[Mikrotik] IPv6 Newbie

Keith Barber keith at reliablevi.com
Wed Jan 30 16:06:12 CST 2013

We just use a very simple 'nat' type firewall.  If it didn't originate from us, then drop it.

/ipv6 firewall filter
add action=accept chain=forward comment=Established connection-state=\
    established disabled=no
add action=accept chain=forward comment=Related connection-state=related \
add action=drop chain=forward comment="Drop netbios" disabled=no dst-port=\
    135-139,445 protocol=tcp
add action=drop chain=forward comment="Drop netbios" disabled=no dst-port=\
    135-139,445 protocol=udp
add action=accept chain=forward comment="In from LAN" disabled=no \
add action=log chain=forward comment=\
    "Nothing else, though. Log the remaining" disabled=yes in-interface=\
    vlan47 log-prefix=IPV6_INBOUND
add action=drop chain=forward comment="Nothing else, though" disabled=no \

----- Original Message -----
From: "Rory McCann" <rmm.lists at gmail.com>
To: "Mikrotik discussions" <mikrotik at mail.butchevans.com>
Sent: Wednesday, January 30, 2013 5:42:27 PM
Subject: [Mikrotik] IPv6 Newbie

Hey guys,

So I decided to set myself up with a couple of free tunnels from HE so I 
could play around with IPv6. I've got everything up and working 
correctly, but one thing I'm nervous about is that with my computers now 
publicly accessible via IPv6, what is the best way to protect/firewall 
traffic at the router? Using MT 5.22 on an x86 box, here's some of the 
rules I have in place:

/ipv6 firewall filter
add action=reject chain=input comment="Winbox Filtering" disabled=no \
    dst-port=8291 protocol=tcp reject-with=tcp-reset
add action=reject chain=input comment="SSH Filtering" disabled=no \
    dst-port=22 protocol=tcp reject-with=tcp-reset src-address-list=!IPv6-Space
add action=drop chain=forward \
    comment="Block all unidentified/non-established traffic" \
    connection-state=new disabled=no dst-address-list=IPv6-Space \
    src-address-list=!IPv6-Space

The Winbox and SSH rules drop SSH traffic not coming from my prefix 
("IPv6-Space" address list). I also have a rule that matches 
connection-state to new and drops the traffic if it's destined to my 
prefix and coming from outside my prefix using that same address list. 
That stopped the ability to access my servers/computers from the public 
net, so that seems to be what I was looking for, however I'm wondering 
if there are some other rules I should put in place or adjust to further 
protect my devices?

How are you guys handling this? My network is a corporate network so I'm 
not serving any customers, just playing around.


Rory McCann
Minn-Kota Ag Products
P: 701-403-4877 | E: rory at mkap.com
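
Added example, not part of either message: a Python first-match model of the two forward chains above, run over constructed packets to show where Keith's default-drop chain and the single forward rule Rory posted give different verdicts. The `lan` interface name and the unconditional final drop are assumptions, because those rule lines are cut off in the post; a packet that matches no rule is accepted, as RouterOS does.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    state: str               # established | related | new | invalid
    in_if: str               # interface the packet arrived on
    dport: int = 0
    proto: str = "tcp"
    src_local: bool = False  # source is in the IPv6-Space address list
    dst_local: bool = False  # destination is in the IPv6-Space address list

LAN_IF = "lan"      # hypothetical: the "In from LAN" match is cut off in the post
WAN_IF = "vlan47"   # taken from the disabled IPV6_INBOUND log rule
NETBIOS = set(range(135, 140)) | {445}

# (action, match) pairs in rule order; the disabled log rule is left out.
KEITH = [
    ("accept", lambda p: p.state == "established"),
    ("accept", lambda p: p.state == "related"),
    ("drop", lambda p: p.proto in ("tcp", "udp") and p.dport in NETBIOS),
    ("accept", lambda p: p.in_if == LAN_IF),   # assumed in-interface match
    ("drop", lambda p: True),                  # assumed unconditional
]
RORY = [
    ("drop", lambda p: p.state == "new" and p.dst_local and not p.src_local),
]

def verdict(chain, pkt):
    """Return the action of the first matching rule."""
    for action, match in chain:
        if match(pkt):
            return action
    return "accept"  # no rule matched: RouterOS lets the packet through

# Constructed sample packets.
SAMPLES = {
    "inbound new SSH": Packet("new", WAN_IF, 22, dst_local=True),
    "inbound invalid": Packet("invalid", WAN_IF, 22, dst_local=True),
    "inbound reply": Packet("established", WAN_IF, 50000, dst_local=True),
    "LAN new HTTPS": Packet("new", LAN_IF, 443, src_local=True),
    "LAN new SMB": Packet("new", LAN_IF, 445, src_local=True),
}

def compare():
    """Map each sample name to (Keith's verdict, Rory's verdict)."""
    return {n: (verdict(KEITH, p), verdict(RORY, p)) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (keith, rory) in compare().items():
        print(f"{name:16} keith={keith:6} rory={rory}")
```

The two chains agree on new inbound connections and on replies; they differ on packets the connection tracker marks invalid and on NetBIOS/SMB ports leaving the LAN, which only the default-drop chain stops.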
