IPv4 routing works perfectly with the firewall set to block any access to my local network.
[admin@boundary] > /ip firewall filter print
3 ;;; block guest from private LAN
chain=forward action=drop src-address=10.0.0.0/24 dst-address=192.168.0.0/16
6 ;;; block guest from this router
chain=input action=drop src-address=10.0.0.0/24
[admin@boundary] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
2 ADS 0.0.0.0/0 XXXXXXX 1
[admin@ax2] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAc 10.0.0.0/24 guest-bridge 0
DAc 192.168.180.0/24 bridge 0
I have the same configuration for IPv6, but it doesn't work unless I allow input to my boundary router???
[admin@boundary] > /ipv6 firewall filter print
2 ;;; block guest from private LANs
chain=forward action=drop src-address=XXXX:XXXX:XXXX:200::/64 dst-address=XXXX:XXXX:XXXX:0::/56
6 X ;;; block guest from this router
chain=input action=drop src-address=XXXX:XXXX:XXXX:200::/64
[admin@boundary] > /ipv6 route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
# DST-ADDRESS GATEWAY DISTANCE
0 ADS ::/0 fe80::XXXX:XXXX:XXXX... 1
[admin@ax2] > /ipv6 route print
Flags: D - DYNAMIC; I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
DAc XXXX:XXXX:XXXX:1::/64 bridge 0
DAc XXXX:XXXX:XXXX:200::/64 guest-bridge 0
DAc fe80::%bridge/64 bridge 0
DAc fe80::%guest-bridge/64 guest-bridge 0
How do I allow the router to route IPv6 traffic to the internet whilst at the same time blocking any attempt to connect to the router itself?