Review of IPv4 + IPv6 firewall rules (CCR2116, dual-VLAN LAN/WAN, SLAAC to DHCPv6-PD)

RemarkableGarbage · December 22, 2025, 5:14am

Hi all,

I’m looking for a review and critique of my IPv4 and IPv6 firewall rules on a CCR2116 (Router OS 7.20.6).

I’m comfortable with RouterOS, but still refining my understanding of edge hardening, and would really value a second set of experienced eyes - especially around correctness and unintended side effects (not just lock it down more).

I am transitioning from a double-NAT setup to running my router directly at the edge, and at the same time my ISP is moving to DHCPv6-PD (technically I am moving from ATT to XFinity), so I want to ensure nothing subtle is broken or fragile.

I’m very open to being told I am wrong, especially if something here is fragile, unnecessary, or subtly incorrect.

Thanks in advance - I appreciate the collective experience here!

Design Goals

IPv4: classic default-deny WAN, explicit forwards
IPv6:
- Allow only required ICMPv6
- LAN multicast (mDNS due to Home Automation) works reliably
- Avoid rules that silently break IPv6
No IPv4/6 management access from WAN

Topology (simple)

VLAN A - LAN (trusted)
- IPv4 DHCP/DNS server
- IPv6 SLAAC today, moving to DHCPv6-PD
VLAN B - WAN (untrusted/ISP)
- Want to avoid NAT66
- No inbound IPv6 services intended
Router acts as:
- IPv4/6 Firewall
- IPv4/6 router (IPv6 PD+RA)

Some specific feedback I am looking for:

ICMPv6 scope (types allowed vs blocked - i have a lot of rules)
INPUT vs FORWARD philosophy for IPv6
mDNS + multicast handling on LAN
Any rules that are technically correct but brittle long-term
Anything typically missed when moving to DHCPv6-PD

Firewall & Config:

IPv4 Firewall”

# 2025-12-21 16:19:44 by RouterOS 7.20.6
# model = CCR2116-12G-4S+

/ip firewall address-list
    # Active Networks for spcific actions LAN_XXX
    add address=10.42.111.0/24 comment="Core network LAN" list=LAN_111
    add address=10.42.112.0/24 comment="VPN LAN Range" list=VPN_112
    add address=10.42.113.0/24 comment="VPN Range WireGuard" list=VPN_113
    add address=10.42.143.0/24 comment="Core Netowrk TestNet LAN" list=LAN_143

    # All active networks in a single list LAN_ALL
    add address=10.42.111.0/24 comment="Core network LAN" list=LAN_ALL
    add address=10.42.112.0/24 comment="VPN LAN Range" list=LAN_ALL
    add address=10.42.113.0/24 comment="VPN Range WireGuard" list=LAN_ALL
    add address=10.42.143.0/24 comment="Core Netowrk TestNet LAN" list=LAN_ALL

    add address=10.42.111.0/24 comment="Standard Network" list=MGMT_RANGE

/ip firewall filter
    #Jump out of rule proccessing as quicky as you can
    add action=fasttrack-connection chain=forward comment="Enable FastTrack for est/rel" connection-state=established,related hw-offload=yes
    add action=accept chain=forward comment="Catch non-fasttrack est/rel" connection-state=established,related,untracked
    add action=accept chain=input comment="Skip input chain if already est/rel" connection-state=established,related,untracked
    add action=accept chain=input comment="Always allow Management Port" in-interface=ether13
    add action=drop chain=input connection-state=invalid log-prefix=invalid
    add action=drop chain=forward connection-state=invalid log-prefix=invalid

