My ISP is Webpass, and what they provide is an Ethernet port that gives you via DHCP a NAT’d IPv4 address to devices that don’t support IPv6, and an IPv6 address to devices that do support it. I would like to use my MikroTik device to act as a simple stateful firewall and nothing else.
I have an RB750G, and I would like ether1 to be my WAN connection to the ISP and ether[2-5] to be switched LAN. To that end, I configured ether2 as my master switch port and slaved ether[3-5] to it, and created a bridge with ether1 and ether2 ports. Then I tried the configs posted here:
http://forum.mikrotik.com/t/ipv6-firewall-rule-examples/34162/1
But using this tool:
http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php
I still see my Mac’s IPv6 SSH port reachable.
Any advice on how I should configure my MikroTik device to act as a simple stateful IPv6 firewall?
Thanks in advance!
Here is my complete config:
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
/system logging action
set 2 remember=yes
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set allow-disable-external-interface=no
/ipv6 firewall filter
add chain=input in-interface=bridge1 protocol=icmpv6
add chain=input connection-state=established in-interface=bridge1
add chain=input connection-state=related in-interface=bridge1
add action=drop chain=input in-interface=bridge1
/snmp
set trap-community=public
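
An added example, not part of the original post: a small Python audit of the export above that flags two properties relevant to the symptom. Every IPv6 filter rule sits in chain=input, which only matches packets addressed to the router itself, and the WAN port ether1 is a member of the same bridge as the LAN port, so frames between them are forwarded at layer 2 rather than routed. The function names and finding labels are hypothetical, and the sample is the relevant subset of the posted config with ether1 assumed to be the WAN port as stated in the post.

```python
import re

# Constructed sample: the relevant lines of the export posted above.
EXPORT = """\
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/ipv6 firewall filter
add chain=input in-interface=bridge1 protocol=icmpv6
add chain=input connection-state=established in-interface=bridge1
add chain=input connection-state=related in-interface=bridge1
add action=drop chain=input in-interface=bridge1
"""

def parse_export(text):
    """Return {menu_path: [{key: value}, ...]} for each add/set line."""
    sections, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
            sections.setdefault(menu, [])
        elif menu and line:
            sections[menu].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return sections

def audit(text, wan="ether1"):
    """Return labels for settings that leave LAN hosts unfiltered over IPv6."""
    cfg = parse_export(text)
    findings = []
    # chain=input only sees packets addressed to the router itself;
    # traffic for hosts behind it needs rules in chain=forward.
    chains = {r.get("chain") for r in cfg.get("/ipv6 firewall filter", [])}
    if "forward" not in chains:
        findings.append("no-forward-rules")
    # A WAN port bridged with LAN ports is switched at layer 2, not routed.
    ports = {}
    for p in cfg.get("/interface bridge port", []):
        ports.setdefault(p.get("bridge"), set()).add(p.get("interface"))
    for bridge, members in ports.items():
        if wan in members and len(members) > 1:
            findings.append(f"wan-bridged-with-lan:{bridge}")
    return findings

if __name__ == "__main__":
    for finding in audit(EXPORT):
        print(finding)
```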