I have a switched network with foreign devices. I use CRS326 as switch.
I want to filter out the IPv6 Router Advertisement packet only (ICMPv6 type 134 only) in this switched network.
In HP switch there are “ra-guard” option, but I want to use Mikrotik.
I also tried switch Rule and bridge filtering, but I can only filter all types of ICMPv6.
Does anyone know a solution to this?
CRS3xx series switches have ACL functionality. You can use the “redirect-to-cpu” parameter to send all icmpv6 packets to the cpu. The decision whether the packet matches the icmp-type can be done with a suitable firewall rule
Thank you for answer. But I have more question. I redirected all of ICMPv6 to CPU from switch chip. But the next step?
I found all of ICMPv6 packet only the prerouting section of Mangle and Raw table. How can I forward back to the target switch ports?
To be fair: I never tried this myself. And im not sure if the packet will reach the ip-firewall or just bridge-firewall. You will need to check this out. But Mangle is the wrong place - you need to try firewall-filter with “chain=forward”. (you maybe need to enable the setting “use-ip-firewall” in your bridge)
The following forum post appear to provide the necessary requirements to allow one to ‘tick the box’ to comply with RFC 6105 or superseding RFC 7113:
[SOLVED] CRS - Hardware offloaded (MC-LAG compatible) bridge with IPv6 RA Guard