    #Input Chain
    add action=drop chain=input comment="Block Bad SNMP" dst-address=10.42.111.1 dst-port=161 log=yes log-prefix="SNMP_Oops" protocol=udp src-address=!10.42.143.31
    add action=accept chain=input comment="Allow LAN" src-address-list=LAN_111
    add action=accept chain=input comment="Allow OVPN" src-address-list=VPN_112
    add action=accept chain=input comment="Allow WVPN" src-address-list=VPN_113
    add action=accept chain=input comment="Allow TEST" src-address-list=LAN_143
    add action=accept chain=input comment="Home Assistant 1" dst-port=23040-23050 in-interface-list=listWAN port="" protocol=tcp
    add action=accept chain=input comment="Home Assistant 2" dst-port=23040-23050 in-interface-list=listWAN port="" protocol=udp
    add action=accept chain=input comment="Allow ICMP" in-interface-list=listWAN protocol=icmp
    add action=accept chain=input comment="Allow SSH" dst-port=22 port="" protocol=tcp src-address-list=LAN_ALL
    add action=accept chain=input comment="Allow Syslog"  dst-address=10.42.1.10 dst-port=27644 in-interface-list=listWAN protocol=udp src-address=10.42.1.254
    add action=drop chain=input comment="Protect SMB" dst-port=445 protocol=tcp src-address-list=!LAN_ALL
    add action=drop chain=input comment="Protect DNS TCP" dst-port=53 protocol=tcp src-address-list=!LAN_ALL
    add action=drop chain=input comment="Protect DNS UDP" dst-port=53 protocol=udp src-address-list=!LAN_ALL
    add action=drop chain=input comment="Drop everything else from a WAN port" in-interface-list=listWAN log=yes log-prefix=ip4_nomatch

    #Forward Chain
    add action=accept chain=forward comment="Forward LAN" connection-state=new src-address-list=LAN_111
    add action=accept chain=forward comment="Forward OVPN" connection-state=new src-address-list=VPN_112
    add action=accept chain=forward comment="Forward WVPN" connection-state=new src-address-list=VPN_113
    add action=accept chain=forward comment="Forward TEST" connection-state=new src-address-list=LAN_143
    add action=drop chain=forward comment="Block WAN to LAN/VPN" dst-address-list=LAN_ALL in-interface-list=listWAN log=yes log-prefix=Forward_W2L
    add action=accept chain=forward connection-nat-state=dstnat connection-state=new dst-address-list=!LAN_ALL in-interface-list=listWAN
    add action=drop chain=forward log=yes log-prefix=nomatch

/ip firewall nat
    add action=masquerade chain=srcnat out-interface-list=listWAN
    add action=dst-nat chain=dstnat comment="Home Assistant 2" dst-port=23043 in-interface-list=listWAN protocol=tcp to-addresses=10.42.111.12 to-ports=8123
    add action=dst-nat chain=dstnat comment="ATT rSyslog" dst-port=27644 in-interface-list=listWAN log-prefix=att_log protocol=udp src-address=10.42.1.254 to-addresses=10.42.111.31 to-ports=5514
    add action=dst-nat chain=dstnat comment="ATT Gateway 1" dst-address=10.42.1.10 dst-port=8080 in-interface-list=listLAN protocol=tcp to-addresses=10.42.1.254 to-ports=80
    add action=dst-nat chain=dstnat comment="ATT Gateway 2" dst-address=10.42.1.10 dst-port=8081 in-interface-list=listLAN protocol=tcp to-addresses=10.42.1.254 to-ports=443

IPv6 Firewall:

# 2025-12-21 18:06:53 by RouterOS 7.20.6
# model = CCR2116-12G-4S+

/ipv6 firewall filter
    #Input Chain - Quick Exits
    add action=accept chain=input comment="Accept Est/Rel" connection-state=established,related
    add action=drop chain=input comment="Drop Invalid" connection-state=invalid

