I’ve been wondering and researching whether it would be possible to find a way to create some fixed firewall rules for some internal hosts to publish services. My ISP gives a /64 prefix that works fine. The problem is that the prefix is dynamic, so I can’t have a firewall rule with a fixed destination address to permit that particular protocol to just one specific host. Once the prefix is renewed, the firewall rule becomes useless.
Is there a way to maybe fix the MAC address or the interface in the rule? Something like the IPv6 gateway route field, where the address%interface appears?
You can do this by scripting. E.g. I change the IPv6 prefix for DNS and the IPv6 firewall after every reconnect.
Anyway, you will run into the next problem, which is caused by MikroTik’s RADV implementation.
First, ND advertises the DNS server set in “/ip dns”, therefore you will not be able to use the built-in RouterOS DNS.
Second, ND advertises the IPv6 prefix with a lifetime of 30 days. So your clients will not invalidate old IPv6 prefixes if the new one is provided after the reconnect.
So your clients will fill up with many invalid IPv6 prefixes/addresses until you reboot or manually invalidate them.
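The scripting approach from the reply above, as an added example that is not from the thread or from MikroTik: a RouterOS script that rebuilds per-host IPv6 address-list entries from the currently delegated /64, so that forward rules which match on `dst-address-list` keep pointing at the right hosts after the prefix changes. The pool name `isp-pd`, the host names, the interface identifiers and the `pub-<name>` list naming are assumptions for illustration; the hosts are assumed to keep a fixed interface identifier (a static suffix or a MAC-derived EUI-64) so that only the upper 64 bits move with the prefix. The DNS part the reply mentions is not shown; it would follow the same pattern against `/ip dns static`.

```routeros
# Added example (not from the thread): rebuild per-host IPv6 address-list
# entries after the ISP-delegated /64 changes. Firewall rules reference the
# lists, so the rules themselves never need editing.
#
# Assumptions (all names are illustrative):
#   - /ipv6 dhcp-client requests a prefix delegation into pool "isp-pd"
#   - the delegated prefix is a /64 (as in the original question)
#   - each published host keeps a fixed interface identifier (low 64 bits)
#   - forward rules match on the lists, e.g.
#     /ipv6 firewall filter add chain=forward dst-address-list=pub-web protocol=tcp dst-port=443 action=accept comment="publish web"

:local poolName "isp-pd"

# host name -> fixed interface identifier, always written as four 16-bit groups
:local hosts {"web"="1234:5678:9abc:def0"; "mail"="0:0:0:25"}

# Delegated prefix as text, e.g. "2001:db8:abcd:1234::/64" or "2001:db8::/64".
# A /64 always renders with a trailing "::" because its low 64 bits are zero.
:local pdText [:tostr [/ipv6 pool get [find name=$poolName] prefix]]
:local cut [:find $pdText "::/"]
:if ([:typeof $cut] = "nil") do={
  :log warning ("update-v6-publish: pool " . $poolName . " has no usable prefix yet")
  :error "no prefix"
}
# Text before "::/", e.g. "2001:db8:abcd:1234" or "2001:db8"
:local head [:pick $pdText 0 $cut]

# Count the explicit groups in head. "::" may only stand for at least one zero
# group, so when all four prefix groups are explicit join with a single ":".
:local colons 0
:for i from=0 to=([:len $head] - 1) do={
  :if ([:pick $head $i] = ":") do={ :set colons ($colons + 1) }
}
:local joiner "::"
:if ($colons = 3) do={ :set joiner ":" }

:foreach name,iid in=$hosts do={
  :local listName ("pub-" . $name)
  :local addr ($head . $joiner . $iid)
  # :toip6 validates the composed text; an unparsable string does not yield an ip6 value
  :if ([:typeof [:toip6 $addr]] = "ip6") do={
    /ipv6 firewall address-list remove [find list=$listName]
    /ipv6 firewall address-list add list=$listName address=($addr . "/128") comment=("auto: " . $name . " in " . $pdText)
    :log info ("update-v6-publish: " . $listName . " -> " . $addr)
  } else={
    :log error ("update-v6-publish: could not build address for " . $name . ": " . $addr)
  }
}
```

Store it as `/system script add name=update-v6-publish source=...` and have the DHCPv6 client run it whenever a delegation arrives, for example with `script=":if (\$pd-valid=1) do={ /system script run update-v6-publish }"` on the `/ipv6 dhcp-client` entry (the `pd-valid` variable is the one the client script exposes; check your RouterOS version). Using address lists rather than rewriting `dst-address` on each rule keeps the rule set static and auditable, and a host that cannot be composed into a valid address is logged and skipped instead of silently leaving a stale entry behind.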
I think I may be missing some IPv6 concept. I didn’t understand why I would have the problems you described if I use the script you mentioned. The script will just update my forwarding firewall rule to permit traffic to some specific host only. It will be something like “this host no longer has the IPv6 address ‘a’ and now has ‘b’, change the dst-address”. I was not thinking of changing DNS or other configuration unless it’s necessary.