MikroTik RouterOS 7.23.1, CAPsMAN, and IPv6: Fixing a Broken IPv6 Connection
June 12, 2026
After upgrading my MikroTik home CAPsMAN system to RouterOS 7.23.1, I noticed that IPv6 connectivity was still not working correctly. The main internet connection was provided by Xfinity, and the router was able to receive an IPv6 prefix from the provider, but IPv6 traffic from local devices was unstable or not working as expected.
After some troubleshooting, I was able to restore IPv6 connectivity. The problem was not with Xfinity and not really with the main router. The issue was caused by one of my MikroTik cAP access points.
In my case, the access point was not acting only as a Wi-Fi bridge. It also had IPv6 forwarding enabled and was participating in IPv6 routing behavior. As a result, the cAP started advertising itself inside the local network as an IPv6 router.
That is not what an access point should do.
What was happening
In a normal home MikroTik setup, the main router should do the IPv6 routing.
The correct structure should look like this:
Xfinity Internet
|
Main MikroTik Router
|
LAN bridge / CAPsMAN
|
cAP access point
|
Wi-Fi clients
The main router receives IPv6 from the ISP, receives or creates the default IPv6 route, and advertises the IPv6 prefix to local devices using Router Advertisement / SLAAC.
The cAP access point should only bridge Wi-Fi clients to the LAN. It should not become an IPv6 router, and it should not advertise itself as a default gateway.
However, after the upgrade, I found that the cAP had IPv6 forwarding enabled:
/ipv6 settings set forward=yes
With IPv6 forwarding enabled, the access point can behave more like an IPv6 router. If Neighbor Discovery is also enabled on the cAP, it may start sending Router Advertisements into the LAN.
This can create a very confusing situation: local devices may see more than one IPv6 router on the same network. Some devices may choose the wrong default gateway, and IPv6 connectivity may break.
The fix on the cAP access point
The most important fix was to disable IPv6 forwarding on the cAP:
/ipv6 settings set forward=no
This makes the cAP behave like an IPv6 host, not like an IPv6 router.
This does not break Wi-Fi. The cAP still bridges Wi-Fi clients normally at Layer 2. It simply stops trying to route IPv6 traffic.
As a preventive step, I also disabled IPv6 Neighbor Discovery on the cAP:
/ipv6 nd disable
The cAP does not need to send Router Advertisements. Only the main router should do that.
I also disabled the DHCPv6 client on the cAP:
/ipv6 dhcp-client disable
In my network, the main router uses SLAAC / Router Advertisement for LAN devices. There is no DHCPv6 server handing out individual IPv6 addresses on the LAN, so a DHCPv6 client on the cAP was not needed.
Allowing the cAP to receive its own IPv6 address
Even though the cAP should not act as a router, it can still have its own IPv6 address for management and software updates.
To allow the cAP to receive IPv6 information from the main router, I enabled Router Advertisement acceptance:
/ipv6 settings set accept-router-advertisements=yes
With this setting, the cAP can receive an IPv6 address through SLAAC, just like a Mac, iPhone, or other normal network client.
Final command set for the cAP
On the MikroTik cAP access point, I used the following commands:
/ipv6 settings set forward=no accept-router-advertisements=yes
/ipv6 nd disable
/ipv6 dhcp-client disable
/system reboot
After the reboot, the cAP should receive its own IPv6 address from the main router through SLAAC, but it should no longer advertise itself as a router.
Main router check
On the main MikroTik router, Neighbor Discovery should be enabled only on the LAN bridge, not on all interfaces.
For example:
/ipv6 nd set [find default=yes] interface=bridge advertise-dns=yes ra-lifetime=30m
Avoid using:
interface=all
for IPv6 Neighbor Discovery unless you have a very specific reason. In most home and small business networks, Router Advertisements should be sent only to the LAN side, not everywhere.
How to verify the fix
After rebooting the cAP, I checked IPv6 addressing and routing
/ipv6 address print detail
/ipv6 route print where dst-address=::/0
/tool ping ipv6.google.com
On the cAP, I expected to see:
A global IPv6 address from the main router prefix
A default IPv6 route through the main router
Successful ping to ipv6.google.com
On the main router, I checked the IPv6 default routes:
/ipv6 route print where dst-address=::/0
The important part was to make sure there was no active default route through the LAN bridge or through the cAP. The active IPv6 default route should point toward the ISP-facing interface.
