This afternoon our local cable company enabled dual-stack IPv6 for a group of “beta testers”. I have been using a tunnel via Hurricane Electric for a while, so I already had IPv6 connectivity, but alas that wasn’t a very stable connection, to say the least, so I was very eager to switch to dual-stack IPv6.

I own a MikroTik RB2011UiAS-2HnD-IN and I really love it. This device has one major problem though… me, simply because most of the time I have no clue what the hell I’m doing. 😛 The email from my cable company simply stated “enable dual-stack”. As you can imagine, on most routers you can do this by opening the web administration panel and smashing your head on your keyboard; on the MikroTik… not so much. As I stated before, I have used the Hurricane Electric tunnel for a while, so there were some configs left over which I needed to remove. Again, because I didn’t exactly know what I was doing, I was rather doubtful about what to remove and, better yet, what not to remove; it turns out I had to remove literally everything. Once I did that, the MikroTik got its prefix from my cable company and IPv6 was instantly working:

[loek@MikroTik] > /ipv6 dhcp-client print
Flags: D - dynamic, X - disabled, I - invalid
 #   INTERFACE        STATUS   PREFIX                EXPIRES-AFTER
 0   ;;; default configuration
     ether1-gateway   bound    2a02:xxxx:xxxx::/48   25w4d22h47

One major problem with IPv6 is that all your IPv6-enabled devices are directly accessible from the outside world. You can fix this in the MikroTik’s firewall by adding some rules to the forward chain; my full IPv6 firewall configs are shown below:

/ipv6 firewall filter export
add chain=input protocol=icmpv6
add chain=input dst-port=546 in-interface=ether1-gateway protocol=udp src-port=547
add chain=input in-interface=ether1-gateway src-address-list=whitelist
add chain=input connection-state=established in-interface=ether1-gateway
add chain=input connection-state=related in-interface=ether1-gateway
add action=drop chain=input in-interface=ether1-gateway
add chain=forward protocol=icmpv6
add chain=forward in-interface=ether1-gateway src-address-list=whitelist
add chain=forward connection-state=established in-interface=ether1-gateway
add chain=forward connection-state=related in-interface=ether1-gateway
add action=drop chain=forward in-interface=ether1-gateway

All my devices now have access to and are using IPv6 connectivity, but nothing, except for my SSH whitelist, is accessible from the outside world.
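To see why the forward chain above has that effect, here is an added Python model (not the author's code and not part of RouterOS) that walks a packet through the five forward rules with first-match semantics. The whitelist prefix 2001:db8:10::/64 and the LAN interface name bridge-local are constructed sample values, and only the matchers used in the rules above are modeled.

```python
import ipaddress

# Forward-chain rules copied from the export above; no action= means accept.
FORWARD_RULES = """\
add chain=forward protocol=icmpv6
add chain=forward in-interface=ether1-gateway src-address-list=whitelist
add chain=forward connection-state=established in-interface=ether1-gateway
add chain=forward connection-state=related in-interface=ether1-gateway
add action=drop chain=forward in-interface=ether1-gateway
"""

# Constructed sample data: documentation prefix, assumed LAN interface name.
ADDRESS_LISTS = {"whitelist": [ipaddress.ip_network("2001:db8:10::/64")]}
LAN = "bridge-local"

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts, defaulting action to accept."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["add"]:
            rule = dict(tok.split("=", 1) for tok in tokens[1:])
            rule.setdefault("action", "accept")
            rules.append(rule)
    return rules

def matches(rule, pkt):
    """A rule matches only if every matcher it lists agrees with the packet."""
    for key, want in rule.items():
        if key in ("action", "chain"):
            continue
        if key == "src-address-list":
            src = ipaddress.ip_address(pkt["src-address"])
            if not any(src in net for net in ADDRESS_LISTS.get(want, [])):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def verdict(rules, chain, pkt):
    """First matching rule decides; a packet matching no rule is accepted."""
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["action"]
    return "accept"

def packet(iface, src, state="new", proto="tcp"):
    return {"in-interface": iface, "src-address": src,
            "connection-state": state, "protocol": proto}
```

A new TCP connection arriving on ether1-gateway from a non-whitelisted source returns "drop", while the same packet evaluated without the final rule returns "accept", so the closing drop rule is what keeps LAN hosts unreachable. The whitelist rule matches on source address only, so a whitelisted source is accepted on every port, not just SSH.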

ZeelandNet dual-stack ipv6!