    #Input Chain - ICMPv6 Madness
    add action=accept chain=input comment="ICMPv6 No Reach" icmp-options=1:0-255 protocol=icmpv6
    add action=accept chain=input comment="ICMPv6 BigP" icmp-options=2:0-255 protocol=icmpv6
    add action=accept chain=input comment="ICMPv6 Time Lim" icmp-options=3:0-255 protocol=icmpv6
    add action=accept chain=input comment="ICMPv6 Bad" icmp-options=4:0-255 protocol=icmpv6
    add action=accept chain=input comment="ICMPv6 Echo Rep" icmp-options=129:0-255 protocol=icmpv6
    add action=accept chain=input comment="ICMPv6 Echo Req" icmp-options=128:0-255 protocol=icmpv6
    add action=accept chain=input comment="ICMPv6 MLD" icmp-options=130:0-255 in-interface-list=!listWAN protocol=icmpv6
    add action=accept chain=input comment="ICMPv6 MLD" icmp-options=131:0-255 in-interface-list=!listWAN protocol=icmpv6
    add action=accept chain=input comment="ICMPv6 MLD" icmp-options=132:0-255 in-interface-list=!listWAN protocol=icmpv6
    add action=accept chain=input comment="ICMPv6 Router Sol" icmp-options=133:0-255 protocol=icmpv6
    add action=accept chain=input comment="ICMPv6 Router Adv" icmp-options=134:0-255 protocol=icmpv6
    add action=accept chain=input comment="ICMPv6 Neighbor Sol" icmp-options=135:0-255 protocol=icmpv6
    add action=accept chain=input comment="ICMPv6 Neighbor Adv" icmp-options=136:0-255 protocol=icmpv6
    add action=accept chain=input comment="ICMPv6 MLD" icmp-options=143:0-255 in-interface-list=!listWAN protocol=icmpv6

    #Input Chain - Misc
    add action=accept chain=input comment="DHCPv6 Client" dst-port=546 in-interface-list=listWAN protocol=udp src-port=547
    add action=accept chain=input comment="DHCPv6 Server" dst-port=547 in-interface-list=!listWAN protocol=udp
    add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
    add action=drop chain=input comment="Drop ICMPv6 ALL" log=yes log-prefix=ICMPv6_Odds protocol=icmpv6
    add action=drop chain=input comment="defconf: block local link IPv6 addresses" in-interface-list=listWAN log=yes log-prefix=dropLL_from_public src-address=fe80::/10
    add action=drop chain=input comment="Drop All Else - WAN" in-interface-list=listWAN
    add action=drop chain=input comment="Drop All Else - Input" log=yes log-prefix=ipv6_NM_Input

    #Forward Chain
    add action=accept chain=forward comment="Accept Est/Rel" connection-state=established,related
    add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
    add action=drop chain=forward comment="Drop Hops > 1" hop-limit=equal:1 protocol=icmpv6
    add action=accept chain=forward comment="Forward ICMPv6" in-interface-list=!listWAN protocol=icmpv6
    add action=accept chain=forward comment="Forward Non-WAN" connection-state=new in-interface-list=!listWAN
    add action=drop chain=forward comment="Drop All Else - WAN" in-interface-list=listWAN
    add action=drop chain=forward comment="Drop All Else - Forward" log=yes log-prefix=ipv6_NM_forward

Router Config:

