Help on applying advanced firewall rules

As pfturner said, you need to accept NDP advertisements on the WAN interface. Try adding the following and move them above the final deny.

/ipv6/firewall/raw
add chain=icmp6 action=accept in-interface-list=WAN icmp-options=134:0-255 limit=5,10:packet log=no log-prefix="" \
        protocol=icmpv6 hop-limit=equal:255 comment="RFC4890 router advertisement"
add chain=icmp6 action=accept in-interface-list=WAN icmp-options=136:0-255 limit=5,10:packet log=no log-prefix="" \
        protocol=icmpv6 hop-limit=equal:255 comment="RFC4890 neighbor advertisement"

Thanks! I believe I have it working well now with your advice!

I am getting some dropped forward chain packets related to multicast - not sure if this is normal when the devices (like Rokus, printers, etc.) are not being requested by iPhones, etc. I have an mDNS repeater running in a container to share those devices across the main and guest VLANs.

Drop_Input_Else input: in:VLAN-10-Main out:(unknown 0), connection-state:new src-mac xx:xx:xx:xx:xx:xx, proto UDP, [fe80::e638:83ff:fexx:xxxx]:48276->[ff02::1]:10001, len 335

Any thoughts on this last current issue? Thanks!

Are you sure it’s the forward chain and not the input chain? Link-local addresses are not supposed to be forwarded.

My opinion is that with very few exceptions you should not firewall input (multicast or otherwise) from LAN on the router.

Please make sure to report all problems you encountered using their firewall template to https://help.mikrotik.com/servicedesk/servicedesk/customer/portal/1

Sorry, I don’t read my own log headers! You are correct, those errors are on the input chain.

So, living with this for a few days, I still have the dropped firewall input rule where link-local addresses are failing where the destination address is ff02::1. I know it’s a multicast issue. These drops occur regularly (several different ones) - with the exact same ones appearing every 10 seconds.

Example:
Drop_Input_Else input: in:VLAN-10-Main out:(unknown 0), connection-state:new src-mac e4:38:xx:xx:xx:xx, proto UDP, [fe80::xxxx:xxxx:xxxx:xxxx]:48457->[ff02::1]:10001, len 337

I only have tagged traffic via VLANs in my implementation.

Do you think it might be related to:

http://forum.mikrotik.com/t/rb5009-ros-7-1-1-igmp-snooping-issue-with-l2-hw-offload/155045/1

https://help.mikrotik.com/docs/pages/viewpage.action?pageId=59277403#BridgeIGMP/MLDsnooping-BasicIGMPsnoopingconfiguration
Bridge IGMP querier implementation can only send untagged IGMP queries. In case tagged IGMP queries should be sent or IGMP queries should be generated in multiple VLANs, it is possible to install a multicast package, add a VLAN interface and configure a PIM interface on VLAN. The PIM interface can be used as an IGMP querier.

I have an mDNS repeater handling the devices I want to see across VLANs, but ideally I’d like to get there without needing that.

Any help would be appreciated.

Something in your network multicasts a packet to all nodes (ff02::1) using the 10001 port. “All nodes” also includes the router itself. You have a firewall rule that blocks such packets on the router. Everything seems to work as configured.

FYI, mDNSv6 uses ff02::fb. See https://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml
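To sort drops like the ones in this thread by chain and talker, here is an added Python example (not from the thread, and not MikroTik's code) that parses RouterOS firewall log lines of the shape shown above and explains why each packet reached that chain. The log lines, MAC addresses and IPv6 addresses in it are constructed; the interface names and the Drop_Input_Else prefix follow the examples in the thread.

```python
import re
from collections import Counter
from ipaddress import IPv6Address

# Field layout of a RouterOS IPv6 firewall log entry (log-prefix, then the chain name).
LOG_RE = re.compile(
    r"^(?P<prefix>\S+) (?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>[^,]+), "
    r"connection-state:(?P<state>\S+) src-mac (?P<src_mac>[0-9a-f:]+), "
    r"proto (?P<proto>\w+), \[(?P<src>[0-9a-f:]+)\]:(?P<sport>\d+)"
    r"->\[(?P<dst>[0-9a-f:]+)\]:(?P<dport>\d+), len (?P<length>\d+)$"
)

# Constructed sample: two hosts hitting ff02::1 port 10001 repeatedly, plus one mDNS announcement.
SAMPLE_LOG = """\
Drop_Input_Else input: in:VLAN-10-Main out:(unknown 0), connection-state:new src-mac e4:38:83:12:34:56, proto UDP, [fe80::e638:83ff:fe12:3456]:48457->[ff02::1]:10001, len 337
Drop_Input_Else input: in:VLAN-10-Main out:(unknown 0), connection-state:new src-mac e4:38:83:12:34:56, proto UDP, [fe80::e638:83ff:fe12:3456]:48457->[ff02::1]:10001, len 337
Drop_Input_Else input: in:VLAN-20-Guest out:(unknown 0), connection-state:new src-mac e4:38:83:ab:cd:ef, proto UDP, [fe80::e638:83ff:feab:cdef]:48276->[ff02::1]:10001, len 335
Drop_Input_Else input: in:VLAN-10-Main out:(unknown 0), connection-state:new src-mac 00:11:22:33:44:55, proto UDP, [fe80::211:22ff:fe33:4455]:5353->[ff02::fb]:5353, len 120
"""

def parse_entry(line):
    """Return the log fields as a dict, or None when the line is not a firewall entry."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["src"], e["dst"] = IPv6Address(e["src"]), IPv6Address(e["dst"])
    for k in ("sport", "dport", "length"):
        e[k] = int(e[k])
    return e

def classify(e):
    """Say why the router saw this packet on this chain (link-local scope is never forwarded)."""
    if e["chain"] == "forward" and (e["src"].is_link_local or e["dst"].is_link_local):
        return "link-local address in forward chain: must not be forwarded, check the rule"
    if e["chain"] == "input" and e["dst"] == IPv6Address("ff02::1"):
        return "all-nodes multicast from LAN: the router is a node, so input receives it"
    if e["chain"] == "input" and e["dst"] == IPv6Address("ff02::fb"):
        return "mDNS (ff02::fb) from LAN: the router's input chain receives it"
    return "multicast" if e["dst"].is_multicast else "unicast"

def summarize(lines):
    """Count entries per (chain, in-interface, src-mac, dst, dport) to find the repeating talkers."""
    counts = Counter()
    for line in lines:
        e = parse_entry(line)
        if e is not None:
            counts[(e["chain"], e["in_if"], e["src_mac"], str(e["dst"]), e["dport"])] += 1
    return counts
```

Feed it the output of `/log print where message~"Drop_"` and the most common key tells you which MAC and port to look up, which is how the thread arrived at the APs.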

Thanks - based on your insights I did some googling. It looks like that port is being used by my Unifi APs. The MAC addresses correspond to the APs.

Still some work to do to understand the multicast side of things in ipv6.