yeahbuddy
just joined
Topic Author
Posts: 3
Joined: Thu Dec 31, 2020 12:48 am

IPv6 Firewall

Mon Jan 04, 2021 8:04 pm

Hello, after I enabled the IPv6 package and set up IPv6 on the hAP ac2 (v6.48) I realized that my IPv6 firewall is completely empty by default. Can someone help me out with some basic FW rules for home use?
Thanks.
 
nescafe2002
Forum Veteran
Posts: 737
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: IPv6 Firewall

Tue Jan 05, 2021 10:15 am

After enabling ipv6 package, the ipv6 firewall is in the default configuration.

https://help.mikrotik.com/docs/display/ ... igurations
/system default-configuration print

You can copy/paste the /ipv6 firewall part from there (make sure your terminal window is wide enough for all contents to be displayed).

/ipv6 firewall {
  address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
  address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
  address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
  address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
  address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
  address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
  address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
  address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
  address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
  address-list add list=bad_ipv6 address=::224.0.0.0/100 comment="defconf: other"
  address-list add list=bad_ipv6 address=::127.0.0.0/104 comment="defconf: other"
  address-list add list=bad_ipv6 address=::/104 comment="defconf: other"
  address-list add list=bad_ipv6 address=::255.0.0.0/104 comment="defconf: other"
  filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
  filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
  filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
  filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
  filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
  filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
  filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
  filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
  filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
  filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
  filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
  filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
  filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
  filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
  filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
  filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
  filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
  filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
}
 
yeahbuddy
just joined
Topic Author
Posts: 3
Joined: Thu Dec 31, 2020 12:48 am

Re: IPv6 Firewall

Tue Jan 05, 2021 10:51 am

Thanks, not sure why it wasn't applied automatically.
 
kalamaja
Frequent Visitor
Posts: 50
Joined: Wed May 23, 2018 3:13 pm

Re: IPv6 Firewall

Tue Jan 05, 2021 11:31 am

It is as with other parts of MT: you may want to start with the default configuration or with an empty configuration. The ipv6 module is disabled by default, so the correct flow to start using it is to enable the module, reset the configuration to get the default configuration for all enabled modules, and then apply your configuration. Or apply it from /system default-configuration print, if you have an existing configuration.
 
nescafe2002
Forum Veteran
Posts: 737
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: IPv6 Firewall

Tue Jan 05, 2021 12:12 pm

> not sure why it wasn't applied automatically.
Default configuration is not re-applied on module activation. Maybe it should (for firewall) but that's up to the product team.
 
pe1chl
Forum Guru
Posts: 7185
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPv6 Firewall

Tue Jan 05, 2021 4:37 pm

It is a bug/shortcoming in RouterOS.
When you add a new package, the default configuration for that package is not applied.
Workaround: always enable IPv6 as first thing when you receive a new router, then update to the newest RouterOS version, and then reset to factory defaults.
When you do the reset with IPv6 package enabled, you get the correct default configuration.
And when you do it only after updating RouterOS, you get the most actual default configuration.
(out-of-the-box RouterOS version is often old, and the default configuration applied at first boot is out-of-date)
 
k6ccc
Long time Member
Posts: 628
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: IPv6 Firewall

Tue Jan 05, 2021 5:40 pm

> It is a bug/shortcoming in RouterOS.
> When you add a new package, the default configuration for that package is not applied.
> Workaround: always enable IPv6 as first thing when you receive a new router, then update to the newest RouterOS version, and then reset to factory defaults.
> When you do the reset with IPv6 package enabled, you get the correct default configuration.
That's a great suggestion for a new installation, but does not help for an existing configuration with a couple hundred lines of configuration. However the list provided earlier is a good help. I recently enabled IPv6 - just to play with a little on my RB750Gr3. I created an EXTREMELY restrictive firewall, but will take a look at the default listed earlier.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission

Warning: I know enough to be dangerous...

Jim
 
vas
just joined
Posts: 24
Joined: Mon Jan 04, 2021 5:35 am
Location: Tomsk, Russia

Re: IPv6 Firewall

Tue Jan 05, 2021 5:51 pm

In the ruleset above, where is the rule which actually creates connection states from egress traffic? Is connection state tracking enabled implicitly? How does this work?
 
pe1chl
Forum Guru
Posts: 7185
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPv6 Firewall

Tue Jan 05, 2021 7:51 pm

> In the ruleset above, where is the rule which actually creates connection states from egress traffic? Is connection state tracking enabled implicitly? How does this work?
This ruleset relies on the fact that in RouterOS there is a "default allow" at the end of each chain.
So when the packet does not match any of the rules above it is accepted. The rules explicitly drop any traffic "not from LAN" but traffic "from LAN" (outbound connections) is accepted because it hits the end of the chain where a default allow is present.

I do not like it. I always make the ruleset so that it ends in a "drop" rule, e.g. by changing that action=drop in-interface-list=!LAN into an action=accept in-interface-list=LAN and then adding a plain action=drop rule that drops anything not matched above.
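The two points above, the default ruleset nescafe2002 pasted and pe1chl's objection that it relies on the implicit accept at the end of each chain, are easy to see by evaluating sample packets against the rules. The following model is an added example, not part of the thread and not RouterOS code: it parses the 22 `filter add` lines of the quoted default configuration verbatim, carries the `bad_ipv6` address-list as Python data, and reports which rule (or which end-of-chain default) decides each packet. It also goes one step beyond the thread by applying pe1chl's variant (`accept in-interface-list=LAN` plus a plain final drop) to the same packets. The interface-list names WAN/LAN, the fd00::/8 addresses, the connection states and the packets themselves are constructed, and the matchers are simplified (`port` matches either port, `hop-limit` only supports `equal:N`).

```python
"""Model of RouterOS IPv6 filter-chain evaluation (added example, not RouterOS code).

DEFCONF_FILTER is the 22 'filter add' lines of the default configuration quoted in the
thread, verbatim; BAD is that block's bad_ipv6 address-list. Packets, the interface-list
names WAN/LAN and the fd00::/8 addresses are constructed for the demonstration."""
import ipaddress
import shlex

DEFCONF_FILTER = r"""
filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
"""

# bad_ipv6 address-list entries from the same default configuration.
BAD = {"bad_ipv6": [ipaddress.ip_network(n) for n in (
    "::/128", "::1", "fec0::/10", "::ffff:0:0/96", "::/96", "100::/64", "2001:db8::/32",
    "2001:10::/28", "3ffe::/16", "::224.0.0.0/100", "::127.0.0.0/104", "::/104", "::255.0.0.0/104")]}
ip = ipaddress.ip_address

def parse_filter(text):
    """Each 'filter add k=v ...' line becomes a dict; shlex keeps quoted comments whole."""
    return [dict(t.split("=", 1) for t in shlex.split(line)[2:])
            for line in text.strip().splitlines()]

def _ports(spec):
    """'546', '500,4500' or '33434-33534' -> set of port numbers."""
    return {n for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for n in range(int(lo), int(hi or lo) + 1)}

# One predicate per matcher the default ruleset uses (simplified: 'port' matches
# either port, 'hop-limit' only supports equal:N); an unknown matcher raises KeyError.
MATCHERS = {
    "connection-state": lambda v, p, al: p["conn_state"] in v.split(","),
    "protocol": lambda v, p, al: p["protocol"] == v,
    "port": lambda v, p, al: bool({p.get("src_port"), p.get("dst_port")} & _ports(v)),
    "dst-port": lambda v, p, al: p.get("dst_port") in _ports(v),
    "src-address": lambda v, p, al: ip(p["src"]) in ipaddress.ip_network(v),
    "src-address-list": lambda v, p, al: any(ip(p["src"]) in n for n in al[v]),
    "dst-address-list": lambda v, p, al: any(ip(p["dst"]) in n for n in al[v]),
    "in-interface-list": lambda v, p, al: (p["in_list"] == v.lstrip("!")) != v.startswith("!"),
    "hop-limit": lambda v, p, al: v.startswith("equal:") and p["hop_limit"] == int(v[6:]),
    "ipsec-policy": lambda v, p, al: p.get("ipsec_policy") == v,
}

def evaluate(rules, chain, pkt, addr_lists=BAD, final_drop=False):
    """First matching rule wins. A packet reaching the end of a RouterOS chain is
    accepted; final_drop=True models a plain 'action=drop' appended to the chain."""
    for r in rules:
        if r["chain"] == chain and all(MATCHERS[k](v, pkt, addr_lists) for k, v in r.items()
                                       if k not in ("chain", "action", "comment")):
            return r["action"], r["comment"]
    return ("drop", "explicit final drop") if final_drop else ("accept", "end of chain (implicit accept)")

def with_explicit_drop(rules):
    """pe1chl's variant: 'drop !LAN' becomes 'accept LAN'; evaluate it with final_drop=True."""
    swap = {"action": "accept", "in-interface-list": "LAN", "comment": "accept from LAN"}
    return [{**r, **swap} if r.get("in-interface-list") == "!LAN" else r for r in rules]

def packet(**fields):
    """Constructed packet; the default is a new TCP packet arriving from the WAN side."""
    p = dict(src="fd00:ffff::1", dst="fd00::10", protocol="tcp", conn_state="new", in_list="WAN", hop_limit=64)
    p.update(fields)
    return p

def scenarios(rules, final_drop=False):
    """(verdict, deciding rule) for a handful of constructed packets, per chain."""
    lan_out = dict(src="fd00::10", dst="fd00:ffff::1", in_list="LAN")
    cases = {
        "lan_new_forward": ("forward", packet(**lan_out)),
        "wan_new_forward": ("forward", packet()),
        "wan_reply_forward": ("forward", packet(conn_state="established")),
        "bogon_src_forward": ("forward", packet(src="3ffe::1")),
        "icmpv6_hoplimit1_forward": ("forward", packet(protocol="icmpv6", hop_limit=1)),
        "dhcpv6_input": ("input", packet(src="fe80::1", protocol="udp", dst_port=546)),
        "ssh_from_wan_input": ("input", packet(dst_port=22)),
        "ssh_from_lan_input": ("input", packet(dst_port=22, **lan_out)),
    }
    return {n: evaluate(rules, c, p, final_drop=final_drop) for n, (c, p) in cases.items()}

RULES = parse_filter(DEFCONF_FILTER)
```

Running `scenarios(RULES)` shows that every LAN-originated packet (the `lan_new_forward` and `ssh_from_lan_input` cases) is decided by "end of chain (implicit accept)", i.e. by no rule at all, while `scenarios(with_explicit_drop(RULES), final_drop=True)` gives the same verdicts but attributes each accept to a rule that names it; that is the difference pe1chl describes. The forward-chain order also shows why the bogon drop comes after the established/related accept: a spoofed source only reaches the address-list check for new connections.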
 
vas
just joined
Posts: 24
Joined: Mon Jan 04, 2021 5:35 am
Location: Tomsk, Russia

Re: IPv6 Firewall

Wed Jan 06, 2021 4:46 am

> I always make the ruleset so that it ends in a "drop" rule
OK, let's consider this simplified but working example:
/ipv6 firewall filter
add action=accept chain=input comment="Allow established and related" connection-state=established,related
add action=drop chain=input comment="Drop by default" in-interface=sit1
There is no explicit rule to create firewall state based on outgoing packets, and nevertheless state is created and return traffic via sit1 is being permitted. Where exactly is the state created in this example?
 
mducharme
Trainer
Posts: 1128
Joined: Tue Jul 19, 2016 6:45 pm

Re: IPv6 Firewall

Wed Jan 06, 2021 4:57 am

> There is no explicit rule to create firewall state based on outgoing packets, and nevertheless state is created and return traffic via sit1 is being permitted. Where exactly is the state created in this example?
Connection state tracking happens by default on "auto" when there is at least one firewall or NAT rule. It doesn't matter what the rule is, as long as at least one rule exists, all connections will be tracked. So because you have at least one IPv4 or IPv6 firewall or NAT rule, connection tracking happens for all IPv4 and IPv6 traffic.

If you add firewall rules and you don't want connections to be tracked, you have to change connection tracking from "auto" to "off".
 
vas
just joined
Posts: 24
Joined: Mon Jan 04, 2021 5:35 am
Location: Tomsk, Russia

Re: IPv6 Firewall

Wed Jan 06, 2021 5:10 am

> Connection state tracking happens by default on "auto" when there is at least one firewall or NAT rule. It doesn't matter what the rule is, as long as at least one rule exists, all connections will be tracked. So because you have at least one IPv4 or IPv6 firewall or NAT rule, connection tracking happens for all IPv4 or IPv6 traffic.
>
> If you add firewall rules and you don't want connections to be tracked, you have to change connection tracking from "auto" to "off".
Thank you, now I understand. I have even found the Firewall -> Connections -> Tracking button after your explanation.

Is this a MikroTik feature or a generic Linux iptables feature?
 
mducharme
Trainer
Posts: 1128
Joined: Tue Jul 19, 2016 6:45 pm

Re: IPv6 Firewall

Wed Jan 06, 2021 6:03 am

> Is this a MikroTik feature or a generic Linux iptables feature?
Connection tracking is part of iptables. My experience with Linux suggests that connections are tracked even if there are no iptables rules, so Linux uses what MikroTik calls the "on" setting instead of the "auto" setting. I'm not sure if you can change Linux from "on" to "auto", or whether this is something that MikroTik created.

I do know that on Linux it is surprisingly (and often frustratingly) difficult to turn off connection tracking permanently when you do not want it. Other processes can turn it back on again easily. Thankfully on MikroTik devices, connection tracking set to "off" is reliable.
 
vas
just joined
Posts: 24
Joined: Mon Jan 04, 2021 5:35 am
Location: Tomsk, Russia

Re: IPv6 Firewall

Wed Jan 06, 2021 7:39 am

Thank you mducharme for your very informative replies.
 
pe1chl
Forum Guru
Posts: 7185
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPv6 Firewall

Wed Jan 06, 2021 12:05 pm

> > I always make the ruleset so that it ends in a "drop" rule
> OK, let's consider this simplified but working example:
> /ipv6 firewall filter
> add action=accept chain=input comment="Allow established and related" connection-state=established,related
> add action=drop chain=input comment="Drop by default" in-interface=sit1
> There is no explicit rule to create firewall state based on outgoing packets, and nevertheless state is created and return traffic via sit1 is being permitted. Where exactly is the state created in this example?
Remember that there are different chains in the firewall. Your example with "input" might indicate that you think that all traffic incoming to your network is passing the "input" chain. That is not true!
The "input" chain is only for traffic incoming to and processed by the router itself. Traffic incoming from internet and being routed to your internal network is NOT passing through the "input" chain, it is processed by the "forward" chain only.
Rules in the "input" chain are for things like the admin interface of the router, the outer address of VPN tunnels, etc.
And for the replies on outgoing connections setup by the router itself, like resolving DNS via the IP->DNS resolver.

The "forward" chain is active in both directions, so you need to identify the direction of traffic by input or output interface.
The "input" chain has a separate chain for the opposite direction, the "output" chain. That is again only used for traffic originating from the router itself.
It is usually empty, and hence it "accepts all".
In your example, traffic outgoing from the router is implicitly accepted by the empty output chain, creates a connection tracking entry there, and its replies are accepted by the established/related rule in your input chain.
 
vas
just joined
Posts: 24
Joined: Mon Jan 04, 2021 5:35 am
Location: Tomsk, Russia

Re: IPv6 Firewall

Wed Jan 06, 2021 12:19 pm

> Remember that there are different chains in the firewall. Your example with "input" might indicate that you think that all traffic incoming to your network is passing the "input" chain. That is not true!
> The "input" chain is only for traffic incoming to and processed by the router itself.
Yes, I am aware of that. My simplified example was actually meant for a ping from the router itself etc.
> In your example, traffic outgoing from the router is implicitly accepted by the empty output chain, creates a connection tracking entry there, and its replies are accepted by the established/related rule in your input chain.
As a person with FreeBSD/ipfw/pf background, I had a problem understanding that an empty output chain can create state. In ipfw or pf, an explicit outgoing "pass ... keep-state" rule is required to record state.

(well, pf can record state without an explicit "keep state" statement, but you still need a proper "pass" rule).
 
pe1chl
Forum Guru
Posts: 7185
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPv6 Firewall

Wed Jan 06, 2021 12:33 pm

Actually, connection tracking entries are not created by those filter chains; that happens elsewhere. When you need to avoid a tracking entry, you have to do that in the raw chains (prerouting and output); those are the only ones that are "early enough" to drop packets or to pass them without creating a tracking entry.
By the time you reach the filter chains, the tracking entry already has been created.
That can be relevant e.g. in case of port scans or ddos attacks. Even when dropping traffic in the filter chain, you still can have issues with a large connection tracking table.
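The three explanations given in this thread, mducharme's "auto" tracking mode that only activates once a rule exists, pe1chl's point that vas's router-originated ping gets its state from the empty output chain, and the raw-chain point just above, can be checked against a small model of the packet path. The following is an added example, not part of the thread and not RouterOS or netfilter code: it runs each packet through its raw chain, then the connection-tracking lookup, then its filter chain, with rules written as Python predicates and all packets constructed (2001:db8::/32 is the documentation prefix). It also models a netfilter detail the thread does not spell out: the tracking lookup and allocation happen before the filter chain, but the entry is only committed to the table when the packet is accepted, so a filter-chain drop still costs the lookup while a raw `notrack` avoids it entirely.

```python
"""Model of where a conntrack entry is created on the raw -> conntrack -> filter
path (added example; not RouterOS or netfilter code). Rules are Python predicates,
packets are constructed, and 'tracking' follows the MikroTik auto/on/off semantics
described in the thread."""

UNTRACKED, NEW, ESTABLISHED = "untracked", "new", "established"

def _key(p):
    return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])

def _reverse(k):
    proto, src, sport, dst, dport = k
    return (proto, dst, dport, src, sport)

class Firewall:
    def __init__(self, tracking="auto"):
        self.tracking = tracking                       # auto | on | off
        self.raw = {"prerouting": [], "output": []}    # runs before conntrack
        self.filter = {"input": [], "forward": [], "output": []}
        self.table = set()      # confirmed conntrack entries, keyed by flow 5-tuple
        self.lookups = 0        # conntrack work done before any filter rule ran

    def add(self, table, chain, action, match=lambda p, s: True):
        """match(packet, conn_state) -> bool; action is accept, drop or (raw only) notrack."""
        getattr(self, table)[chain].append((match, action))

    @staticmethod
    def _first(rules, p, state):
        for match, action in rules:
            if match(p, state):
                return action
        return None                                    # end of chain: implicit accept

    def tracking_active(self):
        """'auto' tracks only once at least one filter rule exists (mducharme's point)."""
        return self.tracking == "on" or (self.tracking == "auto" and any(self.filter.values()))

    def process(self, p):
        """Run one packet through its raw chain, conntrack, then its filter chain."""
        local_out = p["chain"] == "output"             # router-originated traffic
        raw = self._first(self.raw["output" if local_out else "prerouting"], p, UNTRACKED)
        if raw == "drop":
            return "drop", UNTRACKED
        state = UNTRACKED
        if raw != "notrack" and self.tracking_active():
            self.lookups += 1                          # lookup/allocation happens before filter
            k = _key(p)
            state = ESTABLISHED if (k in self.table or _reverse(k) in self.table) else NEW
        verdict = self._first(self.filter[p["chain"]], p, state) or "accept"
        if verdict == "accept" and state == NEW:
            self.table.add(_key(p))                    # confirmed into the table only on accept
        return verdict, state

def pkt(chain, proto, src, sport, dst, dport, iface="sit1"):
    """Constructed packet; 2001:db8::/32 is the documentation prefix."""
    return dict(chain=chain, proto=proto, src=src, sport=sport, dst=dst, dport=dport, iface=iface)

def vas_example():
    """vas's two input rules and an empty output chain: a router-originated ping
    is accepted by the empty output chain, which is where its entry gets created."""
    fw = Firewall("auto")
    fw.add("filter", "input", "accept", lambda p, s: s == ESTABLISHED)
    fw.add("filter", "input", "drop", lambda p, s: p["iface"] == "sit1")
    echo = fw.process(pkt("output", "icmpv6", "2001:db8::1", 0, "2001:db8::2", 0))
    reply = fw.process(pkt("input", "icmpv6", "2001:db8::2", 0, "2001:db8::1", 0))
    probe = fw.process(pkt("input", "tcp", "2001:db8::3", 40000, "2001:db8::1", 22))
    return echo, reply, probe, len(fw.table)

def raw_notrack_example():
    """Same unsolicited probe, but exempted in raw prerouting: the filter drop now
    happens without any conntrack lookup at all."""
    fw = Firewall("auto")
    fw.add("raw", "prerouting", "notrack", lambda p, s: p["proto"] == "tcp" and p["dport"] == 22)
    fw.add("filter", "input", "drop", lambda p, s: p["iface"] == "sit1")
    return fw.process(pkt("input", "tcp", "2001:db8::3", 40000, "2001:db8::1", 22)), fw.lookups

def tracking_modes():
    """No rules at all: only tracking='on' records the router's own outgoing DNS query."""
    out = {}
    for mode in ("auto", "on", "off"):
        fw = Firewall(mode)
        fw.process(pkt("output", "udp", "2001:db8::1", 5353, "2001:db8::53", 53))
        out[mode] = len(fw.table)
    return out
```

`vas_example()` returns the echo request as ("accept", "new"), its reply as ("accept", "established") and the unsolicited probe as ("drop", "new") with exactly one entry in the table: the state came from the empty output chain, not from any input rule. `raw_notrack_example()` drops the same probe with zero lookups, and `tracking_modes()` gives {"auto": 0, "on": 1, "off": 0}, which is the auto-vs-on difference mducharme observed between Debian/Ubuntu and CentOS.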
 
vas
just joined
Posts: 24
Joined: Mon Jan 04, 2021 5:35 am
Location: Tomsk, Russia

Re: IPv6 Firewall

Wed Jan 06, 2021 1:10 pm

> Actually, connection tracking entries are not created by those filter chains, that happens elsewhere. When you need to avoid a tracking entry, you have to do that in the raw chains (prerouting and output), that is the only one that is "early enough" to drop packets or to pass them but not create a tracking entry.
> By the time you reach the filter chains, the tracking entry already has been created.
> That can be relevant e.g. in case of port scans or ddos attacks. Even when dropping traffic in the filter chain, you still can have issues with a large connection tracking table.
Thanks, this is useful information. I wonder if MikroTik is different from the generic Linux in this aspect.
 
pe1chl
Forum Guru
Posts: 7185
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPv6 Firewall

Wed Jan 06, 2021 1:22 pm

It isn't. This is just Linux iptables.
(there are other firewall systems in Linux)
 
vas
just joined
Posts: 24
Joined: Mon Jan 04, 2021 5:35 am
Location: Tomsk, Russia

Re: IPv6 Firewall

Thu Jan 07, 2021 4:34 am

> It isn't. This is just Linux iptables.
> (there are other firewall systems in Linux)
It is strange however, that on Debian 10, when `iptables -L` has no rules (default configuration after installation), the output of `conntrack -L` is empty.
 
mducharme
Trainer
Posts: 1128
Joined: Tue Jul 19, 2016 6:45 pm

Re: IPv6 Firewall

Thu Jan 07, 2021 6:48 am

> It is strange however, that on Debian 10, when `iptables -L` has no rules (default configuration after installation), the output of `conntrack -L` is empty.
On CentOS 7, I run iptables -L and get this:
[root@srv /]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
But running conntrack -L gives me several hundred lines of tracked connections as output.

EDIT: just tried on Ubuntu and conntrack -L shows nothing when there are no rules. Presumably, then, "auto" and "on" are from Linux, and CentOS uses the equivalent of the MikroTik "on" setting while Debian and Ubuntu use "auto".
 
vas
just joined
Posts: 24
Joined: Mon Jan 04, 2021 5:35 am
Location: Tomsk, Russia

Re: IPv6 Firewall

Thu Jan 07, 2021 7:57 am

> Just tried on Ubuntu and conntrack -L shows nothing when there are no rules. Presumably, then, "auto" and "on" are from Linux, and CentOS uses the equivalent of the MikroTik "on" setting while Debian and Ubuntu use "auto".
Looks like it. Now we have the complete picture.

In fact, it looks more reasonable not to waste resources on connection tracking when this information is never used in any firewall rule.
 
gargvarun041
just joined
Posts: 1
Joined: Fri Jan 08, 2021 2:46 pm

Re: IPv6 Firewall

Fri Jan 08, 2021 3:28 pm

hello,

Thank you so much for sharing this helpful information, it helped me a lot

Thanks and regards.:)
