ojnab
just joined
Topic Author
Posts: 20
Joined: Thu Nov 03, 2022 11:46 pm

Guest WiFi IPv6 firewall weirdness [SOLVED]

Thu Jan 18, 2024 12:16 am

As per my previous post about setting up guest WiFi with untagged and VLAN-tagged bridged networks between a CCR boundary router, an ax2 AP and an Audience WiFi extender: viewtopic.php?t=203304

IPv4 routing works perfectly with the firewall set to block any access to my local network:
[admin@boundary] > /ip firewall filter print

 3    ;;; block guest from private LAN
      chain=forward action=drop src-address=10.0.0.0/24 dst-address=192.168.0.0/16 

 6    ;;; block guest from this router
      chain=input action=drop src-address=10.0.0.0/24 

[admin@boundary] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 2 ADS  0.0.0.0/0                          XXXXXXX              1
 

[admin@ax2] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS       GATEWAY       DISTANCE
DAc 10.0.0.0/24       guest-bridge         0
DAc 192.168.180.0/24  bridge               0

I can route IPv4 using NAT to the internet from both networks, and on the guest network any attempt to log in to the router is dropped.

I have the same configuration for IPv6, but it doesn't work unless I allow input to my boundary router???
[admin@boundary] > /ipv6 firewall filter print

 2    ;;; block guest from private LANs
      chain=forward action=drop src-address=XXXX:XXXX:XXXX:200::/64 dst-address=XXXX:XXXX:XXXX:0::/56 
      
 6 X  ;;; block guest from this router
      chain=input action=drop src-address=XXXX:XXXX:XXXX:200::/64 
      
[admin@boundary] > /ipv6 route  print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable 
 #      DST-ADDRESS              GATEWAY                  DISTANCE
 0 ADS  ::/0                     fe80::XXXX:XXXX:XXXX...        1
 

[admin@ax2] > /ipv6 route print 
Flags: D - DYNAMIC; I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#      DST-ADDRESS             GATEWAY             DISTANCE
  DAc  XXXX:XXXX:XXXX:1::/64    bridge                     0
  DAc  XXXX:XXXX:XXXX:200::/64  guest-bridge               0
  DAc  fe80::%bridge/64        bridge                     0
  DAc  fe80::%guest-bridge/64  guest-bridge               0

If I try to ping www.he.net with rule 6 enabled I get no answer, but if I disable it I get a response. Rule 6 is an input rule, not a forward rule, so what on earth is going on?

How do I allow the router to route IPv6 traffic to the internet whilst at the same time blocking any attempt to connect to the router itself?
Last edited by ojnab on Thu Jan 18, 2024 2:22 am, edited 1 time in total.
 
ojnab

Re: Guest WiFi IPv6 firewall weirdness

Thu Jan 18, 2024 2:21 am

Found the problem.

The IPv6 firewall behaves differently to the IPv4 firewall for EoIP interfaces.

The simple solution was to set a dst-address on the firewall rule:
[admin@SwissMikroTik] > /ipv6  firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 6    ;;; block guest from this router
      chain=input action=drop src-address=XXXX:XXXX:XXXX:200::/64 dst-address=XXXX:XXXX:XXXX::/48 
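
As an added example, not the poster's configuration: an input chain that keeps the corrected rule from this thread but places the two accepts a router needs in front of it. It uses the thread's placeholder prefixes (site prefix XXXX:XXXX:XXXX::/48, guest subnet XXXX:XXXX:XXXX:200::/64); the established/related and ICMPv6 accepts are additions, since IPv6 neighbour discovery runs over ICMPv6 and an input chain should accept it before any drop.

```routeros
# Added example, not the poster's config. Prefixes are the thread's placeholders:
# site prefix XXXX:XXXX:XXXX::/48, guest subnet XXXX:XXXX:XXXX:200::/64.
# Rules are evaluated top-down; the first matching rule wins.
/ipv6 firewall filter
# replies to connections the router itself opened (DNS, NTP, updates)
add chain=input action=accept connection-state=established,related \
    comment="accept established/related"
# neighbour discovery and router solicitation are ICMPv6; a drop placed
# before this would also catch them
add chain=input action=accept protocol=icmpv6 \
    src-address=XXXX:XXXX:XXXX:200::/64 comment="accept ICMPv6 from guest"
# the thread's corrected rule: guest hosts may not reach any address the
# router holds inside the site prefix
add chain=input action=drop src-address=XXXX:XXXX:XXXX:200::/64 \
    dst-address=XXXX:XXXX:XXXX::/48 comment="block guest from this router"

# verify which rule is matching: per-rule packet and byte counters
/ipv6 firewall filter print stats
```

Watch the counters on the drop rule while a guest host pings an external address; if they climb, the rule above it is not catching what you expected.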
