I want to configure my network so hosts can auto-configure IPv6 Global Unicast Addresses ("GUA") using SLAAC. I have a ::/48 (assigned by Hurricane Electric) that I want to divide into subnets and distribute across multiple routers for that purpose. However, I followed MikroTik's documentation for Prefix Distribution ("PD"), but it didn't produce a working configuration.
MikroTik's DHCPv6 server implementation- which also delivers PD functionality- has been broken for years and remains busted as of RouterOS v6.46.6. How can I _MANUALLY_ subnet & address MikroTik routers using the ::/48 assigned to me?
MikroTik's DHCPv6 Server- which also delivers PD functionality- has been a work-in-progress for years and so I wanted to avoid any dependencies on it. This HowTo documents how I achieved this to save others solving the same problem anew.
So if you're configuring your network to enable hosts to auto-configure IPv6 GUA addresses across multiple routers, but also want an alternative to MikroTik's DHCPv6 Server implementation, continue reading...
This HowTo will instruct on manually subnetting a ::/48 Prefix & configuring (2) routers with Neighbor Discovery, RIPng enabled and a few static routes. Hosts will configure a GUA address on the subnet of the interface that they connect to.
Prefix Distribution, DHCPv6 Server and DHCPv6 Client are NOT covered as they are not used in the configuration.
I also don't detail how the ::/48 routes out of Router #1 to the Internet, as that can be network-specific. For example, the ::/48 Hurricane Electric assigned to me (FREE!) routes out of a 6to4 tunnel, whereas you might have a ::/48 assigned directly by your ISP and have none of that.
IPv6 security is a subject better dealt with separately and outside the scope of this HowTo. If you don't have an IPv6 FW configured, after getting everything working you can just disable the IPv6 interfaces until you configure a set of sensible rules.
Since this configuration only uses Neighbor Discovery, manually addressed interfaces, RIPng & some Static Routing, it should be immune to breakage in future RouterOS upgrades.
Clients tested to successfully auto-address using this solution:
A few IPv6-compatible tools to help you test & troubleshoot your config:
ping & traceroute
IPv6 addresses from iPhones & iPads
ifconfig -a
netstat -r -f inet6
ping6
traceroute6
ip -6 addr show
ip -6 route show
route -6 -n
ping6
traceroute6 -r
2001:4860:4860::8888 (Google's DNS) is a good address to use to test external connectivity.
Using a ::/48 Prefix of:
I'll illustrate how I subnetted a ::/48 that Hurricane Electric assigned me and manually addressed the interfaces on (2) routers. The process would be the same for a ::/48 not assigned by Hurricane Electric.
3.1: POINT-TO-POINT LINKS:
In this example, our (2) routers are connected to each other on ether2 using Link-Local fe80::/10 addresses, which configure themselves automatically. The Router Advertisements used for auto-address configuration are sent from these Link-Local fe80::/10 addresses, NOT from Global Unicast Addresses ("GUA").
Note on P-2-P links in RoS v6: Although a ::/126 or a ::/127 would seem the obvious choice, support for ::/127's will only come in RoS v7.
3.2 Router #1: (RB4011)
Directly connected to Internet, exposing multiple SSIDs for wireless clients. Although there are many interfaces configured for IPv6 on my RB4011, to simplify the example we'll only use:
ether2: Uplink to Router #2. No GUA address required.
wlan1: 2001:db8:1d4f:10::1/64
wlan2: 2001:db8:1d4f:11::1/64
wlan3: 2001:db8:1d4f:12::1/64
etc....
/ipv6 address
add address=2001:db8:1d4f:10::1 interface=wlan1
add address=2001:db8:1d4f:11::1 interface=wlan2
add address=2001:db8:1d4f:12::1 interface=wlan3
3.3 Router #2: (RB951-2n)
Connected to Router #1, exposing single SSID for wireless clients.
ether2: 2001:db8:1d4f:20::1/64 Uplink to Router #1. NOTE: GUA address added for WebFig access
ether3: 2001:db8:1d4f:21::1/64
ether4: 2001:db8:1d4f:22::1/64
ether5: 2001:db8:1d4f:23::1/64
wlan1: 2001:db8:1d4f:24::1/64
/ipv6 address
add address=2001:db8:1d4f:20::1 interface=ether2-master
add address=2001:db8:1d4f:21::1 interface=ether3
add address=2001:db8:1d4f:22::1 interface=ether4
add address=2001:db8:1d4f:23::1 interface=ether5
add address=2001:db8:1d4f:24::1 interface=wlan1
3.4 Additional Routers:
Were there a third router, we'd use 2001:db8:1d4f:30::X/64, incrementing subnet by 10 and use a host address of "1". If exposing lots of SSIDs, it's suggested that you increment the subnets in even numbered multiples greater than 10 to keep things tidy.
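The addressing plan from sections 3.2 to 3.4, worked through in Python as an added example (not part of the original HowTo): it carves the /64s out of the ::/48, emits the matching `/ipv6 address` lines, and shows the SLAAC address a host would form on one of those subnets. The function names and the sample MAC address are constructed for illustration, and the host address assumes the client builds its interface ID with modified EUI-64.

```python
import ipaddress

SITE = ipaddress.IPv6Network("2001:db8:1d4f::/48")   # prefix used in this HowTo's examples

def subnet_for(router: int, index: int) -> ipaddress.IPv6Network:
    """Return the /64 for a router's index-th interface; router n owns subnet IDs n0..nf (hex)."""
    if not (1 <= router <= 0xFFF and 0 <= index <= 0xF):
        raise ValueError("router must be 1..0xfff and index 0..0xf")
    subnet_id = router * 0x10 + index                 # 4th hextet: 10, 11, 12 ... 20, 21 ...
    base = int(SITE.network_address) + (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))

def routeros_commands(router: int, interfaces: list) -> list:
    """Emit the '/ipv6 address' lines, giving each interface host address ::1 in its own /64."""
    lines = ["/ipv6 address"]
    for index, iface in enumerate(interfaces):
        addr = subnet_for(router, index).network_address + 1
        lines.append(f"add address={addr} interface={iface}")
    return lines

def eui64_address(net: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """SLAAC address a host using modified EUI-64 interface IDs would form on `net`."""
    octets = bytearray.fromhex(mac.replace(":", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 6 octets")
    octets[0] ^= 0x02                                 # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return net.network_address + int.from_bytes(iid, "big")

if __name__ == "__main__":
    # Router #2 from section 3.3, interfaces in the order they are numbered there
    print("\n".join(routeros_commands(2, ["ether2-master", "ether3", "ether4", "ether5", "wlan1"])))
    # Constructed MAC address on Router #2's wlan1 subnet
    print(eui64_address(subnet_for(2, 4), "52:54:00:12:34:56"))
```

Hosts that use temporary or stable-privacy interface IDs will show a different lower 64 bits, but the upper 64 bits always match the router interface's subnet.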
3.5 Host Addressing:
Once the GUA addresses are configured on the routers and the other steps which follow are completed, network hosts will auto-configure a GUA address via SLAAC from the same subnet as the router interface they're connecting to. For example, using the above addressing plan for Router #2, a host connecting to Router #2's AP wlan1 will auto-configure a GUA address of:
4.1 RIPng: ALL Routers
Routing > RIPng: Enable RIPng on all router interfaces on all routers
/routing ripng interface add
Routing > RIPng > RIPng Settings: Enable "Redistribute Static Routes"
/routing ripng set redistribute-static=yes
4.2 Static Routes: Router #1 ONLY
Neighbor Discovery (ND) is used for link-layer address resolution (similar to ARP) & Address Auto-Config. ND is an integral part of ALL IPv6 address auto-configuration- SLAAC, DHCPv6 Server & Prefix Delegation (PD).
IPv6 > ND > Add New: On each router, add only the interfaces clients will connect to and use for SLAAC auto-address configuration. Please note the MTU's are set for 1280 as that is the size used by Hurricane Electric who routes the ::/48 they assigned to me.
For Router #1 this would be:
wlan1
wlan2
wlan3
For Router #2 this would be:
ether3
ether4
ether5
wlan1
SECURITY NOTE: There's a security issue with using ND RAs (Router Advertisements) for auto-address configuration. An attacker with access to the connected network could inject an RA into the network, triggering a device to add an IPv6 address or default route.
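One way to check for the issue in the security note, as an added example that is not part of the original HowTo: a Python audit that parses a captured Router Advertisement body (RFC 4861 layout) and flags any RA whose source, prefix or MTU does not match the manual addressing plan. The router link-local address `fe80::1`, the function names and the sample RA bytes are constructed assumptions; the prefix and the MTU of 1280 come from this page.

```python
import ipaddress
import struct

def parse_ra(payload: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement body into lifetime, MTU and advertised prefixes."""
    if len(payload) < 16 or payload[0] != 134:                    # ICMPv6 type 134 = RA
        raise ValueError("not a Router Advertisement")
    ra = {"lifetime": struct.unpack_from("!H", payload, 6)[0], "mtu": None, "prefixes": []}
    pos = 16                                                      # options follow the fixed header
    while pos + 2 <= len(payload):
        opt_type, opt_len = payload[pos], payload[pos + 1] * 8    # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(payload):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:                       # Prefix Information option
            addr = ipaddress.IPv6Address(payload[pos + 16:pos + 32])
            ra["prefixes"].append(ipaddress.IPv6Network((addr, payload[pos + 2]), strict=False))
        elif opt_type == 5 and opt_len == 8:                      # MTU option
            ra["mtu"] = struct.unpack_from("!I", payload, pos + 4)[0]
        pos += opt_len
    return ra

def audit_ra(src: str, payload: bytes, routers: set, prefixes: set, mtu: int = 1280) -> list:
    """Return findings for an RA that does not match the manual addressing plan."""
    ra, findings = parse_ra(payload), []
    if ipaddress.IPv6Address(src) not in routers:
        findings.append(f"RA from unknown router {src}")
    for prefix in ra["prefixes"]:
        if prefix not in prefixes:
            findings.append(f"unexpected prefix {prefix}")
    if ra["mtu"] not in (None, mtu):
        findings.append(f"unexpected MTU {ra['mtu']}")
    return findings

def sample_ra(prefix: str, mtu: int) -> bytes:
    """Constructed test input: RA body with one Prefix Information and one MTU option."""
    net = ipaddress.IPv6Network(prefix)
    head = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    return head + pio + net.network_address.packed + struct.pack("!BBHI", 5, 1, 0, mtu)

ROUTERS = {ipaddress.IPv6Address("fe80::1")}                  # assumed link-local of Router #2
PREFIXES = {ipaddress.IPv6Network("2001:db8:1d4f:24::/64")}   # Router #2 wlan1, section 3.3

if __name__ == "__main__":
    print(audit_ra("fe80::1", sample_ra("2001:db8:1d4f:24::/64", 1280), ROUTERS, PREFIXES))
    print(audit_ra("fe80::bad", sample_ra("2001:db8:bad::/64", 1500), ROUTERS, PREFIXES))
```

The source address passed to `audit_ra` is the IPv6 header source of the captured packet; in a real deployment the allowlist holds each router interface's actual link-local address.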
DNS:
IP > DNS: Add an IPv6 DNS source, such as 2001:4860:4860::8888 (Google), to the IPv4 one:
NTP:
System > NTP Client: Add an IPv6 NTP source, such as 2610:20:6f15:15::27, to the IPv4 one:
If you want to use an IPv6 address for WebFig or SSH access, don't forget to update:
IP > Services and add a subnet(s) to allow for administrative access to the MikroTik.
Conclusion:
By this point you should have clients auto-configuring IPv6 GUA addresses. If you spot any errors/omissions, please let me know so I can update the documentation.
Don't forget to spend some time configuring the IPv6 > Firewall and tightening-up security, or at least disable the IPv6 interfaces until you have the time to. Hope you found this useful and it helped you get up to speed quickly.