How to get IPv6 with a Mikrotik router via an IPv6 tunnel broker

March 2, 2013

You want to try IPv6 but you’re provider doesn’t give you IPv6 addresses? If your router is a Mikrotik this howto will show you how to use an IPv6 tunnel brocker. This setup will also work for guys with a dynamic IP as most home users do.

Signup with an IPv6 tunnel broker

Go to this Wikipedia page for a list of IPv6 tunnel brokers. I’ve chosen the guys at Hurricane Electric as its free and works also with dynamic IP addresses. Other brokers which provide also 6in4 (in RouterOS called /interface 6to4) which provide a method to update of your IP address via a web URL will work too. If you’ve a static IPv4 address the choosing gets even easier.

Following shows whats needs to be done if you use Hurricane Electric as tunnel broker. The tunnel broker wants to be able to ping your router via IPv4 … lets enable that (only if you disabled ping in the first place)

/ip firewall filter add chain=input icmp-options=8:0 protocol=icmp src-address=66.220.2.74

Move this rule to a place before the blocking rule. This rule is made in a way that it opens the least possible hole which is needed for the tunnel broker to work. Now go to the broker website and do following:

  • Click on “Create Regular Tunnel”
  • Under “IPv4 Endpoint (Your side):” enter your current IPv4 address
  • Choose a server location, for better performance choose one thats not that far away from you. 😉
  • After Creating the Tunnel you’ll be shown a web page with following important information you’ll need later:
    • Tunnel ID
    • Server IPv4 Address
    • Server IPv6 Address
    • Client IPv4 Address
    • Client IPv6 Address
    • Routed /64

For the commands I’ll use “Tunnel ID” if you should use your Tunnel Id and so on.

Mikrotik Tunnel Setup

First make sure that you’ve the IPv6 package enabled -use following command:

[[email protected]] > /system package print
Flags: X - disabled
# NAME VERSION SCHEDULED
0 X ipv6 6.0rc11
.....

In this example it is not enabled, so we need to enable it and reboot.

[[email protected]] > /system package enable ipv6
[[email protected]] > /system reboot

Now it should look like this:

[[email protected]] > /system package print
Flags: X - disabled
# NAME VERSION SCHEDULED
0 ipv6 6.0rc11

.....

After this is done we can start configuring. First we need to create the tunnel endpoint on our side.

[[email protected]] /ip firewall filter> /interface 6to4 add comment="Hurricane Electric IPv6 Tunnel Broker" disabled=no local-address="Client IPv4 Address" mtu=1280 name=sit1 remote-address="Server IPv4 Address"

After that we need to tell the router this is his new default gateway.

[[email protected]] /ip firewall filter> /ipv6 route add dst-address=2000::/3 gateway="Server IPv6 Address"

And of course we need also an IPv6 address.

[[email protected]] /ip firewall filter> /ipv6 address add address="Client IPv6 Address"/64 advertise=yes eui-64=no interface=sit1

Now we can test our setup the first time. Lets check if the router is able to ping an IPv6 address in the Internet … we use for this the Google DNS servers.

[[email protected]] > ping 2001:4860:4860::8844
HOST SIZE TTL TIME STATUS
2001:4860:4860::8844 56 58 36ms echo reply
2001:4860:4860::8844 56 58 35ms echo reply
2001:4860:4860::8844 56 58 46ms echo reply
sent=3 received=3 packet-loss=0% min-rtt=35ms avg-rtt=39ms max-rtt=46ms

If this does not work .. try to ping “Server IPv6 Address”. If this does work you got something wrong which the default gateway. If this also does not work .. check your tunnel setup and your IPv6 address.

Mikrotik Setup for the Clients

Now we got it working for the Mikrotik but it would be even better to have IPv6 for the clients. To achieve this we need to configure an IPv6 address on the LAN interface and enable
the advertisement to the clients. Take the “Routed /64” address and add an 1 between the :: and the “/” – this give you the first IP address in the routed subnet.

e.g. 2001:xxx:xxx:xxx::/64 –> 2001:xxx:xxx:xxx::1/64

This leads to following command:

/ipv6 address add interface="your LAN interface" address="IP address in your routed IPv6 subnet" advertise=yes

Now wait a little bit (some minutes) and check if your client operation system got an IPv6 address from the routed subnet. I’ll show it here on an Ubuntu 12.04:

$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:xx:xx:xx:xx:xx
inet addr:10.xx.xx.xx Bcast:10.xx.xx.xx Mask:255.255.255.0
inet6 addr: 2001:470:xxx:xxx:xxx:xxx:xxx:xxx/64 Scope:Global
inet6 addr: 2001:470:xxx:xxx:xxx:xxx:xxx:xxx/64 Scope:Global
inet6 addr: fe80::xxx:xxx:xxx:xxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5733100 errors:0 dropped:0 overruns:0 frame:0
TX packets:4191113 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4271914251 (4.2 GB) TX bytes:841997928 (841.9 MB)
Interrupt:22 Memory:f6ae0000-f6b00000

