zsolt
just joined
Topic Author
Posts: 9
Joined: Sat Nov 04, 2017 9:57 am

IPv6 Router Advertisement packet filtering in switched network

Fri Jan 03, 2020 9:36 pm

I have a switched network with foreign devices. I use a CRS326 as the switch.
I want to filter out only the IPv6 Router Advertisement packets (ICMPv6 type 134 only) in this switched network.

On HP switches there is an "ra-guard" option, but I want to use MikroTik.
I also tried switch rules and bridge filtering, but I can only filter all types of ICMPv6.

Does anyone know a solution to this?
 
Exiver
Member Candidate
Posts: 122
Joined: Sat Jan 10, 2015 6:45 pm

Re: IPv6 Router Advertisement packet filtering in switched network

Sat Jan 04, 2020 1:09 am

CRS3xx series switches have ACL functionality. You can use the "redirect-to-cpu" parameter to send all ICMPv6 packets to the CPU. The decision whether the packet matches the icmp-type can be done with a suitable firewall rule.
 
zsolt
just joined
Topic Author
Posts: 9
Joined: Sat Nov 04, 2017 9:57 am

Re: IPv6 Router Advertisement packet filtering in switched network

Sun Jan 05, 2020 11:28 am

Thank you for the answer, but I have more questions. I redirected all ICMPv6 to the CPU from the switch chip. But what is the next step?
I found all of the ICMPv6 packets only in the prerouting section of the Mangle and Raw tables. How can I forward them back to the target switch ports?
 
Exiver
Member Candidate
Posts: 122
Joined: Sat Jan 10, 2015 6:45 pm

Re: IPv6 Router Advertisement packet filtering in switched network

Sun Jan 05, 2020 3:00 pm

To be fair: I never tried this myself, and I'm not sure if the packet will reach the ip-firewall or just the bridge-firewall. You will need to check this out. But Mangle is the wrong place - you need to try firewall-filter with "chain=forward". (You may need to enable the setting "use-ip-firewall" in your bridge.)
 
bbs2web
Member Candidate
Posts: 232
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa
Contact:

Re: IPv6 Router Advertisement packet filtering in switched network

Wed Oct 19, 2022 6:42 am

The following forum post appears to provide the necessary requirements to allow one to 'tick the box' to comply with RFC 6105 or superseding RFC 7113:

[SOLVED] CRS - Hardware offloaded (MC-LAG compatible) bridge with IPv6 RA Guard
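
Added example, not taken from any post in this thread and not MikroTik code: the "is this ICMPv6 type 134" decision the thread asks about, written as a frame classifier that also walks VLAN tags and IPv6 extension headers, since a match at a fixed offset misses a Router Advertisement placed behind them (the evasion RFC 7113 addresses). Function names, the `undetermined` verdict and the sample frames are constructed for illustration; AH and ESP are not walked here.

```python
import struct

ETH_VLAN = {0x8100, 0x88A8}        # 802.1Q / 802.1ad tag EtherTypes
ETH_IPV6, ICMPV6, FRAGMENT, RA_TYPE = 0x86DD, 58, 44, 134
GENERIC_EXT = {0, 43, 60}          # hop-by-hop, routing, destination options
UNWALKED = {50, 51}                # ESP, AH: not parsed in this example


def classify_frame(frame: bytes) -> str:
    """Return 'ra', 'not-ra' or 'undetermined' for one Ethernet frame."""
    if len(frame) < 14:
        return "undetermined"
    ethertype, off = struct.unpack_from("!H", frame, 12)[0], 14
    while ethertype in ETH_VLAN:                 # skip stacked VLAN tags
        if len(frame) < off + 4:
            return "undetermined"
        ethertype, off = struct.unpack_from("!H", frame, off + 2)[0], off + 4
    if ethertype != ETH_IPV6:
        return "not-ra"
    if len(frame) < off + 40:
        return "undetermined"
    nxt, off = frame[off + 6], off + 40          # Next Header, end of fixed header
    while True:
        if nxt == ICMPV6:
            if len(frame) <= off:
                return "undetermined"            # ICMPv6 type byte missing
            return "ra" if frame[off] == RA_TYPE else "not-ra"
        if nxt in UNWALKED:
            return "undetermined"
        if nxt != FRAGMENT and nxt not in GENERIC_EXT:
            return "not-ra"                      # some other upper-layer protocol
        if len(frame) < off + 8:
            return "undetermined"                # header chain truncated
        if nxt == FRAGMENT:
            if struct.unpack_from("!H", frame, off + 2)[0] >> 3:
                return "undetermined"            # non-first fragment, no upper header
            nxt, off = frame[off], off + 8
        else:                                    # length is in 8-octet units, minus one
            nxt, off = frame[off], off + 8 * (frame[off + 1] + 1)


def sample_frame(icmp_type, ext=b"", first_nh=ICMPV6, vlan=False):
    """Constructed test frame (zero checksum, not captured traffic)."""
    payload = ext + bytes([icmp_type, 0, 0, 0]) + bytes(12)
    src, dst = b"\xfe\x80" + bytes(13) + b"\x01", b"\xff\x02" + bytes(13) + b"\x01"
    ip6 = struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 255) + src + dst
    tag = b"\x81\x00\x00\x0a" if vlan else b""
    return b"\x33\x33\x00\x00\x00\x01" + bytes(6) + tag + b"\x86\xdd" + ip6 + payload
```

How an `undetermined` frame is treated (drop or pass) is a policy choice for whoever deploys the filter.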
