For the server role, I cannot see anything that would have to be set specifically to enable client connections via IPv6.
So post the export of the current configuration - don't forget to obfuscate the public and global IP addresses. There are too many things that may be wrong to list them all.
Here you go
# jul/02/2022 01:02:36 by RouterOS 7.3.1
# software id =
#
# model = RB4011iGS+
# serial number =
# Layer-2 layout: one bridge (bridge1-LAN) with VLAN interfaces, an LACP bond and
# two VPN-type interfaces (a static L2TP server binding and WireGuard).
/interface bridge
# protocol-mode=none means no STP/RSTP on the bridge; only ether6 and ether7 below
# have loop-protect=on.
add name=bridge1-LAN protocol-mode=none
/interface ethernet
# NOTE(review): ether1's name is blank here, presumably redacted by the poster.
# The many interface="" / in-interface="" values later in the export most likely
# stand for this same uplink - confirm before reading any rule that uses them.
set [ find default-name=ether1 ] name=""
set [ find default-name=ether2 ] name="ether2-ISP Backup"
set [ find default-name=ether3 ] name=\
"ether3-Synology 820.3ad Link Aggregation"
set [ find default-name=ether4 ] name="ether4-Marv PC"
set [ find default-name=ether6 ] advertise=\
100M-half,100M-full,1000M-half,1000M-full,2500M-full loop-protect=on \
name="ether6-Marv PC"
set [ find default-name=ether7 ] advertise=\
100M-half,100M-full,1000M-half,1000M-full loop-protect=on name=\
"ether7-Marv PC"
set [ find default-name=sfp-sfpplus1 ] advertise=\
1000M-full,10000M-full,2500M-full,5000M-full auto-negotiation=no
/interface l2tp-server
# Static server binding for PPP user "vpn"; it is later added as a bridge port and
# as a member of the LAN interface list.
add name=l2tp-in1 user=vpn
/interface wireguard
# Listens on UDP 13231. No "/interface wireguard peers" section appears in this
# export, so no peers are visible here.
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge1-LAN name=vlan11 vlan-id=11
add interface=bridge1-LAN name=vlan12 vlan-id=12
# NOTE(review): the name says 15 but vlan-id=1 - confirm this is intended.
add interface=bridge1-LAN name=vlan15 vlan-id=1
add interface=bridge1-LAN name=vlan20 vlan-id=20
/interface bonding
# The bond's second slave is the port named "ether4-Marv PC".
add mode=802.3ad name="Synology DS 918+" slaves=\
"ether3-Synology 820.3ad Link Aggregation,ether4-Marv PC"
/interface list
# WAN and LAN drive most firewall rules; membership is set under
# "/interface list member".
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Default IPsec phase-1 profile and phase-2 proposal (used by the L2TP/IPsec server
