My IPv6 (6.49.2) config uses DHCP-PD to set router's IP and get a delegate prefix for SLAAC clients (settings forward=yes accept-router-advertisements=no accept-redirects=no, dhcp-client add-default-route=yes).
It looks like there is a typo in the guide in one of the ICMPv6 rules:
# NOTE(review): the rule's own comment says "drop", but action=accept. As written, ICMPv6 destined to
# fe80::/10 with a hop-limit other than 255 is accepted rather than dropped, which is the opposite of the
# RFC 4890 intent the comment describes (this mismatch is the typo the post points out).
/ipv6 firewall raw add action=accept chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
Dropping the ::/128 doesn't seem right either:
# ::/128 is the unspecified address. Neighbors legitimately send from it during Duplicate Address
# Detection (Neighbor Solicitation, ICMPv6 type 135, to the solicited-node multicast range), and the
# router has to see those to defend its own addresses. A blanket source-address drop in prerouting
# therefore needs an accept exception placed before it in the chain.
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
/ipv6 firewall raw add action=drop chain=prerouting comment="defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
# Exception for DAD Neighbor Solicitations (type 135) sourced from :: towards the solicited-node
# multicast range ff02::1:ff00:0/104. Rules are evaluated in order and a plain `add` appends to the
# end of the chain, so this rule only takes effect if it sits above the bad_src_ipv6 drop (e.g. via
# place-before=); appended after it, the drop matches first and this accept never fires.
/ipv6 firewall raw add action=accept chain=prerouting src-address=::/128 dst-address=ff02:0:0:0:0:1:ff00::/104 icmp-options=135 protocol=icmpv6
---
My current ICMPv6-related firewall looks like this:
/ipv6 firewall address-list
# Link-local range. None of the rules in this excerpt reference the link_local list (they match on
# the WAN/LAN interface lists instead), so presumably it serves rules outside this excerpt.
add address=fe80::/10 list=link_local
/ipv6 firewall raw
# ...
# Drop bogon IPs
# ...
# All ICMPv6 is diverted to a dedicated chain here. raw/prerouting runs before connection tracking
# and before the input/forward split, so these drops apply both to traffic addressed to the router
# and to traffic it would forward. Since the input chain at the bottom accepts every ICMPv6 packet
# unconditionally, this chain is where WAN-side ICMPv6 towards the router itself gets filtered.
# Assumes interface lists WAN, LAN and LAN-PINGABLE are defined elsewhere — verify.
# In SOHO we only want MLD from local devices (such as IoT, including Apple Homekit)
add chain=prerouting comment="Jump to ICMPv6 chain" \
action=jump jump-target=icmpv6 protocol=icmpv6
# MLD: Query (130), MLDv1 Report (131), MLDv1 Done (132), MLDv2 Report (143) — link-scoped
# multicast signalling that has no business arriving from the WAN side.
add chain=icmpv6 comment="Drop MLD Query from WAN" \
action=drop in-interface-list=WAN protocol=icmpv6 icmp-options=130:0-255
add chain=icmpv6 comment="Drop MLDv1 Report from WAN" \
action=drop in-interface-list=WAN protocol=icmpv6 icmp-options=131:0-255
add chain=icmpv6 comment="Drop MLDv1 Done from WAN" \
action=drop in-interface-list=WAN protocol=icmpv6 icmp-options=132:0-255
add chain=icmpv6 comment="Drop MLDv2 Report from WAN" \
action=drop in-interface-list=WAN protocol=icmpv6 icmp-options=143:0-255
# There is no reason to let internet query local nodes for information
# (Node Information Query, type 139; RFC 4890 recommends filtering it at the border).
add chain=icmpv6 comment="Drop Node Information Query from WAN" \
action=drop in-interface-list=WAN protocol=icmpv6 icmp-options=139:0-255
# Extended Echo Request may allow internet to reach link-local interfaces of otherwise protected devices
# (type 160, RFC 8335 PROBE).
add chain=icmpv6 comment="Drop Extended Echo Request from WAN" \
action=drop in-interface-list=WAN protocol=icmpv6 icmp-options=160:0-255
# Everything not dropped above (including plain Echo Request, type 128, from WAN) continues in
# prerouting and later reaches input or forward.
add chain=icmpv6 comment="Back to prerouting" \
action=return
/ipv6 firewall filter
# chain=forward:
# ...
# - Accept Established, Related, Untracked
# - Drop Invalid
# - Drop bogon IPs
# ...
# Most of the ICMPv6 should never reach the forward chain in the New connection state (Established, Related, Untracked are accepted and Invalid is dropped above)
add chain=forward comment="Jump to ICMPv6 chain" \
action=jump jump-target=icmpv6-forward protocol=icmpv6
# Echo Request (type 128) is the only ICMPv6 allowed to open a new forwarded flow: outbound from LAN,
# and inbound from anywhere only when the destination is on the LAN-PINGABLE interface list.
add chain=icmpv6-forward comment="Accept Echo Request from LAN" \
action=accept in-interface-list=LAN protocol=icmpv6 icmp-options=128:0-255
add chain=icmpv6-forward comment="Accept Echo Request from All to Pingable" \
action=accept out-interface-list=LAN-PINGABLE protocol=icmpv6 icmp-options=128:0-255
# Other new ICMPv6 from LAN is rejected with an explicit admin-prohibited error so local hosts fail
# fast; from WAN it is dropped silently.
add chain=icmpv6-forward comment="Reject All ICMPv6 from LAN" \
action=reject in-interface-list=LAN reject-with=icmp-admin-prohibited
add chain=icmpv6-forward comment="Drop All ICMPv6 from WAN" \
action=drop in-interface-list=WAN
# Packets from an interface in neither LAN nor WAN reach this return and continue with whatever
# follows the jump in the forward chain — presumably only those two lists exist; verify.
add chain=icmpv6-forward comment="Back to forward" \
action=return
# chain=input
# RouterOS is trusted to properly handle ICMPv6 requests thrown at it with respect to its configuration (/ipv6 settings and /ipv6 nd) as well as required authentication (IPsec)
# NOTE(review): this accepts every ICMPv6 type from every interface. Unless input rules not shown
# here precede it, the only WAN-side restriction on ICMPv6 to the router is the raw icmpv6 chain
# above; Echo Request from WAN, for example, still reaches the router.
add action=accept chain=input comment="Accept ICMPv6" protocol=icmpv6