whitbread
Member Candidate
Topic Author
Posts: 119
Joined: Fri Nov 08, 2013 9:55 pm

ipv6 package

Sat Mar 13, 2021 5:55 pm

I do not use ipv6 at the moment and I am not planning to do so.

Just a simple question: What implication does it have to install and activate vs. to not install or disable the ipv6 package?
Is it safe to leave it disabled when I want to make sure that no ipv6 traffic takes place?
Or is it better to activate the package, implement firewall rules and a default route type 'unreachable'?
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: ipv6 package

Sat Mar 13, 2021 8:49 pm

No real point in installing the IPv6 package if you are not going to use it (neither do I).
 
whitbread
Member Candidate
Topic Author
Posts: 119
Joined: Fri Nov 08, 2013 9:55 pm

Re: ipv6 package

Sun Mar 14, 2021 9:05 am

Thx for your answer.
So, not installing ipv6 package does block any ipv6 traffic?
I do not want to end up with ipv6 traffic going through my router without being aware of it!
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: ipv6 package

Sun Mar 14, 2021 10:47 am

Router can only pass traffic between L3 interfaces. In case of IPv6 this means interfaces with an IPv6 address set, and without the ipv6 package you can't set an IPv6 address, which means the router blocks all IPv6 traffic between distinct interfaces (note that there's a difference between interface and port).

Bridge can pass any L2 traffic (including, but not limited to, IPv6, IPX, etc.). But that would happen anyway unless there is some special setup in place (e.g. bridge filters, use of IP firewall for bridge traffic, etc.).
 
whitbread
Member Candidate
Topic Author
Posts: 119
Joined: Fri Nov 08, 2013 9:55 pm

Re: ipv6 package

Sun Mar 14, 2021 3:11 pm

hmm ok - this answer seems concluding. Let me ask if I understand it correctly:
As long as ipv6 package is disabled or not installed, no routing takes place, but unhindered traffic within any L2 segment takes place.
If I take a look at a usual switch setup (bridge with hw offloading) this means that any traffic between interfaces in the same subnet / vlan takes place as long as ipv6 is not active. So if I need to block ipv6 traffic even within a L2 segment I need to activate the package and implement appropriate rules (bridge filter or ipv6 firewall)?

Concluding this means that a setup with activated ipv6 package but with deactivated ipv6 forwarding is almost the same (except traffic to and from the Mikrotik device) as a setup with deactivated / not installed ipv6 package?
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: ipv6 package

Sun Mar 14, 2021 10:30 pm

> So if I need to block ipv6 traffic even within a L2 segment I need to activate the package and implement appropriate rules (bridge filter or ipv6 firewall)?

Blocking IPv6 traffic within L2 domain does not rely on ipv6 package at all.

You can do it on (SW) bridge by configuring bridge firewall and blocking frames with certain ether type (bridge firewall property 802.3-type) ... 0x0800 is used for IPv4 and 0x86DD is used for IPv6.
Some switch chips (I don't think all of them) support filters and can filter traffic passing between ports in hardware.
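
The bridge-firewall approach from the post above, as an added example that is not part of the original thread. It assumes RouterOS v6 syntax and a bridge named `bridge1` (hypothetical), and it matches the EtherType of Ethernet II frames with the `mac-protocol` matcher of `/interface bridge filter`.

```routeros
# Added example (RouterOS v6 syntax); "bridge1" is an assumed bridge name.
/interface bridge filter
# Ethernet II frames whose EtherType is 0x86DD (IPv6), port to port.
add chain=forward in-bridge=bridge1 mac-protocol=ipv6 action=drop \
    comment="drop IPv6 between bridge ports"
# IPv6 frames encapsulated in an 802.1Q tag (outer EtherType 0x8100).
add chain=forward in-bridge=bridge1 mac-protocol=vlan vlan-encap=ipv6 \
    action=drop comment="drop tagged IPv6 between bridge ports"
# IPv6 frames addressed to the router itself through the bridge.
add chain=input in-bridge=bridge1 mac-protocol=ipv6 action=drop \
    comment="drop IPv6 to the router via bridge"

# Bridge filter rules are evaluated by the CPU only. Ports with hardware
# offloading active (flag H in the listing) are switched by the chip and
# their frames never reach the rules above.
/interface bridge port print
# Forcing the ports through the CPU makes the filter effective, at the cost
# of switching performance:
/interface bridge port set [find bridge=bridge1] hw=no
```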
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: ipv6 package

Mon Mar 15, 2021 1:10 am

> Concluding this means that a setup with activated ipv6 package but with deactivated ipv6 forwarding is almost the same (except traffic to and from the Mikrotik device) as a setup with deactivated / not installed ipv6 package?

Almost, but not quite - activating the IPv6 package on a router that is already set up will not generate IPv6 firewall rules, and the automatic link-local addresses will therefore be unprotected. Someone on the same subnet as your WAN interface could use the link local and winbox or SSH into your router if there was no password set.

The safest thing to do if you want to activate the package is to activate the package and then reset the router to factory defaults - the factory defaults include the v6 firewall if you reset to them after the IPv6 package has been enabled. If you do not want to have to reset the router to factory defaults, you can issue the command
/system default-configuration print
to see the MikroTik factory default configuration and copy and paste in the ipv6 firewall rule section from that to your router's live config.
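
A minimal IPv6 input-chain rule set for the situation described in the post above, as an added example that is not part of the original thread and is not MikroTik's factory default rule set. It assumes RouterOS v6 syntax and an interface list named `LAN` (hypothetical) that contains only the trusted interfaces.

```routeros
# Added example (RouterOS v6 syntax); NOT the factory default rules.
# Assumes an interface list named LAN holding the trusted interfaces.
/ipv6 firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies to traffic the router started"
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmpv6 action=accept \
    comment="neighbor discovery and ICMPv6 errors"
# Without this rule the automatic link-local address answers WinBox and
# SSH on every interface, including the WAN side.
add chain=input in-interface-list=!LAN action=drop \
    comment="no IPv6 access to the router from untrusted interfaces"
# The router is not meant to route IPv6 at all.
add chain=forward action=drop comment="no IPv6 forwarding"

# The "deactivated ipv6 forwarding" setting discussed in the thread:
/ipv6 settings set forward=no

# Entries flagged L are the link-local addresses created automatically
# when the package was enabled:
/ipv6 address print
```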
 
whitbread
Member Candidate
Topic Author
Posts: 119
Joined: Fri Nov 08, 2013 9:55 pm

Re: ipv6 package

Mon Mar 15, 2021 9:54 pm

OK this information is pretty useful. As I am running a lot of mipsbe devices it is not a good idea to use bridge filters. Actually I use hw-offloading / switching with vlan enabled. If I understand it correctly ipv6 traffic is isolated the same way as ipv4 is. VLAN10 devices cannot connect with VLAN20 devices unless ipv6-routing takes place. So either disable ipv6 package or disable ipv6 forwarding, right?

I do not have any wan interfaces being available from the outside, but I have full blocking ipv6 firewall rules in place anyway.
