ipv6 + tunnelbroker interface

Please provide a working example of IPv6 filter rules.
We have a tunnelbroker interface, sit1. The LAN interface is bridge-local.
We have an internal DNS server with a static IPv6 address (all LAN servers have static addresses too).
Currently we have these rules:
/ipv6 firewall filter
add action=accept chain=input comment="Allow established connections" connection-state=established
add action=accept chain=input comment="Allow related connections" connection-state=related
add action=accept chain=input comment="Allow limited ICMP" limit=50/5s,5:packet protocol=icmpv6
add action=accept chain=forward protocol=icmpv6
add action=accept chain=input comment="Allow UDP" protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="Allow any to internet" out-interface=sit1
add action=accept chain=forward comment="Allow established connections" connection-state=established
add action=accept chain=forward comment="Allow related connections" connection-state=related
add action=drop chain=forward

DNS settings:
/ip dns
set servers=2001:470:xx:xxx::8

ND settings:
/ipv6 nd
set [ find default=yes ] advertise-dns=yes interface=bridge-local

Address settings:
/ipv6 address
add address=2001:470:xx:xxx::2 advertise=no interface=sit1
add address=2001:470:xx:xxx::1 interface=bridge-local

Now I see a problem with HTTP/HTTPS access from the internal network to the outside:
11:22:38 firewall,info forward: in:sit1 out:bridge-local, proto TCP (ACK), [2a02:6b8::90]:443->[2001:470:xx:xxx:74f4:868a:4544:518b]:57665, len 20
11:22:38 firewall,info forward: in:sit1 out:bridge-local, proto TCP (ACK), [2a03:2880:2130:cf83:face:b00c:0:25de]:443->[2001:470:xx:xxx:74f4:868a:4544:518b]:57603, len 20
11:22:39 firewall,info forward: in:sit1 out:bridge-local, proto TCP (ACK), [2a02:6b8::90]:443->[2001:470:xx:xxx:74f4:868a:4544:518b]:57665, len 20
11:22:39 firewall,info forward: in:sit1 out:bridge-local, proto TCP (ACK), [2a03:2880:2130:cf83:face:b00c:0:25de]:443->[2001:470:xx:xxx:74f4:868a:4544:518b]:57603, len 20
11:22:42 firewall,info forward: in:sit1 out:bridge-local, proto TCP (ACK), [2a02:6b8::90]:443->[2001:470:xx:xxx:74f4:868a:4544:518b]:57665, len 20
11:22:42 firewall,info forward: in:sit1 out:bridge-local, proto TCP (ACK), [2a03:2880:2130:cf83:face:b00c:0:25de]:443->[2001:470:xx:xxx:74f4:868a:4544:518b]:57603, len 20
11:22:47 firewall,info forward: in:sit1 out:bridge-local, proto TCP (ACK), [2a02:6b8::90]:443->[2001:470:xx:xxx:74f4:868a:4544:518b]:57665, len 20
11:22:47 firewall,info forward: in:sit1 out:bridge-local, proto TCP (ACK), [2a03:2880:2130:cf83:face:b00c:0:25de]:443->[2001:470:xx:xxx:74f4:868a:4544:518b]:57603, len 20

I need internet access for the whole LAN, but only ICMP from outside, for security reasons. :(
Please help.

Try allowing all ICMPv6 in the input chain (disable the throttle); perhaps a PMTUD issue is happening. IPv6 does not allow packet fragmentation, so PMTUD (path MTU discovery) is critical. It depends on ICMP messages.

I'd also disable the allow-all-UDP input rule, or add the condition in-interface=bridge-local.

Simply allowing all UDP will open your router to being a DNS amplification DDoS reflector host (unless you've set allow-remote-requests=no).
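One way to turn the advice in this reply into a complete ruleset, as an added example that is not code from either post. It assumes the interface names sit1 and bridge-local and the DNS arrangement from the question (ND advertises the internal DNS server, so LAN hosts query it directly and the router resolves for nobody); the log prefixes and the commented-out alternative are illustrative additions.

```routeros
# Added example (not from either post): reworked IPv6 filter applying the
# reply's advice. Assumptions: tunnel interface sit1, LAN interface bridge-local
# (both from the question); LAN hosts use the internal DNS server that ND
# advertises, so nothing on the router needs to accept UDP from anywhere.
/ipv6 firewall filter

# --- input: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="Allow established/related"
add chain=input action=drop connection-state=invalid \
    comment="Drop invalid"
# Unthrottled ICMPv6. Neighbor Discovery (RS/RA/NS/NA) and Packet Too Big
# (PMTUD) break when rate-limited; this replaces the original 50/5s limit.
add chain=input action=accept protocol=icmpv6 \
    comment="Allow all ICMPv6 (NDP, PMTUD)"
# The unconditional "Allow UDP" rule is gone. If the router should resolve
# DNS for LAN hosts after all, use the reply's second option instead of
# the blanket rule (LAN-side ingress only, DNS port only):
#add chain=input action=accept protocol=udp in-interface=bridge-local \
#    dst-port=53 comment="Allow LAN DNS queries to the router"
add chain=input action=drop log=yes log-prefix="ipv6-input-drop" \
    comment="Drop everything else"

# --- forward: traffic through the router ---
add chain=forward action=accept connection-state=established,related \
    comment="Allow established/related"
add chain=forward action=drop connection-state=invalid \
    comment="Drop invalid"
add chain=forward action=accept protocol=icmpv6 \
    comment="Allow ICMPv6 (PMTUD for LAN hosts)"
# Bind the "any to internet" rule to the LAN ingress interface as well, so
# only bridge-local hosts can originate new flows out sit1.
add chain=forward action=accept in-interface=bridge-local out-interface=sit1 \
    comment="Allow LAN to internet"
# New inbound connections from sit1 match nothing above and land here,
# which is the "only ICMP from outside" requirement from the question.
add chain=forward action=drop log=yes log-prefix="ipv6-forward-drop" \
    comment="Drop everything else"

# The router is not a resolver for the LAN here, so refuse remote queries
# outright; then even a loosened UDP rule cannot turn it into a reflector.
/ip dns
set allow-remote-requests=no
```

Rule order matters: established/related and invalid come first so returning traffic never depends on the interface-specific rules, and the ICMPv6 accept sits before any drop in both chains so Packet Too Big messages reach both the router and the LAN hosts behind it.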