Difference and priority of IPv4 and IPv6 firewall filter?

zsczzq7n · October 25, 2025, 10:05am

I have tried to find the answer of my question in the documentation for Packet Flow but was not successful:

In which order are the packages processed with respect to IPv4 and IPv6?

For example, I would like to separate two VLANs, regardless if IPv4 or IPv6. My idea was to block forwarding on interface layer.

Would the firewall filter for IPv4

/ip firewall filter
add action=reject chain=forward in-interface=vlan7 out-interface=vlan16 reject-with=icmp-admin-prohibited

also work for IPv6 traffic or do I need a separate entry in IPv6 firewall filters:

/ipv6 firewall filter
add action=reject chain=forward in-interface=vlan7 out-interface=vlan16 reject-with=icmp-admin-prohibited

Are both (IPv4 and IPv6) filters are processed for every kind of traffic or is there a strict separation between IPv4 traffic and IPv6 traffic? If both are handled, in which order are they processed?

MrYan · October 25, 2025, 11:25am

You need separate filters for different IP versions (IPv4 and IPv6).

The router looks at the version of the packet received (in the Layer 2 header) and applies the relevant filters for that version.

So, IPv4 packets only traverse IPv4 filters and IPv6 packets only traverse IPv6 filters.