Every device gets its own unique public IPv6 address that anyone on the internet can reach, which enables true peer-to-peer communication; many applications take advantage of this, such as BitTorrent clients.
However, IPv6 can still do NAT, and some folks think NAT is a good firewall layer that protects against outside attacks.
My IPv6 comes via PPPoE, and the ISP supports SLAAC and DHCPv6.
IPv6 addresses are handed out via ND (Neighbor Discovery). I personally prefer ND over DHCPv6 because ND can use an address token (::1) or the device MAC address (::dead:ffff:feed:b00b) as the IPv6 interface identifier, which is useful for static addressing, tracking and management.
Interface IPv6
I noticed that my PPPoE interface gets a static public IPv6 address: no matter whether I reboot, shut down or reconnect, the PPPoE interface gets the same IP. I'm not entirely sure whether this static assignment comes from my account or from the MAC address.
So I could leverage this for hosting services that support IPv6.
Before NATing IPv6, we need to create an IPv6 ULA.
ULA (Unique Local Address)
To make IPv6 NAT work, we need to create a ULA; we cannot use a link-local address (fe80::/10) because LLA runs on every interface and requires binding to an interface to work (fe80::1%bridge).
Create ULA Pool
Go to IPv6 ▶ Pool and add a new pool like this:
The ULA range is fc00::/7 (fc00:: – fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff); you can choose any address and any range you like, such as fded::/48, fd0d::/52, fd80::/60, or even something like fd00:cafe:babe:b00b::/64.
If you have multiple LANs/subnets on the same router, you need to enter:
Name: ula-pool6
Prefix: fd00:cafe:babe::/48
Prefix Length: 48
Create ULA ND
Then go to IPv6 ▶ Addresses and add a new address.
If you have multiple LANs/subnets on the same router, you need to enter:
# LAN 1
Address: fd00:cafe:babe:0:1::/64
From Pool: ula-pool6
Interface: ether1
# LAN 2
Address: fd00:cafe:babe:0:2::/64
From Pool: ula-pool6
Interface: ether2
# LAN 3
Address: fd00:cafe:babe:0:3::/64
From Pool: ula-pool6
Interface: ether3
Leading zeros can be omitted. A /60 runs from fd00:cafe:babe:0000:: to fd00:cafe:babe:000f::, i.e. sixteen /64 subnets.
Check IPv6 Routes
As you can see, ULA doesn't use an interface binding like LLA does.
Check ULA Clients
Go to a server or PC and check that the device got a ULA address.
Try pinging using the ULA address.
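The pool and address steps above, written out as RouterOS CLI commands. This is an added example, not configuration from the original post. It keeps the post's pool name, /48 prefix and interface names (ether1 to ether3), but gives each LAN its own /64 by varying the fourth hextet (fd00:cafe:babe:1::/64, :2::, :3::); that layout is an assumption. Note that in an address such as fd00:cafe:babe:0:1::/64 the /64 boundary falls before the fourth hextet, so fd00:cafe:babe:0:1::/64 and fd00:cafe:babe:0:2::/64 describe the same subnet.

```routeros
# Added example (not from the original post): ULA pool plus one /64 per LAN.
# The /48 and pool name are the post's; the per-LAN /64 layout is an assumption.
/ipv6 pool
add name=ula-pool6 prefix=fd00:cafe:babe::/48 prefix-length=64

# One /64 per LAN, carved from the /48 above. The /64 boundary is the fourth
# hextet, so each LAN needs a distinct fourth hextet (...:1::, ...:2::, ...:3::).
# advertise=yes makes the router send Router Advertisements (ND) for the prefix,
# so clients build their own address from the token or the MAC (EUI-64).
/ipv6 address
add address=fd00:cafe:babe:1::1/64 interface=ether1 advertise=yes comment="LAN 1 ULA"
add address=fd00:cafe:babe:2::1/64 interface=ether2 advertise=yes comment="LAN 2 ULA"
add address=fd00:cafe:babe:3::1/64 interface=ether3 advertise=yes comment="LAN 3 ULA"

# Alternative: let RouterOS take the next free /64 from the pool; the host part
# (::1) comes from the address field.
# add address=::1/64 from-pool=ula-pool6 interface=ether1 advertise=yes

# Verify: the ULA prefixes appear as connected routes without a %interface
# scope (unlike link-local), neighbors show up with ULA addresses, and a
# client (here assumed to be fd00:cafe:babe:1::10) answers a ping.
/ipv6 route print where dst-address~"fd00:cafe:babe"
/ipv6 neighbor print where address~"fd00:cafe:babe"
/ping fd00:cafe:babe:1::10 count=4
```

Static addresses are used here rather than from-pool so that it is obvious which /64 belongs to which interface; the from-pool form hands out prefixes in allocation order, which is fine but harder to read back later when matching addresses to LANs.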
Adjust Firewall
In order for IPv6 NAT/port forwarding to work, go to IPv6 ▶ Firewall and, in Filter Rules, disable rule number 9 like this:
This will allow NAT and port forwarding to work.
IPv6 NAT
It's possible to share a single IPv6 address just like in IPv4 NAT: add a src-nat rule with action masquerade, exactly as in IPv4 NAT:
This step can be skipped! It is useful for users who have a limited IPv6 subnet (/64).
Then move it to the top like this:
Before
After
However, you can delete the src-nat masquerade rule to use unique public IPv6 addresses instead.
IPv6 Port Forward
Adding an IPv6 port forward is just like in IPv4.
Go to IPv6 ▶ Firewall, click the NAT tab, then click ➕
Try opening it from a different device or a remote device.
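The firewall, NAT and port-forward steps above as RouterOS CLI commands. This is an added example and not configuration from the original post. It assumes the PPPoE WAN interface is named pppoe-out1, that PUBLIC_IPV6 is a placeholder for the router's static public address on that interface, that the internal server is fd00:cafe:babe:1::10, and that the forwarded service is TCP/443; the rule number 9 for the default drop rule is taken from the post.

```routeros
# Added example (not from the original post). Assumptions: WAN interface is
# pppoe-out1, PUBLIC_IPV6 is a placeholder for the router's public address,
# the LAN server is fd00:cafe:babe:1::10 and the service is TCP/443.

# Optional: hide the whole ULA LAN behind the router's single public address
# (the post's src-nat/masquerade step). Skip this if every device should keep
# its own public IPv6 address.
/ipv6 firewall nat
add chain=srcnat out-interface=pppoe-out1 src-address=fd00:cafe:babe::/48 \
    action=masquerade comment="ULA LAN -> single public IPv6"

# Port forward: rewrite the destination of inbound TCP/443 to the ULA server.
add chain=dstnat in-interface=pppoe-out1 dst-address=PUBLIC_IPV6/128 \
    protocol=tcp dst-port=443 action=dst-nat \
    to-address=fd00:cafe:babe:1::10 to-ports=443 comment="HTTPS -> LAN 1 server"

# Filter: rather than disabling the default "drop everything else" forward rule
# (rule 9 in the post), accept only the forwarded connection. The forward chain
# sees the address after dst-nat, so match on the ULA server and port, and put
# the rule above the drop rule (assumed to be rule 9, as in the post).
/ipv6 firewall filter
add chain=forward in-interface=pppoe-out1 protocol=tcp \
    dst-address=fd00:cafe:babe:1::10/128 dst-port=443 connection-state=new \
    action=accept place-before=9 comment="allow forwarded HTTPS only"

# Check: the dstnat counters should increase when connecting from outside,
# and the forward chain should still end with the drop rule.
/ipv6 firewall nat print stats where chain=dstnat
/ipv6 firewall filter print where chain=forward
```

The accept rule is deliberately narrow: it is the filter's drop rule, not NAT, that keeps unsolicited traffic away from the LAN, so opening just the forwarded port keeps every other host and port closed while the dst-nat still works. The srcnat block is optional in the same way the post describes; without it, clients use their own public addresses for outbound traffic.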