# unless another profile/proposal is configured - none is shown in this export).
/ip ipsec profile
# NOTE(review): 3des is still offered alongside AES. If no peer needs it, dropping
# 3des removes a legacy cipher a peer could otherwise negotiate.
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
# NOTE(review): same remark for sha1 and 3des in the phase-2 proposal.
# pfs-group=modp2048 enables PFS with a 2048-bit MODP group.
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms="aes-256-c\
bc,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-gcm,3des" \
pfs-group=modp2048
# IPv4 address pools and the DHCP servers that hand them out, followed by the
# DHCPv6 DNS option and a ULA pool.
/ip pool
add name=dhcp ranges=10.25.23.20-10.25.23.200
add name=pool-VLAN ranges=192.168.11.21-192.168.11.250
# NOTE(review): the range ends at .255, the broadcast address if this is a /24.
add name=vpn ranges=192.168.89.2-192.168.89.255
# ovpn-pool (192.168.12.x) is not referenced by any server or profile in this export.
add name=ovpn-pool ranges=192.168.12.21-192.168.12.250
add name=pool-VLAN12 ranges=192.168.13.21-192.168.13.250
add name=pool-VLAN20 ranges=192.168.20.21-192.168.20.250
# pool-OVPN is used both by the DHCP server on vlan15 and by the "ovpn" PPP profile.
add name=pool-OVPN ranges=192.168.15.21-192.168.15.250
# dhcp_pool8 overlaps pool-OVPN and is not referenced elsewhere in this export.
add name=dhcp_pool8 ranges=192.168.15.2-192.168.15.254
/ip dhcp-server
add address-pool=dhcp interface=bridge1-LAN lease-time=1d name=server-LAN
add address-pool=pool-VLAN interface=vlan11 lease-time=1d name=server-VLAN
add address-pool=pool-VLAN12 interface=vlan12 lease-time=1d name=\
server-VLAN12
add address-pool=pool-VLAN20 interface=vlan20 name=server-VLAN20
add address-pool=pool-OVPN interface=vlan15 name=OVPN
/ipv6 dhcp-server option
# DHCPv6 option 23 (DNS servers); the hex value encodes fd00::1.
add code=23 name=DNS value=0xfd000000000000000000000000000001
/ipv6 pool
add name=ULA-pool6 prefix=fd00::/64 prefix-length=64
# Serial ports, PPP profiles, simple queues, routing-protocol stubs and extra
# routing tables.
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
# Profile for OpenVPN clients: both ends are addressed from pool-OVPN and the
# client interface is added to the LAN interface list, so firewall rules treat
# OpenVPN clients as LAN.
add interface-list=LAN local-address=pool-OVPN name=ovpn remote-address=\
pool-OVPN
# NOTE(review): *FFFFFFFE is presumably the built-in default-encryption profile -
# confirm. It hands clients an address from pool "vpn" and an IPv6 prefix from
# pool "IPV6", which is the pool name filled by the DHCPv6 client further down.
set *FFFFFFFE dns-server=10.25.23.1 local-address=192.168.89.1 \
remote-address=vpn remote-ipv6-prefix-pool=IPV6
/queue simple
add max-limit=10M/10M name=queue-VLAN11 target=vlan11
add max-limit=20M/20M name=queue-VLAN12 target=vlan12
/routing bgp template
# NOTE(review): the BGP template and the OSPF instance are enabled although no
# BGP connection or active OSPF area appears in this export; disable them if
# dynamic routing is not in use.
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
# Tables targeted by the mangle mark-routing rules; every route placed in them
# under "/ip route" is disabled in this export.
add fib name=to_ISP1
add fib name=to_ISP2
/tool traffic-generator port
add interface=sfp-sfpplus1 name=port1
# Members of bridge1-LAN.
/interface bridge port
add bridge=bridge1-LAN ingress-filtering=no interface=ether8
add bridge=bridge1-LAN ingress-filtering=no interface=ether9
# NOTE(review): ether10 is a bridge port but also carries its own IP address
# (192.168.1.2/24 under "/ip address"); addresses normally belong on the bridge,
# not on a member port.
add bridge=bridge1-LAN ingress-filtering=no interface=ether10
add bridge=bridge1-LAN ingress-filtering=no interface="Synology DS 918+"
add bridge=bridge1-LAN ingress-filtering=no interface=ether5
# NOTE(review): the L2TP binding for user "vpn" is bridged into the LAN, which
# would place that remote client on the LAN's layer-2 segment - confirm this is
# intended rather than routed access.
add bridge=bridge1-LAN ingress-filtering=no interface=l2tp-in1
add bridge=bridge1-LAN ingress-filtering=no interface="ether6-Marv PC"
add bridge=bridge1-LAN ingress-filtering=no interface="ether7-Marv PC"
add bridge=bridge1-LAN ingress-filtering=no interface=sfp-sfpplus1
# Global IP/IPv6 settings, interface-list membership and the four enabled VPN
# servers (L2TP, OpenVPN, PPTP, SSTP).
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# NOTE(review): the router accepts router advertisements while also acting as an
# IPv6 router; confirm RAs are only expected from the ISP side.
set accept-router-advertisements=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
