Community discussions

MikroTik App
 
r2504
just joined
Topic Author
Posts: 24
Joined: Sat Jan 21, 2012 3:00 pm

IPv6 firewall with Tunnelbroker

Sat Jan 21, 2012 3:13 pm

I recently setup an IPv6 tunnel via HE which is working fine, however I now noticed that I'm wide open to the internet, despite the fact that I defined an input drop rule in my IPv6 firewall. All the traffic seems to pass via another rule which accepts protocol 58 (icmpv6) ?

What's wrong, or what am I missing ?
 
TonyJr
Member Candidate
Member Candidate
Posts: 201
Joined: Sat Nov 12, 2011 1:30 am
Location: UK
Contact:

Re: IPv6 firewall with Tunnelbroker

Mon Jan 23, 2012 5:32 pm

You need rules for the forward chain. Here is my current v6 firewall:
/ipv6 firewall filter
add action=accept chain=input comment="RB-FW: Allow ICMPv6" disabled=no \
    protocol=icmpv6
add action=accept chain=input comment="RB-FW: Accept established connections" \
    connection-state=established disabled=no
add action=accept chain=input comment="RB-FW: Accept related connections" \
    connection-state=related disabled=no
add action=drop chain=input comment="RB-FW: Drop invalid connections" \
    connection-state=invalid disabled=no
add action=accept chain=input comment="RB-FW: UDP" disabled=no protocol=udp
add action=accept chain=input comment="RB-FW: From wlan" disabled=no \
    in-interface=wlan
add action=accept chain=input comment="RB-FW: From LAN" disabled=no \
    in-interface=lan
add action=accept chain=input comment="RB-FW: From Hotspot" disabled=no \
    in-interface=wlan-Public
add action=log chain=input comment="RB-FW: Log everything else" disabled=no \
    log-prefix="IPV6 INPUT DROP"
add action=drop chain=input comment="RB-FW: Drop everything else" disabled=no
add action=drop chain=forward comment="MAINFW drop invalid connections" \
    connection-state=invalid disabled=no
add action=accept chain=forward comment="MAINFW Accept UDP" disabled=no \
    protocol=udp
add action=accept chain=forward comment="MAINFW accept ICMPv6" disabled=no \
    protocol=icmpv6
add action=accept chain=forward comment=\
    "MAINFW accept established connections" connection-state=established \
    disabled=no
add action=accept chain=forward comment="MAINFW accept related connections" \
    connection-state=related disabled=no
add action=accept chain=forward comment="MAINFW forward from wlan" \
    disabled=no in-interface=wlan src-address=2001:470:xxxx:2::/64
add action=accept chain=forward comment="MAINFW forward from lan" disabled=no \
    in-interface=lan src-address=2001:470:xxxx:1::/64
add action=accept chain=forward comment="MAINFW: forward from wlan-IPv6" \
    disabled=no in-interface=wlan-IPv6 src-address=2001:470:xxxx:3::/64
add action=accept chain=forward comment=\
    "MAINFW forward from Hotspot, only to wan" disabled=yes in-interface=\
    wlan-Public out-interface=sit1
add action=drop chain=forward comment="MAINFW drop bit torrent on hotspot" \
    disabled=yes in-interface=wlan-Public protocol=tcp
add action=drop chain=forward comment="MAINFW drop anything else" disabled=no
 
User avatar
cybernetus
newbie
Posts: 41
Joined: Sat Sep 08, 2012 1:39 am
Location: Belo Horizonte/MG/Brazil
Contact:

Re: IPv6 firewall with Tunnelbroker

Sat Dec 22, 2012 4:33 am

Man, thanks for this firewall example.

works for me :-)
My RBs: RB751U-2HnD, RB951G-2Hnd , RB750-GL

Who is online

Users browsing this forum: alidamji, fabrix, Google [Bot], ichihaifu, Majestic-12 [Bot], mendeboz, sindy, sjoram and 99 guests