Trekkie
newbie
Topic Author
Posts: 37
Joined: Thu Feb 07, 2013 1:48 am

ipv6 beginner questions

Mon Feb 11, 2013 5:20 pm

Ok.

So prior to now I didn't have a product that would let me reliably use IPV6. I got a new 493G RouterBoard and have been setting up my Hurricane Electric tunnel. Running RouterOS 5.23

I've got IPV6 working, I can ping and view ipv6.google.com and v6.facebook.com and other sites, but if I run test-ipv6.com it passes

If I do a scan IPv6 Host from HE I get:

Starting Nmap 5.00 ( http://nmap.org ) at 2013-02-11 07:02 PST
Interesting ports on xx
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
88/tcp open kerberos-sec
515/tcp open printer
548/tcp open afp
3689/tcp open rendezvous
5900/tcp open vnc
49152/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 34.10 seconds

Which means my software firewall on the computer is working and doing what I expect (I have those ports open). As best as I can tell, I'm good to go.

I did some searching, and I found one sample IPv6 firewall (http://forum.mikrotik.com/viewtopic.php ... w=previous), but if I enable it, traffic stops. I'm guessing I'm doing it wrong for now. Need to review the accept chains; I'm pretty sure I goofed.

I was wondering if someone could answer what I think is a basic question. Ignoring the NAT as there is no NAT, would every other filter rule I do for IPv4 work for IPv6, meaning if I do everything the same way, it would work the same way? Or is there anything new I should consider?

Also, using Autoconfigure I'm not getting DNS handed out (obviously). Are there any mechanisms to have the router advertise DNS servers?

Thanks
 
Sob
Forum Guru
Posts: 5594
Joined: Mon Apr 20, 2009 9:11 pm

Re: ipv6 beginner questions

Mon Feb 11, 2013 8:41 pm

I did some searching, and I found one sample IPv6 firewall (http://forum.mikrotik.com/viewtopic.php ... w=previous), but if I enable it, traffic stops. I'm guessing I'm doing it wrong for now. Need to review the accept chains; I'm pretty sure I goofed.

If I see it correctly, that firewall has the sit1 interface as WAN, but it does not allow new connections coming from there in the forward chain. So only connections established from LAN will work, thanks to rules accepting established and related connections.

Some say it's good and secure and it's basically true, at least the secure part, because it does not allow anything in. But it also limits the possibilities in a major way. All public addresses being reachable was supposed to be one of the good things that IPv6 brings back. So unless you're overly paranoid, you can allow incoming connections on the router and leave filtering to firewalls on individual hosts.

Also, using Autoconfigure I'm not getting DNS handed out (obviously). Are there any mechanisms to have the router advertise DNS servers?

DHCPv6, stateless or stateful, but not in ROS 5 yet. Probably in ROS 6. Or DNS in RA advertisements if all hosts are either non-Windows ones or you are prepared to install a third-party client on all Windows machines.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
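
An added example, not taken from the thread or from the linked sample firewall: a forward chain that sits between the two options discussed above, keeping the established/related rules while admitting new connections from the tunnel only to a chosen host and port. The interface name sit1 comes from the reply above and port 22 from the scan output; the host address 2001:db8:1::10 (documentation prefix) is an assumption to be replaced with a real LAN address.

```routeros
# Added example (not from the thread). Constructed values are marked.
# Written one connection-state per rule, as RouterOS 5 expects.
/ipv6 firewall filter

# Return traffic for connections that were opened from the LAN side.
add chain=forward connection-state=established action=accept comment="established"
add chain=forward connection-state=related action=accept comment="related"

# Packets the connection tracker cannot place in any connection.
add chain=forward connection-state=invalid action=drop comment="invalid"

# ICMPv6 carries path MTU discovery and error reporting; blocking it
# breaks connectivity in ways that are hard to diagnose.
add chain=forward protocol=icmpv6 action=accept comment="ICMPv6"

# Everything that does not arrive from the tunnel (i.e. LAN to Internet).
add chain=forward in-interface=!sit1 action=accept comment="LAN outbound"

# New inbound connections from the tunnel: only SSH to one host.
# 2001:db8:1::10 is a constructed placeholder address.
add chain=forward in-interface=sit1 protocol=tcp \
    dst-address=2001:db8:1::10/128 dst-port=22 action=accept \
    comment="inbound SSH to one host (assumed address)"

# Anything else arriving from the tunnel is dropped.
add chain=forward in-interface=sit1 action=drop comment="drop other inbound"
```

Rules are evaluated top to bottom and the first match wins, so the final drop only affects tunnel traffic that none of the earlier accept rules matched. Re-running the external port scan after applying the rules confirms that only the intended port still answers.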
