I recently upgraded my home network to have a separate router from the WiFi access point. For the router, I took a tip from a friend at work and got a Mikrotik Hex. This device packs an amazing amount of features for under $60. If you are a networking person, this just might be the device for you.

I’ve been curious about setting up IPv6 at home as a dual stack configuration, and the purchase of the Mikrotik was my start to enable that. Time Warner is my home ISP, and they offer IPv6 service, so it’s time to start playing.

Poking through the menus as an IPv4 person, it wasn’t really obvious what I needed to do. Let me share with you the lessons I’ve learned, so hopefully you go faster than I did.

Before starting, understand a bit about IPv6 addresses, how huge they are, and the syntax for them. An address that starts with fe80 is a link-local address; think of it like a 192.168.x.x non-routable address. Next, you need to mentally let go of NAT for home networks. Because the IPv6 address space is so huge, NAT is no longer needed. And when you think critically about it, you didn’t use NAT for firewall and security; you were really using stateful packet inspection. You can continue to use stateful packet inspection, and can configure your IPv6 firewall to do that. Without firewall rules, your IPv6 devices will be reachable from the outside, but you can configure your IPv6 firewall to behave like your IPv4 firewall, except that the home network addresses are global.

You generally won’t be using a DHCPv6 server for your internal network: IPv6 brings a new tool called Neighbor Discovery that will handle the dynamic allocation of IPv6 addresses, routing, and DNS config. It is common for a single interface to have multiple IPv6 addresses, similar to “ip alias” in IPv4. There will be link-local fe80 addresses, and after you are done with the router config there may be one or more global addresses also on the same interface. And there are new commands, like “ping6”.

For more background, the Linux IPv6 HowTo is a great resource.

First, you’ll need to download the IPv6 package. From the webfig web GUI, go to System -> Packages and download the ipv6 package. This will enable the IPv6 menu in webfig and the other management consoles.

Next, configure your DHCPv6 client to request an IPv6 address for itself. Additionally, DHCPv6 will request a separate /64 prefix from your ISP. From webfig, go to IPv6 -> DHCP client. The list is probably empty; click Add New. Set Interface = ether1, which is your external-facing connection. Check the Enabled checkbox. For Request, check both Address and Prefix. Address will get a single IPv6 address for this interface, and Prefix will get a /64 prefix for the internal members of your home network. For Pool Name, enter a new name like “pool1”; this will create the IPv6 address pool using the prefix that it downloads here. Leave the Pool Prefix Length at 64 and the Pool Hint at its default value. Click OK to create this new entry and return to the list of DHCP clients. After a few seconds, you should see an IPv6 address appear in the Address field, and an IPv6 prefix appear in the Prefix field. Note that the prefix has a different network portion than the Address: you’ve just been leased an externally-routable /64 address range for your home network. Mind blown!

Next, you need to configure the internal interface of the router with an address from your new pool. From IPv6 -> Addresses, ether2 will have a fe80 link-local address; we need to add a global one. Click Add New. Select the eth2-master interface. Check the box so it is enabled. Leave the Address field with its default value. Expand the Pool section so you can put in a pool name, and use the same value as you did above, i.e. “pool1”. For Interface, select eth2-master. Enable the “Advertise” checkbox. Click OK and in a few seconds there should be a specific IPv6 address assigned to this interface from the pool.

Next, you need to enable Neighbor Discovery. Go to IPv6 -> ND. There may be an existing item for all interfaces; we want to edit that one, so click on it. Check the box so it is enabled. For Interface, select eth2-master. Check the boxes for “Advertise MAC Address”, “Advertise DNS”, and “Managed Address Configuration”. Click OK to save it. I’m not using a DHCPv6 server.

You now have a functioning bi-directional IPv6 network. If you go to IPv6 -> Neighbors you should start to see some entries, with the ISP-provided prefix (not fe80) on the eth2-master interface. If you go to IPv6 -> Firewall -> Connections, there should be entries present there also. You may want to reboot your client (i.e., laptop) or bounce your wifi connection to trigger a refresh of the network config on your device. If you have a phone, in Android look in Settings -> About Phone -> Status and you should see one or more IPv6 addresses. Hit one of the IPv6 checkers on your device and it should pass.

For security, you probably want to configure some firewall rules. Go to IPv6 -> Firewall. For example, select Add New for each of the following (in order) (eth1 is the public internet interface):

  1. input chain, connection state = established or related, action = accept
  2. input chain, protocol = ICMPv6, ICMP Type = ! echo request, action = accept
  3. input chain, protocol = UDP, port=546, action = accept (this is the DHCPv6 response, kind of important when the lease expires)
  4. input chain, input interface = eth1, action = drop
  5. forward chain, connection state = established or related, action = accept
  6. forward chain, input interface = eth1, action = drop
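
As an added illustration (not part of the original post and not MikroTik code), this Python model evaluates the six rules first-match, in the listed order, against constructed packets. It assumes a packet that matches no rule in its chain is accepted, and that port=546 matches either the source or the destination port.

```python
# Added example: first-match model of the six IPv6 filter rules in the list above.
# Interface names follow the post (eth1 = internet side, eth2-master = LAN side).
# Assumptions: a packet matching no rule in its chain is accepted, and
# "port=546" matches either the source or the destination port.

def tracked(p):
    return p["state"] in ("established", "related")

RULES = [  # (chain, predicate, action), numbered 1..6 as in the list
    ("input", tracked, "accept"),
    ("input", lambda p: p["proto"] == "icmpv6"
        and p.get("icmp_type") != "echo-request", "accept"),
    ("input", lambda p: p["proto"] == "udp"
        and 546 in (p.get("sport"), p.get("dport")), "accept"),
    ("input", lambda p: p["in_if"] == "eth1", "drop"),
    ("forward", tracked, "accept"),
    ("forward", lambda p: p["in_if"] == "eth1", "drop"),
]

def evaluate(chain, packet, rules=RULES):
    """Return (action, rule_number); rule_number is None if nothing matched."""
    for number, (rule_chain, matches, action) in enumerate(rules, start=1):
        if rule_chain == chain and matches(packet):
            return action, number
    return "accept", None

def pkt(in_if, proto, state="new", **fields):
    return {"in_if": in_if, "proto": proto, "state": state, **fields}

# Constructed sample packets (not captured traffic).
SAMPLES = [
    ("input", "ping6 from internet to router", pkt("eth1", "icmpv6", icmp_type="echo-request")),
    ("input", "neighbor solicitation on WAN", pkt("eth1", "icmpv6", icmp_type="neighbor-solicitation")),
    ("input", "DHCPv6 reply from ISP", pkt("eth1", "udp", sport=547, dport=546)),
    ("input", "SSH attempt from internet", pkt("eth1", "tcp", dport=22)),
    ("forward", "inbound SYN to a LAN host", pkt("eth1", "tcp", dport=443)),
    ("forward", "reply to a LAN connection", pkt("eth1", "tcp", state="established")),
    ("forward", "LAN host opening a connection", pkt("eth2-master", "tcp", dport=443)),
]

# Same rules with the input drop (rule 4) moved to the top, to show why order matters.
DROP_FIRST = [RULES[3]] + RULES[:3] + RULES[4:]

if __name__ == "__main__":
    for chain, label, packet in SAMPLES:
        print(f"{chain:8}{label:32}{evaluate(chain, packet)}")
    print("DHCPv6 reply, drop first:", evaluate("input", SAMPLES[2][2], DROP_FIRST))
```

The last line shows the DHCPv6 reply being dropped once the eth1 drop is evaluated first, which is why the rules have to be entered in the order given.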

Then you’ll probably want to run an IPv6 port scanner, like this one, just as you used something like GRC’s Shields Up test for IPv4.

For bonus points, you can add IPv6 DNS servers. In webfig go to IP -> DNS and create 4 of the Servers fields (ignore the Dynamic Servers for now), and put in the addresses for the Google DNS servers, the two IPv4 and two IPv6.

You can also do an IPv6-specific speed test. The Xfinity speed test tool breaks out results specific to IPv6 and IPv4. If you have IPv6 connectivity, it should default to IPv6, and will show the IP version in the results. In the Advanced Test Settings you can pick your IP version to test.