Hello
If I want to make ipv6 as secure as possible, meaning not used at all or blocked entirely, will
/ipv6 settings set disable-ipv6=yes
be enough?
Or is it better to have it enabled and set the firewall rules below?
/ipv6 firewall filter
add action=drop chain=input comment="Drop all IPv6 ICMP traffic" protocol=icmpv6
add action=drop chain=input comment="Drop all other IPv6 traffic"
add action=drop chain=forward comment="Drop all IPv6 forward traffic"
add action=drop chain=output comment="Drop all IPv6 output traffic"
/ipv6 nd
set [ find default=yes ] disabled=yes
If so, are the rules effective or is something missing?
But disabling it will keep me safe from the WAN side? In a home network ipv6 bridge traffic should not impose a security risk if I am not mistaken?
If I enable ipv6 and have the mentioned firewall rules in place, will this add any security whatsoever?
Also I noticed that when I check my browser info on https://browserleaks.com/ip, even though ipv6 is disabled on the mikrotik router, browserleaks still shows an ipv6 DNS server. Should this not also be blocked when ipv6 is disabled? If not, where/how do I disable ipv6 DNS?
I’d say don’t fight it, IPv6 is the future. But it’s also true that you’ll be able to survive without it for quite some time. Also it’s not clear what kind of security you’re after.
That DNS server seems to be the outgoing address of whatever resolver you use. If it’s run by someone else, you can’t influence it, it can be IPv6 even if you use IPv4. If it bothers you (I’m not sure why), you’d have to run one yourself.
The security I am after is simple: I have ipv4 firewall rules and I would like to ensure that there is no unnecessary threat via ipv6. Therefore my question is: is it better to disable ipv6 or is it better to have it enabled and set the above mentioned ipv6 firewall rules?
Which of these two options ensures that I won't have any ipv6 security risk?
Disabling IPv6 support on the router is definitely a safer option … with firewall rules it’s always possible to screw something up. But as @Sob wrote: IPv6 is here to stay and it’s only a matter of time when you’ll have to bite into this nut … so you better crack it open before biting it.
Thanks a lot mkx. Yes I agree, sooner or later I will need to rely on ipv6 as well, but for the moment it is simpler if I can first fully get my head around ipv4 firewall rules.
So if I set
/ipv6 settings set disable-ipv6=yes
my mikrotik router will automatically block everything from wan to lan and from lan to wan via ipv6. Correct?
Regardless of whether you disable IPv6 or not, the obvious thing to do is to leave the default MikroTik rules in place.
There is no guarantee that in a future update IPv6 will be mandatory and there will no longer be the option to disable it, so altering the firewall exposes the router to the internet.
My ISP so far is not making IPv6 available - which does not bother me at all. I have my main router set up as an IPv6 DHCP client and I look every once in a while to see if it is able to get an address. Otherwise I have “drop all” rules in both Input and Forward chains. I also have packet counter passthrough rules for both the WAN and every VLAN just to see if anything is sending IPv6 packets towards the router.
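
A sketch of the counter-plus-drop layout described in the last post, added here as an illustration and not taken from any poster's configuration. The interface names ether1-wan, vlan10 and vlan20 are assumptions; substitute your own.

```routeros
# Added example. Interface names (ether1-wan, vlan10, vlan20) are assumed.
# passthrough only increments the rule's counters and hands the packet to
# the next rule, so every counter rule must sit ABOVE the drop in its chain.
/ipv6 firewall filter

# --- input chain: IPv6 addressed to the router itself ---
add chain=input action=passthrough in-interface=ether1-wan \
    comment="count: IPv6 to router from WAN"
add chain=input action=passthrough in-interface=vlan10 \
    comment="count: IPv6 to router from vlan10"
add chain=input action=passthrough in-interface=vlan20 \
    comment="count: IPv6 to router from vlan20"
add chain=input action=drop comment="drop all IPv6 input"

# --- forward chain: IPv6 routed through the router ---
add chain=forward action=passthrough in-interface=ether1-wan \
    comment="count: IPv6 forwarded from WAN"
add chain=forward action=passthrough in-interface=vlan10 \
    comment="count: IPv6 forwarded from vlan10"
add chain=forward action=passthrough in-interface=vlan20 \
    comment="count: IPv6 forwarded from vlan20"
add chain=forward action=drop comment="drop all IPv6 forward"

# Read the per-rule packet and byte counters. A non-zero count on a VLAN
# rule means a host on that VLAN is sending IPv6 towards the router.
/ipv6 firewall filter print stats
```

Each passthrough rule shows which side the IPv6 traffic arrived from, and the drop rule's own counter gives the total that was discarded in that chain.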