LAN wan-interface-list=WAN
/interface l2tp-server server
# NOTE(review): use-ipsec=yes permits IPsec but does not enforce it;
# use-ipsec=required rejects L2TP sessions that arrive without IPsec.
set enabled=yes l2tpv3-ether-interface-list=LAN use-ipsec=yes
/interface list member
# NOTE(review): LAN holds bridge1-LAN, vlan12, vlan15 and l2tp-in1 only. vlan11,
# vlan20 and wireguard1 are in no list, so every "in-interface-list=!LAN" drop
# rule applies to them. WAN holds only the blanked interface; "ether2-ISP Backup"
# is not a member, so rules keyed on in-interface-list=WAN do not cover the
# backup uplink.
add comment=defconf interface=bridge1-LAN list=LAN
add comment=defconf interface="" list=WAN
add interface=vlan12 list=LAN
add interface=vlan15 list=LAN
add interface=l2tp-in1 list=LAN
/interface ovpn-server server
# Client certificates are required. auth=sha1 is the only HMAC offered here.
set auth=sha1 certificate=Server cipher=aes256 default-profile=ovpn enabled=\
yes keepalive-timeout=120 require-client-certificate=yes
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
# NOTE(review): besides PPTP itself being enabled, pap (cleartext password) and
# mschap1 are accepted. With L2TP/IPsec, OpenVPN, SSTP and WireGuard already
# configured, disabling this server removes the weakest entry point.
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
# NOTE(review): no certificate= value appears for the SSTP server in this
# export - confirm a server certificate is assigned.
set default-profile=default-encryption enabled=yes
# Router addresses, DDNS, DHCP clients on the uplinks, DHCP network options and
# the DNS resolver.
/ip address
add address=10.25.23.1/24 interface=bridge1-LAN network=10.25.23.0
add address=192.168.11.1/24 interface=vlan11 network=192.168.11.0
add address=192.168.13.1/24 interface=vlan12 network=192.168.13.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.15.1/24 interface=vlan15 network=192.168.15.0
# ether10 is also a member of bridge1-LAN (see "/interface bridge port").
add address=192.168.1.2/24 interface=ether10 network=192.168.1.0
add address=10.2.0.1/24 interface=wireguard1 network=10.2.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1d
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
# Two uplinks obtain addresses by DHCP: the backup ISP port and the blanked
# (redacted) interface.
add interface="ether2-ISP Backup" use-peer-dns=no
add interface="" use-peer-dns=no
/ip dhcp-server network
add address=10.25.23.0/24 comment=LAN dns-server=10.25.23.1 gateway=\
10.25.23.1 netmask=24
add address=192.168.11.0/24 comment=VLAN dns-server=8.8.8.8 gateway=\
192.168.11.1
add address=192.168.13.0/24 gateway=192.168.13.1
add address=192.168.15.0/24 gateway=192.168.15.1
add address=192.168.20.0/24 gateway=192.168.20.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# arriving on any interface the firewall does not block. The IPv4 input drops
# for port 53 are pinned to the single blanked interface, so queries arriving
# on "ether2-ISP Backup" are not dropped by them - worth closing to avoid an
# open resolver on the backup uplink.
set allow-remote-requests=yes cache-size=10240KiB servers=\
1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001
/ip dns static
add address=10.25.23.20 disabled=yes name=marv-server
# IPv4 address lists used by the filter, NAT and raw tables.
# NOTE(review): many entries use 192.168.10.x, but no interface in this export
# has an address in 192.168.10.0/24 (the LAN is 10.25.23.0/24). Those entries
# look like leftovers from an earlier addressing plan - confirm and prune.
# Lists referenced by rules but not defined here: bad_ipv4, allowed_to_router,
# and (in the IPv4 filter) no_forward_ipv6.
/ip firewall address-list
add address=192.168.10.51 comment=OPPO-F7 list="Family Safe Browsing"
add address=192.168.10.52 comment=OPPO-A5s list="Family Safe Browsing"
add address=10.25.23.30 comment=Galaxy-J7-Pro list="Family Safe Browsing"
add address=192.168.10.53 comment=Galaxy-A10 list="Family Safe Browsing"
add address=10.25.23.27 comment=CodeAlpha list="Adult Filter"
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=192.168.10.0/24 comment="Marv Admin" list="Marv Admin"
# NOTE(review): the "Router" list holds 192.168.10.1 and 10.25.23.5, but the
# router's LAN address in this export is 10.25.23.1.
add address=192.168.10.1 comment=Router list=Router
# NOTE(review): the whole of VLAN 11 counts as "Marv Admin" here, while its DHCP
# range is also placed in "Adult Filter" below.
add address=192.168.11.0/24 list="Marv Admin"
add address=192.168.10.48 comment="MSI Marv" list="Adult Filter"
add address=192.168.11.21-192.168.11.250 comment="VLAN 11" list=\
"Adult Filter"
add address=192.168.10.46 comment="OPPO-F1 S" list="Family Safe Browsing"
add address=192.168.12.21-192.168.12.250 comment="VLAN 12" list=\
"Adult Filter"
add address=10.25.23.28 comment="Elijah A52" list="Family Safe Browsing"
# Static ssh_blacklist entry; the filter rules also add to this list dynamically.
add address=14.169.204.14 list=ssh_blacklist
add address=10.25.23.29 comment="Luke A52" list="Family Safe Browsing"
add address=10.25.23.25 comment=Marv-ROG list="Adult Filter"
add address=10.25.23.23 comment="Marv Admin" list="Marv Admin"
add address=10.25.23.5 list=Router
add address=10.25.23.23 comment="Marv PC" disabled=yes list=\
"Family Safe Browsing"
