Mikrotik 6to4 IPv6 Setup

Today we are looking at how to set up a 6to4 IPv6 tunnel. I will be using a free service at http://www.tunnelbroker.net as the tunnel broker. Hurricane Electric provides this service along with some other very cool IPv6 tools. They also provide a mini IPv6 certification program to help get people started. There are a few things to point out before we start. First, I still have a hard time getting out of the IPv4 mindset in terms of scale. When given an IPv6 routed /64, I still think first in terms of subnetting it up to conserve IP addresses. What is wrong with that picture? Well, it is unlikely that I will exhaust 2^64 (18446744073709551616) addresses, especially in a test environment. Second, I still tend to think in terms of NAT for both clients behind the router and firewall rules. There is no NAT here: every IPv6 client gets a publicly routable address and is reachable from the Internet unless something drops the traffic, so this needs to be considered not only in the router's forward-chain firewall rules, but also in the built-in operating system firewall on each host. So, off to the races.

The standard out-of-the-box configuration is loaded on our Mikrotik, and we have assigned an IPv4 WAN address (I used 70.183.133.75; make sure to use your own here). The WAN address needs to be a public one: the tunnel carries IPv6 inside IPv4 (IP protocol 41) directly between your router and HE's server, so it will not come up behind a NAT device that cannot pass protocol 41 through to the router. I am using a Windows 7 machine on the LAN side. Please note that Windows versions prior to Vista do not have IPv6 enabled by default.

First, we need to create a free account on tunnelbroker.net’s website and then have them create a tunnel for us. Once that is done, we have something like this on the tunnel details page:

Fairly straightforward stuff. We have both IPv4 and IPv6 addresses for each end of the tunnel we are about to create. The "Server" addresses are Hurricane Electric's, the "Client" addresses are ours. Next, we can use the "Example Configuration" tab to generate the first bit of our Mikrotik configuration:

This will create the tunnel interface (RouterOS calls the interface type 6to4, but what HE hands out is a static 6in4 tunnel with fixed endpoints, not the anycast 2002::/16 mechanism), an IPv6 route for global unicast (2000::/3) with HE's end of the tunnel as the gateway, and assign the appropriate addresses on both ends (IPv4 and IPv6). We still need to assign an IPv6 address to our LAN interface out of the routed /64 shown on the details page, as the example script does not generate that. Here is my interface configuration:

[sourcecode language="plain"]
/ipv6 address
# tunnel endpoint, in the tunnel /64 (2001:470:1f0e:1149::/64); Router Advertisements
# over a point-to-point tunnel serve no purpose, so advertise=no would also do here
add address=2001:470:1f0e:1149::2/64 advertise=yes disabled=no eui-64=no \
interface=sit1
# LAN address, picked from the routed /64 (2001:470:1f0f:1149::/64); advertise=yes
# makes the router send Router Advertisements so LAN hosts autoconfigure (SLAAC)
add address=2001:470:1f0f:1149:1::1/64 advertise=yes disabled=no eui-64=no \
interface=ether2-master-local
[/sourcecode]

I chose an interface ID of 0001:0000:0000:0001 (a 1 in the 5th hextet plus ::1), which gives 2001:470:1f0f:1149:1::1. Any value in the last four hextets will do; the first four hextets (2001:470:1f0f:1149) are the routed /64 that HE delivers down the tunnel and must stay exactly as assigned, otherwise the address is simply not routed to you. The tunnel endpoints (::1 on HE's side, ::2 on ours) live in the other /64, 2001:470:1f0e:1149::/64, so they cannot collide with anything you pick here; the only thing to avoid is an interface ID a LAN host already uses. You only have around 18446744073709551616 choices. Choose wisely. 🙂
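To make the address layout concrete, here is an added Python example (not code from the post or from Hurricane Electric) that derives the LAN address from the routed /64 and a chosen interface ID, checks it against both prefixes, and emits the RouterOS commands. The prefixes and our WAN IPv4 are the ones shown above; HE's server IPv4 (SERVER_V4) is an assumed placeholder from TEST-NET-1, and the RouterOS lines follow HE's "Example Configuration" template as I recall it, so compare them against your own tab before pasting.

```python
"""Addressing for the HE tunnelbroker 6in4 tunnel on RouterOS.

Added example, not code from the original post or from Hurricane Electric.
Tunnel and routed prefixes are the ones shown in the post; SERVER_V4 is an
assumed TEST-NET-1 placeholder for HE's endpoint (take the real one from the
tunnel details page), and the RouterOS lines follow HE's "Example
Configuration" template as recalled here.
"""
import ipaddress
from typing import Dict, List

CLIENT_V4 = "70.183.133.75"            # our WAN IPv4 (use your own)
SERVER_V4 = "192.0.2.1"                # ASSUMPTION: placeholder for HE's server IPv4
SERVER_V6 = "2001:470:1f0e:1149::1"    # HE's end of the tunnel /64
CLIENT_V6 = "2001:470:1f0e:1149::2"    # our end of the tunnel /64
ROUTED_64 = "2001:470:1f0f:1149::/64"  # the /64 HE routes to us for the LAN
LAN_IFACE = "ether2-master-local"

IID_MASK = (1 << 64) - 1


def interface_id(addr: str) -> int:
    """Low 64 bits of an IPv6 address: the part we are free to choose."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def lan_address(routed_prefix: str, iid: int) -> ipaddress.IPv6Interface:
    """Router LAN address = routed /64 (fixed by HE) + our interface ID."""
    net = ipaddress.IPv6Network(routed_prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 routed prefix")
    if not 0 < iid <= IID_MASK:
        raise ValueError("interface ID must be non-zero and fit in 64 bits")
    addr = ipaddress.IPv6Address(int(net.network_address) | iid)
    return ipaddress.IPv6Interface(f"{addr}/64")


def check_addressing(lan: ipaddress.IPv6Interface) -> Dict[str, object]:
    """Checks worth running before pasting the config into the router."""
    tunnel_net = ipaddress.IPv6Interface(CLIENT_V6 + "/64").network
    return {
        # a LAN address outside the routed /64 is never routed to us
        "lan_in_routed_64": lan.ip in ipaddress.IPv6Network(ROUTED_64),
        # and it must not sit in the tunnel /64, which belongs to the sit1 link
        "lan_outside_tunnel_64": lan.ip not in tunnel_net,
        # both tunnel endpoints share one /64
        "endpoints_share_64": ipaddress.IPv6Address(SERVER_V6) in tunnel_net,
        # the interface ID actually in use, as 16 hex digits
        "lan_iid_hex": f"{interface_id(str(lan.ip)):016x}",
    }


def routeros_commands(lan: ipaddress.IPv6Interface) -> List[str]:
    """The three lines HE's template emits (as recalled), plus the LAN address."""
    return [
        f"/interface 6to4 add name=sit1 mtu=1280 "
        f"local-address={CLIENT_V4} remote-address={SERVER_V4}",
        f"/ipv6 route add dst-address=2000::/3 gateway={SERVER_V6}",
        f"/ipv6 address add address={CLIENT_V6}/64 interface=sit1 advertise=no eui-64=no",
        f"/ipv6 address add address={lan} interface={LAN_IFACE} advertise=yes eui-64=no",
    ]


if __name__ == "__main__":
    chosen = lan_address(ROUTED_64, 0x0001_0000_0000_0001)   # the post's ...:1::1
    print(chosen, check_addressing(chosen), sep="\n")
    print("\n".join(routeros_commands(chosen)))
```

Feeding a prefix with a changed 4th hextet (say 2001:470:1f0f:1148::/64) makes `lan_in_routed_64` come back False, which is exactly the mistake the hextet discussion above is warning about.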

Here is a pic of the Mikrotik GUI:

At this point, we should be able to perform an IPv6 ping from the router. Open up a terminal window and try:

[sourcecode language="plain"]
/ping [:resolve ipv6.google.com]
[/sourcecode]

Notice the difference in command formatting for IPv6 pings. I had to dig around on the forums to find this. Now, let's prep our Windows 7 machine. I ended up assigning an IPv6 DNS resolver manually. I used the one provided by the tunnelbroker.net account: 2001:470:20::2. Here is my Win 7 screenshot editing the IPv6 properties:

As IPv6 gives us stateless address autoconfiguration (SLAAC) from the Router Advertisements the Mikrotik now sends on the LAN, there isn't much to do in order to get Windows 7 up and running on an IPv6 network. Let's pull up an ipconfig:

We see a stable IPv6 address as well as a temporary (privacy extension) address, plus the IPv4 address info. If you want an IPv6-only test LAN, the IPv4 address on the LAN interface of the Mikrotik (192.168.88.1) can be removed once everything tests OK. So, let's head over to http://www.test-ipv6.com/ and see how things are working:

Notice that the test returns my temporary IPv6 address: Windows prefers the temporary address as the source for outbound connections, which is the whole point of privacy extensions. Now let's get some IPv6 firewall rules in place, remembering that with no NAT the forward chain is all that stands between the Internet and the LAN hosts:

[sourcecode language="plain"]
/ipv6 firewall filter
# input chain: traffic addressed to the router itself
add action=accept chain=input comment="Allow established connections" connection-state=established disabled=no
add action=accept chain=input comment="Allow related connections" connection-state=related disabled=no
# ICMPv6 carries Neighbor Discovery, Router Advertisements and Path MTU Discovery; do not block it wholesale
add action=accept chain=input comment="Router Allow IPv6 ICMP" disabled=no protocol=icmpv6
add action=accept chain=forward comment="Router Allow IPv6 ICMP" disabled=no protocol=icmpv6
# NOTE: this accepts any UDP from anywhere, Internet included, to the router itself;
# add in-interface=ether2-master-local or remove the rule before using this outside a lab
add action=accept chain=input comment="Allow UDP" disabled=no protocol=udp
add action=accept chain=forward comment="Allow HTTP" disabled=no dst-address=2001:470:1f0f:1149:7930:ae74:126a:e39f/128 dst-port=80 protocol=tcp
add action=drop chain=input disabled=no
# forward chain: LAN out to the tunnel, replies back in, everything else dropped
add action=accept chain=forward comment="Allow any to internet" disabled=no out-interface=sit1
add action=accept chain=forward comment="Allow established connections" connection-state=established disabled=no
add action=accept chain=forward comment="Allow related connections" connection-state=related disabled=no
add action=drop chain=forward disabled=no
[/sourcecode]

For testing purposes, I set up IIS on the Win7 machine and bound the service to IPv6 only, taking care NOT to use the temporary address: temporary addresses are regenerated periodically (about once a day by default), so a /128 firewall rule pinned to one would soon stop matching. The firewall rules reflect that with the forward chain rule pointing to HTTP port 80 on my Win7 box; the Windows Firewall on the box itself also has to allow inbound TCP 80, since the router's accept only gets the packet as far as the host. These rules are not complete (the input-chain "Allow UDP" rule in particular is wide open and should be limited to the LAN side or removed), but they are enough to get a test environment up and running. To test the client further, try using 'nslookup' to check resolver operation and ping -6 to a known IPv6 host (ipv6.google.com for instance).
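Because the rules above are evaluated top to bottom within each chain, with the first match deciding, it is worth tracing a few packets through them. The following Python is an added example, not code from the post: it transcribes the filter above into a small first-match evaluator, runs constructed packets through it, and includes a hardened variant of the "Allow UDP" rule (my suggestion, limiting it to in-interface=ether2-master-local). The packets are constructed test cases, the 2001:db8:: destination is a documentation address, and the labels on the two uncommented drop rules are mine.

```python
"""First-match walk through the post's /ipv6 firewall filter.

Added example; not code from the original post. The rule list transcribes the
post's filter in its original order. Packets are constructed test cases. The
hardened list is this example's suggestion, not the author's configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

WEB_HOST = "2001:470:1f0f:1149:7930:ae74:126a:e39f"   # the Win7 IIS box in the post
ROUTER_LAN = "2001:470:1f0f:1149:1::1"                 # the router's LAN address
WAN, LAN = "sit1", "ether2-master-local"


@dataclass
class Packet:
    chain: str                    # "input": to the router; "forward": through it
    proto: str                    # "tcp", "udp" or "icmpv6"
    dst: str
    in_iface: str
    out_iface: Optional[str] = None
    dst_port: Optional[int] = None
    state: str = "new"            # connection-tracking state: new/established/related


@dataclass
class Rule:
    chain: str
    action: str
    comment: str = ""
    proto: Optional[str] = None
    state: Optional[str] = None
    dst: Optional[str] = None     # CIDR, like dst-address=
    dst_port: Optional[int] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """Every matcher that is set must agree; an omitted matcher matches
        anything, which is how RouterOS treats parameters left out of a rule."""
        return (
            self.chain == p.chain
            and (self.proto is None or self.proto == p.proto)
            and (self.state is None or self.state == p.state)
            and (self.dst is None
                 or ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))
            and (self.dst_port is None or self.dst_port == p.dst_port)
            and (self.in_iface is None or self.in_iface == p.in_iface)
            and (self.out_iface is None or self.out_iface == p.out_iface)
        )


def post_rules() -> List[Rule]:
    """The post's filter, same order; the uncommented drops get labels here."""
    return [
        Rule("input", "accept", "Allow established connections", state="established"),
        Rule("input", "accept", "Allow related connections", state="related"),
        Rule("input", "accept", "Router Allow IPv6 ICMP", proto="icmpv6"),
        Rule("forward", "accept", "Router Allow IPv6 ICMP", proto="icmpv6"),
        Rule("input", "accept", "Allow UDP", proto="udp"),
        Rule("forward", "accept", "Allow HTTP", proto="tcp", dst=WEB_HOST + "/128", dst_port=80),
        Rule("input", "drop", "input default drop"),
        Rule("forward", "accept", "Allow any to internet", out_iface=WAN),
        Rule("forward", "accept", "Allow established connections", state="established"),
        Rule("forward", "accept", "Allow related connections", state="related"),
        Rule("forward", "drop", "forward default drop"),
    ]


def hardened_rules() -> List[Rule]:
    """Same policy, with UDP to the router accepted only from the LAN side
    (in-interface=ether2-master-local); an assumed fix, not the post's rule."""
    rules = post_rules()
    rules[4] = Rule("input", "accept", "Allow UDP from LAN", proto="udp", in_iface=LAN)
    return rules


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule in the packet's chain decides. If nothing matches,
    RouterOS applies its default policy, which is accept."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return "accept", "default policy (no rule matched)"


# Constructed packets (not captures from the post).
SNMP_FROM_INTERNET = Packet("input", "udp", ROUTER_LAN, WAN, dst_port=161)
SSH_FROM_INTERNET = Packet("input", "tcp", ROUTER_LAN, WAN, dst_port=22)
HTTP_TO_IIS = Packet("forward", "tcp", WEB_HOST, WAN, out_iface=LAN, dst_port=80)
RDP_TO_IIS = Packet("forward", "tcp", WEB_HOST, WAN, out_iface=LAN, dst_port=3389)
LAN_TO_INTERNET = Packet("forward", "tcp", "2001:db8::80", LAN, out_iface=WAN, dst_port=443)
REPLY_TO_LAN = Packet("forward", "tcp", WEB_HOST, WAN, out_iface=LAN, dst_port=49152,
                      state="established")

if __name__ == "__main__":
    cases = [("SNMP to router", SNMP_FROM_INTERNET), ("SSH to router", SSH_FROM_INTERNET),
             ("HTTP to IIS", HTTP_TO_IIS), ("RDP to IIS", RDP_TO_IIS),
             ("LAN to Internet", LAN_TO_INTERNET), ("reply to LAN", REPLY_TO_LAN)]
    for name, pkt in cases:
        print(f"{name:16} post: {evaluate(post_rules(), pkt)}  "
              f"hardened: {evaluate(hardened_rules(), pkt)}")
```

The run shows the two points that matter: SNMP (or any other UDP) from the Internet to the router is accepted by the post's rules and dropped by the hardened list, and dropping the final forward-chain drop makes RDP to the IIS box fall through to RouterOS's default accept, which is why an explicit drop must close each chain.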