settings

Wed Jan 17, 2018 6:23 am

1. With MikroTik with recent firmware, I would say generally yes. The default firewall seems reasonable. But it's your network so it's up to you. I had an Asus router that had a checkbox for "ipv6" and that's it. I did some testing and found that it blocked all inbound connections to the prefix on the internal network, but that's all I knew because there was no way to look at the firewall rules. So I didn't trust that one.

2. The default MikroTik rule doesn't specify which ICMP types; it looks like it allows them all. I haven't really thought about this, so I don't have a better answer.

3. The real question is if the other people you are playing with also have IPv6 and does that program support IPv6?

To answer the other stuff, I'm not a Windows guy but there is probably a way to get it to configure via SLAAC, and once you know that you can create a firewall rule to allow connections on whatever port to that IP.

IPv6 works now like IPv4 worked before there was NAT (and how it was designed to work back then). You have a network on the WAN side, and a network on the LAN side, and it was up to the network administrator to block or allow connections inbound or outbound. NAT was designed to preserve public IP addresses, and it does, but along the way it became a "security by obfuscation" method which it wasn't really designed to be.

You have to undo your NAT mindset with IPv6 and everything starts to make sense.
 
acruhl
Member
Posts: 371
Joined: Fri Jul 03, 2015 7:22 pm

Re: IPv6 router settings

Wed Jan 17, 2018 6:30 am

I have to agree that it's awesome to see an ISP give static assignments like this. The only thing possibly wrong with this is that if you have separate networks on your side (e.g. you have a separate guest network/ssid) then you'll need additional IPv6 space to do that. (each network needs its own /64 block)
That's exactly how I would do it if I was running an ISP. If you want IPv6, here you go, a /64 and have a good time. That's going to cover the majority of people that want IPv6 I think.

If someone comes and asks for something bigger than a /64, hand them a /60. The prefixes won't be in the same range as the original /64 but such is life.

If you need something larger than a /60, you either have to justify it or pay for it. I haven't thought that far ahead yet... :)

My ISP is giving me a /56 but there's no point in using it because the damn thing keeps changing.*

* This could be a lie, I got tired of checking it months ago. Maybe I will check it again.
 
devlin
just joined
Topic Author
Posts: 5
Joined: Fri Aug 04, 2017 3:02 pm

Re: IPv6 router settings

Wed Jan 17, 2018 9:13 am

Awesome! Thank you so much!

And no, it does not start with "fe80"... :)
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IPv6 router settings

Wed Jan 17, 2018 5:54 pm

In the IPv4 world you have NAT. It directly protects your internal devices from being accessed from the internet, even when the device doesn't have a firewall. In IPv6 there is no NAT, so theoretically everyone can access everything. Of course, to prevent this you set up the firewall, but I haven't found a good concept as of now.
I'd like to address this post with a few observations and responses of my own.

First, it is a common misconception that NAT is a security mechanism. While it does limit direct inbound connections from reaching devices from across the Internet, it's not quite the same thing. It's better NOT to think of NAT as a security mechanism. That's the job of packet filtering and of deep packet inspection if you have equipment that performs such tasks (not Mikrotik, unfortunately). The real thing that protects your devices is connection tracking, and the IPv6 firewall in RouterOS performs this function just fine. If your forwarding filters only allow new connections in the outbound direction, then you're in the same situation as you would be with IPv4 NAT.

Now to the questions-
1) see above, but yes, you can trust the IPv6 firewall (as much as you can trust any other packet filtering, more or less)

2) I'm also one of the people who commonly speaks out against the common practice of dropping all ICMP. The idea that making your router "unpingable" increases your security is horribly outdated. Today's malware does not rely on ping scans to determine which IP addresses are alive in order to port scan them. They just port scan every IP address, and with modern botnets, I'm quite certain that many of them do snowshoe scanning (each host:protocol:port is scanned from a different node of the botnet so you never see any sequential hits on a set of ports from the same source). ICMPv6 is more crucial to IPv6 than ICMP was to IPv4 - it broke subtle things whenever you would drop ICMP and breaks even more in IPv6 - notably Path MTU Discovery. IPv6 does not support fragmentation by routers so path mtu discovery is vitally important in IPv6 - I've seen a post or two about which types can be filtered, but I don't really see much real benefit in blocking it anyway.

3) I would say that the Tunngle application would need to be IPv6 aware, but not the old games, which almost certainly use IPX. Tunngle (I'm assuming is pretty much the same as the old Kali client from back in the day) is essentially just EoIP, and the outer packets are the only things that would need to be able to use IPv6 to reach other IPv6 hosts. As for the "port forwarding" aspect, you obviously won't need to set up NAT pinholes, but you will need to allow the port in your firewall's forwarding chain - either to your PC's address, or to the LAN in general if you don't care.

As for the three IPv6 addresses on your computer, here's how those work:
FE80:: is link-local, meaning that it cannot be forwarded through routers. Every network segment with IPv6 on it will have a link-local address. IPv6-aware hosts can talk to each other over the LAN using each other's link-local address, even if you never assign any routable (global scope) IPv6 addresses. These are the same as 169.254.x.x IPv4 addresses.

The two global-scope addresses are going to be the EUI-64 address and the privacy address. If you look at the two addresses, I'm sure that you'll find that one of them has the last 4 groups in a pattern of xxxx:xxFF:FExx:xxxx - this is the EUI-64 address, and it's not randomly generated. The xxxx:xx and xx:xxxx portions will be your MAC address (well, the second nibble will be slightly different, but that's getting off into the technical weeds). The other IPv6 address is your computer's privacy address.

When you surf the IPv6 internet, your computer will use the privacy address as its source IPv6 address. If you want to receive inbound connections from the Internet at your computer, you should give out the EUI-64 address, as that will not change - well, the second half of it won't. The first half changes if your ISP assigns dynamic prefixes.

Now, as this pertains to Tunngle, I took a peek at the Tunngle forums and it appears that not only does it not support IPv6 but that the developer doesn't consider it a priority, and many users report that Tunngle actually breaks their IPv6 connectivity when active - so be advised of that.
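To make the EUI-64 versus privacy-address distinction from the post above concrete, here is an added example (not code from the thread or from MikroTik) that derives the modified EUI-64 identifier from a MAC, recovers the MAC from such an address, and classifies a host's addresses. It assumes only Python 3; the documentation prefix 2001:db8::/32 stands in for the ISP prefix, and the sample MAC 4c:5e:0c:ab:67:af is constructed so that it yields the link address tail shown in the first post.

```python
import ipaddress
import re
from typing import Optional

# Added example, not code from the thread. The MAC below is constructed to
# match the "4e5e:cff:feab:67af" tail of the topic author's link address;
# 2001:db8::/32 is a documentation prefix standing in for the ISP's prefix.

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def eui64_iid(mac: str) -> str:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291).

    The MAC is split in half, 0xFFFE is inserted, and bit 1 of the first
    octet (the universal/local bit) is flipped. That flip is why the second
    nibble differs from the MAC, as the post above notes:
    eui64_iid("4c:5e:0c:ab:67:af") == "4e5e:cff:feab:67af".
    """
    octets = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", mac))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return ":".join(f"{(iid[i] << 8) | iid[i + 1]:x}" for i in range(0, 8, 2))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 address, or None when the FF:FE marker
    is absent (i.e. the interface identifier is a random/privacy one)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify(addr: str) -> str:
    """Which of a host's addresses this is: link-local, EUI-64 or privacy."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"  # fe80::/10, never forwarded by routers
    if a not in GLOBAL_UNICAST:
        return "other"
    return "eui-64" if mac_from_eui64(addr) else "privacy"


if __name__ == "__main__":
    for sample in ("fe80::4e5e:cff:feab:67af",
                   "2001:db8:1::4e5e:cff:feab:67af",
                   "2001:db8:1::a1b2:c3d4:e5f6:7a8b"):
        print(sample, classify(sample), mac_from_eui64(sample))
```

The EUI-64 address is the one to put in a firewall rule for inbound connections, since its interface identifier follows the MAC and does not rotate like the privacy address.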
 
doneware
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: IPv6 router settings

Fri Jan 19, 2018 1:20 am

It's pretty cool that you get a static IPv6 setup like that. I have to rely on router advertisements from my ISP and they change my address and prefix every few days, which seems stupid to me but it's my reality.
You don't need to accept router advertisements. Your ISP shall also be assigning a /56 or similar prefix with DHCPv6 PD. Your WAN connection doesn't need to be addressed with a GUA; link-local is just fine.

Whatever DHCPv6 prefix you get assigned to your device from your ISP will create an IPv6 pool.
Then you can use this pool to delegate /64s to your interfaces. Addressing your LAN will be a piece of cake:
/ipv6 dhcp-client
add add-default-route=yes interface=uplink pool-name=ipv6pool request=prefix
/ipv6 address
add address=::d6c1:6dff:fe3f:27bc eui-64=yes from-pool=ipv6pool interface=lan
Whenever your delegated prefix changes, the router will automatically renumber your interfaces.
You can even leave the address field totally empty, or use an address of your choice, but make sure you have no more than the lower 64 bits specified: say ::1234,
or as in my config, the "autoconf" address.
 
acruhl
Member
Posts: 371
Joined: Fri Jul 03, 2015 7:22 pm

Re: IPv6 router settings

Fri Jan 19, 2018 6:37 am

I don't get what you're saying. Are you saying that once I get my global IPv6 IP and delegated prefix, I should stop listening for router advertisements and define these things statically?

I'm already addressing my LAN dynamically from the /56 that is assigned to me. The problem is, the prefix keeps changing. My ISP changes it at their whim.

So the Raspberry Pi devices I have set up in various places to do IoT stuff using IPv6 and IPsec between them become broken every few days. This sucks. I'm not aware of a workaround for this if I'm using public, global IPv6 addresses assigned by this ISP.

I suppose I could use an IPv6 tunneling service, but this breaks my streaming video because they can't geolocate me. I could use both my ISP and a tunnel for separate IPv6 networks, but what a pain that would be. It's not supposed to be that way.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPv6 router settings

Fri Jan 19, 2018 7:51 pm

Maybe ask your ISP if they could end this changing nonsense and give you a permanent prefix? Perhaps they are just new to IPv6 and don't know better. Of course, there's also a possibility that they are doing this on purpose, to make you pay more for some "enterprise" connection where the prefix does not change.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IPv6 router settings

Sat Jan 20, 2018 5:08 am

Maybe ask your ISP if they could end this changing nonsense and give you a permanent prefix? Perhaps they are just new to IPv6 and don't know better. Of course, there's also a possibility that they are doing this on purpose, to make you pay more for some "enterprise" connection where the prefix does not change.
I'd do that too, but my ISP is Comcast, and I'd have more luck flying to the moon than getting through to anyone there who A: talks to us peon end users / B: knows what IPv6 is / C: would actually get it and agree that home users need static prefixes / D: actually have the connections to get this addressed.
 
16again
Frequent Visitor
Posts: 78
Joined: Fri Dec 29, 2017 12:23 pm

Re: IPv6 router settings

Thu Jan 25, 2018 2:56 pm

2) I'm also one of the people who commonly speaks out against the common practice of dropping all ICMP.
Allowing all ICMP in isn't such a good idea either.
An ICMP ping sweep from the internet to the internal LAN will make the router start the ND process for each and every internal host pinged.
The potential is 2^64 hosts, and the router running out of resources like RAM.
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: IPv6 router settings

Thu Jan 25, 2018 4:47 pm

2) I'm also one of the people who commonly speaks out against the common practice of dropping all ICMP.
Allowing all ICMP in isn't such a good idea either.
An ICMP ping sweep from the internet to the internal LAN will make the router start the ND process for each and every internal host pinged.
The potential is 2^64 hosts, and the router running out of resources like RAM.
1) You can rate limit it with the firewall.
2) I was personally unable to replicate an IPv6 ND exhaustion attack on my MikroTik hardware on a gigabit LAN without a rate limit. The entries were tried and then purged accordingly, all well below a threshold of cache exhaustion.
3) I'm with ZeroByte: don't muck with ICMP, especially ICMPv6, unless you like causing problems and blocking the tools you'd use to troubleshoot them with. I could live with, or at least understand, an ICMPv6 ECHO block, but don't completely block ICMPv6; it's incredibly important to the fragmentation story in IPv6.
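As an added illustration (not the forum's or MikroTik's code) of what the posts above expect from the IPv6 forward chain, the following simulates RouterOS first-match rule evaluation over two constructed rule sets: one that drops all ICMPv6 and otherwise accepts everything, and one that accepts established/related traffic and ICMPv6 (rate limited, as idlemind suggests) and drops new connections arriving from the WAN. It assumes interfaces named WAN and LAN, models only the protocol, connection-state and in-interface matchers, and the limit= value is illustrative.

```python
import re
from typing import Dict, List

# Added example, not code from the thread. Both rule sets below are
# constructed for illustration and assume interfaces named WAN and LAN.
# Only protocol, connection-state and in-interface are modelled; other
# matchers (limit, comment, ...) are parsed but ignored by the simulator.

WEAK = """
/ipv6 firewall filter
add action=drop chain=forward protocol=icmpv6 comment="no ping, no ND, no PMTUD"
add action=accept chain=forward
"""
SANE = """
/ipv6 firewall filter
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward protocol=icmpv6 limit=50,5:packet
add action=drop chain=forward connection-state=new in-interface=WAN
"""

MATCHERS = ("protocol", "connection-state", "in-interface")


def parse_rules(export: str) -> List[Dict[str, str]]:
    """Turn each 'add key=value ...' line of an export into a dict."""
    rules = []
    for line in export.splitlines():
        if line.startswith("add "):
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])
            rules.append({k: v.strip('"') for k, v in pairs})
    return rules


def verdict(rules: List[Dict[str, str]], pkt: Dict[str, str]) -> str:
    """Action of the first forward rule matching pkt; a rule that omits a
    matcher matches any value, and RouterOS accepts when nothing matches."""
    for r in rules:
        if r.get("chain") != "forward":
            continue
        if all(k not in r or pkt[k] in r[k].split(",") for k in MATCHERS):
            return r["action"]
    return "accept"


def pkt(proto: str, state: str, iface: str) -> Dict[str, str]:
    return {"protocol": proto, "connection-state": state, "in-interface": iface}


# Probe packets and the verdict the thread's advice expects for each.
PROBES = [
    ("ICMPv6 from WAN (ND, PMTUD)", pkt("icmpv6", "new", "WAN"), "accept"),
    ("reply to LAN-initiated TCP", pkt("tcp", "established", "WAN"), "accept"),
    ("unsolicited TCP from WAN", pkt("tcp", "new", "WAN"), "drop"),
    ("new TCP from LAN (outbound)", pkt("tcp", "new", "LAN"), "accept"),
]


def audit(export: str) -> List[str]:
    """Names of the probes whose verdict differs from what is expected."""
    rules = parse_rules(export)
    return [name for name, p, want in PROBES if verdict(rules, p) != want]
```

Running audit() on the output of "/ipv6 firewall filter export" from your own router shows at a glance whether ICMPv6 or unsolicited inbound connections are being handled the way this thread recommends.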
 
Phillip
just joined
Posts: 21
Joined: Sun Jan 07, 2018 6:56 am

Re: IPv6 router settings

Sun Jan 28, 2018 3:51 pm

It's pretty cool that you get a static IPv6 setup like that. I have to rely on router advertisements from my ISP and they change my address and prefix every few days, which seems stupid to me but it's my reality.
You don't need to accept router advertisements. Your ISP shall also be assigning a /56 or similar prefix with DHCPv6 PD. Your WAN connection doesn't need to be addressed with a GUA; link-local is just fine.

Whatever DHCPv6 prefix you get assigned to your device from your ISP will create an IPv6 pool.
Then you can use this pool to delegate /64s to your interfaces. Addressing your LAN will be a piece of cake:
/ipv6 dhcp-client
add add-default-route=yes interface=uplink pool-name=ipv6pool request=prefix
/ipv6 address
add address=::d6c1:6dff:fe3f:27bc eui-64=yes from-pool=ipv6pool interface=lan
Whenever your delegated prefix changes, the router will automatically renumber your interfaces.
You can even leave the address field totally empty, or use an address of your choice, but make sure you have no more than the lower 64 bits specified: say ::1234,
or as in my config, the "autoconf" address.
Thanks for posting this. I have been trying to get the IPv6 passthrough to work using WinBox and WebFig. I could not get either to set it correctly, and I also could not enable EUI-64 with either one. The only lines I had to change were the uplink to ether1 and the lan to bridge to make the script work.
