IPv6 bitmask in dst-address?

In order to write IPv6 rules that apply regardless of the IPv6 prefix, you can do the following in OpenWrt:

::1234:dead:beef:abcd/-64

In ip6tables, you can specify a bitmask (to specify that the last 64 bits should match):

-d ::1234:dead:beef:abcd/::ffff:ffff:ffff:ffff

None of these seem to work when specifying dst-address on an IPv6 rule in RouterOS. Are there any plans on supporting this somehow? Anyone who has dynamic IPv6 prefixes has the problem that in the event of a prefix change, your rule stops working. This is even more error-prone because if you accidentally remove an IPv6 address from your interface, the old address is going to be gone for a few days (or is it 30 by default?); adding an address will assign you a new /64 prefix, and eventually it also reverts back (this has happened to me). Having a rule that needs the full explicit /128 address is very unfortunate in all of these circumstances.
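The matching the post is asking for, as an added example that is not part of the original thread or of any RouterOS, OpenWrt or ip6tables code: a small Python model of the two syntaxes quoted above (the ip6tables explicit mask `::ffff:ffff:ffff:ffff` and the OpenWrt `/-64` form, which this code assumes means "match the last 64 bits"), plus ordinary CIDR prefixes. The sample addresses are constructed documentation addresses, chosen to show why a suffix rule keeps matching after a prefix change while a /128 rule stops.

```python
"""Model of IPv6 suffix (interface-identifier) matching for firewall rules.

Added example; not code from the forum thread, RouterOS, OpenWrt or ip6tables.
Assumptions: '/-n' (OpenWrt style) means "match the last n bits", and an
explicit mask in address form ('/::ffff:ffff:ffff:ffff') is applied bit-wise
like ip6tables does. Plain '/n' is a normal CIDR prefix length.
"""
import ipaddress

FULL = (1 << 128) - 1  # all 128 bits set


def suffix_mask(n: int) -> str:
    """Address-form mask that selects the last n bits, e.g. 64 -> ::ffff:ffff:ffff:ffff."""
    return str(ipaddress.IPv6Address((1 << n) - 1))


def parse_rule(spec: str):
    """Return (address, mask) as ints for 'addr', 'addr/len', 'addr/-len' or 'addr/mask'.

    The address is masked before it is returned, so bits outside the mask are
    ignored just as a firewall would ignore them.
    """
    addr_s, _, mask_s = spec.partition("/")
    addr = int(ipaddress.IPv6Address(addr_s))
    if not mask_s:
        mask = FULL                                  # bare address: exact /128 match
    elif mask_s.startswith("-"):
        mask = (1 << int(mask_s[1:])) - 1            # '/-n': the last n bits (assumed OpenWrt meaning)
    elif mask_s.isdigit():
        mask = (FULL << (128 - int(mask_s))) & FULL  # '/n': the first n bits (CIDR)
    else:
        mask = int(ipaddress.IPv6Address(mask_s))    # '/mask': explicit bit mask (ip6tables style)
    return addr & mask, mask


def matches(spec: str, packet_addr: str) -> bool:
    """True if packet_addr would hit a rule whose dst-address is spec."""
    want, mask = parse_rule(spec)
    return (int(ipaddress.IPv6Address(packet_addr)) & mask) == want


def rule_survives_prefix_change(spec: str, before: str, after: str) -> bool:
    """True if the rule matched the host before the ISP renumbered it and still does."""
    return matches(spec, before) and matches(spec, after)


if __name__ == "__main__":
    # Constructed addresses: same interface identifier, ISP prefix changed.
    host_before = "2001:db8:aaaa:1:1234:dead:beef:abcd"
    host_after = "2001:db8:bbbb:7:1234:dead:beef:abcd"
    rules = [
        host_before,                                        # explicit /128 (what RouterOS needs today)
        "::1234:dead:beef:abcd/" + suffix_mask(64),         # ip6tables-style explicit mask
        "::1234:dead:beef:abcd/-64",                        # OpenWrt-style negative length
    ]
    for r in rules:
        print(f"{r:55} survives prefix change: {rule_survives_prefix_change(r, host_before, host_after)}")
```

Note the caveat a suffix-only rule carries: it accepts the interface identifier under any prefix, including addresses that are not yours, so on a real firewall it should be combined with an in-interface or local-prefix condition rather than used alone as an "allow".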

You may want to approach the question differently in RouterOS currently. Have a look at @Sob's sample code for NPTv6, but keep in mind that there are some caveats, some of which can be handled. If this solution fits the bill for you, then the next step is using scripting to handle the change of the ISP-provided prefix by changing the dst-prefix= value in the postrouting chain and the dst-address= and src-prefix= values in the prerouting chain in the above-referenced sample code.

Seems like a lot of hoops to jump through to achieve something simple. Other systems have already identified this need, and even so, doesn't RouterOS rely on iptables under the hood anyway? So it should basically already support it, I reckon.

Some people also suggest not actually using the firewall for IPv6, just enabling firewalls on the hosts. I could do that, but then I have the inverted problem: how do I enable all local prefix ranges to connect to my server, but not from the WAN? Everything is just a workaround for a lack of addressing.

I guess it would be much easier for me to create a host based address-list instead since I already have dynamic DNS running for this specific host. I hadn’t thought about that, and this also seems to resolve automatically nowadays (no scripting necessary).

Did they advise leaving the ignition key in the car as well (just in case)? At minimum, the documentation's Building Advanced Firewall part has to be implemented on an Internet-connected MikroTik router in a SOHO environment.

At the moment, your best recourse is to submit a feature request at help.mikrotik.com.