Skip to content
MikroTik RouterOS Docs

IPv6 Transition Tunnels: 6in4, 6rd, and 6to4 Relay

IPv6 Transition Tunnels: 6in4, 6rd, and 6to4 Relay

Section titled “IPv6 Transition Tunnels: 6in4, 6rd, and 6to4 Relay”

RouterOS supports three IPv6 transition tunneling mechanisms that carry IPv6 traffic across IPv4-only infrastructure. All three use IPv4 protocol 41 (IPv6-in-IPv4 encapsulation) and share the /interface 6to4 sub-menu, but they differ in how IPv6 addresses are derived and who controls the endpoints.

MechanismPrefix sourceRemote endpointUse case
6in4Tunnel broker assigns native /64Static, broker-controlledEnd-user connectivity via HE.net
6rdISP derives from IPv4 + ISP prefixISP border relay (dynamic-ish)ISP-managed IPv6 rollout
6to4 relayDerived from IPv4 (2002::/16)Anycast relay (192.88.99.1)Deprecated; opportunistic connectivity

Recommendation: For new deployments, prefer 6in4 via a tunnel broker (if native IPv6 is unavailable) or request native IPv6 from your ISP. 6to4 relay is deprecated (RFC 7526) and unreliable.

Concepts

Section titled “Concepts”

SIT: The Common Transport

Section titled “SIT: The Common Transport”

All three mechanisms use the SIT (Simple Internet Transition) encapsulation: an IPv6 packet is placed directly inside an IPv4 packet with protocol number 41. RouterOS implements this under /interface 6to4, which handles both static (6in4) and automatic (6to4/6rd) modes.

 IPv4 header (proto=41)
 ┌─────────────────────────────┐
 │  src: your IPv4             │
 │  dst: tunnel endpoint IPv4  │
 ├─────────────────────────────┤
 │  IPv6 header + payload      │
 └─────────────────────────────┘

How the three mechanisms differ

Section titled “How the three mechanisms differ”

6in4 uses a native IPv6 prefix assigned by the tunnel broker. The prefix is unrelated to your IPv4 address. The tunnel has a fixed remote endpoint (the broker’s PoP server). Your router gets a routed /64 or /48 for use on the LAN.

6rd (IPv6 Rapid Deployment, RFC 5969) is an ISP-managed mechanism. The ISP provides a 6rd prefix (e.g., 2001:db8::/32) and embeds bits from your public IPv4 address to derive your unique IPv6 prefix. No broker account needed — the ISP’s DHCP/TR-069 provisioning delivers the parameters.

6to4 relay is automatic: any router with a public IPv4 address can use the fixed 2002::/16 prefix and route through an anycast relay at 192.88.99.1. It requires no configuration agreement with any party, but the anycast relay infrastructure is being decommissioned and latency is unpredictable.

6in4 — Static Tunnel Broker (Hurricane Electric)

Section titled “6in4 — Static Tunnel Broker (Hurricane Electric)”

Hurricane Electric’s free tunnel broker service (tunnelbroker.net) provides static 6in4 tunnels with a native /64 for the tunnel link and an additional /64 (or /48) for your LAN.

What you receive from HE.net

Section titled “What you receive from HE.net”

After registering and creating a tunnel, the tunnel details page shows:

ParameterExample value
Server IPv4 address216.66.80.90
Client IPv4 addressyour public IP
Server IPv6 address2001:470:27:37e::1/64
Client IPv6 address2001:470:27:37e::2/64
Routed /64 prefix2001:470:28:37e::/64

Create the tunnel interface

Section titled “Create the tunnel interface”
/interface 6to4
add name=he-tunnel \
    local-address=198.51.100.1 \
    remote-address=216.66.80.90 \
    mtu=1480 \
    clamp-tcp-mss=yes \
    comment="Hurricane Electric 6in4 tunnel"

Interface properties:

PropertyDefaultDescription
local-addressYour public IPv4 address. Must match what HE.net has on record.
remote-addressTunnel server IPv4 from HE.net dashboard.
mtuautoSet to 1480 (IPv4 MTU 1500 − 20-byte IPv4 header). Use 1280 if path MTU is unknown or fragmentation occurs.
clamp-tcp-mssyesClamps TCP MSS to avoid fragmentation on the tunnel.

