MikroTik RouterOS IPv6 connection to BT Infinity

For the most part, everything you should need is in the video that I made, which can be found below. Everything other than that is mostly just notes/ramblings.

Install/check the IPv6 Package

First off, you will need to ensure that the IPv6 package is present on your router. The easiest way to do this is to check if there is an 'IPv6' option present in WinBox or WebFig. Otherwise you can navigate to System>Packages and check if the 'ipv6' package is present and enabled. From the terminal you can see if the package is there by issuing the command /system package print. If you see 'ipv6' listed and there is not an uppercase X next to it then you are good to go.

Setup the DHCPv6 Client for DHCPv6-PD

To get connected to the ISP (BT for the purposes of this guide) you need to be able to receive address information. With IPv4 you receive a single public IP address from the ISP, which they then use to route back to you. You get a single address due to the exhaustion of the available address space. When you move over to IPv6 the ISP instead sends you an entire network prefix.

There are some arguments about BT handing out dynamic prefixes; lots of people are upset that they are not handing out static prefixes, as there are more than enough to go around. In the video I made you will see that the "Prefix Expires After" for this dynamically assigned prefix is 10 years (3650 days), which should cover most residential needs, if it is true. If you need any more permanence than that you should be using a business broadband account, or switch to another provider.

In addition to this, once we have received our prefix from the ISP we can go back into the DHCPv6 Client settings and put in a "Prefix Hint". Adding the dynamic prefix that you received as a "Prefix Hint" should make the router re-request that prefix from the ISP after a loss of connectivity. I don't know this for sure at the moment; the MikroTik documentation says the hint requests a prefix length, but if you put that into the router it errors, while it does accept me putting in a network prefix.

Add an IPv6 Address to the Bridge Interface

If you are on a more modern version of RouterOS then you are likely to be using a Bridge to connect your interfaces together; if you aren't, then you know what you are doing a lot better than I do and you can carry on however you want. I have done this the simplest way, by implementing EUI-64. If you want to set up a DHCPv6 Server and run it that way then there is nothing stopping you.

IPv6 DNS Servers

I have used the Cloudflare DNS Servers here. I use them for both IPv4 and IPv6 because they are faster, more secure, and more private than anything else.

Firewall Rules

As we are using IPv6 and a Global Prefix, the necessity for NAT (masquerade on the MikroTik RouterOS) has disappeared. We still need some firewall rules to protect us from all the threats that exist on the internet. Having said that, the rules that I have put together so far are not by any means complete/exhaustive. Nobody should use them without knowing that they are, no doubt, leaving themselves open to some form of attack. If you use these rules and are compromised, consider this fair warning to do your due diligence and spend more time to implement a comprehensive and secure firewall.

ipv6 firewall filter add chain=input action=reject reject-with=icmp-no-route connection-state=invalid in-interface=PPPoE log=no log-prefix="" comment="Reject invalid traffic to the Router"

ipv6 firewall filter add chain=forward action=reject reject-with=icmp-no-route connection-state=!established,related,untracked in-interface=PPPoE log=no log-prefix="" comment="Reject unsolicited traffic to the LAN"

ipv6 firewall filter add chain=forward action=reject reject-with=icmp-no-route connection-state=invalid in-interface=PPPoE log=no log-prefix="" comment="Reject invalid traffic to the LAN"

ipv6 firewall filter add chain=input action=accept in-interface=HomeLAN log=no log-prefix="" comment="Accept LAN traffic to the router"

ipv6 firewall filter add chain=forward action=accept in-interface=HomeLAN log=no log-prefix="" comment="Accept LAN traffic"

ipv6 firewall filter add chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" comment="Accept established, related and untracked traffic"

ipv6 firewall filter add chain=forward action=drop log=yes log-prefix="" comment="Drop everything else"
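To see what the seven rules above actually decide, the following added example (not part of the original post, and not MikroTik code) models them as a first-match list and checks each chain, interface and connection-state combination. It assumes that "!" negates the whole connection-state list and that a chain with no matching rule accepts the packet; the interface name "other" and all function names are made up for the model.

```python
# Added example: a first-match model of the seven rules above, trimmed to the
# fields that affect matching. Assumption: "!" negates the whole state list.
RULES = """\
chain=input action=reject connection-state=invalid in-interface=PPPoE
chain=forward action=reject connection-state=!established,related,untracked in-interface=PPPoE
chain=forward action=reject connection-state=invalid in-interface=PPPoE
chain=input action=accept in-interface=HomeLAN
chain=forward action=accept in-interface=HomeLAN
chain=forward action=accept connection-state=established,related,untracked
chain=forward action=drop
"""
STATES = ("new", "established", "related", "invalid", "untracked")

def parse(text):
    """Turn each 'key=value ...' line into a dict of matchers."""
    return [dict(tok.split("=", 1) for tok in line.split())
            for line in text.splitlines() if line.strip()]

def matches(rule, pkt):
    """A rule matches when every matcher it carries agrees with the packet."""
    if rule["chain"] != pkt["chain"]:
        return False
    if "in-interface" in rule and rule["in-interface"] != pkt["in-interface"]:
        return False
    state = rule.get("connection-state")
    if state:
        listed = pkt["connection-state"] in state.lstrip("!").split(",")
        if listed == state.startswith("!"):
            return False
    return True

def verdict(rules, chain, iface, state):
    """Return (action, rule number) of the first matching rule."""
    pkt = {"chain": chain, "in-interface": iface, "connection-state": state}
    for number, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule["action"], number
    return "accept", None  # no rule matched: the chain's default is accept

def never_hit(rules):
    """Rule numbers that win for no chain/interface/state combination."""
    hit = {verdict(rules, c, i, s)[1] for c in ("input", "forward")
           for i in ("PPPoE", "HomeLAN", "other") for s in STATES}
    return [n for n in range(1, len(rules) + 1) if n not in hit]

if __name__ == "__main__":
    rules = parse(RULES)
    print("new WAN -> router:", verdict(rules, "input", "PPPoE", "new"))
    print("new WAN -> LAN:   ", verdict(rules, "forward", "PPPoE", "new"))
    print("rules never hit:  ", never_hit(rules))
```

In this model a new connection arriving on PPPoE for the router itself matches no input rule and is accepted by default, so the input chain needs its own final drop placed after accepts for the traffic the router requires. The third rule is never reached because the second already rejects invalid traffic from PPPoE.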

You should be done

Test out your connectivity at these sites:
