Community discussions

MikroTik App
 
chuky0
newbie
Topic Author
Posts: 27
Joined: Thu Apr 20, 2017 7:49 pm

ipv6 firewall question

Tue Jun 13, 2017 2:40 am

I was wondering why input chain accept established, related gets no activiy, ie. bytes and packets stay at 0.

Here is an export of my ipv6 firewall, please offer suggestions, critique, etc. Thanks!

add action=accept chain=forward comment=\
"Allow established, related connections" connection-state=\
established,related
add action=accept chain=forward comment="Allow limited ICMP forwarding" limit=\
50/5s,5 protocol=icmpv6
add action=add-src-to-address-list address-list=Whitelist address-list-timeout=\
0s chain=forward comment="Whitelisted sources"
add chain=forward comment="Allow whitelisted hosts and networks" \
src-address-list=Whitelist
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward log-prefix="v6 DROP INVALID" out-interface=\
ether2-master
add action=accept chain=input comment="Allow established, related connections" \
connection-state=established,related
add action=accept chain=input comment="Allow limited ICMP" limit=50/5s,5 \
protocol=icmpv6
add action=accept chain=input comment="Allow UDP" protocol=udp
add action=accept chain=input comment=\
"Allow DHCPv6 replies on WAN from link-local" dst-address=fe80::/64 \
dst-port=546 in-interface=ether1 protocol=udp src-address=fe80::/64
add action=add-src-to-address-list address-list=Whitelist address-list-timeout=\
0s chain=input comment="Whitelisted sources"
add action=accept chain=input comment="Allow whitelisted sources" \
src-address-list=Whitelist
add action=drop chain=input comment="drop all from WAN" in-interface=ether1 \
log-prefix="v6 DROP INVALID"
add action=accept chain=output connection-state=established,related
add action=drop chain=output connection-state=invalid log=yes log-prefix=\
"v6 DROP INVALID"
 
proximus
Member Candidate
Member Candidate
Posts: 113
Joined: Tue Oct 04, 2011 1:46 pm

Re: ipv6 firewall question  [SOLVED]

Tue Jun 13, 2017 4:14 am

Sounds like you are applying IPv4 NAT concepts to IPv6. Where in IPv4 NAT, connections on the input chain are TO the router (the NAT address) .. this is the established return traffic to a LAN device request that has been NAT'ed to the WAN address. In IPv6, there is typically no NAT and practically everything is THRU the router (not actually destine TO it), therefore there is nothing on the input chain, just forward chain. So, the only traffic on the input would be something like ICMPv6 probes monitoring the WAN interface, or DHCPv6, etc.

Who is online

Users browsing this forum: cvalavik and 37 guests