IPIP and IP6IP6 Tunnels
RouterOS supports three lightweight IP encapsulation tunnel types for carrying IP traffic across an existing network without adding complex protocol machinery:
- IPIP (IP protocol 4) — encapsulates IPv4 inside IPv4. The simplest possible IP tunnel.
- IP6IP6 (IP protocol 41) — encapsulates IPv6 inside IPv6. The IPv6 equivalent of IPIP.
- 6to4 (IP protocol 41) — encapsulates IPv6 inside IPv4. Used during IPv4-to-IPv6 transition.
None of these protocols provide encryption or authentication. For encrypted tunnels, pair them with IPsec or use WireGuard instead.
Concepts
How IP encapsulation tunnels work
Each tunnel type creates a virtual point-to-point interface. RouterOS wraps the original IP packet in a new outer IP header addressed to the remote tunnel endpoint. The receiving router strips the outer header and delivers the inner packet normally.
Original packet: [ Inner IP header | Payload ]
After encapsulation: [ Outer IP header | Inner IP header | Payload ]
The outer header addresses identify the tunnel endpoints (transport addresses). The inner header addresses belong to the traffic being carried. Once the virtual interface exists, treat it like any RouterOS interface: assign an address, add routes, apply firewall rules.
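The following Python sketch is an added example, not part of the original page and not RouterOS code. It parses the outer and inner IPv4 headers of an IPIP packet and applies two checks: the outer source must be the configured peer, and the inner source must lie in the remote LAN. The packets are constructed in the script, the addresses are borrowed from this page's site-to-site example, and the function names are hypothetical; neither check authenticates the sender, which is why these tunnels are paired with IPsec.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IPv4-in-IPv4, as listed in the overhead table

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0 for the sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def parse_ipv4(buf):
    """Return (header_len, proto, src, dst) or raise ValueError."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IHL")
    return (ihl, buf[9], ipaddress.IPv4Address(buf[12:16]),
            ipaddress.IPv4Address(buf[16:20]))

def check_ipip(packet, peer, remote_lan):
    """Classify one received packet (hypothetical policy, not RouterOS logic)."""
    ihl, proto, outer_src, _ = parse_ipv4(packet)
    if proto != IPPROTO_IPIP:
        return "not-ipip"
    if outer_src != ipaddress.IPv4Address(peer):
        return "drop: outer source is not the configured peer"
    _, _, inner_src, _ = parse_ipv4(packet[ihl:])
    if inner_src not in ipaddress.ip_network(remote_lan):
        return "drop: inner source outside the remote LAN"
    return "accept"

def sample(outer_src, inner_src):
    """Constructed sample: an 8-byte ICMP echo stub inside IPv4 inside IPv4."""
    inner = ipv4_header(inner_src, "192.168.10.5", 1, 8) + b"\x08\x00" + b"\x00" * 6
    return ipv4_header(outer_src, "198.51.100.1", IPPROTO_IPIP, len(inner)) + inner

if __name__ == "__main__":
    cases = [("203.0.113.2", "192.168.20.7"),   # expected peer, expected LAN
             ("192.0.2.99", "192.168.20.7"),    # unknown outer source
             ("203.0.113.2", "192.168.10.1")]   # inner source claims the local LAN
    for outer, inner in cases:
        print(outer, inner, "->",
              check_ipip(sample(outer, inner), "203.0.113.2", "192.168.20.0/24"))
```

The third case passes an input rule that matches only on the outer source address, so the inner-source check is what catches it.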
Transport vs tunnel addresses
| Term | What it is |
|---|---|
| Transport address (local-address, remote-address) | Outer IP header. Must be routable between endpoints. |
| Tunnel address | IP address assigned to the tunnel interface. Used for routing over the tunnel. |
Overhead comparison
| Protocol | Outer header | Carries | IP protocol |
|---|---|---|---|
| IPIP | 20 bytes (IPv4) | IPv4 | 4 |
| IP6IP6 | 40 bytes (IPv6) | IPv6 | 41 |
| 6to4 | 20 bytes (IPv4) | IPv6 | 41 |
| GRE | 24 bytes | Any network-layer protocol | 47 |
IPIP has the absolute minimum overhead for IPv4 tunneling — just one extra IPv4 header. GRE costs 4 extra bytes per packet compared to IPIP, in exchange for keepalive support, multicast capability, and broader protocol compatibility.
No keepalive in IPIP or IP6IP6
Unlike GRE, IPIP and IP6IP6 have no built-in keepalive mechanism. RouterOS cannot automatically detect that the remote end is unreachable. To compensate:
- Run a dynamic routing protocol (OSPF, BGP) over the tunnel — the adjacency going down signals a failure.
- Use an external probe (Netwatch, scripted ping) to monitor the remote endpoint.
- Accept that the interface will show running even when the path is broken.
IPIP Tunnel (IPv4-in-IPv4)
Create the interface
/interface ipip add \
    name=ipip-to-branch \
    local-address=198.51.100.1 \
    remote-address=203.0.113.2
Interface properties:
| Property | Default | Description |
|---|---|---|
| name | — | Interface name |
| local-address | 0.0.0.0 | Source IPv4 for the outer header. 0.0.0.0 uses the outbound routing decision. Set explicitly when you have multiple public addresses. |
| remote-address | — | Destination IPv4 for the outer header. Must be the peer’s routable address. |
| mtu | 1480 | Tunnel interface MTU. 1480 = 1500 − 20 bytes IPIP overhead. |
| clamp-tcp-mss | yes | Rewrite TCP SYN MSS to prevent fragmentation black holes. |
| allow-fast-path | yes | Enable fast-path/hardware acceleration. |
| dscp | inherit | DSCP value in the outer header. inherit copies from inner packet. |
| disabled | no | Whether the interface is disabled. |
Assign a tunnel IP address
Use a /30 for a point-to-point link:
/ip address add address=10.10.10.1/30 interface=ipip-to-branch
Add routes over the tunnel
/ip route add dst-address=192.168.20.0/24 gateway=10.10.10.2
Firewall — allow IPIP traffic
Permit IP protocol 4 on the input chain from the peer’s transport address:
/ip firewall filter add \
    chain=input \
    protocol=ipencap \
    src-address=203.0.113.2 \
    action=accept \
    comment="Allow IPIP from branch"
Place this before any default drop rule.
IP6IP6 Tunnel (IPv6-in-IPv6)
IP6IP6 tunnels carry IPv6 traffic between two endpoints that already have IPv6 connectivity. The outer header is IPv6; the inner payload is also IPv6.
Create the interface
/interface ip6ip6 add \
    name=ip6ip6-to-branch \
    local-address=2001:db8:100::1 \
    remote-address=2001:db8:200::2
Interface properties:
| Property | Default | Description |
|---|---|---|
| name | — | Interface name |
| local-address | :: | Source IPv6 for the outer header |
| remote-address | — | Destination IPv6 for the outer header |
| mtu | auto | Tunnel interface MTU |
| clamp-tcp-mss | yes | Rewrite TCP SYN MSS |
| disabled | no | Whether the interface is disabled |
Assign a tunnel IPv6 address
/ipv6 address add address=2001:db8:ff::1/127 interface=ip6ip6-to-branch advertise=no
A /127 is appropriate for point-to-point links (RFC 6164).
Add IPv6 routes over the tunnel
/ipv6 route add dst-address=2001:db8:20::/48 gateway=2001:db8:ff::2
Firewall — allow IP6IP6 traffic
Permit IPv6 protocol 41 (ipv6-encap) on the input chain:
/ipv6 firewall filter add \
    chain=input \
    protocol=ipv6-encap \
    src-address=2001:db8:200::2 \
    action=accept \
    comment="Allow IP6IP6 from branch"
6to4 Tunnel (IPv6-in-IPv4)
6to4 carries IPv6 traffic over an IPv4-only network. It uses IP protocol 41 in an IPv4 outer header. See also the dedicated 6to4 Tunneling guide for tunnel broker setup (Hurricane Electric) and full property reference.
Two operating modes
| Mode | remote-address | How it works |
|---|---|---|
| Manual | Set to peer’s IPv4 | All IPv6 traffic sent directly to the peer. Equivalent to a static point-to-point tunnel. |
| Automatic | Not set | Destination IPv4 is derived from the 2002::/16 prefix embedded in the destination IPv6 address. |
Manual 6to4 tunnel (point-to-point)
/interface 6to4 add \
    name=6to4-to-branch \
    local-address=198.51.100.1 \
    remote-address=203.0.113.2
Assign an IPv6 address and add routes:
/ipv6 address add address=2001:db8:feed::1/64 interface=6to4-to-branch advertise=no
/ipv6 route add dst-address=2001:db8:20::/48 gateway=2001:db8:feed::2
Automatic 6to4 (2002::/16 prefix)
The 6to4 address format encodes the local IPv4 address into the IPv6 prefix:
2002:<ipv4-hex>::/48
For example, 198.51.100.1 in hex is C633:6401, giving the prefix 2002:C633:6401::/48.
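An added Python example (not from the original page, and not a description of RouterOS behaviour) that derives the 2002::/48 prefix from an IPv4 address, recovers the IPv4 endpoint embedded in a 6to4 address, and validates a received protocol-41 packet in automatic mode. The reject list and the outer/embedded address match are assumptions modelled on the checks described in RFC 3964; the function names are hypothetical and the setup is assumed to use no 6to4 relay.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

# IPv4 ranges that should never appear embedded in a 6to4 address.
# Assumption: list modelled on the checks in RFC 3964, not RouterOS behaviour.
REJECT_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]

def prefix_from_ipv4(v4):
    """Map an IPv4 address to its 6to4 /48, e.g. 198.51.100.1 as on this page."""
    v4int = int(ipaddress.IPv4Address(v4))
    # 16 bits of 0x2002, then the 32-bit IPv4 address, then 80 zero bits.
    base = (0x2002 << 112) | (v4int << 80)
    return ipaddress.IPv6Network((base, 48))

def embedded_ipv4(v6):
    """Return the IPv4 endpoint encoded in a 2002::/16 address, else None."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)

def check_6to4(outer_src_v4, inner_src_v6):
    """Validate one received protocol-41 packet (automatic mode, no relay)."""
    emb = embedded_ipv4(inner_src_v6)
    if emb is None:
        return "drop: inner source is not a 6to4 address"
    if any(emb in net for net in REJECT_V4):
        return "drop: embedded IPv4 is not a usable unicast address"
    if emb != ipaddress.IPv4Address(outer_src_v4):
        return "drop: outer IPv4 source does not match embedded address"
    return "accept"

if __name__ == "__main__":
    print(prefix_from_ipv4("198.51.100.1"))
    # Constructed (outer IPv4 source, inner IPv6 source) pairs.
    for outer, inner in [("198.51.100.1", "2002:c633:6401::1"),
                         ("203.0.113.2", "2002:c633:6401::1"),
                         ("203.0.113.2", "2002:c0a8:0101::1"),
                         ("203.0.113.2", "2001:db8::1")]:
        print(outer, inner, "->", check_6to4(outer, inner))
```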
# Create interface without remote-address (automatic mode)
/interface 6to4 add name=6to4-auto local-address=198.51.100.1
# Assign the 6to4 address
/ipv6 address add address=2002:c633:6401::1/128 interface=6to4-auto advertise=no
# Route all 2002::/16 traffic via the tunnel
/ipv6 route add dst-address=2002::/16 gateway=6to4-auto
Firewall for 6to4
6to4 uses IPv4 protocol 41. Permit it on the IPv4 input chain:
/ip firewall filter add \
    chain=input \
    protocol=41 \
    src-address=203.0.113.2 \
    action=accept \
    comment="Allow 6to4 from branch"
Site-to-Site Example: IPIP
Connect Site A (192.168.10.0/24, public IP 198.51.100.1) to Site B (192.168.20.0/24, public IP 203.0.113.2). Tunnel subnet: 10.10.10.0/30.
Site A
# Tunnel interface
/interface ipip add name=ipip-to-b local-address=198.51.100.1 remote-address=203.0.113.2
# Tunnel IP address
/ip address add address=10.10.10.1/30 interface=ipip-to-b
# Route to Site B LAN
/ip route add dst-address=192.168.20.0/24 gateway=10.10.10.2
# Firewall
/ip firewall filter add chain=input protocol=ipencap src-address=203.0.113.2 action=accept comment="IPIP from Site B"
/ip firewall filter add chain=forward in-interface=ipip-to-b action=accept comment="IPIP forward"
Site B
# Tunnel interface
/interface ipip add name=ipip-to-a local-address=203.0.113.2 remote-address=198.51.100.1
# Tunnel IP address
/ip address add address=10.10.10.2/30 interface=ipip-to-a
# Route to Site A LAN
/ip route add dst-address=192.168.10.0/24 gateway=10.10.10.1
# Firewall
/ip firewall filter add chain=input protocol=ipencap src-address=198.51.100.1 action=accept comment="IPIP from Site A"
/ip firewall filter add chain=forward in-interface=ipip-to-a action=accept comment="IPIP forward"
Verify
# Check interface state (look for R flag = running)
/interface ipip print detail
# Ping remote tunnel IP
/ping 10.10.10.2
# Ping a host in the remote LAN
/ping 192.168.20.1
# Confirm route is active
/ip route print where dst-address=192.168.20.0/24
MTU and Fragmentation
On a standard 1500-byte Ethernet path:
| Protocol | Outer header | Recommended tunnel MTU | TCP MSS clamp |
|---|---|---|---|
| IPIP | 20 bytes | 1480 | 1440 |
| IP6IP6 | 40 bytes | 1460 | 1420 |
| 6to4 (over IPv4) | 20 bytes | 1480 | 1440 |
RouterOS sets the IPIP default MTU to 1480 automatically. If the path MTU between endpoints is smaller (for example, over a DSL link with PPPoE overhead), reduce mtu to match:
/interface ipip set ipip-to-branch mtu=1452
Keep clamp-tcp-mss=yes (the default) to avoid TCP black-hole issues on paths with constrained MTU.
IPIP vs GRE: Choosing Between Them
| | IPIP | GRE |
|---|---|---|
| IP protocol | 4 | 47 |
| Header overhead | 20 bytes | 24 bytes |
| Carries | IPv4 only | Any network-layer protocol |
| Keepalive | No | Yes |
| Multicast | No | Yes |
| Dynamic routing (OSPF/BGP) | Requires workaround | Native (multicast) |
| Non-MikroTik compatible | Yes (RFC 2003) | Yes (RFC 2784) |
| IPsec encryption | Via manual IPsec policy | Via ipsec-secret or manual policy |
Choose IPIP when:
- You only need to carry IPv4 unicast between two endpoints.
- Minimizing per-packet overhead matters (high-traffic links, constrained WAN).
- No keepalive or multicast is needed.
- Both sides are static (no dynamic routing over the tunnel).
Choose GRE when:
- You need to run OSPF or BGP over the tunnel (multicast required).
- You want built-in keepalive to detect remote failures automatically.
- You need to carry non-IPv4 traffic.
- You want the simpler ipsec-secret encryption shortcut.
Adding IPsec Encryption
IPIP and IP6IP6 tunnels carry traffic in plaintext. To encrypt IPIP, create a manual IPsec transport-mode policy protecting IP protocol 4 between the two transport addresses.
# On both sides — create proposal and profile
/ip ipsec proposal add name=ipip-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec profile add name=ipip-profile dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
# Site A: peer and transport policy
/ip ipsec peer add name=site-b address=203.0.113.2 exchange-mode=ike2 profile=ipip-profile secret=StrongSharedSecret
/ip ipsec policy add src-address=198.51.100.1/32 dst-address=203.0.113.2/32 protocol=ipencap tunnel=no action=encrypt proposal=ipip-prop peer=site-b
Mirror the configuration on Site B with addresses reversed. The IPIP interface configuration is unchanged — IPsec transparently encrypts the encapsulated packets before they leave the router.
Troubleshooting
Check interface state
/interface ipip print detail
/interface ip6ip6 print detail
/interface 6to4 print detail
An interface with R in the flags column is running. A missing R flag means the interface is not passing traffic.
Packet capture — verify encapsulation
# Capture IPIP (IP protocol 4)
/tool sniffer quick ip-proto=4
# Capture IP6IP6 / 6to4 (IP protocol 41)
/tool sniffer quick ip-proto=41
Enable debug logging
/system logging add topics=interface,debug action=memory
/log print where topics~"interface"
Common problems
| Symptom | Likely cause | Fix |
|---|---|---|
| Interface shows no R flag | Firewall dropping tunnel protocol | Add input accept rule for protocol 4 (IPIP) or 41 (IP6IP6/6to4) |
| Interface running, no traffic | Missing route | Add /ip route or /ipv6 route for remote prefix |
| Interface running, no traffic | Forward chain drop | Add forward accept rule for tunnel interface |
| High packet loss | MTU mismatch / fragmentation | Lower tunnel MTU; verify clamp-tcp-mss=yes |
| Tunnel up, asymmetric path | local-address=0.0.0.0 picks wrong source | Set local-address explicitly to match the expected return path |
| IP6IP6 traffic lost | IPv6 firewall blocking protocol 41 | Add /ipv6 firewall filter input accept for protocol=ipv6-encap |
Step-by-step ping trace
# 1. Is the tunnel interface running?
/interface print where name=ipip-to-branch
# 2. Can you reach the remote tunnel IP?
/ping 10.10.10.2
# 3. Can you reach a host in the remote LAN?
/ping 192.168.20.1
# 4. Is there a route for the remote LAN?
/ip route print where dst-address=192.168.20.0/24
# 5. Are firewall rules allowing the traffic?
/ip firewall filter print where chain=input
/ip firewall filter print where chain=forward
See Also
- GRE and IPIP Tunnels — combined GRE/IPIP guide with IPsec encryption options
- 6to4 Tunneling — full 6to4 property reference and tunnel broker setup
- EoIP Tunnels — Layer 2 Ethernet tunneling between MikroTik routers
- WireGuard VPN — encrypted tunnel with modern cryptography
- IPsec — encrypt IPIP/IP6IP6 tunnels with manual IPsec policies