# IPv4 filter table.
# NOTE(review): the input chain has no catch-all drop. A RouterOS chain accepts
# any packet that no rule matches, so the input "accept" rules below change
# nothing and the router is reachable on every enabled service from every
# interface except where an explicit drop applies (DNS on the blanked interface,
# "Port Scan Attackers", ssh_blacklist/ftp_blacklist). The stock default
# configuration ends input with "accept established,related", "drop invalid"
# and a drop for everything not arriving from LAN; none of these are present.
/ip firewall filter
# psd=21,3s,3,1 is weight threshold, delay window, low-port weight, high-port
# weight. One MAC address is exempted from detection.
add action=add-src-to-address-list address-list="Port Scan Attackers" \
address-list-timeout=1w3d chain=input comment="Port Scan Attackers" \
protocol=tcp psd=21,3s,3,1 src-mac-address=!80:61:5F:0D:E4:25
# NOTE(review): sources detected in forward are listed too, but the only drop
# that uses this list is in the input chain.
add action=add-src-to-address-list address-list="Port Scan Attackers" \
address-list-timeout=5d chain=forward comment="Port Scan Attackers" \
protocol=tcp psd=21,3s,3,1 src-mac-address=!80:61:5F:0D:E4:25
# Lets any PPP (VPN) client reach TCP 3389 on any forwarded destination; the
# same rule is repeated further down without a comment.
add action=accept chain=forward comment="Allow remote desktop" dst-port=3389 \
in-interface=all-ppp protocol=tcp
add action=fasttrack-connection chain=forward comment="Fastrack SFP+ Port" \
connection-state=established,related disabled=yes hw-offload=yes \
in-interface=bridge1-LAN
add action=fasttrack-connection chain=forward comment="Fastrack DNS TCP" \
disabled=yes dst-port=53 hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward comment="Fastrack DNS UDP" \
disabled=yes dst-port=53 hw-offload=yes protocol=udp
# These two drops match the blanked interface only; the backup uplink
# "ether2-ISP Backup" is not covered.
add action=drop chain=input comment="Drop incoming DNS request from WAN" \
dst-port=53 in-interface="" protocol=tcp
add action=drop chain=input comment="Drop incoming DNS request from WAN" \
dst-port=53 in-interface="" protocol=udp
# The VPN accepts below carry no interface restriction unless noted, and are
# redundant with the chain's implicit accept (see the note at the top).
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="Allow L2PT / IPSec VPN access" \
dst-port=1701,4500,500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=IPSEC-ESP in-interface-list=WAN \
protocol=ipsec-esp
add action=accept chain=input comment=IPSEC-AH in-interface-list=WAN \
protocol=ipsec-ah
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment=OpenVPN dst-port=1194 protocol=tcp
# Duplicate of the "Allow remote desktop" rule above.
add action=accept chain=forward dst-port=3389 in-interface=all-ppp protocol=\
tcp
add action=drop chain=input src-address-list="Port Scan Attackers"
# NOTE(review): allowed_to_router is not defined in this export.
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input disabled=yes protocol=icmp
# The next two rules would accept every connection state including "new";
# both are disabled.
add action=accept chain=input connection-state=established,related,new \
disabled=yes
add action=accept chain=forward connection-state=established,related,new \
disabled=yes
# Only records sources; nothing drops on "Trying to access router". The "Router"
# list does not contain the router's current LAN address 10.25.23.1.
add action=add-src-to-address-list address-list="Trying to access router" \
address-list-timeout=none-dynamic chain=input dst-address-list=Router \
protocol=tcp src-address-list="!Marv Admin"
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# NOTE(review): this rule is damaged - a whole pasted command ended up as the
