This afternoon our local cable company enabled dual-stack ipv6 for a group of “beta testers”. I have been using a tunnel via hurricane electric for a while, so I already had ipv6 connectivity, but alas that wasn’t a very stable connection to say the least, so I was very eager to switch to dual-stack ipv6.
I own a MikroTik RB2011UiAS-2HnD-IN and I really love it. This device has one major problem though… me, simply because most of the time I have no clue what the hell I’m doing. 😛 The email from my cable company simply stated “enable dual-stack”. As you can imagine, on most routers you can do this by opening the web administration panel and smashing your head on your keyboard; on the MikroTik… not so much. As I stated before, I have used the hurricane electric tunnel for a while, so there were some configs left over which I needed to remove. Again, because I didn’t exactly know what I was doing, I was rather doubtful about what and, better yet, what not to remove; turns out I had to remove literally everything. Once I did that the MikroTik got its prefix from my cable company and ipv6 was instantly working:
[loek@MikroTik] > /ipv6 dhcp-client print
Flags: D - dynamic, X - disabled, I - invalid
 #    INTERFACE          STATUS    PREFIX                 EXPIRES-AFTER
 0    ;;; default configuration
      ether1-gateway     bound     2a02:xxxx:xxxx::/48    25w4d22h47
One major problem with ipv6 is that, without NAT in the way, all your ipv6 enabled devices are directly reachable from the outside world. You can fix this in the MikroTik’s firewall by adding some rules to the forward chain; my full ipv6 firewall configs are shown below:
/ipv6 firewall filter export
add chain=input protocol=icmpv6
add chain=input dst-port=546 in-interface=ether1-gateway protocol=udp src-port=547
add chain=input in-interface=ether1-gateway src-address-list=whitelist
add chain=input connection-state=established in-interface=ether1-gateway
add chain=input connection-state=related in-interface=ether1-gateway
add action=drop chain=input in-interface=ether1-gateway
add chain=forward protocol=icmpv6
add chain=forward in-interface=ether1-gateway src-address-list=whitelist
add chain=forward connection-state=established in-interface=ether1-gateway
add chain=forward connection-state=related in-interface=ether1-gateway
add action=drop chain=forward in-interface=ether1-gateway
All my devices now have access to and are using ipv6 connectivity but nothing, except for my ssh whitelist, is accessible from the outside world.
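The ruleset above works because of rule order: the accepts for ICMPv6, the DHCPv6 client replies (UDP 547 to 546), the ssh whitelist and established/related traffic all sit above a final drop for anything arriving on ether1-gateway. As an added example that is not part of the original post or of RouterOS, here is a small Python audit that parses such an export and checks those invariants, so a later edit cannot silently remove the drop or break prefix renewal (the embedded export text is the rules from this post; the WAN interface name is a parameter).

```python
import re

# Constructed sample input: the `add` lines from the export in the post above.
EXPORT = """\
add chain=input protocol=icmpv6
add chain=input dst-port=546 in-interface=ether1-gateway protocol=udp src-port=547
add chain=input in-interface=ether1-gateway src-address-list=whitelist
add chain=input connection-state=established in-interface=ether1-gateway
add chain=input connection-state=related in-interface=ether1-gateway
add action=drop chain=input in-interface=ether1-gateway
add chain=forward protocol=icmpv6
add chain=forward in-interface=ether1-gateway src-address-list=whitelist
add chain=forward connection-state=established in-interface=ether1-gateway
add chain=forward connection-state=related in-interface=ether1-gateway
add action=drop chain=forward in-interface=ether1-gateway
"""

def parse_export(text):
    """Parse each `add key=value ...` line into a dict (RouterOS defaults action to accept)."""
    rules = []
    for line in text.splitlines():
        if line.startswith("add "):
            rule = dict(re.findall(r"(\S+?)=(\S+)", line))
            rule.setdefault("action", "accept")
            rules.append(rule)
    return rules

def audit(rules, wan="ether1-gateway"):
    """Return findings; an empty list means the ruleset does what the post describes."""
    findings = []
    for chain in ("input", "forward"):
        c = [r for r in rules if r.get("chain") == chain]
        # Rules are evaluated top-down, so only accepts *above* the WAN drop count.
        drop = next((i for i, r in enumerate(c)
                     if r["action"] == "drop" and r.get("in-interface") == wan), len(c))
        if drop == len(c):
            findings.append(f"{chain}: no drop for traffic arriving on {wan} (hosts exposed)")
        accepted = [r for r in c[:drop] if r["action"] == "accept"]
        states = {r.get("connection-state") for r in accepted if r.get("in-interface") == wan}
        if not {"established", "related"} <= states:
            findings.append(f"{chain}: established/related replies from {wan} not accepted")
        if not any(r.get("protocol") == "icmpv6" for r in accepted):
            findings.append(f"{chain}: ICMPv6 not accepted (neighbor discovery and PMTUD break)")
        if chain == "input" and not any(r.get("protocol") == "udp" and r.get("dst-port") == "546"
                                        and r.get("src-port") == "547" for r in accepted):
            findings.append("input: DHCPv6 client replies (547->546) not accepted; prefix renewal fails")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_export(EXPORT)) or ["ruleset OK"]:
        print(finding)
```

Feed it the output of `/ipv6 firewall filter export` from your own router; any finding means the ruleset no longer matches the intent described in this post.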