[@core] /ipv6 firewall filter> pr
Flags: X - disabled, I - invalid, D - dynamic
0 X chain=input action=drop connection-state=invalid
1 chain=input action=accept connection-state=established
2 chain=input action=accept connection-state=related
3 chain=input action=accept protocol=udp
4 chain=input action=accept protocol=icmp
5 X chain=input action=accept src-address=route1/64
6 chain=input action=accept src-address=route2/48
7 chain=input action=accept protocol=tcp dst-port=80
8 chain=input action=accept protocol=tcp dst-port=1723
9 ;;; accept connections from outside to ip camera
chain=input action=accept dst-address=route1:id/128
10 chain=input action=drop
I have a 6to4 tunnel (sit1) set up via tunnelbroker.net.
route1/64 is my routed network at home.
Why doesn’t rule 0 work properly? If I enable that rule, all input connections are broken. It’s as if IPv6 connections are all treated as invalid?
When I disable rule 0 and leave rule 5 also disabled, why doesn’t the ping from outside pass to the IP camera?
It’s as if rules 4 and 9 aren’t even considered!
Does anyone have an explanation?
ROS 3.22 here.
edit: figured out the rule 4 problem… forgot I need icmpv6 specifically. Why doesn’t rule 9 apply then?
The input chain is for traffic to the router, not for traffic through the router like traffic from the outside through the router to an IP camera behind the router. That traffic is handled in the forward chain.
That I don’t know, sorry. Going by your short description here it sounds like a bug. Collect data (packet/byte hits against rules together with opening connections showing that all traffic matches that rule) and open a bug report with support@mikrotik.com.
If input manages packets whose destination is one of the router’s IPs…
Then WHY did it matter when I e.g. disabled rule no. 5 in the setup I showed at the beginning?
With rule 5 disabled, ping didn’t pass; with rule 5 enabled, I was able to ping the IP cam from outside.
How come?
A friend mentioned that when using a 6to4 tunnel, all IPv6 traffic actually first goes to the router, as it’s the tunnel’s endpoint.
So the INPUT chain does seem to be considered for traffic going through the router to my network.
So far I understand that only the IPv4 traffic (which tunnels the IPv6 packets) has an endpoint on the router itself, and not the IPv6 traffic. So I’m still skeptical about my friend’s explanation.
I tested with WinBox and the first rule (rule 0) was enabled.
Resetting the counters and accessing ipv6.google.com gets me 720B/10p of data against that same rule (naturally the connection to ipv6.google.com times out).
Disabling that rule gets me a working ipv6.google.com site and traffic on the following rules: 4 - 936B/13p, 9 - 227KB/362p, 12 - 504B/7p.
Bug. Your understanding is right. The IPv4 packets encapsulating their IPv6 payload are in the input chain, the IPv6 traffic going through the router is not.
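To make the two points made in this thread concrete (packets addressed to the router itself hit input, packets the router forwards hit forward; and on a 6in4/sit tunnel only the encapsulating IPv4 packet terminates on the router, in the IPv4 input chain), here is an added example that is not from the thread or from MikroTik: a small first-match simulator in Python that transcribes the poster's IPv6 input chain and classifies a few packets against it. All addresses (the route1/64 and route2/48 prefixes, the camera address, the router's LAN and tunnel-endpoint addresses, the public IPv4 side of sit1) are assumed placeholders from documentation address space, and the connection-state of every sample packet is simply "new".

```python
"""Toy first-match simulator for RouterOS firewall chains.
Added example; the addresses below are assumed placeholders (RFC 3849 /
RFC 5737 documentation space), not the poster's real networks."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# IP protocol numbers: ICMP and ICMPv6 are different protocols, which is why
# a protocol=icmp rule never matches an IPv6 echo request.
ICMP, TCP, UDP, IPV6_ENCAP, ICMPV6 = 1, 6, 17, 41, 58


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dst_port: Optional[int] = None
    state: str = "new"          # new / established / related / invalid


@dataclass
class Rule:
    chain: str
    action: str
    proto: Optional[int] = None
    src: Optional[str] = None   # prefix, e.g. "2001:db8:1::/64"
    dst: Optional[str] = None
    dst_port: Optional[int] = None
    state: Optional[str] = None
    disabled: bool = False      # the "X" flag in the listing

    def matches(self, pkt: Packet) -> bool:
        if self.disabled:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.state is not None and pkt.state != self.state:
            return False
        return True


def chain_for(pkt: Packet, local_addrs: Sequence[str]) -> str:
    """Routing decision: a packet addressed to one of the router's own
    addresses goes to input; anything the router routes onward goes to forward."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    return "input" if ipaddress.ip_address(pkt.dst) in local else "forward"


def evaluate(rules: List[Rule], chain: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """The first matching rule in the chain decides; a chain in which nothing
    matches accepts, which is the RouterOS default."""
    for idx, rule in enumerate(rules):
        if rule.chain == chain and rule.matches(pkt):
            return rule.action, idx
    return "accept", None


def classify(rules: List[Rule], pkt: Packet, local_addrs: Sequence[str]):
    chain = chain_for(pkt, local_addrs)
    action, idx = evaluate(rules, chain, pkt)
    return chain, action, idx


# Assumed stand-ins for route1/64, route2/48 and route1:id from the listing.
ROUTE1 = "2001:db8:1::/64"
ROUTE2 = "2001:db8:2::/48"
CAMERA = "2001:db8:1::cafe"
ROUTER_V6 = ["2001:db8:1::1", "2001:db8:0:1::2"]   # LAN address, tunnel endpoint
ROUTER_V4 = ["192.0.2.10"]                         # public IPv4 side of sit1
OUTSIDE_V6 = "2001:db8:ffff::1"

# The poster's IPv6 input chain, transcribed (rules 0 and 5 disabled as shown).
RULES = [
    Rule("input", "drop", state="invalid", disabled=True),
    Rule("input", "accept", state="established"),
    Rule("input", "accept", state="related"),
    Rule("input", "accept", proto=UDP),
    Rule("input", "accept", proto=ICMP),            # protocol=icmp, not icmpv6
    Rule("input", "accept", src=ROUTE1, disabled=True),
    Rule("input", "accept", src=ROUTE2),
    Rule("input", "accept", proto=TCP, dst_port=80),
    Rule("input", "accept", proto=TCP, dst_port=1723),
    Rule("input", "accept", dst=CAMERA + "/128"),   # rule 9: never reached for routed traffic
    Rule("input", "drop"),
]


def with_icmpv6(rules: List[Rule]) -> List[Rule]:
    """Rule 4 rewritten to protocol=icmpv6, as the poster's edit describes."""
    fixed = list(rules)
    fixed[4] = Rule("input", "accept", proto=ICMPV6)
    return fixed


def tunnel_path(inner: Packet, v4_src: str, v4_dst: str):
    """A 6in4/sit tunnel: the outer IPv4 packet (protocol 41) is addressed to
    the router, so it is seen by the IPv4 input chain; the decapsulated IPv6
    packet is then routed like any other and lands in the IPv6 chains."""
    outer = Packet(v4_src, v4_dst, IPV6_ENCAP)
    return chain_for(outer, ROUTER_V4), classify(RULES, inner, ROUTER_V6)


if __name__ == "__main__":
    ping_cam = Packet(OUTSIDE_V6, CAMERA, ICMPV6)
    ping_router = Packet(OUTSIDE_V6, ROUTER_V6[0], ICMPV6)
    print("ping camera        ->", classify(RULES, ping_cam, ROUTER_V6))
    print("ping router        ->", classify(RULES, ping_router, ROUTER_V6))
    print("ping router, fixed ->", classify(with_icmpv6(RULES), ping_router, ROUTER_V6))
    print("via tunnel         ->", tunnel_path(ping_cam, "198.51.100.7", ROUTER_V4[0]))
```

Run stand-alone it shows the two behaviours from the thread: the echo request to the camera is classified into forward, where the listing has no rules at all, so rule 9 (and rule 5) in input can never affect it; the echo request to the router's own address reaches input, where protocol=icmp does not match ICMPv6 and rule 10 drops it until rule 4 is changed to icmpv6. The tunnel case shows the outer protocol-41 IPv4 packet as the only thing addressed to the router.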