IPv6 Prefix Delegation and DHCPv6

IPv6 Prefix Delegation and DHCPv6

Overview

DHCPv6 Prefix Delegation (DHCPv6-PD, defined in RFC 3633) is the standard mechanism by which an ISP assigns a block of IPv6 addresses — typically a /56 or /48 — to a customer router. The router then subdivides this block into /64 subnets and distributes them to internal networks via Router Advertisements (RA).

RouterOS supports three DHCPv6 roles:

Role	Menu	Description
PD Client	/ipv6 dhcp-client	Requests a delegated prefix from the ISP (upstream)
PD Server	/ipv6 dhcp-server	Delegates sub-prefixes to downstream routers (enterprise/ISP role)
Stateful Address Server	/ipv6 dhcp-server	Assigns individual /128 addresses to hosts (alternative to SLAAC)

This guide covers all three roles in depth, including pool management, multi-VLAN deployment, PPPoE scenarios, and binding management.

For basic IPv6 concepts (SLAAC, ND, address types), see IPv6 Configuration.

---

DHCPv6 Client (Requesting a Prefix from ISP)

How DHCPv6-PD Works

ISP DHCPv6 Server
       │
       │  Delegates 2001:db8:abcd::/56
       ▼
  RouterOS (ether1/WAN)
       │
       │  Carves /64s from pool:
       │    bridge-lan  → 2001:db8:abcd:0::/64
       │    vlan10      → 2001:db8:abcd:1::/64
       │    vlan20      → 2001:db8:abcd:2::/64
       ▼
  LAN Clients (SLAAC via RA)

Basic Configuration

Request a delegated prefix on the WAN interface and store it in a named pool:

/ipv6 dhcp-client add \
    interface=ether1 \
    request=prefix \
    pool-name=isp-pool \
    pool-prefix-length=64 \
    add-default-route=yes \
    use-peer-dns=yes \
    disabled=no

Property	Description
interface	WAN interface toward the ISP (physical, VLAN, or PPPoE)
request	What to request: prefix (IA_PD), address (IA_NA), or prefix,address for both
pool-name	Name of the /ipv6 pool RouterOS creates with the delegated prefix
pool-prefix-length	Prefix length for sub-allocations from the pool (almost always 64)
add-default-route	Install ::/0 default route via DHCPv6 server link-local address
use-peer-dns	Populate /ipv6 settings dns-server from DHCPv6 option 23
prefix-hint	Hint to the ISP for a preferred prefix size, e.g., ::/56 or ::/48
rapid-commit	Use 2-message exchange (Solicit/Reply) instead of 4-message if server supports it

Requesting Both an Address and a Prefix

Some ISPs assign a WAN address (IA_NA) in addition to the delegated prefix (IA_PD). Request both:

/ipv6 dhcp-client add \
    interface=ether1 \
    request=prefix,address \
    pool-name=isp-pool \
    pool-prefix-length=64 \
    add-default-route=yes

This covers ISPs that do not assign an address via RA on the WAN interface.

Requesting a Specific Prefix Size

Use prefix-hint to suggest the desired prefix length. The ISP may honor it or return a different size:

/ipv6 dhcp-client set [find interface=ether1] prefix-hint=::/56

The ::/56 means “I want a /56, address doesn’t matter.” The ISP controls the final assignment.

DUID Types and ISP Compatibility

RouterOS uses a DUID (DHCP Unique Identifier) to identify itself to the DHCPv6 server. Some ISPs bind delegated prefixes to a specific DUID, so the DUID must match across reboots and hardware changes.

RouterOS supports four DUID types:

DUID Type	Identifier	Description
llt	DUID-LLT	Link-layer address + timestamp (default on most hardware)
en	DUID-EN	Enterprise number + vendor-assigned ID
ll	DUID-LL	Link-layer address only (no timestamp, more stable)
uuid	DUID-UUID	UUID from system hardware (RouterOS 7.x, if supported)

Check the DUID RouterOS is presenting:

/ipv6 dhcp-client print detail

The duid field shows the binary value being sent. To change the DUID type:

/ipv6 dhcp-client set [find interface=ether1] duid=ll

ISP compatibility note: If your ISP requires a specific DUID (common with Comcast, AT&T, and Verizon FIOS), the prefix will not be delegated until the DUID matches. If you are replacing a modem or router, the ISP DHCPv6 server may retain the old DUID binding. Contact your ISP to release the old binding, or set the DUID to match the previous device’s MAC-based DUID-LL.

