Ok I am NOOB on Mikrotik - ipv6 Firewall help

Hi all -

I've got the basics working pretty well: IPv4, and IPv6 through an HE tunnel.

I've got a working IPv6 firewall, but would appreciate any suggestions for improvement. (I know it probably sucks.)

mar/18/2011 21:23:58 by RouterOS 5.0rc11

software id = SDFH-MR7B

/ipv6 firewall filter
add action=accept chain=input comment="Router - VPN Start" connection-state=new disabled=no dst-port=1723 protocol=tcp
add action=accept chain=input comment="Router - GRE Allow" disabled=no protocol=gre
add action=accept chain=input comment="Router - VPN UDP" disabled=no dst-port=1723 protocol=udp
add action=accept chain=input comment="Router - Accept established connections" connection-state=established disabled=no
add action=accept chain=input comment="Router - Accept related connections" connection-state=related disabled=no
add action=drop chain=input comment="Router - Drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Router- UDP" disabled=no protocol=udp
add action=accept chain=input comment="Router - Allow limited pings" disabled=no limit=50/5s,2 protocol=icmpv6
add action=log chain=input comment="Router - Log Excess IPv6 Pings" disabled=no log-prefix="Excess IPv6 Pings"
add action=drop chain=input comment="Router - Drop excess pings" disabled=no protocol=icmpv6
add action=accept chain=input comment="Router - From our LAN" disabled=no in-interface=ether3 src-address=2001:470:xxxx:1::/64
add action=accept chain=input comment="Router - From our WLAN1" disabled=no in-interface=wlan1 src-address=2001:470:xxxx:2::/64
add action=log chain=input comment="Router - Log everything else" disabled=no log-prefix="DROP IP6 INPUT"
add action=drop chain=input comment="Router - Drop everything else" disabled=no
add action=drop chain=forward comment="Lan - Drop invalid Connections" connection-state=invalid disabled=no
add action=accept chain=forward comment="Lan - Accept established Connections" connection-state=established disabled=no
add action=accept chain=forward comment="Lan - Accept related connections" connection-state=related disabled=no
add action=accept chain=forward comment="Lan - Accept UDP" disabled=no protocol=udp
add action=accept chain=forward comment="Lan - Allow limited pings" disabled=no limit=50/5s,2
add action=log chain=forward comment="Lan - Log excess pings" disabled=no log-prefix="Excess IPv6 pings" protocol=icmpv6
add action=drop chain=forward comment="Lan - Drop excess pings" disabled=no protocol=icmpv6
add action=accept chain=forward comment="Lan - From our Lan" disabled=no in-interface=ether3 src-address=2001:470:yyyy:1::/64
add action=accept chain=forward comment="WLan - From Wlan" disabled=no in-interface=wlan1 src-address=2001:470:yyyy:2::/64
add action=accept chain=forward comment="Lan - Accept SSH connection to mediaserver" disabled=no dst-address=2001:470:xxxx:1:214:xxxx:5ff:fe6:792/128 dst-port=22 protocol=tcp
add action=log chain=forward comment="Lan - Log everything else" disabled=no log-prefix="Log IPv6"
add action=reject chain=forward comment="Lan - Drop everything else" connection-state=new disabled=no in-interface=sit1

Any comments are helpful.

That’s really not bad at all, but do not drop ICMPv6. In IPv6, routers can no longer fragment, and end hosts must use ICMPv6 for MTU path discovery. It is also used for neighbor solicitation (the ARP of IPv6), router discovery, and autoconfiguration. Read up on that, and unconditionally allow the required ICMPv6 types.

Per your suggestion, I've removed the deny for ICMPv6.

mar/19/2011 22:19:15 by RouterOS 5.0rc11

software id = SDFH-MR7B

/ipv6 firewall filter
add action=accept chain=input comment="Router - VPN Start" connection-state=new disabled=no dst-port=1723 protocol=tcp
add action=accept chain=input comment="Router - GRE Allow" disabled=no protocol=gre
add action=accept chain=input comment="Router - VPN UDP" disabled=no dst-port=1723 protocol=udp
add action=accept chain=input comment="Router - Allow IPv6 ICMP Traffic" disabled=no protocol=icmpv6
add action=accept chain=input comment="Router - Accept established connections" connection-state=established disabled=no
add action=accept chain=input comment="Router - Accept related connections" connection-state=related disabled=no
add action=drop chain=input comment="Router - Drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Router- UDP" disabled=no protocol=udp
add action=accept chain=input comment="Router - From our LAN" disabled=no in-interface=ether3 src-address=2001:zzz:xxxxf:1::/64
add action=accept chain=input comment="Router - From our WLAN1" disabled=no in-interface=wlan1 src-address=2001:zzz:xxxxf:2::/64
add action=log chain=input comment="Router - Log everything else" disabled=no log-prefix="DROP IP6 INPUT"
add action=drop chain=input comment="Router - Drop everything else" disabled=no
add action=drop chain=forward comment="Lan - Drop invalid Connections" connection-state=invalid disabled=no
add action=accept chain=forward comment="Lan - Accept UDP" disabled=no protocol=udp
add action=accept chain=forward comment="LAN - Accept ICMPv6 " disabled=no protocol=icmpv6
add action=accept chain=forward comment="Lan - Accept established Connections" connection-state=established disabled=no
add action=accept chain=forward comment="Lan - Accept related connections" connection-state=related disabled=no
add action=accept chain=forward comment="Lan - From our Lan" disabled=no in-interface=ether3 src-address=2001:yyy:xxxx:1::/64
add action=accept chain=forward comment="WLan - From Wlan" disabled=no in-interface=wlan1 src-address=2001:yyy:xxxx:2::/64
add action=accept chain=forward comment="Lan - Accept SSH connection to mediaserver" disabled=no dst-address=2001:zzzz:zzzzzf:1:214:85ff:yyyy:792/128 dst-port=22 protocol=tcp
add action=log chain=forward comment="Lan - Log everything else" disabled=no log-prefix="Log IPv6"
add action=reject chain=forward comment="Lan - Drop everything else" connection-state=new disabled=no in-interface=sit1
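
The ICMPv6 advice in the reply above can be checked against both exports with a small first-match walk of the input chain. This is an added example, not part of the original thread and not MikroTik code. The rule subsets are copied from the two exports, while the ICMPv6 type list, the connection state assigned to each sample packet, and the `limit_exhausted` switch are assumptions of the example.

```python
import shlex

# ICMPv6 types behind the functions the reply names (path MTU discovery,
# router and neighbor discovery). The connection state given to each sample
# packet is an assumption of this example, not taken from the thread.
REQUIRED = {2: ("packet-too-big", "related"), 133: ("router-solicit", "new"),
            134: ("router-advert", "new"), 135: ("neighbor-solicit", "new"),
            136: ("neighbor-advert", "new")}

# Input-chain rules from the two exports above, trimmed to the ones an ICMPv6
# packet can reach, with comment= and disabled=no removed.
BEFORE = """
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=udp
add action=accept chain=input limit=50/5s,2 protocol=icmpv6
add action=log chain=input log-prefix="Excess IPv6 Pings"
add action=drop chain=input protocol=icmpv6
add action=drop chain=input
"""
AFTER = """
add action=accept chain=input protocol=icmpv6
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=udp
add action=drop chain=input
"""

def parse(export):
    """Turn 'add key=value ...' lines into a list of rule dicts."""
    rows = (shlex.split(line) for line in export.strip().splitlines())
    return [dict(t.split("=", 1) for t in row[1:]) for row in rows if row[0] == "add"]

def verdict(rules, state, limit_exhausted):
    """First-match walk of the input chain for one ICMPv6 packet."""
    for r in rules:
        if r.get("protocol", "icmpv6") != "icmpv6":
            continue
        if r.get("connection-state", state) != state:
            continue
        if "limit" in r and limit_exhausted:
            continue  # a spent rate limiter stops matching; the packet falls through
        if r["action"] != "log":  # log does not end processing
            return r["action"]
    return "accept"  # no rule matched: the packet is accepted

def audit(export, limit_exhausted):
    """Map each required ICMPv6 type to the action the ruleset applies to it."""
    rules = parse(export)
    return {t: verdict(rules, state, limit_exhausted)
            for t, (_name, state) in REQUIRED.items()}
```

With the first export, `audit(BEFORE, True)` reports `drop` for types 133 to 136 once the 50/5s limit is used up, because neighbor and router discovery share the rate limit with pings; `audit(AFTER, True)` reports `accept` for every type.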