# 2025-12-21 18:17:01 by RouterOS 7.20.6
#
# model = CCR2116-12G-4S+
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="WAN Net 1"
set [ find default-name=ether2 ] comment="WAN Net 2"
set [ find default-name=ether7 ] comment="NAS Bond 1"
set [ find default-name=ether8 ] comment="NAS Bond 2"
set [ find default-name=sfp-sfpplus1 ] comment="DAC to S312 Bonded"
set [ find default-name=sfp-sfpplus2 ] comment="DAC to S312 Bonded"
set [ find default-name=sfp-sfpplus3 ] comment="DAC to S312 Bonded"
set [ find default-name=sfp-sfpplus4 ] comment="DAC to S312 Bonded"
/interface vlan
add interface=bridge1 name=VLAN_10 vlan-id=10
add interface=bridge1 name=VLAN_20 vlan-id=20
/interface bonding
add comment="2GB Bond for NAS" mode=802.3ad name=BOND_NAS slaves=\
    ether7,ether8 transmit-hash-policy=layer-3-and-4
add comment="40GB bond for core switch" mode=802.3ad name=BOND_S312 slaves=\
    sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 transmit-hash-policy=\
    layer-3-and-4
/interface list
add name=listLAN
add name=listWAN
add name=listMGMT
/ip dhcp-server option
add code=6 name="AdGuard DNS2" value="'10.42.111.28''10.42.111.14'"
add code=6 name="Google DNS" value="'8.8.8.8''8.8.4.4'"
/ip pool
add comment=LAN name=LAN_DHCP_111_POOL ranges=10.42.111.145-10.42.111.239
add comment=VPN_OPENVPN name=VPN_112_POOL ranges=\
    10.42.112.2-10.42.112.254
add comment=LAN_TestNet name=LAN_DHCP_143_POOL ranges=\
    10.42.143.140-10.42.143.239
/ip dhcp-server
add address-pool=LAN_DHCP_111_POOL interface=VLAN_10 lease-script=\
    lease-script lease-time=8h name=LAN_DHCP_111 use-reconfigure=yes
/ip smb users
add name=user1
/port
set 0 name=serial0
/ppp profile
add dns-server=10.42.111.28,10.42.111.14 local-address=10.42.112.1 \
    name=OVPN_Profile remote-address=VPN_112_POOL
add dns-server=10.42.111.28,10.42.111.14 local-address=10.42.112.1 \
    name=OVPN_Profile_2025 remote-address=VPN_112_POOL use-encryption=yes
/snmp community
add addresses=10.42.143.31/32 authentication-protocol=SHA1 comment=zabbix \
    encryption-protocol=AES name=zabbix
/system logging action
add disk-file-count=20 disk-file-name=nvme1/log/syslog name=nvmedisk target=\
    disk
add disk-file-count=20 disk-file-name=nvme1/log/firewall name=nvmefirewall \
    target=disk
add disk-file-count=20 disk-file-name=nvme1/log/debug name=nvmedebug target=\
    disk
add name=openobserve remote=10.42.111.31 remote-log-format=syslog \
    remote-port=5514 src-address=10.42.111.1 target=remote
add disk-file-count=20 disk-file-name=nvme1/log/emptynet name=emptynet \
    target=disk
/user group
add name=xxxxx policy="xxxx"
/ip smb
set comment=comment domain=domain enabled=yes interfaces=VLAN_10
/dude
set data-directory=nvme1/dude
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether9 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether10 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether11 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether12 pvid=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=BOND_S312
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=BOND_NAS pvid=10
/ip neighbor discovery-settings
set discover-interface-list=!listWAN
/interface bridge vlan
add bridge=bridge1 tagged=BOND_S312,bridge1 untagged=\
    ether3,ether4,ether5,ether6,ether9,ether10,ether11,ether12,BOND_NAS \
    vlan-ids=10
add bridge=bridge1 tagged=bridge1,BOND_S312 untagged=ether2,ether1 vlan-ids=\
    20
add bridge=bridge1 comment="Home Automation MAC Based" tagged=bridge1 \
    vlan-ids=30
/interface detect-internet
set detect-interface-list=listWAN internet-interface-list=listWAN \
    lan-interface-list=listLAN wan-interface-list=listWAN
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface list member