Assign the tunnel address

Section titled “Assign the tunnel address”
/ipv6 address
add interface=he-tunnel \
    address=2001:470:27:37e::2/64 \
    advertise=no

Add the default IPv6 route

Section titled “Add the default IPv6 route”
/ipv6 route
add dst-address=::/0 \
    gateway=2001:470:27:37e::1 \
    comment="IPv6 default via HE.net"

Assign a prefix to the LAN

Section titled “Assign a prefix to the LAN”
/ipv6 address
add interface=bridge \
    address=2001:470:28:37e::1/64 \
    advertise=yes

Enable router advertisements so LAN clients auto-configure via SLAAC:

/ipv6 nd
set [find interface=bridge] advertise-dns=yes ra-interval=30s-1m

Allow tunnel traffic through the firewall

Section titled “Allow tunnel traffic through the firewall”

6in4 uses IPv4 protocol 41. Permit it inbound:

/ip firewall filter
add chain=input \
    protocol=41 \
    src-address=216.66.80.90 \
    action=accept \
    comment="Allow 6in4 from HE.net"
    place-before=0

Also allow ICMPv6 for path MTU discovery and neighbor discovery to function:

/ipv6 firewall filter
add chain=input action=accept protocol=icmpv6 comment="Allow ICMPv6"
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface=bridge out-interface=he-tunnel
add chain=forward action=accept in-interface=he-tunnel out-interface=bridge

Verify

Section titled “Verify”
/interface 6to4 print
/ipv6 address print
/ping 2001:4860:4860::8888

The tunnel interface should show the R (running) flag. If it shows only D (dynamic/disabled), the firewall is blocking protocol 41 or the local-address does not match.

Dynamic IP users: HE.net provides a tunnel update API. If your IPv4 address changes, update the tunnel: curl -s "https://ipv4.tunnelbroker.net/nic/update?username=USER&password=PASS&hostname=TUNNEL_ID". You can automate this with a RouterOS script on the /ip dhcp-client default route change event.

6rd — ISP Rapid Deployment

Section titled “6rd — ISP Rapid Deployment”

6rd (RFC 5969) lets an ISP offer IPv6 to subscribers using its existing IPv4 infrastructure. The ISP assigns a 6rd prefix and embeds a portion of the subscriber’s IPv4 address to create a unique /64 prefix per subscriber. No public IPv4 is required — 6rd works behind ISP-level NAT if the ISP embeds the pre-NAT IPv4.

How the address is derived

Section titled “How the address is derived”

The ISP provides three parameters:

ParameterExampleMeaning
6rd-prefix2001:db8::/32ISP’s allocated IPv6 block for 6rd
6rd-ipv4-prefix-len8Leading IPv4 bits shared by all subscribers (omitted from embedding)
Border relay IPv4203.0.113.1ISP’s 6rd border relay

Your unique prefix is constructed by:

  1. Taking the 6rd prefix bits
  2. Appending (32 − 6rd-ipv4-prefix-len) bits from your IPv4 address, skipping the leading 6rd-ipv4-prefix-len bits

Example: 6rd-prefix 2001:db8::/32, IPv4-prefix-len 8, subscriber IPv4 198.51.100.50

  • Strip the first 8 bits of IPv4 (198 = 0xC6, shared among all ISP subscribers)
  • Remaining 24 bits: 51.100.50 = 0x336432
  • Embed into bits 32–55 of the 6rd prefix → 2001:0db8:3364:3200::/56
  • Allocate a /64 for the LAN: 2001:0db8:3364:3200::/64

Configure 6rd in RouterOS

Section titled “Configure 6rd in RouterOS”

RouterOS does not expose native 6rd parameters — the address derivation is done manually. The tunnel itself is a standard 6to4 interface pointing at the border relay.

Step 1: Create the tunnel interface

/interface 6to4
add name=6rd \
    local-address=198.51.100.50 \
    remote-address=203.0.113.1 \
    mtu=1480 \
    clamp-tcp-mss=yes \
    comment="ISP 6rd tunnel"

Step 2: Assign the derived tunnel address

Use the address computed from the ISP parameters. The ::1 host address is conventional for the CPE end:

/ipv6 address
add interface=6rd \
    address=2001:db8:3364:3200::1/128 \
    advertise=no

Step 3: Add a default IPv6 route via the border relay

The border relay’s 6rd IPv6 address is formed the same way using the relay’s IPv4 address (203.0.113.1 = 0xcb007101):

Border relay IPv6 = 2001:db8:cb00:7101::1 (relay IPv4 embedded in 6rd prefix)
/ipv6 route
add dst-address=::/0 \
    gateway=2001:db8:cb00:7101::1 \
    comment="IPv6 default via 6rd border relay"

Step 4: Assign the /64 to the LAN

/ipv6 address
add interface=bridge \
    address=2001:db8:3364:3200::1/64 \
    advertise=yes

Step 5: Allow protocol 41 from the ISP border relay

/ip firewall filter
add chain=input \
    protocol=41 \
    src-address=203.0.113.1 \
    action=accept \
    comment="Allow 6rd from ISP border relay" \
    place-before=0

6rd address calculation helper

Section titled “6rd address calculation helper”

RouterOS scripting can automate the prefix derivation when the ISP delivers 6rd parameters via DHCP option 212:

# Example: derive 6rd prefix from ISP parameters
:local ipv4 "198.51.100.50"
:local rdpfx "2001:db8"
:local pfxlen 32
:local ipv4pfxlen 8


# Split IPv4 octets
:local o1 [:tonum [:pick $ipv4 0 [:find $ipv4 "."]]]
# (full implementation requires parsing all 4 octets and bitwise ops)
:log info "6rd prefix derivation: use ISP-provided values directly"

In practice, most ISPs that deploy 6rd provide the full derived prefix via DHCP option 212 (6rd), and RouterOS will receive this via the DHCP client. Check /ip dhcp-client print detail for option 212 in the received options list.

