İmposss
newbie
Topic Author
Posts: 48
Joined: Sat Jan 16, 2021 5:30 pm

Do I need a firewall on cAPs?

Wed Jul 06, 2022 2:07 am

Hi
I have a setup in my house: I am using CAPsMAN and one cAP. I have a firewall on the router. Do I need a firewall on the cAP for the input chain (IPv4)?
Second one: accept RA is set to yes in the IPv6 settings for the cAP. Do I need an IPv6 firewall on the cAP? The cAP has a global IPv6 address, because the cAP is my second DNS server.

Thanks.
Last edited by İmposss on Wed Jul 06, 2022 5:52 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Do I need a firewall on cAPs?

Wed Jul 06, 2022 11:23 am

If you trust all the devices in your home network, a firewall on the device connecting the home network to the internet is sufficient. If you don't trust all of them, and create multiple VLANs/SSIDs so that trusted devices would use one VLAN/SSID and non-trusted ones would use another, it may still be enough to have a firewall on the main router if the cAPs have no IP interfaces in the non-trusted VLANs. I have most of the client devices in "guest" network, so from these devices it is not only impossible to connect to the management interfaces of the Mikrotiks, but they even cannot exchange data with each other, only with servers in the internet.

NB: the proper name of a "public" address in the IPv6 vernacular is "global".
 
İmposss
newbie
Topic Author
Posts: 48
Joined: Sat Jan 16, 2021 5:30 pm

Re: Do I need a firewall on cAPs?

Wed Jul 06, 2022 5:57 pm

If you trust all the devices in your home network, a firewall on the device connecting the home network to the internet is sufficient. If you don't trust all of them, and create multiple VLANs/SSIDs so that trusted devices would use one VLAN/SSID and non-trusted ones would use another, it may still be enough to have a firewall on the main router if the cAPs have no IP interfaces in the non-trusted VLANs. I have most of the client devices in "guest" network, so from these devices it is not only impossible to connect to the management interfaces of the Mikrotiks, but they even cannot exchange data with each other, only with servers in the internet.

NB: the proper name of a "public" address in the IPv6 vernacular is "global".
Thank you.
What is your opinion on IPv6?
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" disabled=yes protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept linklocal" src-address=fe80::/10
add action=accept chain=input comment="defconf: accept multicast" src-address=fe00::/8
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all"
Is it enough?
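To see what the posted input chain actually does to traffic arriving at the cAP, here is an added example (not RouterOS code and not from the poster): a small Python evaluator that walks the rules above in order, first match wins, the way the RouterOS filter does. The rules are transcribed from the post; the packets are constructed samples, the cAP address 2001:db8::2 is from the documentation prefix, and the connection-tracking state on each packet is assumed rather than computed.

```python
# Added example: evaluates the IPv6 input-chain rules posted above against
# constructed sample packets. Not RouterOS code; first matching rule wins,
# as in the RouterOS filter table.
from dataclasses import dataclass, replace
from typing import Optional
import ipaddress


@dataclass
class Packet:
    src: str                  # source IPv6 address
    dst: str                  # destination IPv6 address (the cAP itself, for chain=input)
    protocol: str             # "icmpv6", "udp", "tcp", "ipsec-ah", "ipsec-esp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    conn_state: str = "new"   # assumed conntrack verdict: new/established/related/untracked


@dataclass
class Rule:
    action: str
    comment: str
    disabled: bool = False
    protocol: Optional[str] = None
    src_address: Optional[str] = None          # prefix, e.g. "fe80::/10"
    dst_port: tuple = ()                       # RouterOS dst-port=500,4500
    port: Optional[tuple] = None               # RouterOS port=a-b matches src OR dst port
    connection_state: tuple = ()

    def matches(self, pkt: Packet) -> bool:
        if self.disabled:
            return False
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.src_address and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_address):
            return False
        if self.dst_port and pkt.dst_port not in self.dst_port:
            return False
        if self.port:
            lo, hi = self.port
            if not any(p is not None and lo <= p <= hi for p in (pkt.src_port, pkt.dst_port)):
                return False
        if self.connection_state and pkt.conn_state not in self.connection_state:
            return False
        return True


# The input chain exactly as posted, transcribed into Rule objects.
INPUT_CHAIN = [
    Rule("accept", "defconf: accept ICMPv6 after RAW", disabled=True, protocol="icmpv6"),
    Rule("accept", "defconf: accept established,related,untracked",
         connection_state=("established", "related", "untracked")),
    Rule("accept", "defconf: accept UDP traceroute", protocol="udp", port=(33434, 33534)),
    Rule("accept", "defconf: accept linklocal", src_address="fe80::/10"),
    Rule("accept", "defconf: accept multicast", src_address="fe00::/8"),
    Rule("accept", "defconf: accept IKE", protocol="udp", dst_port=(500, 4500)),
    Rule("accept", "defconf: accept IPSec AH", protocol="ipsec-ah"),
    Rule("accept", "defconf: accept IPSec ESP", protocol="ipsec-esp"),
    Rule("drop", "defconf: drop all"),
]


def evaluate(pkt: Packet, chain=INPUT_CHAIN):
    """Return (action, comment) of the first matching rule. RouterOS accepts a
    packet that reaches the end of a chain; here the final unconditional drop
    means that never happens."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "(implicit end of chain)"


def with_icmpv6_enabled(chain=INPUT_CHAIN):
    """The same chain with the posted ICMPv6 rule switched from disabled=yes to disabled=no."""
    return [replace(r, disabled=False) if r.comment.startswith("defconf: accept ICMPv6") else r
            for r in chain]


# Constructed sample traffic arriving at the cAP.
CAP_GLOBAL = "2001:db8::2"
SAMPLES = {
    # Neighbor solicitation from a LAN host: link-local source, multicast destination
    "nd_from_linklocal": Packet("fe80::1", "ff02::1:ff00:2", "icmpv6"),
    # Echo request to the cAP's global address from another global address
    "ping_from_global": Packet("2001:db8::10", CAP_GLOBAL, "icmpv6"),
    # New DNS query to the cAP's global address (the cAP is the second DNS server)
    "dns_query_global": Packet("2001:db8::10", CAP_GLOBAL, "udp", src_port=51000, dst_port=53),
    # The same query from a client that used its link-local address
    "dns_query_linklocal": Packet("fe80::10", "fe80::2", "udp", src_port=51000, dst_port=53),
    # Reply to a lookup the cAP itself sent upstream: conntrack says established
    "dns_reply_established": Packet("2001:db8::53", CAP_GLOBAL, "udp",
                                    src_port=53, dst_port=40000, conn_state="established"),
}


def report(chain=INPUT_CHAIN):
    """Map each sample name to the action the chain takes on it."""
    return {name: evaluate(pkt, chain)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        as_posted = evaluate(pkt)
        icmp_on = evaluate(pkt, with_icmpv6_enabled())[0]
        print(f"{name:24s} as posted: {as_posted!r:55s} ICMPv6 rule enabled: {icmp_on}")
```

Two things the walk-through makes visible. With the ICMPv6 rule left at disabled=yes, ICMPv6 reaches the cAP only from link-local sources (neighbor discovery and router advertisements still work), while an echo request or a packet-too-big message addressed to the cAP's global address falls through to "drop all". And nothing in the chain accepts UDP port 53, so a new DNS query sent to the cAP's global address is dropped, whereas the same query from a link-local source is accepted by the link-local rule; that matters for a cAP that is meant to serve as the second DNS server. Note also that the "accept multicast" rule matches on a source prefix, fe00::/8, which contains fe80::/10, so it only ever adds sources the link-local rule has not already accepted (such as deprecated site-local fec0::/10 addresses); multicast itself is a destination range, ff00::/8.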
