Altibox IPv6 with 6to4

April 16, 2023 | 7 minutes read

This article describes how to set up IPv6 rapid deployment (6rd) connectivity through Altibox.no using a Mikrotik or other router.

Altibox provides the following information on configuring 6rd under the advanced section at https://www.altibox.no/privat/bredband/ipv6/

Update, December 2024: The Altibox URL https://www.altibox.no/privat/bredband/ipv6/ now returns “not found / 404 error”. However, this guide still works, which indicates that the info harvested from that page is still current.

The info below is the relevant info from Altibox, which we need to work out our 6rd prefix.

IPv4 Bridge Address: "213.167.115.92"
IPv4 Prefix: 0
IPv6 Prefix: "2a01:79c::"
IPv6 Prefix Length: 30
IPv6 DNS: "2a01:798:0:8012::4"
IPv6 DNS: "2a01:798:0:9002::70"

We can use the ipv6calc tool to calculate the 6rd prefix as shown below.

ipv6calc is open-source software that you can install on your *nix machine with the corresponding package manager. I did this on a Mac OSX machine and installed it via Homebrew: brew install ipv6calc

To get your external IP address you can, for example, run curl wtfismyip.com/text on the command line or open https://myip.is in a web browser.

Now for the sake of the tutorial let’s assume that our IPv4 address is: 81.167.232.69

# Example on how to use the ipv6calc
# ipv6calc --action 6rd_local_prefix --in=ipv4 --out=ipv6addr --6rd_prefix <IPv6 Prefix> \
# --6rd_relay_prefix <6RD border relay server IP>/<IPv4 mask length> <IPv4 address>

ipv6calc --action 6rd_local_prefix --in=ipv4 --out=ipv6addr --6rd_prefix 2a01:79c::/30 --6rd_relay_prefix 213.167.115.92/0 81.167.232.69
2a01:79d:469f:a114::/62 # Here we can see our prefix allocation

Here we can see the breakdown of the prefix allocation with subnetcalc, another command-line tool that you can install with your package manager.

$ subnetcalc 2a01:79d:469f:a114::/62

Address        = 2a01:79d:469f:a114::
                    2a01 = 00101010 00000001
                    079d = 00000111 10011101
                    469f = 01000110 10011111
                    a114 = 10100001 00010100
                    0000 = 00000000 00000000
                    0000 = 00000000 00000000
                    0000 = 00000000 00000000
                    0000 = 00000000 00000000
Network        = 2a01:79d:469f:a114:: / 62
Netmask        = ffff:ffff:ffff:fffc::
Wildcard Mask  = ::3:ffff:ffff:ffff:ffff
Hosts Bits     = 66
Max. Hosts     = 73786976294838206463   (2^66 - 1)
Host Range     = { 2a01:79d:469f:a114::1 - 2a01:79d:469f:a117:ffff:ffff:ffff:ffff }
Properties     =
   - 2a01:79d:469f:a114:: is a NETWORK address
   - Global Unicast Properties:
      + Interface ID                     = 0000:0000:0000:0000
      + Solicited Node Multicast Address = ff02::1:ff00:0000
DNS Hostname   = (nodename nor servname provided, or not known)

Here we can see that the allocation consists of:

2a01:79d:469f:a114::1 - 2a01:79d:469f:a117:ffff:ffff:ffff:ffff

This means that we have four /64 networks, ranging from a114 to a117.

  • 2a01:79d:469f:a114::/64
  • 2a01:79d:469f:a115::/64
  • 2a01:79d:469f:a116::/64
  • 2a01:79d:469f:a117::/64

At this point you should have all information needed to configure a Mikrotik router or other routers that are not on the list of Altibox supplied routers. You now also have the 4 /64 subnets provided by the 6rd allocation if you want to segment different parts of your network infrastructure.
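
The calculation that ipv6calc performs above, written out with Python's ipaddress module as an added example (not code from the original article; the function names are illustrative). It also runs the mapping in reverse: with IPv4 prefix length 0, the full WAN IPv4 address can be read back out of the delegated 6rd prefix.

```python
import ipaddress

def sixrd_delegated_prefix(sixrd_prefix, ipv4_mask_len, wan_ipv4):
    """RFC 5969 mapping: the 6rd prefix bits, then the low (32 - mask) IPv4 bits."""
    prefix = ipaddress.IPv6Network(sixrd_prefix)  # rejects prefixes with host bits set
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("IPv4 mask length must be between 0 and 32")
    v4_bits = 32 - ipv4_mask_len
    length = prefix.prefixlen + v4_bits
    if length > 64:
        raise ValueError(f"delegated prefix would be /{length}; no /64 left for a LAN")
    v4_low = int(ipaddress.IPv4Address(wan_ipv4)) & ((1 << v4_bits) - 1)
    base = int(prefix.network_address) | (v4_low << (128 - length))
    return ipaddress.IPv6Network((base, length))

def lan_subnets(delegated):
    """Every /64 inside the delegated prefix, as strings ready for /ipv6 pool."""
    return [str(net) for net in delegated.subnets(new_prefix=64)]

def embedded_ipv4(delegated, sixrd_prefix_len):
    """Read the IPv4 bits back out of a delegated prefix (full address if mask is 0)."""
    v4_bits = delegated.prefixlen - sixrd_prefix_len
    raw = int(delegated.network_address) >> (128 - delegated.prefixlen)
    return ipaddress.IPv4Address(raw & ((1 << v4_bits) - 1))

if __name__ == "__main__":
    # Values from the article: Altibox 6rd prefix, IPv4 prefix 0, tutorial WAN address.
    delegated = sixrd_delegated_prefix("2a01:79c::/30", 0, "81.167.232.69")
    print(delegated)
    for net in lan_subnets(delegated):
        print(" ", net)
    print(embedded_ipv4(delegated, 30))
```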

Configuring the router

Let’s start by creating a 6to4 tunnel. Before that, you must put your Altibox central in Bridge Mode; Altibox has more information on this.

/interface 6to4
add !keepalive name=6rd remote-address=213.167.115.92  comment="Altibox IPv6 6rd"

We create four ipv6 pools where we define each /64 net that we have. I called mine pool-ipv6- followed by its purpose.

/ipv6 pool
add name=pool-ipv6-stadarnet  prefix=2a01:79d:469f:a114::/64 prefix-length=64
add name=pool-ipv6-homelab-10 prefix=2a01:79d:469f:a115::/64 prefix-length=64
add name=pool-ipv6-homelab-20 prefix=2a01:79d:469f:a116::/64 prefix-length=64
add name=pool-ipv6-homelab-30 prefix=2a01:79d:469f:a117::/64 prefix-length=64

Next we set up the IPv6 addresses on the 6rd, bridge, vlan-homelab-10, vlan-homelab-20 and vlan-homelab-30 interfaces that I have configured.

/ipv6 address
add address=2a01:79d:469f:a114:: advertise=no interface=6rd
add address=::2 from-pool=pool-ipv6-stadarnet interface=bridge
add address=::2 from-pool=pool-ipv6-homelab-10 interface=vlan-homelab-10
add address=::2 from-pool=pool-ipv6-homelab-20 interface=vlan-homelab-20
add address=::2 from-pool=pool-ipv6-homelab-30 interface=vlan-homelab-30

Then we activate neighbour discovery and configure the defaults for the prefixes.

/ipv6 nd
set [ find default=yes ] mtu=1480

/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d

Now we can set the default route through the 6rd interface.

# Add an IPv6 route to the global IPv6 unicast space
/ipv6 route
add distance=1 dst-address=2000::/3 gateway=6rd

Lastly, configure the firewall if you need to. See the Firewall configuration section below.

Summary of all commands combined

/interface 6to4
add !keepalive name=6rd remote-address=213.167.115.92  comment="Altibox IPv6 6rd"

/ipv6 pool
add name=pool-ipv6-stadarnet  prefix=2a01:79d:469f:a114::/64 prefix-length=64
add name=pool-ipv6-homelab-10 prefix=2a01:79d:469f:a115::/64 prefix-length=64
add name=pool-ipv6-homelab-20 prefix=2a01:79d:469f:a116::/64 prefix-length=64
add name=pool-ipv6-homelab-30 prefix=2a01:79d:469f:a117::/64 prefix-length=64

/ipv6 address
add address=2a01:79d:469f:a114:: advertise=no interface=6rd
add address=::2 from-pool=pool-ipv6-stadarnet interface=bridge
add address=::2 from-pool=pool-ipv6-homelab-10 interface=vlan-homelab-10
add address=::2 from-pool=pool-ipv6-homelab-20 interface=vlan-homelab-20
add address=::2 from-pool=pool-ipv6-homelab-30 interface=vlan-homelab-30

/ipv6 nd
set [ find default=yes ] mtu=1480

/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d

/ipv6 route
add distance=1 dst-address=2000::/3 gateway=6rd

You could wrap this into a script that you can run to activate IPv6 on your router. If you use the file ending .rsc and you are using Visual Studio Code, there is a syntax highlighter available.

Testing

On the Mikrotik router

You can then test the connectivity by using the ping command as follows. It is good to start testing on the router before testing clients, in case the Stateless Address Auto-Configuration (SLAAC) advertisement is not working on the interfaces where you want IPv6 addresses to be used.

/ping [:resolve ipv6.google.com]
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 2a00:1450:400f:80a::200e                   56  59 9ms354us   echo reply
    1 2a00:1450:400f:80a::200e                   56  59 9ms419us   echo reply
    2 2a00:1450:400f:80a::200e                   56  59 9ms423us   echo reply
    3 2a00:1450:400f:80a::200e                   56  59 9ms371us   echo reply
    4 2a00:1450:400f:80a::200e                   56  59 9ms379us   echo reply
    5 2a00:1450:400f:80a::200e                   56  59 9ms325us   echo reply
    sent=6 received=6 packet-loss=0% min-rtt=9ms325us avg-rtt=9ms378us max-rtt=9ms423us

Here I am using one of the IPv6 addresses for nrk.no (2a02:26f0:4300::1724:4cf1)

[samueljon@RB4011] /tool> traceroute 2a02:26f0:4300::1724:4cf1
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
#  ADDRESS                    LOSS   SENT  LAST     AVG   BEST  WORST  STD-DEV
1  2a01:79f:569d:cd70::1      0%       10  2.8ms    2.9   2.8   3.6    0.2
2  2a01:798:0:416::a1b:0      0%       10  3.2ms    3.3   3.1   4.2    0.3
3  2001:2000:3080:cf5::1      77.8%    10  timeout  2.9   2.9   2.9    0
4  2001:2035:0:90::2          0%        9  9.7ms    14.8  3     38.5   15.2
5  2a02:26f0:4300::1724:4cf1  0%        9  2.6ms    2.5   2.5   2.6    0

On your computer

You can test through your browser and here are some examples:

Testing Ping with ping6 utility

$ ping6 google.com
PING6(56=40+8+8 bytes) 2a01:79d:469f:a114:25:d4ef:d463:d37c --> 2a00:1450:400f:805::200e
16 bytes from 2a00:1450:400f:805::200e, icmp_seq=0 hlim=55 time=9.343 ms
16 bytes from 2a00:1450:400f:805::200e, icmp_seq=1 hlim=55 time=9.513 ms
16 bytes from 2a00:1450:400f:805::200e, icmp_seq=2 hlim=55 time=9.532 ms

Testing traceroute with the traceroute6 utility

$ traceroute6 nrk.no
traceroute6: Warning: nrk.no has multiple addresses; using 2a02:26f0:4300::1724:4cf1
traceroute6 to nrk.no (2a02:26f0:4300::1724:4cf1) from 2a01:79d:432c:2a64:25:d4ef:d463:d37c, 64 hops max, 28 byte packets
 1  2a01:79d:469f:a114::2  0.316 ms  0.269 ms  0.186 ms
 2  2a01:79f:569d:cd70::1  2.893 ms  2.972 ms  2.909 ms
 3  2a01:798:0:416::a1b:0  3.271 ms  3.240 ms  3.166 ms
 4  oso-b1-link.ip.twelve99.net  3.171 ms * *
 5  akamai-ic-357179.ip.twelve99-cust.net  5.473 ms  8.136 ms  7.609 ms
 6  g2a02-26f0-4300-0000-0000-0000-1724-4cf1.deploy.static.akamaitechnologies.com  2.750 ms  2.747 ms  2.610 ms

Firewall configuration

It is possible that these rules are already in your router, since they are the default IPv6 rules.

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
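add action=drop chain=input comment="drop DNS over TCP not coming from LAN" dst-port=53 in-interface-list=!LAN protocol=tcp
add action=drop chain=input comment="drop DNS over UDP not coming from LAN" dst-port=53 in-interface-list=!LAN protocol=udp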
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

Credits

Added 2024.12.01: Post from Nils Norman Haukås on the same topic but using different type of router.