add interface=VLAN_10 list=listLAN
add interface=VLAN_20 list=listWAN
add interface=ether13 list=listMGMT
/interface ovpn-server server
add certificate=xxxx cipher="xxxx" default-profile=xxx \
    disabled=no mac-address=xxxx name=xxxx port=xxxx \
    redirect-gateway=xxx require-client-certificate=xxx
add certificate=yyyy cipher="yyyy" default-profile=yyyy \
    disabled=no mac-address=yyyy name=ovpn-server-2025 port=\
    yyyy protocol=yyyy redirect-gateway=yyyy require-client-certificate=yyy
/ip address
add address=10.42.111.1/24 comment=\
    "Private IP Address - Use for local network" interface=VLAN_10 network=\
    10.42.111.0
add address=10.42.1.10/24 comment="Public IP Address - Double-NAT with ATT" \
    interface=VLAN_20 network=10.42.1.0
add address=10.42.143.1/24 comment="TestNet Network" interface=VLAN_10 \
    network=10.42.143.0
/ip dhcp-server network
add address=10.42.111.0/24 dns-server=10.42.111.1 domain=lan gateway=\
    10.42.111.1 netmask=24 ntp-server=10.42.111.1
/ip dns
set allow-remote-requests=yes cache-size=20480KiB doh-max-server-connections=\
    10 use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=\
    yes
/ip dns static
add address=1.1.1.1 comment="Static - Cloudflaire Resolver Backup" name=\
    cloudflare-dns.com type=A
add address=8.8.8.8 comment="Static - Google DNS Backup" name=dns.google \
    type=A
add address=10.42.111.1 comment="Static - Core Router" name=R2116.lan type=\
    A
add address=10.42.111.2 comment="Static - Core 10G Switch" name=S312.lan \
    type=A
/ip firewall address-list
add address=10.42.111.0/24 comment="Core network LAN" list=LAN_111
add address=10.42.111.0/24 comment="Standard Network" list=MGMT_RANGE
add address=10.42.1.0/24 comment="Double NAT Rante" list=MGMT_RANGE
add address=10.42.112.0/24 comment="VPN LAN Range" list=VPN_112
add address=10.42.112.0/24 comment="VPN OVPN" list=MGMT_RANGE
add address=10.42.113.0/24 comment="VPN Range WireGuard" list=VPN_113
add address=10.42.143.0/24 comment="Core Netowrk TestNet LAN" list=LAN_143
add address=10.42.111.0/24 comment="Core network LAN" list=LAN_ALL
add address=10.42.143.0/24 comment="Core Netowrk TestNet LAN" list=LAN_ALL
add address=10.42.113.0/24 comment="VPN Range WireGuard" list=LAN_ALL
add address=10.42.112.0/24 comment="VPN LAN Range" list=LAN_ALL
/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
    "Enable FastTrack for est/rel" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="Catch non-fasttrack est/rel" \
    connection-state=established,related,untracked
add action=accept chain=input comment="Skip input chain if already est/rel" \
    connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid log-prefix=invalid
add action=drop chain=forward connection-state=invalid log-prefix=invalid
add action=drop chain=input comment="Block SNMP From Non-Zabbix" dst-address=\
    10.42.111.1 dst-port=161 log=yes log-prefix="SNMP Attack" protocol=udp \
    src-address=!10.42.143.31
add action=accept chain=input src-address-list=LAN_111
add action=accept chain=input src-address-list=LAN_143
add action=accept chain=input src-address-list=VPN_112
add action=accept chain=input comment="Home Assistant" dst-port=23040-23050 \
    in-interface-list=listWAN port="" protocol=tcp
add action=accept chain=input comment="Home Assistant 2" dst-port=23040-23050 \
    in-interface-list=listWAN port="" protocol=udp
add action=accept chain=input comment="allow ICMP" in-interface-list=listWAN \
    protocol=icmp
add action=accept chain=input comment="allow Winbox" disabled=yes dst-port=\
    8291 in-interface-list=listWAN port="" protocol=tcp
add action=accept chain=input comment="allow SSH" dst-port=22 port="" \
