xphyr
just joined
Topic Author
Posts: 2
Joined: Mon May 10, 2021 6:23 pm

IPv6 Firewall - not passing tcp traffic

Mon May 10, 2021 7:03 pm

I have been happily using my Mikrotik RB3011 router for home use for a little over a year and it works great for everything I have tried to set up so far. Nothing too fancy, multiple VLANs and multiple routed subnets all working great with IPv4. I decided it was time to try IPv6 and so I enabled the IPv6 module, and installed the "default" set of IPv6 firewall rules. I can get IPv6 addresses on all my machines, and can even ping IPv6 addresses like "google.com" for test purposes. BUT if I try to connect to a service (say a web site, ssh, etc.) the connection is never made. It seems like it's dropping all incoming connections regardless of whether they are related or established. I am hoping someone with a better understanding of the firewall rules than I might be able to help:
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked 
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
Thanks for any thoughts or assistance on this.
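An added example (not from the post or from MikroTik) that walks the rule set quoted above the way RouterOS does: first match in the chain wins, and a packet that matches no rule is accepted by the default policy. It parses the `add ...` lines verbatim and evaluates a few constructed packets against them. The packets and interface-list memberships are assumptions for illustration; in particular, the "VLAN not in LAN list" scenario is a hypothesis about why the symptom in the post (ping works, TCP sessions never complete) can appear, since both chains end with `in-interface-list=!LAN` drops while ICMPv6 is accepted before that rule. The `bad_ipv6` address lists are not shown on the page, so they are treated as empty here.

```python
import ipaddress
import shlex

# The IPv6 filter rules quoted in the post (copied verbatim).
RULES_TEXT = """
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
"""

def parse_rules(text):
    """Turn `add key=value ...` lines into dicts; shlex handles the quoted comments."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rules.append(dict(tok.partition("=")[::2] for tok in tokens[1:]))
    return rules

def _ports(spec):
    """Expand "500,4500" or "33434-33534" into a set of port numbers."""
    result = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        result.update(range(int(lo), int(hi or lo) + 1))
    return result

def _match(rule, pkt):
    """Return True when every matcher in the rule applies to the packet."""
    for key, value in rule.items():
        if key in ("action", "chain", "comment"):
            continue
        if key == "connection-state":
            ok = pkt.get("connection_state") in value.split(",")
        elif key == "protocol":
            ok = pkt.get("protocol") == value
        elif key == "port":  # matches either source or destination port
            ok = {pkt.get("src_port"), pkt.get("dst_port")} & _ports(value) != set()
        elif key == "dst-port":
            ok = pkt.get("dst_port") in _ports(value)
        elif key == "src-address":
            ok = ipaddress.ip_address(pkt["src_address"]) in ipaddress.ip_network(value)
        elif key == "in-interface-list":  # a leading "!" negates the match
            negate = value.startswith("!")
            ok = (value.lstrip("!") in pkt.get("in_interface_lists", set())) != negate
        elif key in ("src-address-list", "dst-address-list"):
            ok = value in pkt.get(key.replace("-", "_") + "s", set())
        elif key == "hop-limit":
            op, _, n = value.partition(":")
            hl, n = pkt.get("hop_limit", 64), int(n)
            ok = {"equal": hl == n, "not-equal": hl != n,
                  "less-than": hl < n, "greater-than": hl > n}[op]
        elif key == "ipsec-policy":
            ok = pkt.get("ipsec_policy") == value
        else:
            raise ValueError(f"unsupported matcher: {key}")
        if not ok:
            return False
    return True

def evaluate(rules, pkt):
    """First matching rule in the packet's chain wins; no match means the default accept."""
    for rule in rules:
        if rule["chain"] == pkt["chain"] and _match(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "default policy (no rule matched)"

def scenarios():
    """Constructed packets (assumed addresses/ports/lists), one per situation of interest."""
    rules = parse_rules(RULES_TEXT)
    def fwd(state, proto, lists, dst_port=None):
        return {"chain": "forward", "connection_state": state, "protocol": proto,
                "src_address": "2001:db8:1::10", "dst_address": "2001:db8:ffff::80",
                "src_port": 50000, "dst_port": dst_port, "in_interface_lists": set(lists)}
    dhcp = {"chain": "input", "connection_state": "new", "protocol": "udp",
            "src_address": "fe80::1", "src_port": 547, "dst_port": 546,
            "in_interface_lists": {"WAN"}}
    return {
        "lan_tcp_new": evaluate(rules, fwd("new", "tcp", {"LAN"}, 443)),
        "vlan_not_in_lan_tcp_new": evaluate(rules, fwd("new", "tcp", set(), 443)),
        "vlan_not_in_lan_ping": evaluate(rules, fwd("new", "icmpv6", set())),
        "wan_return_established": evaluate(rules, fwd("established", "tcp", {"WAN"}, 50000)),
        "dhcpv6_reply_input": evaluate(rules, dhcp),
    }

if __name__ == "__main__":
    for name, (action, why) in scenarios().items():
        print(f"{name:28} -> {action:6} ({why})")
```

The two forward-chain TCP scenarios differ only in whether the ingress interface belongs to the `LAN` interface list: the member is accepted by the default policy, the non-member is dropped by the last rule, while ICMPv6 from that same non-member is still accepted by the earlier "accept ICMPv6" rule. On a real router the equivalent check is `/interface list member print` against the VLAN interfaces, together with `/ipv6 firewall filter print stats` to see which rule's counters grow while a TCP connection attempt is made.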
