Kentzo
Long time Member
Topic Author
Posts: 627
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Track IPv6 pool allocations for firewall and routes

Fri Jul 28, 2023 8:45 pm

I only use a subset of the DHCPv6 delegated prefix. For packets towards all unused subnets I want the following rules:

- Silently drop packets from WAN
- Reject with ICMPv6 unreachable packets from LAN

Since the prefix may change (the advertised lifetime is only about 90 min) and re-allocation by RouterOS is somewhat arbitrary, I'm not quite sure how to approach this problem. My current thought is that if I had a dynamic address-list of all unused subnets, I could add corresponding firewall rules via the out-interface-list matcher. Or I could add a routing mark and then have a route filter / policy route.
 
bandit1200
just joined
Posts: 23
Joined: Fri Mar 15, 2013 4:54 pm

Re: Track IPv6 pool allocations for firewall and routes

Sat Jul 29, 2023 12:32 am

Are you worried about the whole /56 changing, or just which /64s are assigned to each LAN changing?

There should be a dynamically created route for the entire /56 (or /60 if you are like me on Xfinity) to a black hole already there. That way only the assigned /64s are routed.

As I understand it, the entire /56 is routed to your WAN, then only the /64s you are using are routed to your LANs, and everything else is blackholed. Is that not already doing what you want? Or did I miss something?
 
Kentzo

Re: Track IPv6 pool allocations for firewall and routes

Sat Jul 29, 2023 2:31 am

I want proper ICMPv6 errors when packets for un-allocated prefix originate from my LAN.
 
bandit1200

Re: Track IPv6 pool allocations for firewall and routes

Sat Jul 29, 2023 4:12 pm

Got it.

I think Cisco equipment has the option to let black hole routes reply with unreachable, but I may be misremembering. Anyway....

So if MT doesn't have that option, how about this:

Create a dummy interface and point the black hole route to it. I would expect once a packet arrives at that interface, it will attempt neighbor solicitation and return an unreachable.

That may work. I wouldn't assign that dummy interface any global addresses, just the route pointing at it. What do you think?


(Just incidentally, my vlan, ppp etc /64 assignments stay stable across reboots, so I haven't perceived the same need here you have. I've never seen them change outside of me fiddling with things.)
 
Kentzo

Re: Track IPv6 pool allocations for firewall and routes

Sun Jul 30, 2023 1:00 am

bandit1200 wrote:
I think Cisco equipment has the option to let black hole routes reply with unreachable, but I may be misremembering. Anyway....

I think you can have that in RouterOS as well via /routing/rule, but I cannot work out how to make it work. I want two tables:
  • main with all the routes + an unreachable route for the delegated prefix
  • WAN with one blackhole rule for the delegated prefix and everything else being delegated to main

I do not understand how you delegate lookups (including default ones) from one table to another in RouterOS...

bandit1200 wrote:
Create a dummy interface and point the black hole route to it.

I still need to differentiate my traffic, WAN and LAN.
 
bandit1200

Re: Track IPv6 pool allocations for firewall and routes

Sun Jul 30, 2023 4:52 pm

Kentzo wrote:
I still need to differentiate my traffic, WAN and LAN.

Since the route is to a dummy interface, the forwarding firewall filter will apply. Just put in a drop rule for WAN traffic to that interface. No?

That would also give you a lot of options on when you want drop vs unreachable just by messing with the firewall rules.
 
Kentzo

Re: Track IPv6 pool allocations for firewall and routes

Sun Jul 30, 2023 6:50 pm

Somehow it feels that policy routing is “more” right.

What would you suggest as a dummy interface, a port-less bridge?
 
bandit1200

Re: Track IPv6 pool allocations for firewall and routes

Sun Jul 30, 2023 7:34 pm

Yeah, I tried it with a bridge I named "DeadEnd" :). No addresses, no ND, nothing on it. Worked as expected, returning unreachable.

It does seem like you should be able to use route policies etc. I suspect you are better with those than I am. No opinion on what's best.

One thing to consider either way is that you might need to write some scripts in the event your PD pool assignment changes from the ISP, or for when the lease is renewed manually or after an outage. The dynamic black hole route gets created then, too, so you will need to be sure it doesn't get in the way, or gets deleted. And you'll obviously need to change your static route if the PD pool prefix changes; I'm sure you already considered that.

It would be interesting to see if adding "Pool Relative Reservations" would be a feature MT would consider, and if there are other use cases for it. You could then assign the 1st, 2nd, etc. /64 specifically to interfaces. It would give more control, which we MT enthusiasts always appreciate.
 
Kentzo

Re: Track IPv6 pool allocations for firewall and routes  [SOLVED]

Mon Jul 31, 2023 9:41 pm

It looks like the dummy interface you suggested is indeed the better solution. For reference, the reason non-blackhole routes were dropped in v7: viewtopic.php?p=853939#p853939

Ended up with the following:
/interface/bridge add name=trap comment="dead-end interface: no addresses, no ND, routes pointed here fail with unreachable"
/interface/list add name=TRAP
/interface/list/member add list=TRAP interface=trap
/ipv6/firewall/filter add chain=forward action=reject reject-with=icmp-address-unreachable in-interface-list=LAN out-interface-list=TRAP comment="LAN -> unused prefix: ICMPv6 address unreachable (LAN list assumed to exist)"
/ipv6/firewall/filter add chain=forward action=drop out-interface-list=TRAP comment="anything else -> unused prefix (incl. WAN): silent drop"

With DHCPv6 Client script being:
:global argManagedID "some-unique-string"

# The client runs this script on release/expiry too; only touch routes while
# the delegated prefix is actually valid.
:if ($"pd-valid") do={
    /ipv6/route {
        # Disable the dynamic blackhole RouterOS adds for the whole delegated
        # prefix, so the static route to the trap bridge is used instead.
        disable [find dst-address=$"pd-prefix" blackhole]

        # Locate the trap route managed by this script (matched by comment suffix).
        :local varTrapRoutes [find comment~"$argManagedID\$"]
        :if ([:len $varTrapRoutes] > 0) do={
            # Prefix may have changed since the last lease: repoint the existing route.
            set ($varTrapRoutes->0) dst-address=$"pd-prefix"
        } else={
            add dst-address=$"pd-prefix" gateway=trap comment="Managed: DHCPv6 / $argManagedID"
        }
    }
}
This approach also allowed me to rewrite, as routes, a bunch of firewall rules that prevented packets with non-global destinations from crossing the WAN. Thank you for this idea!
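The "firewall rules as routes" rewrite that the last post mentions, and the dummy-interface mechanism bandit1200 described earlier in the thread, as an added example (not code from the thread or from MikroTik). It assumes the trap bridge and the TRAP and LAN interface lists from the post above already exist, so the two forward-chain rules there decide what happens to anything routed at trap: ICMPv6 address unreachable for LAN sources, silent drop for everything else. The prefix list is a conservative starting set, not a complete bogon list; the ULA route is an assumption that no ULA is in use on the LAN.

```rsc
# Added example: route destinations that must never be forwarded out the WAN
# to the dead-end bridge, instead of matching them with per-prefix firewall
# rules. Assumes the "trap" bridge and the TRAP/LAN lists already exist.
/ipv6/route
add dst-address=100::/64 gateway=trap comment="RFC 6666 discard-only prefix"
add dst-address=2001:db8::/32 gateway=trap comment="RFC 3849 documentation prefix"
add dst-address=fec0::/10 gateway=trap comment="RFC 3879 deprecated site-local"
# Assumption: no ULA addressing in use internally. Remove this route (or add
# more-specific routes for your own ULA /48) if you do use fd00::/8 on the LAN.
add dst-address=fc00::/7 gateway=trap comment="RFC 4193 ULA, none used here"

# Check: every prefix that currently ends in the trap, including the
# DHCPv6-managed route for the delegated prefix, should show up here.
/ipv6/route/print where gateway=trap
```

From a LAN host, a ping to an address inside one of these prefixes should now come back with ICMPv6 Destination Unreachable, code 3 (address unreachable), from the router's LAN address; the same packet arriving on the WAN only hits the drop rule and gets no reply. The ordering of the two forward rules matters: the reject rule for LAN sources must precede the unconditional drop to TRAP, and both must sit before any general "drop everything else" rule in the forward chain, otherwise LAN hosts will see a timeout instead of an error.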
