Another update on IPv6: Telekom Malaysia Unifi has a different IPv6 deployment. When you build SD-WAN IPv6 tunnels such as EoIPv6 or IPIPv6, Unifi sites appear unable to connect to each other.
This is because TM Unifi uses RA (Router Advertisement) for the gateway IP address and a DHCPv6 client for LAN assignment.
I am not sure why TM didn't use DHCPv6 for both; Maxis and TIME are able to do it.
In this guide, I assume you have correctly set up your Mikrotik with at least basic working internet, using the default configuration and names!
Enable IPv6
Before we start, double-check that your Mikrotik has IPv6 enabled and accepts RA, under IPv6 ➡️ Settings:
Click 🆗, then reboot the Mikrotik for the change to take effect!
Check RA
Once the Mikrotik has fully booted, navigate to IPv6 ➡️ Addresses and verify that interface pppoe-out1 has an IP:
If you see something like this, your Mikrotik has received an IPv6 address from PPPoE via RA!
DHCPv6 Client
Now, let your LAN have and enjoy IPv6 addresses!
- Navigate and Click IPv6 ➡️ DHCP Client
- Click ➕
- Follow this:
- Navigate and Click IPv6 ➡️ Addresses
- Click ➕
- Follow this:
Now, your LAN device has IPv6!
Not yet!
If you plan to use SD-WAN over IPv6, you need to fix a routing problem. The Mikrotik has two IPv6 addresses it can use, on pppoe-out1 and on bridge. Because of the default Distance, Scope and Target Scope, it uses the bridge IPv6 address, which is invalid for the Mikrotik's own use, and SD-WAN traffic will be forwarded to the LAN instead of to the router itself!
To fix this, navigate to IPv6 ➡️ Routes, click ➕, then follow this:
Then click 🆗 to apply!
Verify
To verify that your Mikrotik uses the pppoe-out1 IPv6 address, run this in the Terminal and check the output:
/tool fetch url="http://api6.ipify.org/" output=user
The output should look like this, with a pppoe-out1 RA address:
status: finished
downloaded: 0KiB
total: 0KiB
duration: 0s
data: 2001:e68:508f:a4c0::bab1
Check data and compare it against the IPv6 Addresses list:
It should use the pppoe-out1 interface IPv6 address instead of bridge.
If it didn't work, try adjusting the pppoe-out1 Default Route Distance:
For Fun Hex
Since Mikrotik ROS 7.17rc3, you can add a link-local address to get a custom IPv6 address. To do this, simply go to IPv6 ➡️ Addresses and click ➕.
You can use any valid link-local address; the format should be:
fe80::aaaa:bbbb:cccc:dddd
with any hex digits in place of a, b, c and d. Here are some fun hex words:
- cafe
- dead
- beef
- c0de (code)
- f1ee (flee)
- feed
- b00b (boob)
- c001 (cool)
- fefe
- fafa
- face
- b00c (book)
- da7a (data)
- ca75 (cats)
Make a sentence:
fe80::dead:ca75:cafe:b00b
dead cats, cafe boob
Firewall
To make EoIPv6, IPIPv6 and GREv6 (also Wireguard) work, you need to allow these protocols in the IPv6 firewall:
Chain: input, Action: accept
Protocol | Destination Port | Comment |
41 (ipv6-tunn) | | IPIPv6 |
47 (gre) | | GREv6 |
50 (ipsec-esp) | | EoIPv6 |
51 (ipsec-ah) | | EoIPv6 |
94 (ipip) | | IPIPv6 |
17 (udp) | 500,1701,4500 | IKE for EoIP |
17 (udp) | 13230-13299 | Wireguard |
Make sure to move these rules before (above) defconf: drop everything else not coming from LAN and defconf: accept all that matches ipsec policy.
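
The table above written as RouterOS terminal commands, with one addition that is not in the original post: every rule only accepts traffic from a list of known tunnel peers rather than from any source. This is an added example, not the author's configuration; the list name sdwan-peers and the 2001:db8:: peer addresses are placeholders, and it assumes the default defconf IPv6 firewall rules are still present.

```routeros
# Added example. Assumptions: "sdwan-peers" is a hypothetical list name and the
# 2001:db8::/32 addresses are documentation placeholders for your real peers.
/ipv6 firewall address-list
add list=sdwan-peers address=2001:db8:1::1/128 comment="peer A (placeholder)"
add list=sdwan-peers address=2001:db8:2::1/128 comment="peer B (placeholder)"

# Each rule is placed above the ipsec-policy accept rule in the input chain.
# In the default configuration that rule is itself above
# "defconf: drop everything else not coming from LAN".
# Protocol numbers and comments are taken from the table above.
/ipv6 firewall filter
add chain=input action=accept protocol=41 src-address-list=sdwan-peers \
    comment="IPIPv6" \
    place-before=[find chain=input comment="defconf: accept all that matches ipsec policy"]
add chain=input action=accept protocol=47 src-address-list=sdwan-peers \
    comment="GREv6" \
    place-before=[find chain=input comment="defconf: accept all that matches ipsec policy"]
add chain=input action=accept protocol=50 src-address-list=sdwan-peers \
    comment="EoIPv6" \
    place-before=[find chain=input comment="defconf: accept all that matches ipsec policy"]
add chain=input action=accept protocol=51 src-address-list=sdwan-peers \
    comment="EoIPv6" \
    place-before=[find chain=input comment="defconf: accept all that matches ipsec policy"]
add chain=input action=accept protocol=94 src-address-list=sdwan-peers \
    comment="IPIPv6" \
    place-before=[find chain=input comment="defconf: accept all that matches ipsec policy"]
add chain=input action=accept protocol=udp dst-port=500,1701,4500 \
    src-address-list=sdwan-peers comment="IKE for EoIP" \
    place-before=[find chain=input comment="defconf: accept all that matches ipsec policy"]
add chain=input action=accept protocol=udp dst-port=13230-13299 \
    src-address-list=sdwan-peers comment="Wireguard" \
    place-before=[find chain=input comment="defconf: accept all that matches ipsec policy"]

# Confirm the new rules sit above the two defconf rules.
print where chain=input
```

A peer without a fixed IPv6 address cannot be matched by the address list, so its rule would need src-address-list removed.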