Checking DHCPv6 Client Status

/ipv6 dhcp-client print

Output:

Flags: D - dynamic, X - disabled, I - invalid
 #  INTERFACE  STATUS  PREFIX               EXPIRES-AFTER  ADDRESS
 0  ether1     bound   2001:db8:abcd::/56   23h57m

Status values:

Status	Meaning
searching	Sent Solicit, waiting for Advertise
requesting	Sent Request, waiting for Reply
bound	Prefix/address received and active
renewing	Renewing lease before it expires
rebinding	Server not responding; broadcasting to any server
error	Configuration or protocol error

Detailed output:

/ipv6 dhcp-client print detail

---

IPv6 Pools

Automatic Pool Creation

When a DHCPv6 client receives a prefix, RouterOS automatically creates an entry in /ipv6 pool:

/ipv6 pool print

Output:

 #  NAME      PREFIX               PREFIX-LENGTH  EXPIRES-AFTER
 0  isp-pool  2001:db8:abcd::/56   64             23h57m

The prefix-length=64 controls how large each allocation from the pool is. With a /56 parent and prefix-length=64, the pool can yield 256 individual /64 subnets.

Assigning a /64 from the Pool to an Interface

/ipv6 address add interface=bridge-lan from-pool=isp-pool advertise=yes

RouterOS picks the next available /64 from the pool and assigns it to bridge-lan. This address is dynamic — it disappears if the DHCPv6 lease is lost and reappears when the lease is renewed.

/ipv6 address print

Output:

Flags: D - dynamic, G - global, L - link-local
 #    ADDRESS                       INTERFACE   ADVERTISE
 0 DL fe80::218:e7ff:fe32:ab01/64  ether1      no
 1 DG 2001:db8:abcd::/64           bridge-lan  yes
 2 DL fe80::218:e7ff:fe32:ab01/64  bridge-lan  no

Distributing the Prefix Across Multiple VLANs

Add one from-pool address entry per LAN interface. RouterOS assigns sequential /64s:

/ipv6 address
add interface=bridge-lan  from-pool=isp-pool advertise=yes comment="main LAN"
add interface=vlan10       from-pool=isp-pool advertise=yes comment="guest"
add interface=vlan20       from-pool=isp-pool advertise=yes comment="IoT"
add interface=vlan30       from-pool=isp-pool advertise=yes comment="servers"

Each interface receives a different /64 from the delegated /56. Clients on each VLAN get globally routable IPv6 addresses via SLAAC.

Configure ND on each VLAN interface to send RAs:

/ipv6 nd
add interface=bridge-lan  ra-interval=30s-60s managed-address-configuration=no
add interface=vlan10       ra-interval=30s-60s managed-address-configuration=no
add interface=vlan20       ra-interval=30s-60s managed-address-configuration=no
add interface=vlan30       ra-interval=30s-60s managed-address-configuration=no

Pool Properties

/ipv6 pool print detail

Property	Description
name	Pool identifier referenced by from-pool
prefix	The delegated prefix (e.g., 2001:db8:abcd::/56)
prefix-length	Size of each sub-allocation (almost always 64)
expires-after	Time until the delegated lease expires

Stability note: Pool entries derived from a DHCPv6 lease are dynamic. If the ISP changes the delegated prefix on renewal, all from-pool addresses on LAN interfaces are replaced automatically. Hosts receive new RA prefixes and re-autoconfigure via SLAAC.

