[Mikrotik] IPv6 Newbie

Rory McCann rmm.lists at gmail.com
Thu Jan 31 10:27:18 CST 2013

Thanks for all the input guys!

Rory McCann
Minn-Kota Ag Products
P: 701-403-4877 | E: rory at mkap.com

On 1/30/2013 4:36 PM, Don Gould wrote:
> Hi Rory,
> http://www.jrwz.net/technical/mikrotik-ipv6/s06.html
> You will note that he accepts icmpv6 traffic.
> 2   chain=forward action=accept protocol=icmpv6
> I was concerned about this, so I raised some discussion around our 
> local NOG about it at the time.
> It seems that if you don't accept the icmpv6 traffic then 'stuff will 
> break'.
> The rest of the site has some useful stuff about tunnels on it as 
> well.  I found it quite a useful resource.
> D
> On 31/01/2013 10:42 a.m., Rory McCann wrote:
>> Hey guys,
>> So I decided to set myself up with a couple of free tunnels from HE so I
>> could play around with IPv6. I've got everything up and working
>> correctly, but one thing I'm nervous about is that with my computers now
>> publicly accessible via IPv6, what is the best way to protect/firewall
>> traffic at the router? Using MT 5.22 on an x86 box, here's some of the
>> rules I have in place:
>> /ipv6 firewall filter
>> add action=reject chain=input comment="Winbox Filtering" disabled=no
>> dst-port=8291 protocol=tcp reject-with=tcp-reset
>> src-address-list=!IPv6-Space
>> add action=reject chain=input comment="SSH Filtering" disabled=no
>> dst-port=22 protocol=tcp reject-with=tcp-reset 
>> src-address-list=!IPv6-Space
>> add action=drop chain=forward comment="Block all
>> unidentified/non-established traffic" connection-state=new disabled=no
>> dst-address-list=IPv6-Space src-address-list=!IPv6-Space
>> The Winbox and SSH rules drop SSH traffic not coming from my prefix
>> ("IPv6-Space" address list). I also have a rule that matches
>> connection-state to new and drops the traffic if it's destined to my
>> prefix and coming from outside my prefix using that same address list.
>> That stopped the ability to access my servers/computers from the public
>> net, so that seems to be what I was looking for, however I'm wondering
>> if there are some other rules I should put in place or adjust to further
>> protect my devices?
>> How are you guys handling this? My network is a corporate network so I'm
>> not serving any customers, just playing around.
>> Thanks!

More information about the Mikrotik mailing list