# chain name, so it sits in a chain nothing jumps to and never runs. It and the
# following "defconf" accepts (ICMPv6, HIP, no_forward_ipv6) appear to be
# copied from the IPv6 default firewall into the IPv4 table.
add action=drop chain="add action=drop dst-address-list=no_forward_ipv6 commen\
t=\"defconf: drop bad forward IPs\"" comment=\
"defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
# NOTE(review): protocol=rdp is IP protocol 27 (Reliable Data Protocol), not
# Microsoft Remote Desktop, which runs over TCP/UDP 3389. This rule does not do
# what its comment says.
add action=accept chain=forward comment="Remote Desktop Connection" \
in-interface="" protocol=rdp
# FTP and SSH brute-force staging. Both services are disabled under
# "/ip service" in this export, so these rules currently guard nothing on the
# router itself.
add action=accept chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output comment=ftp_blacklist content=\
"530 Login incorrect" protocol=tcp
# Stages are checked highest-first: a source seen in ssh_stage3 is blacklisted,
# one in stage2 moves to stage3, and so on; each stage entry lasts one minute.
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input comment=ssh_blacklist \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input comment=ssh_stage3 connection-state=\
new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input comment=ssh_stage2 connection-state=\
new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input comment=ssh_stage1 connection-state=\
new dst-port=22 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
# Final forward rule. New connections from vlan11, vlan20 and wireguard1 are
# dropped here because those interfaces are not in the LAN list; forwarded
# traffic from either uplink is dropped here as well.
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
# Mangle: marks router-originated (output chain) connections per uplink and
# steers them into routing tables to_ISP1 / to_ISP2.
# NOTE(review): every route defined in those two tables under "/ip route" is
# disabled in this export - confirm the marks still have an effect.
/ip firewall mangle
add action=change-ttl chain=prerouting disabled=yes new-ttl=increment:2 \
passthrough=yes
# out-interface="" is the blanked (redacted) uplink.
add action=mark-connection chain=output connection-mark=no-mark \
connection-state=new new-connection-mark=ISP1_conn out-interface=\
""
add action=mark-routing chain=output connection-mark=ISP1_conn \
new-routing-mark=to_ISP1 out-interface=""
add action=mark-connection chain=output connection-mark=no-mark \
connection-state=new new-connection-mark=ISP2_conn out-interface=\
"ether2-ISP Backup"
add action=mark-routing chain=output connection-mark=ISP2_conn \
new-routing-mark=to_ISP2 out-interface="ether2-ISP Backup"
# IPv4 NAT: masquerade on both uplinks, forced DNS redirection for the two
# filtering lists, VPN masquerade and a few destination-NAT rules.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=""
add action=masquerade chain=srcnat out-interface="ether2-ISP Backup"
# Port-53 queries from listed clients are rewritten to a fixed external
# resolver. NOTE(review): this only catches plain DNS on port 53; clients using
# DNS-over-HTTPS or DNS-over-TLS bypass it.
add action=dst-nat chain=dstnat comment="Family Safe Browsing" dst-port=53 \
protocol=udp src-address-list="Family Safe Browsing" to-addresses=\
185.228.168.168 to-ports=53
add action=dst-nat chain=dstnat comment="Family Safe Browsing" dst-port=53 \
protocol=tcp src-address-list="Family Safe Browsing" to-addresses=\
185.228.168.168 to-ports=53
add action=dst-nat chain=dstnat comment="Adult Filter" dst-port=53 protocol=\
udp src-address-list="Adult Filter" to-addresses=185.228.168.10 to-ports=\
53
add action=dst-nat chain=dstnat comment="Adult Filter" dst-port=53 protocol=\
tcp src-address-list="Adult Filter" to-addresses=185.228.168.10 to-ports=\
53
# Disabled duplicate of the backup-uplink masquerade above.
add action=masquerade chain=srcnat disabled=yes out-interface=\
"ether2-ISP Backup"
add action=dst-nat chain=dstnat comment="Open VPN" disabled=yes dst-port=1194 \
in-interface=all-ppp in-interface-list=all protocol=tcp src-port=1194 \
to-addresses=192.168.10.0/24 to-ports=3389
add action=accept chain=srcnat comment=\
"defconf: accept all that matches IPSec policy" disabled=yes \
ipsec-policy=in,ipsec
# 192.168.25.0/24 is not used by any pool or interface in this export.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.25.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=src-nat chain=srcnat comment="Enable to access PLDT Onu" \