You’ll see 3 IPv6 addresses, which are used for following:

  • Scope: Link: Only used for communication within the local VLAN … is always there if IPv6 is enabled on the client
  • Scope:Global:  The second one has the MAC address of this interface in it. This is already a worldwide IP address, but it will tell everyone your MAC address .. which is not that good. So there is the first global one which uses a random part. This feature is called “privacy extension” and the IP is changed by the system after some time. If the privacy extension is activated this IP will be used for communicating.

If you’ve 2 or better 3 IPv6 addresses you can try to ping the Google DNS server:

$ ping6 2001:4860:4860::8844
PING 2001:4860:4860::8844(2001:4860:4860::8844) 56 data bytes
64 bytes from 2001:4860:4860::8844: icmp_seq=1 ttl=57 time=36.7 ms
64 bytes from 2001:4860:4860::8844: icmp_seq=2 ttl=57 time=39.6 ms
64 bytes from 2001:4860:4860::8844: icmp_seq=3 ttl=57 time=48.6 ms
64 bytes from 2001:4860:4860::8844: icmp_seq=4 ttl=57 time=55.3 ms

So this seems to work .. now we need to check if your DNS server reports IPv4 and IPv6 addresses back .. if this is not the case your need to configure your DNS correctly or change to an other server … e.g. the Google DNS Servers.

We’ll verify the correct working with following command:

$ host robert.penz.name
robert.penz.name has address 108.162.198.82
robert.penz.name has address 108.162.199.82
robert.penz.name has IPv6 address 2400:cb00:2048:1::6ca2:c652
robert.penz.name has IPv6 address 2400:cb00:2048:1::6ca2:c752
robert.penz.name mail is handled by 10 mail.penz.name.

This looks good … now you’ll only need to configure a firewall on your Mikrotik as you’re clients now have IPv6 address which can be reached worldwide. Your IPv4 firewall is not enough – you need to filter in /ipv6 firewall.

Mikrotik Setup for users with a dynamic IPv4 address

Now we need to make sure the tunnel broker knows our new IPv4 address after each change. For this Hurricane Electric’s provides a web URL which is described here. Thats nice as there are already some DynDNS update scripts available in the Mikrotik Wiki.

I’ve changed the 5.x one in following parts:

  • “username”: Your Hurricane Electric’s username
  • “password”: Your Hurricane Electric’s password
  • “hostname”: Your “Tunnel ID”
  • I’ve changed the /tool fetch line by replacing members.dyndns.org with ipv4.tunnelbroker.net
  • And at last I added  /interface 6to4 set 0 local-address=$currentIP after :log info ("UpdateDynDNS: Dyndns Update Result: ".$result) line as we need also to change our local tunnel IP address.

Thats it .. call this script every few minutes and you’ll have IPv6 connectivity even after your IP address changes. I’ll hope this article gets others also in the IPv6 world.

5 Comments »

RSS feed for comments on this post. TrackBack URI

  1. This is so much better, than the configs from Tunnelbroker or the official manual from Mikrotik.

    They both skip the configuration of the local interface, as a result advertisements do not work :-/

    Thanks!

    Comment by Synth — October 31, 2014 #

  2. This is an excellent guide and was exactly what I was looking for. Well worth a try if you want to play with IPv6.

    Thanks.

    Comment by Matt — April 29, 2015 #

  3. Hi Thanks for the beautiful tutorial. Can I create a 6in4 Tunnel in Mikrotik and at the same time I can have both ipv4 and ipv6 address assigned to a output port from the mikrotik device. I will use hat output port as input for a second firewall which will have both ipv6 and ipv4 address in the same interface.

    it may look like below

    ipv4 ISP—->Mikrotik With 6in4 Tunnel->Firewall/Router with both ipv4 and ipv6 address obtained from Mikrotik in same interface->IPV4 and IPV6 Clients

    Comment by Neelim — September 16, 2015 #

  4. No problem. You need just to change the /64 network from HE to an /48 and point a static route to the Firewall. Only one /64 out of the /48 is used as transit subnet.

    Comment by robert — September 16, 2015 #

  5. sorry , but I don’t understand the ipv6 address that I have to put on my local-bridge lan …..

    my tunnel give me this address :

    2001:470:25:64c::2/64

    thanks for the tutorial.

    Comment by luccosen — January 6, 2016 #

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 74 queries. 0.235 seconds.