---

DHCPv6-PD over PPPoE

When the WAN connection is PPPoE, run the DHCPv6 client on the PPPoE logical interface, not the underlying Ethernet port:

# First, PPPoE client must be configured and connected
/interface pppoe-client print

# Then attach DHCPv6-PD to the PPPoE interface
/ipv6 dhcp-client add \
    interface=pppoe-out1 \
    request=prefix \
    pool-name=isp-pool \
    pool-prefix-length=64 \
    add-default-route=yes \
    use-peer-dns=yes

The PPPoE interface must be up (status connected) before the DHCPv6 client can exchange packets.

Verify:

/interface pppoe-client print status
/ipv6 dhcp-client print

---

Multi-WAN Prefix Delegation

With two WAN connections, run separate DHCPv6 clients and pools:

/ipv6 dhcp-client
add interface=pppoe-out1 request=prefix pool-name=wan1-pool add-default-route=yes default-route-distance=1
add interface=pppoe-out2 request=prefix pool-name=wan2-pool add-default-route=yes default-route-distance=2

Assign LAN interfaces from the primary pool:

/ipv6 address
add interface=bridge-lan from-pool=wan1-pool advertise=yes
add interface=vlan10      from-pool=wan1-pool advertise=yes

Important: IPv6 does not have NAT. Traffic sourced from a wan1-pool prefix must exit through WAN1 for replies to reach the client. If failover to WAN2 occurs, clients must re-SLAAC with the wan2-pool prefix. Use policy routing or prefix-based routing tables for consistent egress per source prefix.

---

DHCPv6 Server (Delegating Prefixes to Downstream Routers)

RouterOS can act as a DHCPv6-PD server — for example, an ISP CPE distributing prefixes to customer routers, or an aggregation router delegating to branch CEs.

Step 1: Create an IPv6 Pool

/ipv6 pool add name=ce-pool prefix=2001:db8::/48 prefix-length=56

This creates a pool of /56 prefixes carved from the /48 parent. Each downstream CE router receives its own /56.

Step 2: Configure the DHCPv6 Server

/ipv6 dhcp-server add \
    name=pd-server \
    interface=ether2 \
    prefix-pool=ce-pool \
    lease-time=1d \
    disabled=no

Property	Description
name	Server instance name
interface	Interface toward downstream clients
prefix-pool	Pool used to allocate delegated prefixes (IA_PD)
address-pool	Pool used to assign individual addresses (IA_NA stateful mode)
lease-time	Prefix lease duration
preference	Server selection priority (0–255, higher = preferred)
rapid-commit	Enable 2-message exchange
route-distance	Administrative distance of installed routes to delegated prefixes
use-radius	Authenticate clients via RADIUS
ignore-ia-na-bindings	Accept only IA_PD requests, ignore IA_NA

Verifying Delegated Bindings

When a CE router requests a prefix, RouterOS creates a binding:

/ipv6 dhcp-server binding print

Output:

Flags: D - dynamic, S - static, B - blocked
 #   SERVER     DUID                         PREFIX              EXPIRES-AFTER  STATUS
 0 D pd-server  0003000100163e...            2001:db8:a::/56     23h58m         bound
 1 D pd-server  0003000100163e...            2001:db8:b::/56     23h56m         bound

Converting a Dynamic Binding to Static

Reserve a specific prefix for a downstream router by DUID:

/ipv6 dhcp-server binding make-static 0

Then set the prefix explicitly:

/ipv6 dhcp-server binding set [find duid="0003000100163e..."] prefix=2001:db8:ff00::/56

Routes to Delegated Prefixes

RouterOS automatically installs a dynamic route for each delegated prefix, pointing toward the downstream router:

/ipv6 route print where comment~"dhcp"

Output:

 #   DST-ADDRESS           GATEWAY      DISTANCE  COMMENT
 0 D 2001:db8:a::/56      ether2       1         DHCPv6 bound
 1 D 2001:db8:b::/56      ether2       1         DHCPv6 bound

These routes enable upstream traffic to reach the downstream CE’s clients. Without them, IPv6 packets destined for delegated prefixes would be dropped.

---

Stateful DHCPv6 (Address Assignment to Hosts)

In stateful DHCPv6, the server assigns individual addresses (/128) to hosts instead of relying on SLAAC. This provides address tracking and control at the cost of server-side state.