dst-address=192.168.1.1 to-addresses=192.168.1.2
# NOTE(review): this matches on src-port=3389, not dst-port, so it does not
# select RDP connections by their destination port, and it targets
# 192.168.10.22, a subnet with no interface in this export. If remote desktop
# access is still wanted, reaching it through one of the VPNs avoids exposing
# it on the uplink; otherwise remove the rule.
add action=dst-nat chain=dstnat in-interface="" protocol=tcp \
src-port=3389 to-addresses=192.168.10.22
# IPv4 raw table (runs before connection tracking).
# NOTE(review): the first rule is an unconditional accept and is enabled. In raw,
# accept ends processing for the packet, so none of the drops below is ever
# evaluated; the bogon, bad-TCP and spoofing protection in this table is
# currently inactive. In MikroTik's reference ruleset this rule ships disabled
# and is only meant for transparent (bridged) firewalls.
/ip firewall raw
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall"
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
udp src-address=0.0.0.0 src-port=68
# NOTE(review): these three "accept everything else" rules sit ahead of the
# drops. Even with the first rule disabled, traffic from LAN, WAN and PPP
# interfaces would be accepted here before any bogon check runs; in the
# reference ruleset they come last.
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from VPN" in-interface=all-ppp
# bad_ipv4 is not defined under "/ip firewall address-list" in this export.
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN src-address-list=not_global_ipv4
# NOTE(review): dst-address-list expects a list name; here it holds two subnets,
# so the rule refers to a list that does not exist.
add action=drop chain=prerouting comment=\
"defconf: drop forward to local lan from WAN" dst-address-list=\
192.168.10.0/24,192.168.11.0/24 in-interface-list=WAN
# NOTE(review): if this rule were ever reached it would drop all LAN traffic
# not sourced from 192.168.10.0/24 - including the actual LAN 10.25.23.0/24 and
# the VLAN subnets. Correct the source range before re-ordering this table.
add action=drop chain=prerouting comment=\
"defconf: drop local if not from default IP range" in-interface-list=LAN \
src-address=!192.168.10.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
protocol=udp
# bad_tcp chain: drops TCP segments with flag combinations that do not occur in
# normal traffic.
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
# The icmp4 jump target has no rules in this export.
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
jump-target=bad_tcp protocol=tcp
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
protocol=tcp
add action=drop chain=prerouting comment="defconf: drop the rest" disabled=\
yes
# Static routes: host routes to public resolvers via each uplink gateway
# (scope=10), virtual next hops 10.10.10.1 / 10.20.20.2 resolved through those
# hosts with check-gateway=ping, and per-table default routes (all disabled).
# No default route for the main table is defined statically in this export.
/ip route
# NOTE(review): 112.206.128.1 is a public address left unredacted in a public
# post; the poster was asked to obfuscate public addresses.
add disabled=no dst-address=8.8.8.8/32 gateway=112.206.128.1 scope=10
add disabled=no dst-address=8.8.4.4/32 gateway=192.168.0.1 scope=10
add check-gateway=ping disabled=yes dst-address=0.0.0.0/0 gateway=8.8.8.8 \
routing-table=to_ISP1
add check-gateway=ping disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=\
8.8.4.4 routing-table=to_ISP1
add check-gateway=ping disabled=yes dst-address=0.0.0.0/0 gateway=8.8.4.4 \
routing-table=to_ISP2
add check-gateway=ping disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=\