Verify 6rd

Section titled “Verify 6rd”
/interface 6to4 print
/ipv6 address print
/ping 2001:4860:4860::8888 src-address=2001:db8:3364:3200::1

6to4 Relay — Automatic Mode

Section titled “6to4 Relay — Automatic Mode”

Deprecated: The 6to4 anycast relay infrastructure (RFC 3068) has been decommissioned by most operators. RFC 7526 (2015) formally deprecated automatic 6to4. Use 6in4 with a tunnel broker instead.

6to4 automatic mode requires no configuration with a remote party. Any router with a public IPv4 address can derive a 2002::/48 prefix and route IPv6 through an anycast relay at 192.88.99.1.

Configuration

Section titled “Configuration”
# Create 6to4 interface (no remote-address = automatic relay mode)
/interface 6to4
add name=6to4-relay \
    local-address=198.51.100.1 \
    mtu=1480 \
    comment="6to4 automatic relay (deprecated)"


# Derive the 2002::/48 address from IPv4
# 198.51.100.1 in hex = C633:6401
/ipv6 address
add interface=6to4-relay \
    address=2002:c633:6401::1/48 \
    advertise=no


# Route 2002::/16 traffic through the tunnel (automatic encapsulation)
/ipv6 route
add dst-address=2002::/16 \
    gateway=6to4-relay


# Default IPv6 route via anycast relay
/ipv6 route
add dst-address=::/0 \
    gateway=2002:c0a8:6301::1 \
    comment="IPv6 default via 6to4 anycast relay 192.88.99.1"

The anycast relay gateway address 2002:c0a8:6301::1 is the 6to4 encoding of 192.88.99.1 (the anycast relay address, RFC 3068).

When to use relay mode

Section titled “When to use relay mode”

Only use 6to4 relay when:

  • You need temporary connectivity during troubleshooting
  • Your ISP blocks 6in4 (protocol 41 from external hosts) but allows outbound protocol 41
  • No tunnel broker account is available and native IPv6 is unavailable

For any permanent deployment, use 6in4 with a tunnel broker. See 6to4 Tunneling for the full 6to4 reference including the 2002::/16 address format.

MTU and Fragmentation

Section titled “MTU and Fragmentation”

All three mechanisms add a 20-byte IPv4 header. On a standard Ethernet path with MTU 1500:

Path MTUTunnel MTURecommendation
1500 (Ethernet)1480Default — works for most paths
1492 (PPPoE)1472Required for PPPoE WAN
Unknown / problems1280Safe minimum (IPv6 minimum MTU)

Set clamp-tcp-mss=yes on the tunnel interface to avoid TCP black holes. For non-TCP traffic (UDP, ICMP), ensure your firewall passes ICMPv6 type 2 (Packet Too Big) messages end-to-end.

/ipv6 firewall filter
add chain=input action=accept protocol=icmpv6 icmp-options=2:0 \
    comment="Allow IPv6 Packet Too Big (PMTUD)"

Troubleshooting

Section titled “Troubleshooting”

Tunnel interface not running (no R flag)

Section titled “Tunnel interface not running (no R flag)”
/interface 6to4 print
StateLikely cause
D onlydisabled=yes or IPv4 firewall blocking protocol 41
RS but no trafficMissing IPv6 route or firewall forward rule
Interface absentNot created, or wrong sub-menu

Check that protocol 41 is allowed inbound:

/ip firewall filter print where protocol=41
/ip firewall raw print where protocol=41

IPv6 connectivity fails but tunnel is up

Section titled “IPv6 connectivity fails but tunnel is up”
# Verify IPv6 address is assigned
/ipv6 address print where interface=he-tunnel


# Check route exists
/ipv6 route print where dst-address=::/0


# Trace the path
/tool traceroute 2001:4860:4860::8888


# Capture traffic on the tunnel
/tool sniffer quick interface=he-tunnel ip-protocol=ipv6

HE.net rejects the tunnel (authentication error)

Section titled “HE.net rejects the tunnel (authentication error)”

The local-address in RouterOS must exactly match the Client IPv4 address registered in the HE.net tunnel details. If your public IP has changed, update it in the HE.net portal and reconfigure local-address.

6rd prefix calculation is wrong

Section titled “6rd prefix calculation is wrong”

Double-check the ISP-provided parameters. Common mistakes:

  • Using the full IPv4 address when 6rd-ipv4-prefix-len > 0 (you must strip the leading bits)
  • Confusing the border relay IPv6 address with the gateway (the relay uses the embedded-IPv4 formula, not ::1 of the 6rd prefix)

See Also

Section titled “See Also”