Step 1: Create an Address Pool

The pool must use prefix-length=128 to assign single addresses:

/ipv6 pool add name=stateful-pool prefix=2001:db8:cafe:1::/64 prefix-length=128

Step 2: Configure the DHCPv6 Server

/ipv6 dhcp-server add \
    name=stateful-server \
    interface=bridge-lan \
    address-pool=stateful-pool \
    lease-time=12h \
    disabled=no

Step 3: Set the M Flag on ND

Instruct hosts to use DHCPv6 for address assignment (M flag) and other configuration (O flag):

/ipv6 nd set [find interface=bridge-lan] \
    managed-address-configuration=yes \
    other-configuration=yes

/ipv6 nd prefix add prefix=2001:db8:cafe:1::/64 interface=bridge-lan autonomous=no

Setting autonomous=no prevents SLAAC from also running — hosts use DHCPv6 exclusively for their address.

Viewing Stateful Bindings

/ipv6 dhcp-server binding print

Output:

Flags: D - dynamic
 #   SERVER           ADDRESS                        EXPIRES-AFTER  STATUS
 0 D stateful-server  2001:db8:cafe:1::1/128          11h59m         bound
 1 D stateful-server  2001:db8:cafe:1::2/128          11h55m         bound

SLAAC vs Stateful DHCPv6 Decision Guide

Consideration	SLAAC	Stateful DHCPv6
Address tracking	No	Yes (bindings by DUID)
Configuration complexity	Low	Medium
DNS delivery	RA RDNSS option	DHCPv6 option 23
Client compatibility	Universal	Most modern clients
Fixed address per device	No (EUI-64 is predictable but not enforced)	Yes (static binding by DUID)
Scales without server	Yes	No (server required)
Typical use	Home, SMB	Enterprise, ISP managed CPE

---

Complete End-to-End Example: ISP to Multi-VLAN Router

# --- Step 1: Enable IPv6 forwarding ---
/ipv6 settings set forward=yes

# --- Step 2: Request prefix from ISP ---
/ipv6 dhcp-client
add interface=ether1 request=prefix pool-name=isp-pool pool-prefix-length=64 \
    add-default-route=yes use-peer-dns=yes comment="ISP DHCPv6-PD"

# --- Step 3: Assign /64 from pool to each LAN segment ---
/ipv6 address
add interface=bridge-lan  from-pool=isp-pool advertise=yes comment="main LAN"
add interface=vlan10       from-pool=isp-pool advertise=yes comment="guest"
add interface=vlan20       from-pool=isp-pool advertise=yes comment="IoT"

# --- Step 4: Enable RA on each LAN segment ---
/ipv6 nd
add interface=bridge-lan  ra-interval=30s-60s managed-address-configuration=no other-configuration=no
add interface=vlan10       ra-interval=30s-60s managed-address-configuration=no other-configuration=no
add interface=vlan20       ra-interval=30s-60s managed-address-configuration=no other-configuration=no

# --- Step 5: IPv6 firewall ---
/ipv6 firewall filter
add chain=input  action=accept connection-state=established,related,untracked comment="accept established/related"
add chain=input  action=accept protocol=icmpv6                                 comment="accept ICMPv6"
add chain=input  action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="accept DHCPv6-PD response"
add chain=input  action=drop   connection-state=invalid                         comment="drop invalid"
add chain=input  action=drop                                                    comment="drop all other input"

add chain=forward action=accept connection-state=established,related,untracked comment="accept established/related fwd"
add chain=forward action=accept protocol=icmpv6                                 comment="accept ICMPv6 fwd"
add chain=forward action=drop   connection-state=invalid                        comment="drop invalid fwd"
add chain=forward action=drop   in-interface=ether1 connection-state=new        comment="drop unsolicited inbound"

---

Firewall Requirements for DHCPv6

DHCPv6 operates over UDP. The client listens on port 546, the server on port 547. Both directions must be permitted for the client to receive its delegated prefix.

