IPv6 over PPPoE – RouterOS v5.10

IPv6 prefix delegation support comes to PPPoE in RouterOS version v5.10* so for those of you ready to jump onboard this release, here’s my attempt at a best-practice way to set it all up.


IPv6 has been around in RouterOS for a while now, but the specific feature that was introduced is called “DHCPv6 Prefix Delegation” which allows RouterOS to receive a prefix (or a bunch of framed routes if you’re more familiar with that terminology) that it can then distribute out itself.

This means for someone like myself, using IPv6 with my local Internet Service Provider becomes relatively straightforward, with no more need for tunneled IPv6 connections.

How to get it running:

Firstly, ensure your router is running v5.10 or higher* and that the IPv6 package is enabled (under system > packages).

Next, ensure the profile your pppoe connection uses has IPv6 enabled (default or yes).

Once this is done, head to IPv6 > DHCP Client and add a new entry with the following details:

Interface – <your pppoe-client interface>
Pool name – ipv6-pool
Pool prefix length – 64

This will go off and request an IPv6 Prefix Delegation (PD) and should show up like this when done.

This is pretty much all that is required to receive your prefix however if we want to actually use it somewhere, we’ll need to setup a couple more things.

Adding a publically reachable router address:

Simply copy the prefix from your DHCPv6 client, and change the last section to 1/64, allocating your first /64 subnet to a physical port in your network.

An example prefix of: 2001:1111:1111::/48
Now becomes: 2001:1111:1111::1/64

Add this address to your  interface of choice (I used my LAN network because it makes it easy to remember my LAN segment too)

Adding a basic firewall to your new public ranges:

Make sure to update the “your-lan-interface” (2 listings) and “your-pppoe-client-interface” (1 listing) to match your local router.

/ipv6 firewall filter
add action=accept chain=input comment="Router - Allow IPv6 ICMP" disabled=no protocol=icmpv6
add action=accept chain=input comment="Router - Accept established connections" connection-state=established disabled=no
add action=accept chain=input comment="Router - Accept related connections" connection-state=related disabled=no
add action=drop chain=input comment="Router - Drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Router- UDP" disabled=no protocol=udp
add action=accept chain=input comment="Router - From our LAN" disabled=no in-interface=your-lan-interface
add action=drop chain=input comment="Router - Drop other traffic" disabled=no
add action=drop chain=forward comment="LAN - Drop invalid Connections" connection-state=invalid disabled=no
add action=accept chain=forward comment="LAN - Accept UDP" disabled=no protocol=udp
add action=accept chain=forward comment="LAN - Accept ICMPv6 " disabled=no protocol=icmpv6
add action=accept chain=forward comment="LAN - Accept established Connections" connection-state=established disabled=no
add action=accept chain=forward comment="LAN - Accept related connections" connection-state=related disabled=no
add action=accept chain=forward comment="LAN - Internal traffic" disabled=no in-interface=your-lan-interface
add action=log chain=forward comment="LAN - Log everything else" disabled=no log-prefix="Log IPv6"
add action=reject chain=forward comment="LAN - Drop everything else" connection-state=new disabled=no in-interface=your-pppoe-client-interface reject-with=icmp-no-route

And there you have it!

*As of writing this v5.11 is out which fixes a bug with the hotspot that was created in v5.9 I would recommend jumping straight to v5.11.

Update: One user has reported an issue where when configuring some of these details via webfig, the RA lifetime value would be reset to 0s – Link to thread

These are the neighbour discovery settings I use at present, please change <your lan interface> to match your internal interface and duplicate the rule as needed for separate internal interfaces.

/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=yes hop-limit=unspecified interface=all managed-address-configuration=no mtu=unspecified \
other-configuration=no ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m reachable-time=unspecified retransmit-interval=unspecified
add advertise-dns=yes advertise-mac-address=yes disabled=yes hop-limit=64 interface=&lt;your lan interface&gt; managed-address-configuration=yes mtu=unspecified other-configuration=no ra-delay=3s \
ra-interval=3m20s-10m ra-lifetime=30m reachable-time=30s retransmit-interval=1s
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=2m valid-lifetime=5m
Advertisement

15 thoughts on “IPv6 over PPPoE – RouterOS v5.10

  1. Nice clear article Andrew! Almost identical to my setup which has been working flawlessly.

    Nice pic of Extreme Networks BD switches 😉

  2. Nicely done. I’d suggest a little bit of work on the firewall section, but what you have is minimally useful and good. For a good ICMP filter, look at RFC 4890, Appendix B. There is a full firewall for IPv6 ICMP filtering implemented in iptables, which can easily be translated for MT ROS. Also, you can now add IPv6 addresses “automatically” via the DHCPv6 client pool.

  3. I need to configure the pppoe server with ipv6 in Mikrotik ..so that the users can dial in and get an ipv6 address after authentication..I have tried every possible configuration but the user does not get and ipv6 address thru pppoe dialing..however with DHCPV6 server configured in Mikrotik the user is able to get an ipv6 address from the pool without dialling in.I need the users to get an ipvy address from mikrotik using pppoe..Can someone share the configuration please..

  4. I need to configure the pppoe server with ipv6 in Mikrotik ..so that the users can dial in and get an ipv6 address after authentication..I have tried every possible configuration but the user does not get and ipv6 address thru pppoe dialing..however with DHCPV6 server configured in Mikrotik the user is able to get an ipv6 address from the pool without dialling in.I need the users to get an ipvy address from mikrotik using pppoe..Can someone share the configuration please..

  5. I need to configure the pppoe server with ipv6 in Mikrotik ..so that the users can dial in and get an ipv6 address after authentication..I have tried every possible configuration but the user does not get and ipv6 address thru pppoe dialing..however with DHCPV6 server configured in Mikrotik the user is able to get an ipv6 address from the pool without dialling in.I need the users to get an ipvy address from mikrotik using pppoe..Can someone share the configuration please..

  6. Hi, i’m ISP and I will deal with DHCP and pppoe , i have configured vlans for my local area wise and configured IPv4 PPPoE it was working fine.
    Now I have taken IPv6 pool need to release this in same vlans on pppoe network.

    I have added ipv6 pool and added in ppp profile.
    My customer are getting ipv6 address but not able to get the DNS of IPv6.
    If I put static IPv6 DNS working fine.

    I need to know how DNS will release in PPPoE for my customers.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.