IPv6

IPv6 in ProxPanel is delivered per subscriber as prefix delegation: each subscriber who has IPv6 enabled is allocated a unique /56 carved out of a parent /48, and that prefix is handed to their CPE over PPPoE via RADIUS. The CPE then sub-delegates /64s to the LAN. This is an opt-in, per-subscriber toggle — IPv6 is off until you turn it on for a given account.

If you haven’t read it yet, IP Allocation covers the IPv4 side (static vs. pool). This page is the IPv6 counterpart and assumes you already understand how RADIUS radreply attributes drive MikroTik.

How it works

When you enable IPv6 for a subscriber, ProxPanel does the following in one database transaction:

1. Allocates the next free /56. The pool is a parent /48 (2a01:e780:c0::/48) split into 255 /56 slots aligned on valid /56 boundaries — index N maps to 2a01:e780:c0:N00::/56 (so N=1 → …:c0:100::/56, N=255 → …:c0:ff00::/56). Used prefixes are read from subscribers.ipv6_prefix; the first unused index is taken. When all 255 are used the allocator returns a “pool exhausted” error and the /48 must be widened.
2. Writes the RADIUS reply rows (see below).
3. Sets subscribers.ipv6_enabled = true and stores the /56 in subscribers.ipv6_prefix. That stored prefix is what reserves the slot, so a subscriber gets the same /56 every time.
4. Provisions a per-customer MikroTik pool. ProxPanel connects to the subscriber’s NAS and creates a named pool customer-<subscriber_id> containing exactly that one /56, so RouterOS hands out the identical prefix on every reconnect. This step is best-effort — if the NAS is unreachable the DB changes still commit and the pool can be re-provisioned later by re-toggling.

Disabling IPv6 reverses all of this: the RADIUS rows are deleted, ipv6_enabled is cleared, ipv6_prefix is emptied (freeing the /56 back into the pool), and the customer-<id> MikroTik pool is removed. Both enable and disable are idempotent.

RADIUS attributes delivered

Enabling IPv6 writes four radreply rows for the subscriber:

Attribute	Value	Purpose
Framed-IPv6-Prefix	the /56 rewritten as a /64	The on-link prefix for the PPPoE interface.
Delegated-IPv6-Prefix	the full /56	The prefix delegated (DHCPv6-PD) to the customer’s CPE for its LAN.
Framed-IPv6-Pool	customer-<subscriber_id>	Tells RouterOS which named pool to allocate the delegated prefix from — the per-customer pool that contains exactly this /56.
Mikrotik-Group	ipv6-test	Puts the session in the PPP profile that has IPv6 enabled. This profile must exist on the MikroTik.

These rows live in radreply alongside the IPv4 attributes (Framed-IP-Address / Framed-Pool) from IP Pools and the rate limit. They’re cleared and rewritten defensively on every enable, so re-toggling never leaves stale IPv6 rows behind.

Note

The /56 and the /64 both come from the same prefix string — ProxPanel just rewrites the /56 suffix to /64 for Framed-IPv6-Prefix. MikroTik treats Framed-IPv6-Prefix as the link address and Delegated-IPv6-Prefix as the PD prefix, so this is correct.

Enabling / disabling IPv6 for a subscriber

IPv6 is toggled per subscriber via POST /subscribers/:id/ipv6 with a body of:

{ "enabled": true, "kick": false }

• enabled — true to allocate and assign a /56, false to remove it.
• kick — optional. If true and the subscriber is currently online, ProxPanel also disconnects their PPPoE session (via the MikroTik API) so the new attributes apply on the immediate reconnect. Without kick, the new prefix simply takes effect on the subscriber’s next natural reconnect.

The response echoes ipv6_enabled, ipv6_prefix, and whether the session was kicked.

Seeing connected IPv6 devices

GET /subscribers/:id/ipv6-devices lists the unique IPv6 source addresses currently active inside the subscriber’s /56. ProxPanel queries the subscriber’s NAS (/ipv6/firewall/connection tracking) and matches source addresses against the bare prefix (e.g. 2a01:e780:c0:100). Each distinct source address is one device on the customer’s LAN — or one privacy-extension rotation of a device. The response includes the prefix, the devices array, and a count.

Caution

This shows only what is currently active in connection tracking. A device that’s idle (no recent traffic) won’t appear, and for non-MikroTik CPEs you can’t see behind the customer router at all. Treat the count as “active right now”, not “total devices on the LAN”.

If the subscriber doesn’t have IPv6 enabled, the endpoint returns ipv6_enabled: false and an empty list rather than an error. If they have no NAS configured, it returns a 400.

Reseller scoping

Both the toggle and the device-list endpoint enforce reseller ownership: a reseller may only enable/disable IPv6 or view connected devices for their own subscribers. Attempting to act on another reseller’s subscriber returns “Subscriber not found” (device list) or “Permission denied” (toggle), so reseller A can’t enumerate :id values to spy on reseller B’s customers.

Permissions

Permission	Effect
subscribers.edit	Required to toggle IPv6 on/off (POST /subscribers/:id/ipv6).
subscribers.view	Required to list connected IPv6 devices (GET /subscribers/:id/ipv6-devices).

Admins bypass these checks; resellers are additionally restricted to their own subscribers as described above.

Prerequisites on the NAS

For IPv6 to actually flow:

• The PPP profile named in Mikrotik-Group (ipv6-test) must exist on the MikroTik with IPv6 enabled.
• The parent /48 must be routed to / configured on the BNG so the delegated /56s are reachable.
• The NAS must have working API credentials in ProxPanel, otherwise the per-customer pool can’t be provisioned automatically (the DB still records the assignment, but you’ll need to create the customer-<id> pool manually or re-toggle once the NAS is reachable).

Related pages

• IP Allocation — the IPv4 counterpart (static IP vs. pool, duplicate-IP defenses).
• IP Pools — how named pools and Framed-Pool work for IPv4, the same mechanism Framed-IPv6-Pool uses for the delegated prefix.
• Subscriber Detail — where the per-subscriber IPv6 toggle and connected-device list surface in the panel.