IPv6 prefix delegation support comes to PPPoE in RouterOS v5.10*, so for those of you ready to jump onboard this release, here’s my attempt at a best-practice way to set it all up.
IPv6 has been around in RouterOS for a while now, but the specific feature that was introduced is called “DHCPv6 Prefix Delegation” which allows RouterOS to receive a prefix (or a bunch of framed routes if you’re more familiar with that terminology) that it can then distribute out itself.
This means for someone like myself, using IPv6 with my local Internet Service Provider becomes relatively straightforward, with no more need for tunneled IPv6 connections.
How to get it running:
Firstly, ensure your router is running v5.10 or higher* and that the IPv6 package is enabled (under system > packages).
Next, ensure the profile your PPPoE connection uses has IPv6 enabled (default or yes).
Then add a DHCPv6 client with the following settings:
Interface – <your pppoe-client interface>
Pool name – ipv6-pool
Pool prefix length – 64
This will go off and request an IPv6 Prefix Delegation (PD) and should show up like this when done.
Adding a publicly reachable router address:
Simply copy the prefix from your DHCPv6 client, and change the last section to 1/64, allocating your first /64 subnet to a physical port in your network.
An example prefix of: 2001:1111:1111::/48
Now becomes: 2001:1111:1111::1/64
Add this address to your interface of choice (I used my LAN network because it makes it easy to remember my LAN segment too).
Adding a basic firewall to your new public ranges:
Make sure to update the “your-lan-interface” (2 listings) and “your-pppoe-client-interface” (1 listing) to match your local router.
/ipv6 firewall filter
add action=accept chain=input comment="Router - Allow IPv6 ICMP" disabled=no protocol=icmpv6
add action=accept chain=input comment="Router - Accept established connections" connection-state=established disabled=no
add action=accept chain=input comment="Router - Accept related connections" connection-state=related disabled=no
add action=drop chain=input comment="Router - Drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Router- UDP" disabled=no protocol=udp
add action=accept chain=input comment="Router - From our LAN" disabled=no in-interface=your-lan-interface
add action=drop chain=input comment="Router - Drop other traffic" disabled=no
add action=drop chain=forward comment="LAN - Drop invalid Connections" connection-state=invalid disabled=no
add action=accept chain=forward comment="LAN - Accept UDP" disabled=no protocol=udp
add action=accept chain=forward comment="LAN - Accept ICMPv6 " disabled=no protocol=icmpv6
add action=accept chain=forward comment="LAN - Accept established Connections" connection-state=established disabled=no
add action=accept chain=forward comment="LAN - Accept related connections" connection-state=related disabled=no
add action=accept chain=forward comment="LAN - Internal traffic" disabled=no in-interface=your-lan-interface
add action=log chain=forward comment="LAN - Log everything else" disabled=no log-prefix="Log IPv6"
add action=reject chain=forward comment="LAN - Drop everything else" connection-state=new disabled=no in-interface=your-pppoe-client-interface reject-with=icmp-no-route
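RouterOS evaluates filter rules top to bottom and stops at the first terminating match, so rule order decides what unsolicited traffic from the PPPoE side reaches the LAN. The Python sketch below is an added example, not part of the original post: it is a simplified model that understands only the three matchers used in the forward rules above (protocol, connection-state, in-interface) and reports which rule decides two constructed packets.

```python
import shlex

# Forward-chain rules copied from the filter list above (disabled=no omitted).
FORWARD_RULES = """
add action=drop chain=forward comment="LAN - Drop invalid Connections" connection-state=invalid
add action=accept chain=forward comment="LAN - Accept UDP" protocol=udp
add action=accept chain=forward comment="LAN - Accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="LAN - Accept established Connections" connection-state=established
add action=accept chain=forward comment="LAN - Accept related connections" connection-state=related
add action=accept chain=forward comment="LAN - Internal traffic" in-interface=your-lan-interface
add action=log chain=forward comment="LAN - Log everything else" log-prefix="Log IPv6"
add action=reject chain=forward comment="LAN - Drop everything else" connection-state=new in-interface=your-pppoe-client-interface reject-with=icmp-no-route
"""

MATCHERS = ("protocol", "connection-state", "in-interface")  # assumption: only these are modelled
TERMINATING = ("accept", "drop", "reject")

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; shlex handles the quoted values."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules

def verdict(rules, chain, packet):
    """Return (action, comment) of the first terminating rule the packet matches."""
    for rule in rules:
        if rule.get("chain") != chain or rule.get("disabled") == "yes":
            continue
        matched = all(rule[m] == packet.get(m) for m in MATCHERS if m in rule)
        if matched and rule["action"] in TERMINATING:  # 'log' passes through
            return rule["action"], rule.get("comment", "")
    return "accept", "(end of chain: default accept)"

RULES = parse_rules(FORWARD_RULES)
WAN = "your-pppoe-client-interface"
# Constructed packets: new, unsolicited connections arriving on the PPPoE interface.
new_tcp = {"protocol": "tcp", "connection-state": "new", "in-interface": WAN}
new_udp = {"protocol": "udp", "connection-state": "new", "in-interface": WAN}

if __name__ == "__main__":
    for name, pkt in (("new TCP from WAN", new_tcp), ("new UDP from WAN", new_udp)):
        print(name, "->", verdict(RULES, "forward", pkt))
```

With the rules as listed, new inbound TCP falls through to the final reject, while new inbound UDP is accepted by "LAN - Accept UDP" before it gets there. Adding an in-interface or connection-state matcher to that rule in the model changes the second verdict.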
And there you have it!
*As of writing this, v5.11 is out, which fixes a bug with the hotspot that was created in v5.9. I would recommend jumping straight to v5.11.
Update: One user has reported an issue where, when configuring some of these details via webfig, the RA lifetime value would be reset to 0s – Link to thread
These are the neighbour discovery settings I use at present. Please change <your lan interface> to match your internal interface, and duplicate the rule as needed for separate internal interfaces.
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=yes hop-limit=unspecified interface=all managed-address-configuration=no mtu=unspecified \
    other-configuration=no ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m reachable-time=unspecified retransmit-interval=unspecified
add advertise-dns=yes advertise-mac-address=yes disabled=yes hop-limit=64 interface=<your lan interface> managed-address-configuration=yes mtu=unspecified other-configuration=no ra-delay=3s \
    ra-interval=3m20s-10m ra-lifetime=30m reachable-time=30s retransmit-interval=1s
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=2m valid-lifetime=5m