ipv6 firewall rules clients in LAN privacy/security thing?

Hello network gurus and ninjas.

Getting my feet wet with ipv6 and RouterOS 7.15.

I have ipv6 working for all clients in my LAN. I get a /48 range from my provider and it all looks good.

Now I have ipv4 and ipv6 dual stack working with RouterOS.

But I wondered something…

With ipv4 my clients are behind a NAT and are private behind the NAT.

With ipv6 they are exposed to the internet and can be pinged when I go for example to ipv6-test.com with any device in the LAN.

This made me wonder. Is this not a security and/or a privacy risk exposing my clients like that?

My current ipv6 firewall looks like this:

Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; Note actively used IPv6 addresses for 1 minute
      chain=forward action=add-src-to-address-list src-address=2a10:3781:***::/48 dst-address=!2a10:3781:***::/48 address-list=ipv6_in_use 
      address-list-timeout=1m 

 1    chain=forward action=add-dst-to-address-list src-address=2a10:3781:***::/48 dst-address=!2a10:3781:***::/48 address-list=ipv6_addresses_contacted 
      address-list-timeout=1m 

 2    ;;; Accept ping6
      chain=input action=accept protocol=icmpv6 in-interface=Freedom 

 3    chain=input action=accept in-interface=LAN 

 4    chain=forward action=accept in-interface=Freedom out-interface=LAN 

 5    ;;; Forward related connections
      chain=forward action=accept connection-state=related in-interface=Freedom 

 6    ;;; Forward established connections
      chain=forward action=accept connection-state=established in-interface=Freedom 

 7    chain=forward action=accept src-address-list=ipv6_addresses_contacted dst-address-list=ipv6_in_use 

 8    chain=forward action=passthrough src-address-list=!ipv6_addresses_contacted in-interface=Freedom log=yes 

 9    ;;; Drop traffic not destined for a used address
      chain=forward action=drop dst-address-list=!ipv6_in_use in-interface=Freedom log=yes log-prefix="drop_to_unused_ipv6-addr" 

10    chain=forward action=reject reject-with=icmp-no-route in-interface=Freedom

The outgoing interface “Freedom” is the PPPoE client going to my Freedom internet provider here in the Netherlands.

How can I make this more private/secure for my clients without breaking ipv6?

I did not check the IPv6 firewall rules in depth, so I don’t know if they are MT default or something completely different (but from afar they do seem to be very custom rules). My experience is that MT default IPv6 firewall rules are pretty secure.

As to the privacy: in IPv6, working ICMP is way more important than it is in IPv4 … so anybody blindly blocking ICMPv6 is doing themselves a bad favour. Which means it’s normal that those “check IPv6 connectivity” pages will successfully ping you (as a client of their page). However, things are not as bleak: the method of issuing IPv6 addresses (the only one supported by ROS) is to announce the prefix (a sort of network address) and then devices “invent” their addresses according to this prefix. The method is known as SLAAC. And this method allows a feature which helps with privacy: devices tend to assume a permanent IPv6 address (which is based on the MAC address of the network interface), but they also use temporary IPv6 addresses which are (apart from the prefix part) random … and are used only for some time. And they use these temporary addresses when starting egress connections (the permanent IPv6 address is only used to accept ingress connections, if there are any), so they will use different addresses over time.

The prefix length is most often /64, which gives a huge number of addresses possible to use (around 4 billion times the total number of IPv4 addresses … all available for your own LAN) … and this makes any port scanner efforts futile.
And, if using MT’s default IPv6 firewall filter rules, the FW will still block any ingress connection (apart from ICMPv6 connections … and even with IPv4, blocking ICMP is not enhancing security in any meaningful way).
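The two address types described above, as an added example that is not part of the thread or of RouterOS: how a SLAAC host turns an advertised /64 into a stable modified-EUI-64 address (RFC 4291 Appendix A), why that address leaks the interface MAC to anyone who logs it, and how an RFC 4941 temporary address avoids that. The prefix 2001:db8:0:1::/64 and the MAC 00:25:9c:7f:8a:1b are constructed values from the documentation range, not the poster's real delegation.

```python
"""Added example (not from the forum thread): SLAAC stable vs. temporary
addresses. The prefix 2001:db8:0:1::/64 and the MAC used in __main__ are
constructed; the thread's real /48 is not used."""
import ipaddress
import secrets
from typing import Optional


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC:
    split the MAC, insert FF:FE between the halves, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02                      # universal/local bit, RFC 4291
    return bytes(iid)


def mac_from_eui64(addr: str) -> Optional[str]:
    """The mapping is reversible: anyone who logs an EUI-64 based address can
    read the MAC back out of it (the privacy problem temporary addresses fix)."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None                     # not EUI-64 shaped, nothing to recover
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def temporary_iid() -> bytes:
    """RFC 4941 style temporary IID: 64 random bits with the U/L bit cleared
    (marks it as locally generated). Regenerate if it happens to look like
    an EUI-64 so that mac_from_eui64() can never misread it."""
    while True:
        iid = bytearray(secrets.token_bytes(8))
        iid[0] &= 0xFD
        if iid[3:5] != b"\xff\xfe":
            return bytes(iid)


def slaac_address(prefix: str, iid: bytes) -> str:
    """Glue a 64-bit IID onto an advertised /64 the way a SLAAC host does."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit IID (RFC 4862)")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def scan_space_ratio() -> int:
    """Addresses in one /64 divided by the whole IPv4 space (2**32)."""
    return 2 ** 64 // 2 ** 32


if __name__ == "__main__":
    prefix, mac = "2001:db8:0:1::/64", "00:25:9c:7f:8a:1b"   # constructed sample
    stable = slaac_address(prefix, eui64_iid(mac))
    temp = slaac_address(prefix, temporary_iid())
    print("stable   ", stable, "-> MAC recoverable:", mac_from_eui64(stable))
    print("temporary", temp, "-> MAC recoverable:", mac_from_eui64(temp))
    print("one /64 holds", scan_space_ratio(), "x the IPv4 address space")
```

Two caveats a practitioner would check on the actual clients: many current operating systems no longer derive the stable address from the MAC at all but use an opaque hash (RFC 7217), so `mac_from_eui64()` returning `None` does not by itself prove a temporary address is in use; and the "scanning is futile" argument only holds for random IIDs, since EUI-64 addresses with a known vendor OUI shrink the search space considerably.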

Hi Mkx,

I used the firewall rule set not from MT but use a custom one, that’s why I was wondering if everything looks okay or could be better.

This one:

4 chain=forward action=accept in-interface=Freedom out-interface=LAN

It’s letting anything from the internet access your LAN, making most of the rest of the rules irrelevant. Remember that anything not handled by explicit rules will be implicitly allowed/accepted (and that includes chain=input, i.e. connections to the router itself). You have the ultimate “reject all else” rule (which is overshadowed by the above quoted rule anyway), which puts an unnecessary burden on your router by sending replies to the sender … it’s customary to simply drop forbidden packets, which both makes the router less stressed and the life of a port scanner harder (it has to wait for a timeout to happen instead of moving to another port/address immediately after receiving an ICMP reply).

I’m strongly recommending you to have a look at default rules (execute /system/default-configuration/print) for inspiration. I’d say they are waaay better than what you showed in your opening post.

That won’t show any default firewall rules. Is there anywhere I can find the default ipv6 firewall rules?

I am confident that I have set up the ipv4 side decently. Those firewall rules are good. It’s the ipv6 I am struggling a bit with. Isn’t the default-configuration setting only applying a default ipv4 router setup?

I disabled for now rule #4. It shows it had 25.4 GiB of traffic. It was doing something.

Which device do you use? “Pro” line of devices (CCR, CRS and RB1100) come with empty defaults, the rest come with decent defaults.

Here’s default from 7.14.3:

/ipv6 firewall {
  address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
  address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
  address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
  address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
  address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
  address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
  address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
  address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
  address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
  filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
  filter add chain=input action=accept protocol=udp dst-port=33434-33534 comment="defconf: accept UDP traceroute"
  filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
  filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
  filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
  filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
  filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
  filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
  filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
  filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
  filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
  filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
  filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
  filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
  filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
  filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
  filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
  filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
}

It also relies on (manually managed) interface lists LAN and WAN.
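The two points made in this thread about rule ordering (that rule 4 accepts everything from the internet and makes the later forward rules a no-op, that the posted input chain has no drop at all so the router itself is implicitly open, and that the default rule set above blocks unsolicited WAN traffic while letting ICMPv6 and return traffic through) can be checked without touching the router. What follows is an added example, not code from the thread or from MikroTik: a small first-match evaluator that walks a filter chain the way RouterOS does (top to bottom, first terminating rule decides, implicit accept when nothing matches) over the posted chains and the 7.14.3 default. Interface names Freedom and LAN come from the thread; the sample packets are constructed; the rules are reduced to the matchers that affect those packets (address-list bookkeeping in rules 0, 1 and 7, the bad_ipv6 lists, traceroute, DHCPv6 and IPsec rules are left out).

```python
"""Added example, not from the forum thread or RouterOS: a first-match
filter-chain evaluator used to compare the posted rules with the default
rule order. Packets and reduced rule sets are constructed samples."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

TERMINAL = {"accept", "drop", "reject"}   # passthrough / add-*-to-address-list do not end evaluation


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: Optional[str]          # None for the input chain (router itself is the target)
    proto: str                        # "tcp", "udp", "icmpv6"
    state: str                        # new, established, related, untracked, invalid
    dst_in_use: bool = True           # dst is on the poster's ipv6_in_use list


@dataclass(frozen=True)
class Rule:
    action: str
    comment: str
    in_iface: Optional[str] = None
    not_in_iface: Optional[str] = None        # models in-interface-list=!LAN
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    states: Optional[FrozenSet[str]] = None
    dst_in_use: Optional[bool] = None         # dst-address-list=ipv6_in_use (True) / =!ipv6_in_use (False)

    def matches(self, p: Packet) -> bool:
        return (self.in_iface in (None, p.in_iface)
                and (self.not_in_iface is None or p.in_iface != self.not_in_iface)
                and self.out_iface in (None, p.out_iface)
                and self.proto in (None, p.proto)
                and (self.states is None or p.state in self.states)
                and self.dst_in_use in (None, p.dst_in_use))


def evaluate(chain: List[Rule], p: Packet) -> Tuple[str, str]:
    """First terminating match wins; RouterOS accepts anything that falls off the end."""
    for r in chain:
        if r.action in TERMINAL and r.matches(p):
            return r.action, r.comment
    return "accept", "implicit accept (no rule matched)"


# The poster's forward chain, rules 4-10 (0, 1 and 7 only maintain/consult address lists).
POSTED_FORWARD = [
    Rule("accept", "rule 4: in=Freedom out=LAN", in_iface="Freedom", out_iface="LAN"),
    Rule("accept", "rule 5: related from Freedom", in_iface="Freedom", states=frozenset({"related"})),
    Rule("accept", "rule 6: established from Freedom", in_iface="Freedom", states=frozenset({"established"})),
    Rule("passthrough", "rule 8: log only", in_iface="Freedom"),
    Rule("drop", "rule 9: drop to unused address", in_iface="Freedom", dst_in_use=False),
    Rule("reject", "rule 10: reject everything else from Freedom", in_iface="Freedom"),
]
# The poster's input chain as shown (rules 2 and 3): no drop anywhere.
POSTED_INPUT = [
    Rule("accept", "rule 2: ICMPv6 from Freedom", in_iface="Freedom", proto="icmpv6"),
    Rule("accept", "rule 3: anything from LAN", in_iface="LAN"),
]
# 7.14.3 default forward chain, reduced to the state / ICMPv6 / interface-list rules.
DEFAULT_FORWARD = [
    Rule("accept", "defconf: accept established,related,untracked",
         states=frozenset({"established", "related", "untracked"})),
    Rule("drop", "defconf: drop invalid", states=frozenset({"invalid"})),
    Rule("accept", "defconf: accept ICMPv6", proto="icmpv6"),
    Rule("drop", "defconf: drop everything else not coming from LAN", not_in_iface="LAN"),
]

SAMPLES = {   # constructed packets
    "unsolicited tcp to used addr": Packet("Freedom", "LAN", "tcp", "new", True),
    "unsolicited tcp to unused addr": Packet("Freedom", "LAN", "tcp", "new", False),
    "invalid from wan": Packet("Freedom", "LAN", "tcp", "invalid", True),
    "echo request from wan": Packet("Freedom", "LAN", "icmpv6", "new", True),
    "return traffic from wan": Packet("Freedom", "LAN", "tcp", "established", True),
    "lan to wan": Packet("LAN", "Freedom", "tcp", "new", True),
}


def compare() -> Dict[str, Dict[str, str]]:
    """Verdict per sample packet for the posted chain, the posted chain with rule 4 disabled, and the default."""
    chains = {"posted": POSTED_FORWARD, "posted w/o rule 4": POSTED_FORWARD[1:], "default": DEFAULT_FORWARD}
    return {name: {k: evaluate(chain, p)[0] for k, p in SAMPLES.items()} for name, chain in chains.items()}


def router_tcp_from_wan() -> Tuple[str, str]:
    """Input chain as posted: a new TCP connection to the router itself arriving on Freedom."""
    return evaluate(POSTED_INPUT, Packet("Freedom", None, "tcp", "new"))


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name)
        for k, v in verdicts.items():
            print(f"  {k:32} {v}")
    print("input chain, new tcp to router from wan:", router_tcp_from_wan())
```

Running it shows the three things worth taking away: every WAN-to-LAN packet, including conntrack-invalid ones, is accepted by rule 4 before rules 9 and 10 are ever consulted; a new TCP connection to the router from Freedom gets the implicit accept because the input chain contains no drop; and simply disabling rule 4 turns the chain into reject-everything-from-Freedom, which also rejects unsolicited ICMPv6 toward LAN hosts (the default keeps that open) and still sends the reject replies to a scanner that the default's drop would withhold.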


No, as soon as IPv6 is enabled on router (in ROS v6 it needed optional package, in v7 it’s default) it’ll have default config. However, if IPv6 functionality gets enabled after initial setup is already done, then default config doesn’t get applied (only if reset to factory default is performed).


It sure did … it accepted all the internet->LAN traffic. But it did so indiscriminately, making the later rules (which are supposed to block some traffic) a NO-OP.

I am using a Chinese HUNSN RS34g since one year as a firewall/router.

https://www.amazon.nl/-/en/dp/B09PHJSFP1?psc=1

I am running the x86 version of RouterOS and paid MikroTik for a license a couple of weeks back.

On this device I had pfSense and OPNsense running fine, but I always wanted to get my feet wet with RouterOS.

I am looking at the RB5009*. That sure does look like a cool device to play with and to learn with, but not now. I need to do it all with this Chinese box.

Thank you for supplying the default ipv6 rules! I will edit them (change interfaces names etc) to reflect my current setup.

Ah, yes, AFAIK CHR/x86 falls into “Pro” category, hence no default config.

I am not sure, but I thought I saw a default ipv4 config just after the first setup of my x86 device a month ago, but no ipv6.. but I went the blank route.

I have decent experience with ipv4 and firewall/routing, so that helped a lot starting from a blank.

Based on the fine MikroTik documentation and YouTube (The Network Berg mainly) I made a good working ipv4 router/firewall. The next step was ipv6.

For now I disabled ipv6 completely. I will order a RB 5009 and go from there.