IPv6 over PPPoE – RouterOS v5.10

IPv6 prefix delegation support comes to PPPoE in RouterOS v5.10*, so for those of you ready to jump on board with this release, here’s my attempt at a best-practice way to set it all up.

IPv6 has been around in RouterOS for a while now, but the specific feature that was introduced is called “DHCPv6 Prefix Delegation”, which allows RouterOS to receive a prefix (or a bunch of framed routes, if you’re more familiar with that terminology) that it can then distribute itself.

This means for someone like myself, using IPv6 with my local Internet Service Provider becomes relatively straightforward, with no more need for tunneled IPv6 connections.

How to get it running:

Firstly, ensure your router is running v5.10 or higher* and that the IPv6 package is enabled (under System > Packages).

Next, ensure the profile your PPPoE connection uses has IPv6 enabled (default or yes).

Once this is done, head to IPv6 > DHCP Client and add a new entry with the following details:

Interface – <your pppoe-client interface> 
Pool name – ipv6-pool 
Pool prefix length – 64

This will go off and request an IPv6 Prefix Delegation (PD) and should show up like this when done.

This is pretty much all that is required to receive your prefix. However, if we want to actually use it somewhere, we’ll need to set up a couple more things.

Adding a publicly reachable router address:

Simply copy the prefix from your DHCPv6 client, and change the last section to 1/64, allocating your first /64 subnet to a physical port in your network.

An example prefix of: 2001:1111:1111::/48
Now becomes: 2001:1111:1111::1/64

Add this address to your interface of choice (I used my LAN network because it makes it easy to remember my LAN segment too).

Adding a basic firewall to your new public ranges:

Make sure to update the “your-lan-interface” (2 listings) and “your-pppoe-client-interface” (1 listing) to match your local router.

/ipv6 firewall filter
add action=accept chain=input comment="Router - Allow IPv6 ICMP" disabled=no protocol=icmpv6
add action=accept chain=input comment="Router - Accept established connections" connection-state=established disabled=no
add action=accept chain=input comment="Router - Accept related connections" connection-state=related disabled=no
add action=drop chain=input comment="Router - Drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Router- UDP" disabled=no protocol=udp
add action=accept chain=input comment="Router - From our LAN" disabled=no in-interface=your-lan-interface
add action=drop chain=input comment="Router - Drop other traffic" disabled=no
add action=drop chain=forward comment="LAN - Drop invalid Connections" connection-state=invalid disabled=no
add action=accept chain=forward comment="LAN - Accept UDP" disabled=no protocol=udp
add action=accept chain=forward comment="LAN - Accept ICMPv6" disabled=no protocol=icmpv6
add action=accept chain=forward comment="LAN - Accept established Connections" connection-state=established disabled=no
add action=accept chain=forward comment="LAN - Accept related connections" connection-state=related disabled=no
add action=accept chain=forward comment="LAN - Internal traffic" disabled=no in-interface=your-lan-interface
add action=log chain=forward comment="LAN - Log everything else" disabled=no log-prefix="Log IPv6"
add action=reject chain=forward comment="LAN - Drop everything else" connection-state=new disabled=no in-interface=your-pppoe-client-interface reject-with=icmp-no-route
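
To check what this ruleset admits from the PPPoE side, the following added example (not part of the original post) runs a simplified first-match evaluation of the rules above in Python. It models only the chain, protocol, connection-state and in-interface matchers, and the function names are assumptions of this example; it reports which protocols are accepted as new connections arriving on the PPPoE interface.

```python
import shlex

# The page's /ipv6 firewall filter rules (disabled=no omitted; interface names are its placeholders).
RULES = """
add action=accept chain=input comment="Router - Allow IPv6 ICMP" protocol=icmpv6
add action=accept chain=input comment="Router - Accept established connections" connection-state=established
add action=accept chain=input comment="Router - Accept related connections" connection-state=related
add action=drop chain=input comment="Router - Drop invalid connections" connection-state=invalid
add action=accept chain=input comment="Router- UDP" protocol=udp
add action=accept chain=input comment="Router - From our LAN" in-interface=your-lan-interface
add action=drop chain=input comment="Router - Drop other traffic"
add action=drop chain=forward comment="LAN - Drop invalid Connections" connection-state=invalid
add action=accept chain=forward comment="LAN - Accept UDP" protocol=udp
add action=accept chain=forward comment="LAN - Accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="LAN - Accept established Connections" connection-state=established
add action=accept chain=forward comment="LAN - Accept related connections" connection-state=related
add action=accept chain=forward comment="LAN - Internal traffic" in-interface=your-lan-interface
add action=log chain=forward comment="LAN - Log everything else" log-prefix="Log IPv6"
add action=reject chain=forward comment="LAN - Drop everything else" connection-state=new in-interface=your-pppoe-client-interface reject-with=icmp-no-route
"""
MATCHERS = ("chain", "protocol", "connection-state", "in-interface")  # only these are modelled

def parse(text):
    """Turn each 'add key=value ...' line into a dict of its parameters."""
    lines = (shlex.split(line) for line in text.strip().splitlines())
    return [dict(t.split("=", 1) for t in toks[1:]) for toks in lines if toks[:1] == ["add"]]

def verdict(rules, packet):
    """First-match evaluation of one packet; returns (action, rule comment)."""
    for rule in rules:
        # action=log is passthrough: it never decides the packet, so skip it.
        if rule["action"] != "log" and all(rule[k] == packet[k] for k in MATCHERS if k in rule):
            return rule["action"], rule.get("comment", "")
    return "accept", "no rule matched"  # RouterOS chains accept by default

def exposed(rules, chain, wan):
    """Protocols for which a NEW packet arriving on the WAN interface is accepted."""
    out = {}
    for proto in ("tcp", "udp", "icmpv6"):
        pkt = {"chain": chain, "protocol": proto, "connection-state": "new", "in-interface": wan}
        action, why = verdict(rules, pkt)
        if action == "accept":
            out[proto] = why
    return out

if __name__ == "__main__":
    for chain in ("input", "forward"):
        print(chain, exposed(parse(RULES), chain, "your-pppoe-client-interface"))
```

If the UDP accepts are only there so the DHCPv6 client can receive replies, narrowing the input rule with dst-port=546 and the PPPoE in-interface, and dropping the forward UDP accept, removes the remaining UDP exposure.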

And there you have it!

*As of writing this, v5.11 is out, which fixes a bug with the hotspot that was introduced in v5.9. I would recommend jumping straight to v5.11.

Update: One user has reported an issue where, when configuring some of these details via WebFig, the RA lifetime value would be reset to 0s.

These are the neighbour discovery settings I use at present. Please change <your lan interface> to match your internal interface, and duplicate the rule as needed for separate internal interfaces.

/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=yes hop-limit=unspecified interface=all managed-address-configuration=no mtu=unspecified \
    other-configuration=no ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m reachable-time=unspecified retransmit-interval=unspecified
add advertise-dns=yes advertise-mac-address=yes disabled=yes hop-limit=64 interface=<your lan interface> managed-address-configuration=yes mtu=unspecified other-configuration=no ra-delay=3s \
    ra-interval=3m20s-10m ra-lifetime=30m reachable-time=30s retransmit-interval=1s
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=2m valid-lifetime=5m