After some troubleshooting, I was able to restore IPv6 connectivity. The problem was not with Xfinity and not really with the main router. The issue was caused by one of my MikroTik cAP access points.
In my case, the access point was not acting only as a Wi-Fi bridge. It also had IPv6 forwarding enabled and was participating in IPv6 routing behavior. As a result, the cAP started advertising itself inside the local network as an IPv6 router.
That is not what an access point should do.
What was happening
In a normal home MikroTik setup, the main router should do the IPv6 routing.
The correct structure should look like this:
Xfinity Internet
|
Main MikroTik Router
|
LAN bridge / CAPsMAN
|
cAP access point
|
Wi-Fi clients
The main router receives IPv6 from the ISP, receives or creates the default IPv6 route, and advertises the IPv6 prefix to local devices using Router Advertisement / SLAAC.
The cAP access point should only bridge Wi-Fi clients to the LAN. It should not become an IPv6 router, and it should not advertise itself as a default gateway.
However, after the upgrade, I found that the cAP had IPv6 forwarding enabled:
/ipv6 settings set forward=yes
With IPv6 forwarding enabled, the access point can behave more like an IPv6 router. If Neighbor Discovery is also enabled on the cAP, it may start sending Router Advertisements into the LAN.
This can create a very confusing situation: local devices may see more than one IPv6 router on the same network. Some devices may choose the wrong default gateway, and IPv6 connectivity may break.
The fix on the cAP access point
The most important fix was to disable IPv6 forwarding on the cAP:
/ipv6 settings set forward=no
This makes the cAP behave like an IPv6 host, not like an IPv6 router.
This does not break Wi-Fi. The cAP still bridges Wi-Fi clients normally at Layer 2. It simply stops trying to route IPv6 traffic.
As a preventive step, I also disabled IPv6 Neighbor Discovery on the cAP:
/ipv6 nd disable
The cAP does not need to send Router Advertisements. Only the main router should do that.
I also disabled the DHCPv6 client on the cAP:
/ipv6 dhcp-client disable
In my network, the main router uses SLAAC / Router Advertisement for LAN devices. There is no DHCPv6 server handing out individual IPv6 addresses on the LAN, so a DHCPv6 client on the cAP was not needed.
Allowing the cAP to receive its own IPv6 address
Even though the cAP should not act as a router, it can still have its own IPv6 address for management and software updates.
To allow the cAP to receive IPv6 information from the main router, I enabled Router Advertisement acceptance:
/ipv6 settings set accept-router-advertisements=yes
With this setting, the cAP can receive an IPv6 address through SLAAC, just like a Mac, iPhone, or other normal network client.
Final command set for the cAP
On the MikroTik cAP access point, I used the following commands:
/ipv6 settings set forward=no accept-router-advertisements=yes
/ipv6 nd disable
/ipv6 dhcp-client disable
/system reboot
After the reboot, the cAP should receive its own IPv6 address from the main router through SLAAC, but it should no longer advertise itself as a router.
Main router check
On the main MikroTik router, Neighbor Discovery should be enabled only on the LAN bridge, not on all interfaces.
For example:
/ipv6 nd set [find default=yes] interface=bridge advertise-dns=yes ra-lifetime=30m
Avoid using:
interface=all
for IPv6 Neighbor Discovery unless you have a very specific reason. In most home and small business networks, Router Advertisements should be sent only to the LAN side, not everywhere.
How to verify the fix
After rebooting the cAP, I checked IPv6 addressing and routing
/ipv6 address print detail
/ipv6 route print where dst-address=::/0
/tool ping ipv6.google.com
On the cAP, I expected to see:
A global IPv6 address from the main router prefix
A default IPv6 route through the main router
Successful ping to ipv6.google.com
On the main router, I checked the IPv6 default routes:
/ipv6 route print where dst-address=::/0
The important part was to make sure there was no active default route through the LAN bridge or through the cAP. The active IPv6 default route should point toward the ISP-facing interface.
