IPv6 stateful firewall

Hi, I have a native IPv6 connection which works fine. But problems start when I create firewall rules to secure the inner network. It looks like the IPv6 firewall is not stateful. The first two rules don’t capture any packets and the last one drops everything. Am I doing something wrong?

CCR, ROS v6.0.

/ipv6 firewall filter
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward protocol=udp
add chain=forward protocol=icmpv6
add action=drop chain=forward connection-state=new disabled=no in-interface=Inet_br1 out-interface=Intra_br0

I’m not sure what you are trying to do, but I would think you should also create an accept rule for traffic from inside to outside.

Drop rule is for internet->intranet only, so reverse traffic must be accepted by default. There is nothing special, just basic firewall rules. I have the same for IPv4.

Sounds reasonable.
I almost have the same, the only difference is that I allow outgoing and then block everything.
Does that change the behaviour?

I’m also curious why icmp and udp are needed.
For IPv4, those are not applicable.

ICMP is vital for IPv6 fragmentation and neighbor discovery capabilities. The UDP rule can be ignored. What do you mean by “they are not applicable” in IPv4?

Is there IPv6 traffic through the router? The accept rules for Established & Related will normally show plenty of hits if they are the top rules on a system running IPv6 traffic. I have that running on many systems although those systems are generally on ROS 5 at this point.

Yes, there is traffic. Without the drop rule I can access any IPv6-enabled webpage on my PC. But with it enabled everything times out and the drop rule counter is increasing. And it is the last rule in the list.

It behaves like it can’t match connections by state, because everything is dropped even with connection-state=new in the drop rule.

I am not sure of your interface naming, but what you should be doing is:

Permit NEW connections from internal to external (action=accept)

Then, below all your earlier rules, have a rule with no selection criteria and action=drop - the “drop all” rule.

You seem to be attempting to block NEW connections inbound which isn’t a good plan - better to explicitly Permit certain traffic and Deny everything else.
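The structure recommended in this reply, written out as a RouterOS ruleset using the interface names from the original post (this is an added example, not configuration from either poster). It assumes Inet_br1 is the internet-facing bridge and Intra_br0 the LAN bridge, and uses one rule per connection state so it does not depend on multi-value connection-state support in this ROS version.

```routeros
/ipv6 firewall filter
# Stateful fast path: anything belonging to an existing flow is accepted first.
# On a healthy box these two counters climb as soon as LAN hosts open IPv6 connections.
add chain=forward connection-state=established action=accept comment="accept established"
add chain=forward connection-state=related action=accept comment="accept related"
# Packets the tracker cannot place in any connection are dropped before any accept rule.
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# ICMPv6 carries Neighbor Discovery and Packet Too Big; blocking it breaks IPv6 entirely.
add chain=forward protocol=icmpv6 action=accept comment="accept icmpv6"
# Explicitly permit NEW connections only in the LAN -> internet direction.
add chain=forward connection-state=new in-interface=Intra_br0 out-interface=Inet_br1 \
    action=accept comment="accept new from LAN"
# Final catch-all with no match criteria: everything not permitted above is dropped,
# which covers new connections arriving from the internet without a separate rule.
add chain=forward action=drop comment="drop everything else"

# Check: after browsing an IPv6 site from the LAN, the established/related counters
# should be non-zero; if only the final drop rule counts, state tracking is not working.
/ipv6 firewall filter print stats
```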

Inet is an internet bridge interface, Intra is a LAN bridge interface. I blocked NEW because I don’t want any new connection to access the LAN from the internet. In the end it doesn’t even matter if I block only NEW or all states. The problem is that the firewall doesn’t match connections with the state established or related. And these rules are in first place. But the packet counters are always zero.

Are these all of the IPv6 firewall rules in place?

Perhaps there is a connection tracking bug but you would also see no ESTABLISHED or RELATED hits if no NEW connections can be made.

Is this the first ROS6 version you have tried or did you have any of the RC versions? Any difference?

I would see established and related states from new connections coming from the LAN, because only new connections from the internet are blocked. I’ve been using the CCR with the 6 RCs for several months, but only now I’ve tried to enable IPv6.

It might be worth uploading the config. Is there any way you can test whether a non-bridged WAN interface shows the same behaviour?

So I’m not alone. It must be some ugly bug.
http://forum.mikrotik.com/t/v6-0-released/66371/1