The minimal input chain rules for a DHCPv6 client on the WAN interface:

/ipv6 firewall filter
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 \
    comment="DHCPv6 reply from ISP server"
add chain=input action=accept protocol=icmpv6 \
    comment="ICMPv6 required for ND and PMTU"

Important: Blocking ICMPv6 breaks IPv6 even if the prefix is received. Neighbor Discovery (NDP) and PMTU rely on ICMPv6. Always permit ICMPv6 on all interfaces.

If running a DHCPv6 server, the server interface must also accept client requests on port 547:

/ipv6 firewall filter
add chain=input action=accept protocol=udp dst-port=547 \
    in-interface=ether2 comment="DHCPv6 client requests to server"

The complete firewall for a DHCPv6-PD client router is shown in the end-to-end example above.

---

Troubleshooting

DHCPv6 Client Stays in searching

1. Verify the WAN interface has a link-local address (required to send DHCPv6):

   /ipv6 address print where interface=ether1

2. Check the firewall input chain permits UDP port 546 from fe80::/10:

   /ipv6 firewall filter print

3. Verify IPv6 is supported and enabled by the ISP — not all ISPs offer DHCPv6-PD. Some use SLAAC on the WAN, some use static assignment, some require a specific DUID.

4. Check the DUID RouterOS presents:

   /ipv6 dhcp-client print detail

   The DUID must match what the ISP expects if the ISP assigns prefixes per DUID. See DUID Types and ISP Compatibility for how to change the DUID type.

5. If replacing a previous router, the ISP may still have the old DUID bound. The new router’s DUID will not match, and the server will not respond. Contact the ISP to release the old binding, or configure RouterOS to use a DUID-LL based on the old device’s MAC address.

Prefix Received But LAN Clients Get No IPv6

1. Check pool was created:

   /ipv6 pool print

2. Verify from-pool addresses were assigned to LAN interfaces:

   /ipv6 address print

3. Confirm ND is configured on the LAN interface and advertise is enabled:

   /ipv6 nd print
   /ipv6 nd prefix print

4. Check that ICMPv6 is not blocked on the forward or input chains.

LAN Clients Lose IPv6 After ISP Renews

This is expected behavior when the ISP changes the delegated prefix. RouterOS:

1. Removes the old pool entry
2. Creates a new pool entry with the new prefix
3. Replaces from-pool addresses on all LAN interfaces
4. Sends updated RAs with the new prefix

Clients enter address deprecation for the old prefix and acquire new addresses via SLAAC. Most modern OS implementations handle this transparently.

If stability is required, consider using a ULA (fd00::/8) prefix for internal use alongside the ISP-delegated global prefix.

DHCPv6 Server Not Delegating Prefixes

1. Verify the server is not disabled:

   /ipv6 dhcp-server print

2. Check the prefix pool has available space:

   /ipv6 pool print

3. Review bindings to see if requests are arriving:

   /ipv6 dhcp-server binding print

4. Check the firewall on the server side is not blocking UDP 546/547.

---

Related Features

• IPv6 Configuration — General IPv6 setup, SLAAC, ND, firewall: ipv6-configuration.md
• DHCP — DHCPv4 server/client and DHCPv6 reference: /ip dhcp-server, /ipv6 dhcp-server
• PPPoE — PPPoE client configuration for WAN: /interface pppoe-client
• IPv6 Firewall — Packet filter for IPv6 traffic: /ipv6 firewall filter
• IPv6 Neighbor Discovery — RA, NDP, RDNSS: /ipv6 nd

References

• RFC 3315 — Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
• RFC 3633 — IPv6 Prefix Options for DHCPv6 (Prefix Delegation)
• RFC 3646 — DNS Configuration Options for DHCPv6
• RFC 4861 — Neighbor Discovery for IP version 6
• RFC 4862 — IPv6 Stateless Address Autoconfiguration
• RFC 6355 — Definition of the UUID-Based DHCPv6 Unique Identifier (DUID-UUID)
• RFC 7550 — Issues and Recommendations with Multiple Stateful DHCPv6 Options