A Comprehensive Guide: How to Configure HE IPv6 Tunnelbroker on Router OS and Detailed Explanation

This post was translated by ChatGPT from my original Chinese version. If any part of it reads confusingly, please leave a comment and I will rewrite it.

Background

The broadband in my apartment provides a static public IP, but I can only choose between IPv4 and IPv6. Although that is a bit strange, I chose IPv4, and the lack of IPv6 has bothered me ever since. Finally, during the Christmas holidays, I had time to sort this out.

The simplest method is to use the free IPv6 tunnel service provided by the generous Hurricane Electric.

To be honest, the official documentation from Mikrotik on this configuration is quite poor. It took me some time to get everything working. Now let me summarize the configuration process. Unlike other guides, I will also try to explain what each step does, which also serves as a review of my undergraduate network knowledge.

Register on HE Tunnelbroker

Registration requires a public IPv4 address. Both dynamic and static are acceptable. For dynamic IPv4, a script will be added later to automatically update the registered IPv4 address on HE, so don’t worry.

First, visit: https://tunnelbroker.net/new_tunnel.php

Register an account and then create a new tunnel. Choose the nearest HE data exchange center when creating the tunnel. For China, select the Hong Kong node, and for Europe and America, select the nearest one. For example, the nearest one for me is the Stockholm data center.

When you successfully register, you should see the following interface.

Tunnel Information Image

The configuration below needs the four endpoint addresses and the routable /64 prefix shown under IPv6 Tunnel Endpoints. Note them down; the rest of this guide refers to them by these names:

  • Server IPv4 Address: referred to as s_ipv4
  • Server IPv6 Address: referred to as s_ipv6
  • Client IPv4 Address: referred to as c_ipv4
  • Client IPv6 Address: referred to as c_ipv6
  • Routed /64: referred to as r_ipv6_prefix

What is a Tunnel Broker:

Key technologies and protocols:

  • 6in4 Protocol: Used for encapsulating and decapsulating IPv6 packets.
  • IP-in-IP Encapsulation: Encapsulates one protocol (IPv6) within another protocol (IPv4).
  • Protocol Field: the IPv4 header’s protocol field is set to 41, which identifies the packet as 6in4 tunnel traffic.

In simple terms, once configured, the router encapsulates every IPv6 packet from your LAN inside an IPv4 packet with protocol number 41 and sends it to the tunnel broker. The broker strips the IPv4 header and forwards the inner IPv6 packet on to the internet; the reverse direction works the same way. Because the whole IPv6 packet, including its source and destination addresses, travels unchanged inside the IPv4 packet, it still reaches the correct destination after decapsulation.

However, some ISPs may block or filter “IP Protocol 41” packets, making the tunnel unusable in certain networks.

flowchart LR
    A[Tunnel User]-- 6in4 package ---B[Tunnel Broker]
    B-- ipv6 package ---C[IPv6 Internet]
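To make the encapsulation concrete, here is an added example (not code from the original post or from HE) that builds a 6in4 packet, parses it back, and applies the check a defender wants at the IPv4 edge: only protocol-41 packets whose outer source is the configured broker server should be decapsulated. The endpoint values are constructed stand-ins for s_ipv4, c_ipv4 and c_ipv6.

```python
import ipaddress
import struct

# Constructed stand-ins for the page's endpoint values (documentation ranges, not real HE addresses).
S_IPV4 = "192.0.2.1"        # s_ipv4, the tunnel server
C_IPV4 = "198.51.100.7"     # c_ipv4, our public IPv4
C_IPV6 = "2001:db8:1::2"    # c_ipv6, the router's tunnel address
PROTO_6IN4 = 41             # IPv4 protocol number carrying 6in4
TUNNEL_MTU = 1280           # the MTU the guide sets on the 6to4 interface

def build_ipv6(src, dst, payload, next_header=59):
    """Fixed 40-byte IPv6 header; next_header 59 means 'no next header'."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def encapsulate_6in4(outer_src, outer_dst, inner):
    """Wrap an IPv6 packet in a minimal IPv4 header with protocol 41 (checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0x4000, 64,
                      PROTO_6IN4, 0, ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    return hdr + inner

def parse_6in4(packet):
    """Return (outer_src, outer_dst, inner_src, inner_dst), or None if this is not 6in4."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != PROTO_6IN4:
        return None
    inner = packet[(packet[0] & 0x0F) * 4:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    return (str(ipaddress.IPv4Address(packet[12:16])), str(ipaddress.IPv4Address(packet[16:20])),
            str(ipaddress.IPv6Address(inner[8:24])), str(ipaddress.IPv6Address(inner[24:40])))

def accept_from_tunnel(packet, peer=S_IPV4):
    """Defender check: only decapsulate protocol-41 packets whose outer source is the broker."""
    parsed = parse_6in4(packet)
    return parsed is not None and parsed[0] == peer

def fits_tunnel(inner):
    """True if the IPv6 packet fits the 1280-byte tunnel MTU without fragmentation."""
    return len(inner) <= TUNNEL_MTU
```

The 20-byte IPv4 header is the tunnel overhead; 1280 is the minimum MTU every IPv6 link must support, which is why the guide sets it on the interface.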

RouterOS Configuration

All the following configurations will be done using the Winbox GUI with screenshots.

Add a New 6to4 Interface

First, create a new “6to4 tunnel” interface in interface.

New Interface Type

This is not a typo: RouterOS has no interface type named 6in4. A “6to4 tunnel” interface, however, encapsulates packets with IP protocol 41, which is exactly what we need.

This step creates a new network interface that gives LAN packets a “gateway” to the IPv6 internet, with our IPv6 connectivity carried through the tunnel.

Configure the interface as follows:

  • Enabled: ✅
  • Comments: Any remark that helps you remember the purpose of this interface
  • MTU: 1280
  • Local Address: c_ipv4 address
  • Remote Address: s_ipv4 address
  • Others: Default

Interface Configuration

Add Routes

With the interface created, the router needs to know that IPv6 traffic should leave through it, so every IPv6 packet is sent via this gateway to HE. Add a new route in IPv6 > Routes:

  • Enabled: ✅
  • Comment: Any remark
  • Gateway: s_ipv6 address
  • Others: As shown in the screenshot

Route Configuration

Add IPv6 Address for the Client (Router)

Now that the interface and route are added, the router needs to know its IPv6 address. Add it in IPv6 > Addresses:

  • Enabled: ✅
  • Comment: Any remark
  • Address: c_ipv6 address
  • Interface: Select the interface you just created
  • Others: As shown in the screenshot

Client Address

Add IPv6 Firewall Rules

The default RouterOS rules are fine, but if you upgraded from an older version, the default rules may not have been updated.

I recommend deleting all current default rules and then re-adding the official firewall rules.

Firewall Rules

Add Address Lists

Address lists support the firewall rules: a rule can match on a whole list instead of on individual addresses, so the same set of addresses can be reused by several rules.

Because there are many entries, open a new terminal and enter the following commands:

/ipv6/firewall/address-list/

add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0:0/96 comment="defconf: RFC6890 IPv4 mapped" list=bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6

add address=100::/64 comment="defconf: RFC6890 Discard-only" list=not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=not_global_ipv6

add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6

add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8  comment="defconf: multicast" list=bad_src_ipv6

Add Firewall Rules

Next, add the firewall rules. These rules match on the WAN and LAN interface lists, so make sure the new 6to4 tunnel interface is a member of the WAN list (Interfaces > Interface List); an interface that is in neither list falls through to the final “drop the rest” rule. The jump rule also targets an icmp6 chain that is not shown here; take it, together with the input and forward filter rules, from the official default configuration mentioned above.

/ipv6/firewall/raw/

add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" src-address=::/128 dst-address=ff02:0:0:0:0:1:ff00::/104 icmp-options=135 protocol=icmpv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" src-address-list=not_global_ipv6 in-interface-list=WAN
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
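To see which rule a given packet hits, here is an added example (not from the original post or from MikroTik) that parses the address-list commands from the section above and walks the raw prerouting rules in the order listed. It treats the ICMPv6 jump as a pass-through, since the icmp6 chain is not on this page, and takes the interface-list membership as a parameter so the effect of a tunnel interface that is in neither WAN nor LAN is visible.

```python
import ipaddress
import re

# The address-list commands from this guide, embedded so the example runs offline.
ADDRESS_LIST_CMDS = """
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0:0/96 comment="defconf: RFC6890 IPv4 mapped" list=bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8  comment="defconf: multicast" list=bad_src_ipv6
"""

def parse_address_lists(text):
    """Build {list_name: [IPv6Network, ...]} from RouterOS address-list 'add' lines."""
    lists = {}
    for m in re.finditer(r"add address=(\S+) .*?list=(\S+)", text):
        lists.setdefault(m.group(2), []).append(ipaddress.ip_network(m.group(1)))
    return lists

def in_list(addr, nets):
    return any(addr in n for n in nets)

def raw_prerouting(src, dst, iface_list, lists):
    """Walk the page's raw prerouting rules in order (ICMPv6 jump omitted) and return the action."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_list(src, lists["bad_ipv6"]) or in_list(dst, lists["bad_ipv6"]):
        return "drop: bogon"
    if in_list(src, lists["bad_src_ipv6"]):
        return "drop: bad src"
    if in_list(dst, lists["bad_dst_ipv6"]):
        return "drop: bad dst"
    if iface_list == "WAN" and in_list(src, lists["not_global_ipv6"]):
        return "drop: non-global from WAN"
    if dst in ipaddress.ip_network("ff02::/16"):
        return "accept: local multicast scope"
    if dst in ipaddress.ip_network("ff00::/8"):
        return "drop: other multicast"
    if iface_list in ("WAN", "LAN"):
        return "accept: from " + iface_list
    return "drop: the rest"   # an interface in neither list, e.g. a tunnel not yet added to WAN
```

Note that 2001::/23 in bad_ipv6 already covers the Teredo and benchmark ranges listed under not_global_ipv6, so those are dropped as bogons before the WAN-only rule is reached.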

Congratulations

At this point, your router should be able to access the IPv6 network.

Assign Public IPv6 Addresses to Your LAN Devices

You might notice that even after creating the tunnel, your computer and phone still can’t access websites via IPv6.

This is because your devices have not been assigned routable public IPv6 addresses. You may see that your devices already have IPv6 addresses, but any address starting with fe80 is a link-local address, which is not routable and is used only for communication between hosts on the same link.

Local IPv6 Address

IPv4 link-local unicast addresses are allocated from the address block 169.254.0.0/16 (169.254.0.0 to 169.254.255.255). In IPv6, link-local unicast addresses are allocated from the block fe80::/10.

Next, we will configure the router to assign public IPv6 addresses to your devices.

Add a New Address

First, add the public address segment assigned by the tunnel broker, which is the r_ipv6_prefix mentioned earlier, to the router.

Only this prefix can be used, because it is the routed prefix the tunnel broker has allocated to you. Addresses outside it will not be routed by the broker and cannot reach the internet.

In IPv6 > Addresses, add the address:

  • Enabled: ✅
  • Comment: Any remark
  • Address: r_ipv6_prefix
  • Interface: ⚠️Note⚠️ Depending on your configuration, this should be your LAN interface, which is usually bridge by default. If unsure, check IPv4 > Addresses for the interface that carries your 192.168.xx.0 address and use the same one.
  • Advertise: ✅ This must be checked so that devices can obtain addresses from the prefix.

Add IPv6 Subnet

Modify IPv6 ND Configuration

What is ND?

ND stands for Neighbor Discovery Protocol, a crucial protocol in IPv6 networks. ND is similar to ARP (Address Resolution Protocol) in IPv4 but more powerful. Here is a brief explanation of ND:

  • Address Resolution: Converts an IPv6 address to a link-layer address (like a MAC address).
  • Auto-configuration: Helps devices automatically obtain IPv6 addresses and network parameters (like router addresses).
  • Router Discovery: Finds and learns about routers in the network.
  • Neighbor Unreachability Detection: Checks if a neighbor device is still online.
  • Duplicate Address Detection (DAD): Ensures no duplicate IPv6 addresses are used in the network.

You might notice that even without DHCPv6 enabled, devices initially get a local address. This is not assigned by DHCP but by ND.

Therefore, we need to enable the Advertise attribute for the new prefix. The router then announces the prefix via ND, each device forms a usable address from it (commonly derived from the device’s MAC), and the router records the neighbor in its ND table.

Advertise means “announce” or “broadcast”. Devices send specific ND messages (like Router Advertisement or Neighbor Advertisement) to inform other devices of their presence or provide network configuration information.
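As an added illustration of how a device turns the advertised prefix into an address (example code, not from the original post), the function below performs the modified EUI-64 derivation that builds the interface identifier from a MAC, for both the routed /64 and the fe80:: link-local prefix, and shows how to recover the MAC from such an address. The prefix and MAC are constructed sample values standing in for r_ipv6_prefix and a real device.

```python
import ipaddress

# Constructed sample values: a documentation /64 standing in for r_ipv6_prefix and a made-up MAC.
R_IPV6_PREFIX = "2001:db8:abcd:1::/64"
SAMPLE_MAC = "00:1a:2b:3c:4d:5e"

def eui64_interface_id(mac):
    """Modified EUI-64: split the MAC, insert ff:fe in the middle, flip the universal/local bit."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must have 6 octets")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)

def slaac_address(prefix, mac):
    """Address a device forms on its own from an advertised /64 prefix and its MAC (SLAAC)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))

def link_local_address(mac):
    """The fe80:: address a device has even before any router advertises a prefix."""
    return slaac_address("fe80::/64", mac)

def mac_from_eui64(addr):
    """Recover the MAC from an EUI-64 address, or None when the interface ID is not MAC-derived
    (hosts with privacy extensions use random IDs, so the MAC cannot be read off the address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)
```

Because an EUI-64 address exposes the hardware MAC to every site the device visits, most current operating systems generate random interface identifiers instead, which is why the addresses you see on your LAN devices will usually not match this derivation.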

Open IPv6 > ND > Interfaces. There should already be a default setting with the interface as bridge. If not, or if the interface you set in the previous step is different, create a new one.

To make sure devices can resolve IPv6 websites, set the DNS as follows:

  • DNS Servers: the resolvers to advertise; Cloudflare or any other public resolver works.
  • Advertise DNS: ✅
  • Other settings: See the screenshot.

ND Configuration

Test IPv6 Access

Reconnect to the router, disconnect and reconnect the network, or restart the network interface to get a new IPv6 address from ND.

Open https://ipv6-test.com/. If it shows your IPv6 address correctly, congratulations, you have succeeded.

IPv6 Test

Dynamically Update the Public IPv4 Address on HE (Optional)

I haven’t tried this myself because I don’t need it 😁. However, some have shared scripts that can do this. Please refer to the Tunnel update script section and subsequent content in this article.

Licensed under CC BY-NC-SA 4.0