veso266
newbie
Topic Author
Posts: 27
Joined: Sat Sep 17, 2016 8:34 pm

IPV6 Firewall allow specific port on specific ip only

Wed Sep 18, 2019 7:58 pm

Hi there, I recently set up IPv6 on my router, after following some recommended firewall settings from here: https://wiki.mikrotik.com/wiki/Manual:S ... or_clients
/ipv6 firewall filter
add action=accept chain=forward comment=established,related connection-state=established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=accept chain=forward comment=icmpv6 in-interface=bridge protocol=icmpv6
add action=accept chain=forward comment="local network" in-interface=pppoe-out1 src-address-list=allowed
add action=drop chain=forward log-prefix=IPV6
Now this works great, every incoming request gets dropped.
The problem is I would like to allow ports 80 and 53 to be reached from outside, the same as I did in IPv4 with port forwarding (block everything while allowing a specific port to be reached).

For example,
I would like to allow only ports 80 and 53 here: 2a00:ee2:900:e700:5c47:2365:b1d2:67d
while blocking everything else on every other IP.

Thanks for answering and best regards
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 Firewall allow specific port on specific ip only

Wed Sep 18, 2019 8:05 pm

Think about it, it can't be easier:
/ipv6 firewall filter
add chain=forward dst-address=2a00:ee2:900:e700:5c47:2365:b1d2:67d protocol=tcp dst-port=80 action=accept
...
And of course it needs to be before the last drop rule.
 
veso266
newbie
Topic Author
Posts: 27
Joined: Sat Sep 17, 2016 8:34 pm

Re: IPV6 Firewall allow specific port on specific ip only

Wed Sep 18, 2019 10:26 pm

Thank you, I would never have thought it is so easy.
 
veso266
newbie
Topic Author
Posts: 27
Joined: Sat Sep 17, 2016 8:34 pm

Re: IPV6 Firewall allow specific port on specific ip only

Thu Sep 19, 2019 7:32 pm

Hi,
does someone know why something like this: http://www.ipv6scanner.com/cgi-bin/main.py
reports ports as being filtered instead of closed? How can a tool know if a port is blocked by a firewall or if it is closed?
Can I change my firewall rules so ports will appear closed, not filtered?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 Firewall allow specific port on specific ip only

Thu Sep 19, 2019 9:51 pm

It's action=drop: it silently discards packets and ports will show as filtered. If you use action=reject instead, the router will send back info about closed ports. By default, if you don't have any firewall, closed ports send back either a TCP reset or ICMP port unreachable. There are also other ICMP messages you can send, but I don't remember exactly how scanners interpret them.
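The classification Sob describes, as an added example that is not part of the thread: a small Python check that reports what a scanner sees from one TCP port (open, closed or filtered), using only the standard library and assuming a usable 127.0.0.1 loopback interface for the built-in demo. Use it against your own router to confirm that a drop rule shows as filtered and a reject rule (or no rule) shows as closed.

```python
import socket

# Outcome labels, named the way port scanners report them.
OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def classify_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port from the peer's reaction, as a scanner does.

    - handshake completes                  -> open
    - peer answers with RST (ECONNREFUSED) -> closed   (no firewall, or action=reject)
    - nothing comes back before timeout    -> filtered (action=drop silently discards)
    Works for IPv4 and IPv6 literals; getaddrinfo picks the address family.
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return FILTERED  # unresolvable name: nothing answered
    family, socktype, proto, _, sockaddr = infos[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
        except ConnectionRefusedError:
            return CLOSED
        except (socket.timeout, TimeoutError):
            return FILTERED
        except OSError:
            # Some other ICMP error or no route: the handshake never completed,
            # so this simple classifier reports it as filtered too.
            return FILTERED
        return OPEN


def _free_loopback_port() -> int:
    """Bind an ephemeral port on 127.0.0.1, release it, return it (demo helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Open vs closed on loopback; 'filtered' needs a real drop rule in the path."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    try:
        return {
            "listening": classify_tcp_port("127.0.0.1", listener.getsockname()[1]),
            "unused": classify_tcp_port("127.0.0.1", _free_loopback_port()),
        }
    finally:
        listener.close()
```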
 
veso266
newbie
Topic Author
Posts: 27
Joined: Sat Sep 17, 2016 8:34 pm

Re: IPV6 Firewall allow specific port on specific ip only

Fri Sep 20, 2019 4:34 pm

So that is what is different.
BTW, which one needs less power to perform its action: "drop" or "reject"?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPV6 Firewall allow specific port on specific ip only

Fri Sep 20, 2019 4:53 pm

Drop just discards packets, reject sends extra packets back, so it's more expensive. On the other hand, you'll hardly see any difference, maybe if someone is DDoSing you, but not otherwise.

But reject is a cleaner solution and makes debugging easier, because if something is blocked by mistake, you get clear info. With drop you'll have only a timeout and then you can wonder what's wrong.

Some believe that drop is safer, because it hides the device from bad guys, but that's debatable.
 
empctn
just joined
Posts: 1
Joined: Sun Dec 12, 2021 12:44 am

Re: IPV6 Firewall allow specific port on specific ip only

Sun Dec 12, 2021 12:50 am

Is there another way to specify a port for a specific IPv6 client other than by IP in Forward - Firewall? My IPv6 is dynamic, the range can always change, so I would always have to change the rule. I've already tried Bridge Port Out, but apparently in Forward this option doesn't work.