    protocol=tcp src-address-list=LAN_ALL
add action=accept chain=input dst-address=10.42.1.10 dst-port=27644 \
    in-interface-list=listWAN protocol=udp src-address=10.42.1.254
add action=accept chain=input comment=\
    "Always allow port 13 - Management Port" in-interface=ether13
add action=drop chain=input comment="Protect SMB" dst-port=445 protocol=tcp \
    src-address-list=!LAN_ALL
add action=drop chain=input comment="Protect DNS TCP" dst-port=53 protocol=\
    tcp src-address-list=!LAN_ALL
add action=drop chain=input comment="Protect DNS UDP" dst-port=53 protocol=\
    udp src-address-list=!LAN_ALL
add action=drop chain=input comment="Drop everything else from a WAN port" \
    in-interface-list=listWAN log=yes log-prefix=nomatch
add action=accept chain=forward comment="Forward LAN" connection-state=new \
    src-address-list=LAN_111
add action=accept chain=forward comment="Forward VPN" connection-state=new \
    src-address-list=VPN_112
add action=accept chain=forward comment="Forward TEST" connection-state=new \
    src-address-list=LAN_143
add action=drop chain=forward comment="Block WAN to Core LAN/VPN" \
    dst-address-list=LAN_ALL in-interface-list=listWAN log=yes log-prefix=\
    Forward_W2L
add action=accept chain=forward connection-nat-state=dstnat connection-state=\
    new dst-address-list=!LAN_ALL in-interface-list=listWAN
add action=drop chain=forward log=yes log-prefix=nomatch
add action=accept chain=forward comment="Intervlan - 100 to 200" disabled=yes \
    in-interface=VLAN_10 out-interface=VLAN_20
add action=accept chain=forward disabled=yes in-interface=VLAN_20 \
    out-interface=VLAN_10
add action=accept chain=input comment="Test Allow All" disabled=yes \
    in-interface-list=listWAN
add action=accept chain=forward comment="Test Again" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=listWAN
add action=dst-nat chain=dstnat comment="Home Assistant 2" dst-port=23043 \
    in-interface-list=listWAN protocol=tcp to-addresses=10.42.111.12 \
    to-ports=8123
add action=dst-nat chain=dstnat comment="ATT rsyslog to OpenObserve" \
    dst-port=27644 in-interface-list=listWAN log-prefix=att_log protocol=udp \
    src-address=10.42.1.254 to-addresses=10.42.111.31 to-ports=5514
add action=dst-nat chain=dstnat comment="Access ATT PON" dst-address=\
    10.42.1.10 dst-port=8080 in-interface-list=listLAN protocol=tcp \
    to-addresses=10.42.1.254 to-ports=80
add action=dst-nat chain=dstnat comment="Access ATT PON" dst-address=\
    10.42.1.10 dst-port=8081 in-interface-list=listLAN protocol=tcp \
    to-addresses=10.42.1.254 to-ports=443
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=20 dst-address=0.0.0.0/0 gateway=10.42.1.254 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=yes \
    target-scope=10
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www port=xxxxx
/ip smb shares
add directory=zzzz name=zzzz valid-users=zzzz
/ipv6 address
add address=::ffff:ffff:ffff:ffff eui-64=yes from-pool=att_ipv6 interface=\
    VLAN_10
/ipv6 dhcp-client
add add-default-route=yes interface=VLAN_20 pool-name=att_ipv6 prefix-hint=\
    ::/60 request=address,prefix use-peer-dns=no
/ipv6 firewall filter
add action=accept chain=input comment="Accept Est/Rel" connection-state=\
    established,related
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=accept chain=input comment="ICMPv6 No Reach" icmp-options=1:0-255 \
    protocol=icmpv6
add action=accept chain=input comment="ICMPv6 BigP" icmp-options=2:0-255 \
    protocol=icmpv6
add action=accept chain=input comment="ICMPv6 Time Lim" icmp-options=3:0-255 \
    protocol=icmpv6
add action=accept chain=input comment="ICMPv6 Bad" icmp-options=4:0-255 \
    protocol=icmpv6