8.8.8.8 routing-table=to_ISP2
# 8.8.8.8 and 8.8.4.4 each have a second host route via a different gateway.
add disabled=no dst-address=8.8.8.8/32 gateway=10.111.0.1 scope=10
add disabled=no dst-address=208.67.222.222/32 gateway=10.111.0.1 scope=10
add disabled=no dst-address=8.8.4.4/32 gateway=10.112.0.1 scope=10
# NOTE(review): three of the following seven routes are exact repeats of
# earlier ones (same destination and gateway); there is also no host route for
# 208.67.220.220 in this export.
add check-gateway=ping disabled=no dst-address=10.10.10.1/32 gateway=\
208.67.222.222 scope=10
add check-gateway=ping disabled=no dst-address=10.20.20.2/32 gateway=8.8.4.4 \
scope=10
add check-gateway=ping disabled=no dst-address=10.20.20.2/32 gateway=\
208.67.220.220 scope=10
add check-gateway=ping disabled=no dst-address=10.10.10.1/32 gateway=8.8.8.8 \
scope=10
add check-gateway=ping disabled=no dst-address=10.10.10.1/32 gateway=\
208.67.222.222 scope=10
add check-gateway=ping disabled=no dst-address=10.20.20.2/32 gateway=8.8.4.4 \
scope=10
add check-gateway=ping disabled=no dst-address=10.20.20.2/32 gateway=\
208.67.220.220 scope=10
# Default routes for the two policy tables; all four are disabled.
add disabled=yes dst-address=0.0.0.0/0 gateway=10.10.10.1 routing-table=\
to_ISP1
add disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=10.20.20.2 \
routing-table=to_ISP1
add disabled=yes dst-address=0.0.0.0/0 gateway=10.20.20.2 routing-table=\
to_ISP2
add disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=10.10.10.1 \
routing-table=to_ISP2
# Management services: everything except WinBox is disabled.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
# WinBox is limited to three IPv4 source ranges. NOTE(review): 192.168.0.1 is
# used as an uplink gateway under "/ip route", which suggests 192.168.0.0/24 is
# an upstream network - confirm it should be trusted for management. The www-ssl
# service does not appear in this export.
set winbox address=10.25.23.0/24,192.168.89.0/24,192.168.0.0/24
set api-ssl disabled=yes
# IPv6 addressing.
# NOTE(review): both address entries are disabled, so this export assigns no
# IPv6 address to bridge1-LAN or wireguard1. The DHCPv6 client requests only a
# delegated prefix into pool "IPV6", and nothing enabled hands that pool to a
# LAN interface - LAN clients therefore have no global prefix to use.
/ipv6 address
add address=fd00::1/128 advertise=no comment="IPv6 ULA address" disabled=yes \
interface=bridge1-LAN
add disabled=yes from-pool=IPV6 interface=wireguard1
/ipv6 dhcp-client
# Runs on the blanked (redacted) uplink.
add add-default-route=yes interface="" pool-name=IPV6 request=\
prefix use-peer-dns=no
/ipv6 dhcp-server
# Disabled, and address-pool is blank in this export.
add address-pool="" dhcp-option=DNS disabled=yes interface=bridge1-LAN name=\
LAN-dhcp6
# IPv6 address lists used by the IPv6 raw and filter tables: bad_ipv6,
# not_global_ipv6, bad_src_ipv6, bad_dst_ipv6 and no_forward_ipv6.
/ipv6 firewall address-list
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
not_global_ipv6
# fc00::/7 covers the fd00::/64 ULA prefix defined under "/ipv6 pool".
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
# Link-local and multicast must never be forwarded between interfaces.
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
# IPv6 filter table. Two rule sets are stacked here: the "defconf" set, then a
# second hand-written set. Rules run in order per chain, so the second set only
# sees what the first set did not already accept or drop.
# NOTE(review): before the "drop all not coming from LAN" input rule, the only
# VPN-related accepts are IKE (UDP 500/4500), AH and ESP. Nothing accepts
# TCP 1194 (OpenVPN), TCP 443 (SSTP), TCP 1723 (PPTP) or UDP 13231 (WireGuard)
# over IPv6, so clients connecting to those servers over IPv6 from outside the
# LAN list are dropped.
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# port= matches source or destination port.
