n377 (Topic Author)

Updating the firewall when a dynamic IPv6 prefix delegation changes

Tue Nov 03, 2020 8:36 pm

Here is a script that updates IPv6 firewall address list entries when an IPv6 prefix changes:

https://n377.de/mikrotik-routeros-script-update-the-firewall-with-dynamic-ipv6-prefix.html

You can just get the script and start using it. A how-to is included. If you want to know more about why I wrote it, here is the rationale:

RouterOS doesn't have a facility for filtering network traffic based on a dynamic prefix. If you want to allow traffic just to a particular server on your network, but its IPv6 prefix is dynamic, there is currently no way to do that with built-in RouterOS functionality, except scripting.

In practical terms, this is what you will find when your ISP assigns dynamic prefixes: Let's say a random /56 prefix is assigned to your router every time you connect to your ISP (after a power outage, RouterOS update, daily, etc.). The router puts this prefix in an address pool and assigns /64s from this pool to your LAN segments. The server in your LAN assigns itself an EUI-64 address from that /64. You want to allow (for example) external HTTPS traffic on TCP port 443 to reach just that server, but the firewall has no way of matching just on the interface identifier part of the address. If you put the full address in a firewall rule, it will stop working as soon as you reconnect to the ISP and your LAN is renumbered with the new IPv6 prefix. If you simply allow TCP port 443 to the LAN interface without checking the address, you expose all servers on your LAN.

At this point you realize you need a script, because otherwise you would have to constantly update firewall rules manually or leave the firewall too far open.

With this script you put the IPv6 address of your server in an IPv6 address list, attach a comment with some extra information to that address list entry, and let the script perform the update when you get a new prefix. You can then use the address list instead of static addresses in your firewall rules.

The script doesn't just look at the prefix of an address pool to update the address list entries, because the assignment of sub-prefixes to interfaces is also not static in RouterOS: The bits between the prefix from the internet provider and your interface identifiers can change. Therefore the script looks at the address assigned to a given interface and uses that to update the address list entry.

So there you are, a script that allows you to have a proper IPv6 firewall on a MikroTik router even if your ISP assigns dynamic prefixes.