add action=accept chain=input comment="ICMPv6 Echo Rep" icmp-options=\
    129:0-255 protocol=icmpv6
add action=accept chain=input comment="ICMPv6 Echo Req" icmp-options=\
    128:0-255 protocol=icmpv6
add action=accept chain=input comment="ICMPv6 MLD" icmp-options=130:0-255 \
    in-interface-list=!listWAN protocol=icmpv6
add action=accept chain=input comment="ICMPv6 MLD" icmp-options=131:0-255 \
    in-interface-list=!listWAN protocol=icmpv6
add action=accept chain=input comment="ICMPv6 MLD" icmp-options=132:0-255 \
    in-interface-list=!listWAN protocol=icmpv6
add action=accept chain=input comment="ICMPv6 Router Sol" icmp-options=\
    133:0-255 protocol=icmpv6
add action=accept chain=input comment="ICMPv6 Router Adv" icmp-options=\
    134:0-255 protocol=icmpv6
add action=accept chain=input comment="ICMPv6 Neighbor Sol" icmp-options=\
    135:0-255 protocol=icmpv6
add action=accept chain=input comment="ICMPv6 Neighbor Adv" icmp-options=\
    136:0-255 protocol=icmpv6
add action=accept chain=input comment="ICMPv6 MLD" icmp-options=143:0-255 \
    in-interface-list=!listWAN protocol=icmpv6
add action=accept chain=input comment="DHCPv6 Client" dst-port=546 \
    in-interface-list=listWAN protocol=udp src-port=547
add action=accept chain=input comment="DHCPv6 Server" dst-port=547 \
    in-interface-list=!listWAN protocol=udp
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=drop chain=input comment="Drop ICMPv6 ALL" log=yes log-prefix=\
    ICMPv6_Odds protocol=icmpv6
add action=drop chain=input comment=\
    "defconf: block local link IPv6 addresses" in-interface-list=listWAN log=\
    yes log-prefix=dropLL_from_public src-address=fe80::/10
add action=drop chain=input comment="Drop All Else - WAN" in-interface-list=\
    listWAN
add action=drop chain=input comment="Drop All Else - Input" log=yes \
    log-prefix=ipv6_NM_Input
add action=accept chain=forward comment="Accept Est/Rel" connection-state=\
    established,related
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward comment="Drop Hops > 1" hop-limit=equal:1 \
    protocol=icmpv6
add action=accept chain=forward comment="Forward ICMPv6" in-interface-list=\
    !listWAN protocol=icmpv6
add action=accept chain=forward comment="Forward Non-WAN" connection-state=\
    new in-interface-list=!listWAN
add action=drop chain=forward comment="Drop All Else - WAN" \
    in-interface-list=listWAN
add action=drop chain=forward comment="Drop All Else - Forward" log=yes \
    log-prefix=ipv6_NM_forward
/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes
add interface=VLAN_10 ra-delay=5s ra-interval=5s-30s
/ppp secret
add name=xxxx profile=OVPN_Profile service=ovpn
add name=yyyy profile=OVPN_Profile service=ovpn
/snmp
set enabled=yes engine-id-suffix=CCR2116 location="Valt 101" trap-version=3
/system clock
set time-zone-name=America/New_York
/system identity
set name=R2116
/system logging
set 0 topics=info,!firewall,!ovpn,!fetch
add action=nvmedisk topics=critical
add action=nvmefirewall topics=firewall
add action=nvmedisk topics=error
add action=openobserve topics=critical
add action=openobserve topics=error
add action=openobserve topics=warning
add action=openobserve topics=account
add action=openobserve topics=system
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=10.42.111.255,10.42.112.255 \
    enabled=yes local-clock-stratum=4 manycast=yes multicast=yes \
    use-local-clock=yes
/system ntp client servers
add address=162.159.200.123
add address=162.159.200.1
add address=time.cloudflare.com
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=listLAN
/tool mac-server mac-winbox
set allowed-interface-list=listLAN
/tool romon
set enabled=no
/tool romon port
add forbid=yes interface=VLAN_20