rb760igs
just joined
Topic Author
Posts: 21
Joined: Wed Feb 14, 2024 5:33 pm
Location: hEX S RB760iGS r2 OS v7.12.1

ipv6 issues with hEX S RB760iGS

Fri Mar 01, 2024 4:31 am

Hi,

I'm almost certainly making a fundamental error but I can't see where ipv6 can be configured on my new hEX S RB760iGS. Software version is MikroTik RouterOS 6.49.13.

Is it available in this version? In the terminal, when I try to use ping6:

bad command name ping6 (line 1 column 1)

What do I need to do?
 
rb760igs
just joined
Topic Author
Posts: 21
Joined: Wed Feb 14, 2024 5:33 pm
Location: hEX S RB760iGS r2 OS v7.12.1

Re: ipv6 issues with hEX S RB760iGS

Fri Mar 01, 2024 5:01 am

Solved it with a bit more reading ;)

/system package enable ipv6

then reboot. It's not enabled by default.
 
mkx
Forum Guru
Posts: 11640
Joined: Thu Mar 03, 2016 10:23 pm

Re: ipv6 issues with hEX S RB760iGS

Sat Mar 02, 2024 2:48 pm

On ROS v6, ipv6 package is optional and by default it's not even installed (it has to be downloaded from mikrotik download page in extras archive, unpacked and uploaded to device). And since it's installed later than the rest of system, default setup doesn't get applied (that only gets applied when configuration is reset to factory defaults and it includes all optional packages installed and enabled at that particular time). After a package is installed, it's automatically enabled as well.

So somebody did some job regarding IPv6 on your device. And very likely it's completely unconfigured (meaning no IPv6 firewall, etc.). Or it's configured to a certain extent, but if you didn't do the work so far by yourself, you can't rely on any config that might be present. Either way, draw your own conclusions.
 
rb760igs
just joined
Topic Author
Posts: 21
Joined: Wed Feb 14, 2024 5:33 pm
Location: hEX S RB760iGS r2 OS v7.12.1

Re: ipv6 issues with hEX S RB760iGS

Sat Mar 02, 2024 6:05 pm

You're right, ipv6 wasn't there at all, I had to install it.
Found I couldn't configure it, so went with osv7 which apparently has better support.
It's still not configured properly though, see my other thread viewtopic.php?t=205139
 
mkx
Forum Guru
Posts: 11640
Joined: Thu Mar 03, 2016 10:23 pm

Re: ipv6 issues with hEX S RB760iGS

Sat Mar 02, 2024 8:05 pm

If you went from v6 to v7 via upgrade, then upgrade process converts existing config. Since IPv6 config was empty, it remained empty after upgrade. Upgrade never applies default config.

You can see default config (including IPv6) by running command /system/default-configuration/print inside a really wide terminal window. You can copy-paste it to get something to work on.
 
rb760igs
just joined
Topic Author
Posts: 21
Joined: Wed Feb 14, 2024 5:33 pm
Location: hEX S RB760iGS r2 OS v7.12.1

Re: ipv6 issues with hEX S RB760iGS

Sun Mar 03, 2024 3:18 am

It wasn't empty before upgrade. What happened was this:

1. bought router - it has routeros 6
2. no ipv6, so install ipv6
3. tried to configure it and failed to get a working config
4. upgraded to routeros7
5. still failing to get a working config

> You can see default config (including IPv6) by running command /system/default-configuration/print inside a really wide terminal window.

Thanks, that's useful to know.
 
CGGXANNX
Frequent Visitor
Posts: 64
Joined: Thu Dec 21, 2023 6:45 pm

Re: ipv6 issues with hEX S RB760iGS

Sun Mar 03, 2024 9:40 am

Most importantly, don't forget to copy the IPv6 firewall rules from the default configuration. If you don't intend to use IPSEC with IPv6, you can disable the rules related to ipsec and ESP, AH to save CPU resources. IPv6 has no fasttrack support in RouterOS, so expect that the routing performance of your hEX S will be limited to around 280 Mbps when using IPv6.
 
rb760igs
just joined
Topic Author
Posts: 21
Joined: Wed Feb 14, 2024 5:33 pm
Location: hEX S RB760iGS r2 OS v7.12.1

Re: ipv6 issues with hEX S RB760iGS

Sun Mar 03, 2024 4:12 pm

I thought there was no default firewall config for ipv6 on routerOS? Mind you, I didn't note the date of the documents I
read. They might have been old.

There was nothing in the ipv6 firewall section. I wanted to protect the RB760 itself and only itself
as the connected machines have their own firewalls and policies. So I made the following rule:
ipv6-firewall.png
and then scanned the ND ::1 via http://www.ipv6scanner.com/cgi-bin/main.py

...which produced "filtered" for all common ports :D
 
CGGXANNX
Frequent Visitor
Posts: 64
Joined: Thu Dec 21, 2023 6:45 pm

Re: ipv6 issues with hEX S RB760iGS

Sun Mar 03, 2024 7:25 pm

> I thought there was no default firewall config for ipv6 on routerOS? Mind you, I didn't note the date of the documents I
> read. They might have been old.
>
> There was nothing in the ipv6 firewall section. I wanted to protect the RB760 itself and only itself
> as the connected machines have their own firewalls and policies. So I made the following rule:
>
> ipv6-firewall.png
>
> and then scanned the ND ::1 via http://www.ipv6scanner.com/cgi-bin/main.py
>
> ...which produced "filtered" for all common ports :D

There are default IPv6 firewall rules for the default configuration, if you reset the router's configuration in RouterOS7, or in RouterOS6 with the IPv6 package installed. The rules look similar to those here, but not identical: https://help.mikrotik.com/docs/display/ ... d+Firewall. For instance, the raw rules are not used. When you run the command

/system default-configuration print

as suggested by @mkx, you can see these rules included in the output. That's what you should copy if you don't want to reset your router back to the default configuration.

ipv6-filters.png

The single rule from your screenshot is not good enough, because it blocks all IPv6 WAN communications of your router, it blocks all responses, not just incoming connections, and doesn't protect clients in your LAN network, which use the chain "forward". IPv6 addresses in your LAN will be accessible from the internet with no protection. Also please note that ICMP is very important for a functional IPv6 and should not be blindly blocked.
 
rb760igs
just joined
Topic Author
Posts: 21
Joined: Wed Feb 14, 2024 5:33 pm
Location: hEX S RB760iGS r2 OS v7.12.1

Re: ipv6 issues with hEX S RB760iGS

Sun Mar 03, 2024 8:20 pm

> The single rule from your screenshot is not good enough, because it blocks all IPv6 WAN communications of your router, it blocks all responses, not just incoming connections, and doesn't protect clients in your LAN network, which use the chain "forward". IPv6 addresses in your LAN will be accessible from the internet with no protection. Also please note that ICMP is very important for a functional IPv6 and should not be blindly blocked.

I don't want ipv6 firewall rules on the router at all for clients on the ext-LAN, as each client has their own firewall and policies and services.
They need to be directly accessible from the internet. Same goes for ipv4.

I *want* to block all connections from the internet to services on the router only, but I *also* want to access those services from my LAN,
hence the !LAN rule. These two things are my primary concern. I'm not bothered if I can't ping from the router itself. (but see edit)

Edit: I'm wondering how the ipv6 got started in the first place. Probably because I enabled the rule after ipv6 started working, and haven't rebooted it since. In other words, yeah, I realise ipv6 probably won't work after I reboot unless I sort the rules out effectively, at least for icmpv6, because, as you rightly point out, in v6 icmp is a requirement for it to work.
 
CGGXANNX
Frequent Visitor
Posts: 64
Joined: Thu Dec 21, 2023 6:45 pm

Re: ipv6 issues with hEX S RB760iGS

Sun Mar 03, 2024 8:54 pm

Then you can probably ignore the MikroTik's default rules for the forward chain (but it's still good to block forwarding for packets with source or destination in the "bad_ipv6" list). As for the input chain, if you block everything not from the LAN interface list, DHCPv6 prefix delegation won't work because that requires that the router accepts incoming UDP packets on port 546 from the link-local address range on the WAN interface. So, you should include at least the line with the comment "defconf: accept DHCPv6-Client prefix delegation." in front of your drop-all input rule.

I still think it's not bad to copy the rules from the chain "input", and remove the rules related to IKE/ipsec/esp/ah if you want. If you need to disable ICMPv6 echo (ping) but still allow the other vital types, you can copy the raw rules from the bottom of this page and disable the raw icmp6 echo rules https://help.mikrotik.com/docs/display/ ... v6RAWRules. But IMHO there is no need to block ICMPv6 echo to your router.
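
The input-chain ordering discussed in the posts above, as an added example that is not part of any post and is not MikroTik's shipped configuration: it keeps the topic author's "drop everything not from LAN" rule but puts the accepts it would otherwise break in front of it. It assumes an interface list named LAN already exists, and it adds no forward-chain rules; compare it with the output of /system default-configuration print on your own device before relying on it.

```routeros
# Added example (not from the thread): IPv6 input chain that protects only the router.
# Assumption: an interface list named LAN exists, as used by the "!LAN" rule in the thread.
# Rules are evaluated top to bottom, so the final drop must stay last.
/ipv6 firewall filter

# Replies to traffic the router itself started (DNS, NTP, package checks).
# A lone "drop !LAN" rule discards these responses as well.
add chain=input action=accept connection-state=established,related,untracked \
    comment="example: accept established,related,untracked"

# Packets that belong to no known connection and are not valid new ones.
add chain=input action=drop connection-state=invalid \
    comment="example: drop invalid"

# ICMPv6 carries neighbour discovery, router advertisements and
# path-MTU signalling, so IPv6 on the WAN stops working without it.
add chain=input action=accept protocol=icmpv6 \
    comment="example: accept ICMPv6"

# DHCPv6 replies arrive on UDP 546 from the upstream router's
# link-local address; needed for prefix delegation on the WAN side.
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 \
    comment="defconf: accept DHCPv6-Client prefix delegation."

# Anything else that did not enter through a LAN interface is dropped,
# so router services stay reachable from the LAN only.
add chain=input action=drop in-interface-list=!LAN \
    comment="example: drop everything else not coming from LAN"

# Check the resulting order and the per-rule packet counters.
/ipv6 firewall filter print stats
```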
 
rb760igs
just joined
Topic Author
Posts: 21
Joined: Wed Feb 14, 2024 5:33 pm
Location: hEX S RB760iGS r2 OS v7.12.1

Re: ipv6 issues with hEX S RB760iGS

Tue Mar 05, 2024 6:38 pm

> So, you should include at least the line with the comment "defconf: accept DHCPv6-Client prefix delegation." in front of your drop-all input rule.

OK, done that. In the web frontend, it appears under the "raw" tab and not under "Filter Rules".

> I still think it's not bad to copy the rules from the chain "input", and remove the rules related to IKE/ipsec/esp/ah if you want.

Good idea.

> If you need to disable ICMPv6 echo (ping) but still allow the other vital types, you can copy the raw rules from the bottom of this page and disable the raw icmp6 echo rules https://help.mikrotik.com/docs/display/ ... v6RAWRules. But IMHO there is no need to block ICMPv6 echo to your router.

I agree. It also makes things like netdiag difficult if esp. ipv6 icmp is blocked.