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
# NOTE(review): link-local is fe80::/10; this rule uses fe80::/16 - confirm the
# DHCPv6 server's source address falls inside it.
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
ipsec-esp
add action=drop chain=input comment="drop incoming dns request from WAN" \
dst-port=53 in-interface="" protocol=udp
add action=drop chain=input comment="drop incoming dns request from WAN" \
dst-port=53 in-interface="" protocol=tcp
# From here on, only traffic arriving on LAN-list interfaces continues through
# the input chain.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
# vlan11, vlan20 and wireguard1 are not in the LAN list, so new forwarded
# connections from them stop here.
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
# ---- second rule set (input) ----
# NOTE(review): the rules below that match the blanked external interface can
# no longer match, because non-LAN traffic was dropped above. For LAN traffic
# the chain now ends in "Reject everything else", so LAN clients cannot reach
# router services such as DNS or WinBox over IPv6.
add action=drop chain=input comment="Drop (invalid)" connection-state=invalid
add action=accept chain=input comment="Accept (established, related)" \
connection-state=established,related
# NOTE(review): the comment says "Drop ... (>10/sec)" but the action is accept
# and no limit is set.
add action=accept chain=input comment="Drop DHCP (>10/sec)" in-interface=\
"" protocol=udp src-port=547
add action=accept chain=input comment="Accept external ICMP (10/sec)" limit=\
10,5:packet protocol=icmpv6
add action=drop chain=input comment="Drop external ICMP (>10/sec)" \
in-interface="" protocol=icmpv6
# in-interface="!" is a negated match whose interface name is missing from the
# paste (presumably redacted).
add action=accept chain=input comment="Accept internal ICMP" in-interface=\
"!" protocol=icmpv6
add action=drop chain=input comment="Drop external" in-interface=\
""
add action=reject chain=input comment="Reject everything else" reject-with=\
icmp-no-route
add action=accept chain=output comment="Accept all"
# ---- second rule set (forward) ----
add action=drop chain=forward comment="Drop (invalid)" connection-state=\
invalid
add action=accept chain=forward comment="Accept (established, related)" \
connection-state=established,related
add action=accept chain=forward comment="Accept external ICMP (20/sec)" \
in-interface="" limit=20,50:packet protocol=icmpv6
add action=drop chain=forward comment="Drop external ICMP (>20/sec)" \
in-interface="" protocol=icmpv6
add action=accept chain=forward comment="Accept internal" in-interface=\
"!"
add action=accept chain=forward comment="Accept outgoing" out-interface=\
""
add action=drop chain=forward comment="Drop external" in-interface=\
""
add action=reject chain=forward comment="Reject everything else" reject-with=\
icmp-no-route
# IPv6 NAT.
/ipv6 firewall nat
# NOTE(review): all IPv6 traffic leaving the blanked uplink is masqueraded
# behind the router's own address. With a delegated prefix routed to the LAN
# this is normally unnecessary - confirm it is intended.
add action=masquerade chain=srcnat out-interface=""
# NOTE(review): the to-address value of the next rule is split across two lines
# in this paste (likely redaction damage), so it would not import as written.
# The rule is disabled and its source list "Test" is not defined in this export.
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=udp \
src-address-list=Test to-address=2a0d
1::/128 to-ports=53
# IPv6 raw table.
# NOTE(review): as in the IPv4 raw table, the first rule is an enabled,
# unconditional accept. Accept ends raw processing for the packet, so none of
# the drops below is evaluated and the bogon/bad-source protection here is
# inactive. The reference ruleset ships this rule disabled.
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall"
# Duplicate-address-detection neighbour solicitations come from the
# unspecified address and must be let through before the bad_src_ipv6 drop.
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" \
dst-address=ff02::1:ff00:0/104 icmp-options=135:0-255 protocol=icmpv6 \
src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
"defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN src-address-list=not_global_ipv6
# The icmp6 jump target has no rules in this export.
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" \
jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment=\
"defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
"defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
# NOTE(review): once the first rule is disabled, this final drop will discard
# traffic from interfaces in neither list (vlan11, vlan20, wireguard1,
# "ether2-ISP Backup") - fix list membership first.
add action=drop chain=prerouting comment="defconf: drop the rest"
# Neighbour discovery, PPP users and tool settings.
/ipv6 nd
# The default ND entry is disabled; a dedicated entry advertises on bridge1-LAN
# with the "other configuration" flag set and without DNS.
set [ find default=yes ] advertise-dns=no disabled=yes other-configuration=\
yes
add advertise-dns=no interface=bridge1-LAN other-configuration=yes
/ppp secret
# No password= fields appear in this export. NOTE(review): user "vpn" is bound
# to l2tp-in1, which is bridged into the LAN and is a LAN-list member.
add name=vpn profile=default-encryption service=l2tp
add name=ovpn profile=ovpn service=ovpn
add name=marv profile=default-encryption service=l2tp
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool bandwidth-server
# Disabled; authenticate=no would only matter if the server were enabled.
set authenticate=no enabled=no
/tool mac-server
# MAC-Telnet is off everywhere; MAC-WinBox is allowed on LAN-list interfaces,
# which include l2tp-in1 and OpenVPN client interfaces (via the "ovpn" profile).
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool traffic-generator packet-template
add mac-protocol=ip name=packet-template1