6to4 Tunneling
| Configuration Guide | md-9dn1h |
|---|---|
| Date | February 13, 2026 |
| RouterOS Version | 7.x |
| Sub-menu | /interface 6to4 |
Overview
6to4 is a mechanism that allows IPv6 packets to be transmitted over IPv4 networks without the need for explicitly configured tunnel interfaces. It is especially useful for connecting IPv6 networks over IPv4-only infrastructure.
There are two modes of 6to4 operation:
- Automatic mode (no `remote-address` configured): The router encapsulates IPv6 packets directly over IPv4 if the first 16 bits of the destination address match `2002::/16`, using the next 32 bits as the IPv4 destination (the IPv4 address written in hex).
- Manual mode (`remote-address` configured): IPv6 packets are sent directly to the specified IPv4 remote address.
Important: All 6to4 nodes must have publicly reachable IPv4 addresses when operating over the Internet.
Property Description
| Property | Description |
|---|---|
| `clamp-tcp-mss` | Controls MSS size adjustment for TCP SYN packets. When enabled, MSS is changed if it exceeds tunnel MTU. |
| `comment` | Short description of the interface. |
| `disabled` | Whether the interface is disabled. |
| `dont-fragment` | Controls DF bit in packets: `no` (fragment if needed), `inherit` (use original packet’s DF flag). |
| `dscp` | DSCP value for encapsulated packets. Default is inherited from the original packet. |
| `ipsec-secret` | When specified, enables dynamic IPsec peer with pre-shared key. |
| `keepalive` | Tunnel keepalive in format `interval,retries`. Default is `10,10` (10 seconds, 10 retries). |
| `local-address` | Source IPv4 address for the tunnel. |
| `mtu` | Layer3 Maximum Transmission Unit. Default is `auto`. |
| `name` | Interface name. |
| `remote-address` | IPv4 address of remote 6to4 endpoint. If unspecified, derived from `2002::/16` prefix. |
IPv6 Address Format
6to4 uses the 2002::/16 prefix. The IPv6 address is constructed as:
```
2002:<IPv4-hex>::/<prefix-length>
```
IPv4 to Hex Conversion Example:
| IPv4 Address | Hex Conversion | 6to4 Prefix |
|---|---|---|
| 10.0.1.1 | 0A00:0101 | 2002:0A00:0101::/48 |
| 192.168.1.1 | C0A8:0101 | 2002:C0A8:0101::/48 |
| 194.105.56.170 | C269:38AA | 2002:C269:38AA::/48 |
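The conversion in the table, together with the reverse lookup that automatic mode performs on a destination address, as an added Python example (not part of the original guide and not RouterOS code). The function names are hypothetical, and `is_global` is used here as an assumption standing in for "publicly reachable"; the page's 10.0.x.x and 192.168.x.x sample addresses fail that check.

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")


def to_6to4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return the 2002:<IPv4-hex>::/48 prefix for an IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    # 0x2002 in the top 16 bits, the IPv4 address in the next 32 bits.
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def tunnel_endpoint(ipv6_dst: str):
    """IPv4 endpoint automatic mode derives from a destination, or None."""
    addr = ipaddress.IPv6Address(ipv6_dst)
    if addr not in SIXTOFOUR:
        return None  # outside 2002::/16: no endpoint can be derived
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def usable_over_internet(ipv6_dst: str) -> bool:
    """True only if the embedded IPv4 address is globally routable."""
    v4 = tunnel_endpoint(ipv6_dst)
    return v4 is not None and v4.is_global


if __name__ == "__main__":
    # Addresses taken from the table and examples on this page.
    for v4 in ("10.0.1.1", "192.168.1.1", "194.105.56.170"):
        prefix = to_6to4_prefix(v4)
        first = str(prefix.network_address)
        print(v4, prefix, tunnel_endpoint(first), usable_over_internet(first))
```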
Configuration Examples
Simple 6to4 Tunnel (Router-to-Router)
This example shows connecting two MikroTik routers over an IPv4 network using 6to4.

Requirements:
- Both routers must have publicly reachable IPv4 addresses
- IPv4 connectivity between both sites
R1 Configuration:
Create the 6to4 tunnel interface:
```
/interface 6to4
add name=6to4-tunnel1
```
Assign an IPv6 address using the 2002 prefix with IPv4 in hex (10.0.1.1 → 2002:A00:101::):
```
/ipv6 address
add address=2002:a00:101::/128 advertise=no interface=6to4-tunnel1
```
Add a route for the 6to4 prefix:
```
/ipv6 route
add dst-address=2002::/16 gateway=6to4-tunnel1
```
R2 Configuration:
Create the 6to4 tunnel interface:
```
/interface 6to4
add name=6to4-tunnel1
```
Assign IPv6 address (10.0.2.1 → 2002:A00:201::):
```
/ipv6 address
add address=2002:a00:201::/128 advertise=no interface=6to4-tunnel1
```
Add the 6to4 route:
```
/ipv6 route
add dst-address=2002::/16 gateway=6to4-tunnel1
```
Verification:
Test connectivity from R1:
```
/ping 2002:a00:201::
```
Note: The simple 6to4 tunnel configuration may not work in all environments due to NAT and firewall restrictions on IPv4 networks.
Hurricane Electric Tunnel Broker
This example demonstrates getting IPv6 connectivity through an IPv4 network using Hurricane Electric’s Tunnel Broker service.
Prerequisites:
- Public IPv4 address
- Account at Hurricane Electric Tunnel Broker
Step 1: Create Tunnel
Log into Tunnel Broker and create a new tunnel. You’ll receive:
- Server IPv4 address (e.g., 216.66.80.90)
- Client IPv4 address (your public IP)
- Routed /64 IPv6 prefix
- DNS servers
Step 2: Configure RouterOS
Replace the following values with your Tunnel Broker details:
- `194.105.56.170` = Your public IPv4 address
- `216.66.80.90` = Tunnel server IPv4 address
- `2001:470:27:37e::` = Your routed IPv6 prefix

```
# Create the 6to4 interface
/interface 6to4
add comment="Hurricane Electric IPv6 Tunnel Broker" \
    disabled=no \
    local-address=194.105.56.170 \
    mtu=1280 \
    name=sit1 \
    remote-address=216.66.80.90

# Add default IPv6 route via tunnel
/ipv6 route
add comment="" disabled=no distance=1 \
    dst-address=2000::/3 \
    gateway=2001:470:27:37e::1 \
    scope=30 \
    target-scope=10

# Assign IPv6 address to tunnel interface
/ipv6 address
add address=2001:470:27:37e::2/64 \
    advertise=no \
    disabled=no \
    eui-64=no \
    interface=sit1
```
Step 3: Enable IPv6 for LAN Clients
Add the routed prefix to your LAN bridge:
```
/ipv6 address add address=2001:470:28:37e::/64 interface=bridge-local advertise=yes
```
Enable DNS advertisement:
```
/ipv6 nd set [ find interface=bridge-local ] advertise-dns=yes
```
Configure DNS servers (Google public DNS shown, or use Hurricane Electric’s 2001:470:20::2):
```
/ip dns set allow-remote-requests=yes servers=2001:4860:4860::8888,2001:4860:4860::8844
```
Step 4: Verify IPv6 Connectivity
```
# Test IPv6 connectivity
/ping 2001:4860:4860::8888

# Check IPv6 address
/ipv6 address print
```
Visit https://ipv6-test.com to verify IPv6 connectivity.
Troubleshooting
Tunnel Not Establishing
- Verify IPv4 connectivity:
  ```
  /ping 216.66.80.90
  ```
- Check firewall rules: Ensure IPv4 protocol 41 (GRE) is allowed:
  ```
  /ip firewall filter add chain=input protocol=41 action=accept
  ```
- Verify local-address is reachable:
  ```
  /ip address print
  ```
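The firewall rule in the second step accepts protocol 41 from any IPv4 source. As an added Python illustration (not RouterOS code and not part of the original guide), these are the source checks that narrow what reaches a 6to4 decapsulator: the configured `remote-address` in manual mode, and in automatic mode the embedded-address consistency check recommended in RFC 3964. Function names and the `198.51.100.7` address used when exercising it are constructed for the example.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 protocol number of the encapsulated traffic
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")


def check_6to4_packet(pkt: bytes, remote_address=None) -> str:
    """Classify a raw IPv4 packet; remote_address=None means automatic mode."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or (pkt[0] & 0x0F) < 5:
        return "drop: malformed IPv4 header"
    if pkt[9] != IPPROTO_IPV6:
        return "ignore: not protocol 41"
    outer_src = ipaddress.IPv4Address(pkt[12:16])
    inner = pkt[(pkt[0] & 0x0F) * 4:]  # skip IPv4 header (IHL in 32-bit words)
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "drop: payload is not IPv6"
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if remote_address is not None:
        # Manual mode: only the configured peer should reach the tunnel.
        if outer_src != ipaddress.IPv4Address(remote_address):
            return "drop: outer source is not remote-address"
        return "accept"
    # Automatic mode: a 2002::/16 source must embed the outer IPv4 source.
    if inner_src in SIXTOFOUR:
        if ipaddress.IPv4Address(inner_src.packed[2:6]) != outer_src:
            return "drop: inner 2002::/16 source does not match outer source"
    return "accept"


def build_sample(outer_src, outer_dst, inner_src, inner_dst) -> bytes:
    """Constructed fixture: 20-byte IPv4 header plus a bare IPv6 header."""
    v6 = struct.pack("!IHBB", 6 << 28, 0, 59, 64)  # next header 59 = none
    v6 += ipaddress.IPv6Address(inner_src).packed
    v6 += ipaddress.IPv6Address(inner_dst).packed
    v4 = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(v6), 0, 0, 64,
                     IPPROTO_IPV6, 0)  # checksum left at 0 in this fixture
    v4 += ipaddress.IPv4Address(outer_src).packed
    v4 += ipaddress.IPv4Address(outer_dst).packed
    return v4 + v6


if __name__ == "__main__":
    peer = build_sample("216.66.80.90", "194.105.56.170",
                        "2001:470:27:37e::1", "2001:470:27:37e::2")
    print(check_6to4_packet(peer, remote_address="216.66.80.90"))
```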
No IPv6 Traffic
- Check 6to4 interface status:
  ```
  /interface 6to4 print
  ```
- Verify IPv6 routes:
  ```
  /ipv6 route print
  ```
- Check MTU settings:
  ```
  /interface 6to4 print detail
  # Try reducing MTU if experiencing fragmentation issues
  /interface 6to4 set sit1 mtu=1280
  ```
Keepalive Issues
If the tunnel goes down but doesn’t recover:
```
/interface 6to4 set sit1 keepalive=10,5
```