本文介绍RouterOS如何开启IPV6
以NAT6模式为例,ipv6内网网段默认为dc00::/64,Routeros bridge1的IPv6内网地址为dc00::1111/64。桥接接口bridge1、拨号接口pppoe-out1名称若不同则自行替换
1
| /ipv6 settings set disable-ipv6=no
|
1
| /ipv6 dhcp-client add interface=pppoe-out1 pool-name=dhcpv6-gua-pool1 pool-prefix-length=60 request=prefix
|
1
| /ipv6 pool add name=dhcpv6-ula-pool1 prefix=dc00::/64 prefix-length=64
|
- 使用wan网卡的MAC地址计算标准EUI-64地址(非必须,简单操作则在下一步中输入::1即可)
https://eui64-calc.princelle.org/
- 使用上面计算得到的后缀(例如::BF24:12FF:FEE1:E81B)配置pppoe-out1的GUA地址
1
| /ipv6 address add address=::BF24:12FF:FEE1:E81B/64 from-pool=dhcpv6-gua-pool1 interface=pppoe-out1
|
- 配置bridge1的ula地址,默认dc00::1111(可自行修改)
1
| /ipv6 address add address=dc00::1111/64 from-pool=dhcpv6-ula-pool1 interface=bridge1
|
1
| /ipv6 firewall nat add action=masquerade chain=srcnat src-address=dc00::/64
|
- 禁用默认ND配置,新建配置。默认不广播IPV6 DNS。
1
2
| /ipv6 nd set [ find default=yes ] advertise-dns=no disabled=yes
/ipv6 nd add advertise-dns=no advertise-mac-address=no interface=bridge1 managed-address-configuration=yes other-configuration=yes ra-interval=5m-15m
|
- 配置防火墙,因使用NAT6,防火墙与V4相似,没有PSD
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| /ipv6 firewall filter
add action=accept chain=forward in-interface=bridge1
add action=accept chain=input in-interface=bridge1
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid in-interface=pppoe-out1
add action=accept chain=input icmp-options=128:0-255 in-interface=pppoe-out1 protocol=icmpv6
add action=accept chain=input comment="Allow Echo request (ping)" icmp-options=128:0-255 protocol=icmpv6
add action=accept chain=input comment="Allow Echo reply" icmp-options=129:0-255 protocol=icmpv6
add action=accept chain=input comment="Allow Router Solicitation" icmp-options=133:0-255 protocol=icmpv6
add action=accept chain=input comment="Allow Router Advertisement" icmp-options=134:0-255 protocol=icmpv6
add action=accept chain=input comment="Allow Neighbor Solicitation" icmp-options=135:0-255 protocol=icmpv6
add action=accept chain=input comment="Allow Neighbor Advertisement" icmp-options=136:0-255 protocol=icmpv6
add action=drop chain=input comment="Drop other ICMPv6 from WAN" in-interface=pppoe-out1 protocol=icmpv6
add action=drop chain=input dst-port=53,8291 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input dst-port=53,8291 in-interface=pppoe-out1 protocol=udp
|
1
2
| /ipv6 firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
/ipv6 firewall mangle add action=change-mss chain=output new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
|
至此,IPv6已开启,访问以下网址能打开(页面仅显示你的IPv6地址)则表示IPv6已通网
http://[2402:4e00:1013:e500:0:9671:f018:4947]
