@olafz
Created January 8, 2020 19:37
Tweak IPv6 mikrotik RouterOS (6RD)
# Dutch ISP Tweak offers IPv6 via 6rd. The commands below configure a MikroTik
# router running RouterOS for 6rd. This was tested with RouterOS 6.46.1.
#
# First, you'll have to request IPv6 information from Tweak. You'll receive
# a fixed IPv4 address and some other information. For the rest of this guide,
# I assume the following information is received from Tweak:
#
# ===
# IPv4 address: 185.227.123.123
# IPv4 mask length: 22
# 6RD border relay server IP: 217.19.16.12
# IPv6 prefix: 2a02:58:54::/46
# ===
#
# Before you can continue, you need to calculate the 6rd local prefix. You can
# do this manually, or use a tool like ipv6calc.
#
# ipv6calc --action 6rd_local_prefix --6rd_prefix <IPv6 prefix> \
# --6rd_relay_prefix <6RD border relay server IP>/<IPv4 mask length> <IPv4 address>
#
# So, with the example above, this results in
# ipv6calc --action 6rd_local_prefix --6rd_prefix 2a02:58:54::/46 --6rd_relay_prefix 217.19.16.12/22 185.227.123.123
# ==> 2a02:58:57:7b00::/56
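# The prefix calculation above, carried out in Python as an added example (not
# part of this gist, and not how ipv6calc itself is implemented). It uses only
# the standard library ipaddress module. The function names sixrd_local_prefix
# and lan_subnets are mine; the inputs are the example values from the gist.
# As with the ipv6calc call, only the mask length of the relay argument is used:
# the customer IPv4 address is not checked against the relay's own prefix.

```python
# Added example (not part of olafz's gist): compute the 6rd delegated prefix
# from the values Tweak supplies, using only the Python standard library.
import ipaddress


def sixrd_local_prefix(sixrd_prefix: str, relay_prefix: str, ce_ipv4: str) -> ipaddress.IPv6Network:
    """Return the 6rd delegated ("local") prefix for one customer (RFC 5969, section 7.1.1).

    sixrd_prefix  -- the ISP's 6rd prefix, e.g. "2a02:58:54::/46"
    relay_prefix  -- border relay IP with the 6rd IPv4 mask length, e.g. "217.19.16.12/22";
                     only the mask length is used, as in the ipv6calc call
    ce_ipv4       -- the customer's fixed IPv4 address
    """
    v6 = ipaddress.IPv6Network(sixrd_prefix)
    # strict=False: the relay IP is a host address, not a network address
    mask_len = ipaddress.IPv4Network(relay_prefix, strict=False).prefixlen
    v4 = int(ipaddress.IPv4Address(ce_ipv4))

    # Only the IPv4 bits that differ between customers are embedded; the
    # high-order mask_len bits are common to the whole 6rd domain and dropped.
    embedded_bits = 32 - mask_len
    new_len = v6.prefixlen + embedded_bits
    if new_len > 64:
        raise ValueError(f"delegated prefix would be /{new_len}; no room for a /64 LAN subnet")
    embedded = v4 & ((1 << embedded_bits) - 1)

    # Place those bits directly after the 6rd prefix; the host part stays zero,
    # so the result is a valid network address for the new length.
    shift = 128 - new_len
    addr = int(v6.network_address) | (embedded << shift)
    return ipaddress.IPv6Network((addr, new_len))


def lan_subnets(delegated: ipaddress.IPv6Network) -> list:
    """All /64s inside the delegated prefix; index 0 is the first one the
    /ipv6 pool (prefix-length=64) hands to bridge-lan."""
    return list(delegated.subnets(new_prefix=64))


if __name__ == "__main__":
    # Example values from the gist (constructed input for this script).
    p = sixrd_local_prefix("2a02:58:54::/46", "217.19.16.12/22", "185.227.123.123")
    print(p)                    # 2a02:58:57:7b00::/56
    print(lan_subnets(p)[0])    # 2a02:58:57:7b00::/64
    print(len(lan_subnets(p)))  # 256
```

# A /46 plus the 10 non-common IPv4 bits (32 - 22) gives the /56 shown above;
# the ValueError guards the case where the ISP's mask length is so short that
# no /64 would be left for the LAN.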
# Let's go!
# Add the 6rd interface
/interface 6to4
add clamp-tcp-mss=yes disabled=no dscp=inherit !keepalive local-address=185.227.123.123 \
name=6rd remote-address=217.19.16.12
# Create an IPv6 pool. A pool groups IPv6 prefixes so they can be handed out (here as /64s) later.
/ipv6 pool
add name=ipv6 prefix=2a02:58:57:7b00::/56 prefix-length=64
# Add the IPv6 addresses
/ipv6 address
add address=::/64 advertise=yes disabled=no eui-64=no from-pool=ipv6 interface=bridge-lan no-dad=no
add address=2a02:58:57:7b00::/56 advertise=no disabled=no eui-64=no from-pool="" interface=6rd no-dad=no
# Configure RouterOS IPv6 Neighbor Discovery (nd) and stateless address autoconfiguration
/ipv6 nd
set [ find default=yes ] advertise-dns=no advertise-mac-address=yes disabled=no hop-limit=unspecified interface=all \
managed-address-configuration=no mtu=1480 other-configuration=no ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m \
reachable-time=unspecified retransmit-interval=unspecified
# Configure the prefix information sent in Router Advertisement messages
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
# Add an IPv6 route for the global IPv6 unicast space via the 6rd tunnel
/ipv6 route
add distance=1 dst-address=2000::/3 gateway=6rd
# That's it.
# This should give you IPv6 connectivity via Tweak's 6rd infrastructure.
#
# Make sure to add an IPv6 firewall! The default IPv6 firewall of a new MikroTik
# router is
#
# /ipv6 firewall
# address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
# address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
# address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
# address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
# address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
# address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
# address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
# address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
# address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
# address-list add list=bad_ipv6 address=::224.0.0.0/100 comment="defconf: other"
# address-list add list=bad_ipv6 address=::127.0.0.0/104 comment="defconf: other"
# address-list add list=bad_ipv6 address=::/104 comment="defconf: other"
# address-list add list=bad_ipv6 address=::255.0.0.0/104 comment="defconf: other"
# filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
# filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
# filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
# filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
# filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
# filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
# filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
# filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
# filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
# filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
# filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
# filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
# filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
# filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
# filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
# filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
# filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
# filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
# filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
# filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
# filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"