davorin
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun Mar 03, 2019 6:23 pm

IPv6 hosts reachable behind LAN

Tue Sep 03, 2019 11:05 pm

Good evening

Just got an IPv6 PD from my ISP...and after following this guide: https://www.netdaily.org/tag/ipv6-prefi ... -mikrotik/
I get a sub delegation on the LAN side as well...

But all my IPv6 hosts behind the LAN are now reachable from the internet...so what firewall rules do I have to add so my IPv6 hosts are not reachable from the outside?


thanks in advance
richard
 
mkx
Forum Guru
Posts: 2778
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPv6 hosts reachable behind LAN

Tue Sep 03, 2019 11:24 pm

Start off with the default rules for the IPv6 firewall ... they are hidden inside a script that you can get by executing /system default-configuration print, under /ipv6 firewall
BR,
Metod
 
davorin
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun Mar 03, 2019 6:23 pm

Re: IPv6 hosts reachable behind LAN

Tue Sep 03, 2019 11:47 pm

Hello

Meanwhile I've found this setup:

0 chain=input protocol=icmpv6
1 chain=input connection-state=established,related
2 chain=input protocol=udp in-interface=ether1 src-port=547 dst-port=546
3 chain=input action=drop connection-state=invalid
4 chain=input action=drop connection-state=new in-interface=ether1
5 chain=forward protocol=icmpv6
6 chain=forward connection-state=established,related
7 chain=forward connection-state=new in-interface=!ether1
8 chain=forward action=drop connection-state=invalid
9 chain=forward action=drop connection-state=new in-interface=ether1

I can still ping my laptop behind it...but can't log in via ssh to it...

Probably icmp is enabled by default or by the rule above...

Any better method to test from an outside IPv6 host that a firewall rule works fine?


So far I am happy with the easy IPv6 setup on RouterOS and that I now have 2^80 fixed v6 addresses from my cable provider...but only a v4 /29 (o;


cheers
richard
 
mkx
Forum Guru
Posts: 2778
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPv6 hosts reachable behind LAN

Wed Sep 04, 2019 7:53 am

The mentioned default IPv6 firewall setup is a bit more complex (the code below is from 6.45.1):
/ipv6 firewall
address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
address-list add list=bad_ipv6 address=::224.0.0.0/100 comment="defconf: other"
address-list add list=bad_ipv6 address=::127.0.0.0/104 comment="defconf: other"
address-list add list=bad_ipv6 address=::/104 comment="defconf: other"
address-list add list=bad_ipv6 address=::255.0.0.0/104 comment="defconf: other"
filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"

Note that it relies on two interface lists (LAN and WAN) and one has to properly configure that part as well.
BR,
Metod
 
mkx
Forum Guru
Posts: 2778
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPv6 hosts reachable behind LAN

Wed Sep 04, 2019 7:58 am

I can still ping my laptop behind it...but can't log in via ssh to it...

Probably icmp is enabled by default or by the rule above...

Any better method to test from an outside IPv6 host that a firewall rule works fine?

ICMPv6 is essential for IPv6 to work, so it's normal that ping on IPv6 works.

There are a few IPv6 port scanners allowing you to test the security of an IPv6 host. Not perfect (mostly they only test a few well-known service ports), but they should give you an idea of firewall performance.
BR,
Metod
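Added example (not RouterOS code and not part of any post above): a small first-match simulator for the forward chain of the default IPv6 firewall mkx quoted, showing why an outside host can still ping a LAN machine while a new SSH connection is dropped. Addresses in the test packets are constructed; the interface-list membership and the accept-by-default end of chain are assumptions about the setup.

```python
# Simplified first-match model of the defconf forward chain quoted above.
# Real RouterOS has many more match options; this only covers the ones used there.
import ipaddress

# Subset of the bad_ipv6 address list from the default configuration.
BAD_IPV6 = [ipaddress.ip_network(n) for n in (
    "::/128", "::1/128", "fec0::/10", "::ffff:0:0/96", "2001:db8::/32", "3ffe::/16")]

# (action, match conditions, defconf comment) in evaluation order.
FORWARD = [
    ("accept", {"connection-state": {"established", "related", "untracked"}}, "accept established,related,untracked"),
    ("drop", {"connection-state": {"invalid"}}, "drop invalid"),
    ("drop", {"src-address-list": "bad_ipv6"}, "drop packets with bad src ipv6"),
    ("drop", {"dst-address-list": "bad_ipv6"}, "drop packets with bad dst ipv6"),
    ("drop", {"protocol": "icmpv6", "hop-limit": 1}, "rfc4890 drop hop-limit=1"),
    ("accept", {"protocol": "icmpv6"}, "accept ICMPv6"),
    ("accept", {"protocol": "udp", "dst-port": {500, 4500}}, "accept IKE"),
    ("drop", {"in-interface-list": "!LAN"}, "drop everything else not coming from LAN"),
]

def in_bad_list(addr):
    return any(ipaddress.ip_address(addr) in net for net in BAD_IPV6)

def matches(cond, pkt):
    """True when every condition of one rule matches the packet."""
    for key, want in cond.items():
        if key == "connection-state":
            ok = pkt["state"] in want
        elif key == "src-address-list":
            ok = in_bad_list(pkt["src"])
        elif key == "dst-address-list":
            ok = in_bad_list(pkt["dst"])
        elif key == "protocol":
            ok = pkt["proto"] == want
        elif key == "dst-port":
            ok = pkt.get("dport") in want
        elif key == "hop-limit":
            ok = pkt.get("hop_limit") == want
        elif key == "in-interface-list":
            # "!LAN" matches when the ingress interface is NOT in the LAN list.
            ok = pkt["iface_list"] != want[1:] if want.startswith("!") else pkt["iface_list"] == want
        else:
            ok = False
        if not ok:
            return False
    return True

def forward_verdict(pkt):
    """First matching rule wins; a packet matching no rule is accepted (chain default)."""
    for action, cond, comment in FORWARD:
        if matches(cond, pkt):
            return action, comment
    return "accept", "no rule matched (chain default)"
```

Outbound new connections from the LAN fall through every rule and are accepted, which is why this chain relies on the LAN interface list being configured correctly.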
