Abdelhadi
just joined
Topic Author
Posts: 17
Joined: Thu Aug 25, 2022 2:47 pm

Help on applying advanced firewall rules

Thu Oct 05, 2023 1:08 am

Hi,
I'm trying to apply the advanced firewall rules given in the support page (https://help.mikrotik.com/docs/display/ ... d+Firewall).
I applied most of them successfully. But when I arrive at this part:



/ip firewall raw
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" src-address-list=not_global_ipv4 in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" in-interface-list=WAN dst-address=192.168.88.0/24
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address=!192.168.88.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"


Once applied, I'm getting ejected from the router! So I connect to the router by console to delete the firewall raw rules.

Can someone explain to me why this part of the rules rejects me?



Thanks in advance.

PS:

I already added those address lists:


/ipv6 firewall address-list
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0:0/96 comment="defconf: RFC6890 IPv4 mapped" list=bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=not_global_ipv6
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Help on applying advanced firewall rules

Thu Oct 05, 2023 2:09 pm

Why? A ROUTER is for routing authorized traffic; you seem intent or focussed on blocking traffic.
Most of that is not needed.
Best start off with a basic firewall: ensure users on the LAN have access to services on the input chain,
access to the WAN on the forward chain, and drop all else in both chains. Suffices for 95% of cases.
 
Abdelhadi
just joined
Topic Author
Posts: 17
Joined: Thu Aug 25, 2022 2:47 pm

Re: Help on applying advanced firewall rules

Thu Oct 05, 2023 4:21 pm

Hi,
Thanks for your reply.
Why? Because it's indicated in the official support page! It seems that it raises the device performance by handling traffic before it arrives at the firewall rules.
Am I wrong? All I want is to maximize security.
Thanks in advance.
 
Kentzo
Long time Member
Posts: 536
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Help on applying advanced firewall rules

Thu Oct 05, 2023 9:48 pm

Try adding the rules one by one to find the one that leads to ejection.
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Help on applying advanced firewall rules

Thu Oct 05, 2023 10:00 pm

I would say unless you understand what each rule is doing, what raw means vice other filter categories etc..... then you are over your head and shouldn't be applying these rules....... and should go for a clean, lean and safe config. If interested let me know.
 
Kentzo
Long time Member
Posts: 536
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Help on applying advanced firewall rules

Thu Oct 05, 2023 10:07 pm

@llamajaja has good wisdom… but if this is your personal device then go hack it.

Although consider something like GNS3 (it can virtualize RouterOS). It's better because you won't "brick" your LAN and can always reset to a clean slate.
 
McGremlin
Frequent Visitor
Posts: 86
Joined: Fri Jun 16, 2023 12:12 pm

Re: Help on applying advanced firewall rules

Thu Oct 05, 2023 10:11 pm

Hi there!
I won't help you, because I haven't done this kind of rules, but it's interesting to me. Can I ask you a few questions?
1) Are you doing it (or planning to do so) in a running environment?
2) What's the biggest expected advantage for you and why? Security or better CPU performance, maybe?

If you have just one network, 192.168.88.0/24, I don't think you really need to make it so advanced, but it's your network - try, learn, rise :D
If you are just using the examples from the article to ask but your network is more complex - good luck 8)

EDIT: Of course others can share their thoughts as well :)
 
pfturner
just joined
Posts: 23
Joined: Fri Jun 09, 2023 4:31 pm

Re: Help on applying advanced firewall rules

Thu Apr 18, 2024 2:01 am

I have ipv6 running well with the Basic Mikrotik ipv6 firewall, but I had to make a couple of modifications to get it to work with my internet provider, Starlink. I wanted to test the Advanced firewall in Mikrotik to learn and see whether I had any weaknesses in the Basic implementation given the modifications I made...

So, I have a couple of spots where I had to change the RAW section in order to get it to work and I'd appreciate a nudge in helping to understand why:

1. I need to disable the following address list item: add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6 (latest versions of iOS 7 have a lo interface that shows up automatically, so maybe there is a reason why this now needs to be disabled?)

2. I need to disable the last rule in the RAW ICMPv6 list: add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=icmpv6
This next one bothers me more - what ICMPv6 packets could have failed to be accepted in the previous accepted rules in RAW that the firewall wants to drop, but I need to disable in order to get ipv6 working?

Thanks for any advice you can provide.
 
Kentzo
Long time Member
Posts: 536
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Help on applying advanced firewall rules

Thu Apr 18, 2024 2:39 am

In both cases you need to log to see what packets are being matched.
 
vingjfg
Member
Posts: 329
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help on applying advanced firewall rules

Thu Apr 18, 2024 9:08 am

Hi there!

Can you post the output of the following commands?
/ip/address/print
/ip/firewall/address-list/print
/interface/list/member/print
Also, when posting commands or outputs, consider using the code tag (the button is </> above). This presents the information in a nicer format.
 
pfturner
just joined
Posts: 23
Joined: Fri Jun 09, 2023 4:31 pm

Re: Help on applying advanced firewall rules

Thu Apr 18, 2024 3:27 pm

The log errors show ICMP codes 136, 134 (router and neighbor advertisements) and 143 (multicast)

Currently, I have to disable the address list item that shows an "X" below - the lo-related one - and I have to disable the last drop rule in the advanced ipv6 firewall to get it to work. The above error codes show up in the log if I enable the last drop rule. Thanks for your help!

Flags: D - DYNAMIC; G - GLOBAL, L - LINK-LOCAL
Columns: ADDRESS, FROM-POOL, INTERFACE, ADVERTISE
 #    ADDRESS                                     FROM-POOL    INTERFACE      ADVERTISE
 0  G 2605:xxxx:xxxx:xx00:xxxx:xxff:fexx:6245/64  Starlink-v6  Local          yes      
 1  G 2605:xxxx:xxxx:xx03:xxxx:xxff:fexx:6245/64  Starlink-v6  VLAN-10-Main   yes      
 2  G 2605:xxxx:xxxx:xx01:xxxx:xxff:fexx:6245/64  Starlink-v6  VLAN-20-Guest  yes      
 3  G 2605:xxxx:xxxx:xx02:xxxx:xxff:fexx:6245/64  Starlink-v6  VLAN-30-IoT    yes      
 4 D  ::1/128                                                  lo             no       
 5 DL fe80::xxxx:xxff:fexx:6245/64                             VLAN-10-Main   no       
 6 DL fe80::xxxx:xxff:fexx:6245/64                             Local          no       
 7 DL fe80::xxxx:xxff:fexx:6245/64                             VLAN-30-IoT    no       
 8 DL fe80::xxxx:xxff:fexx:6245/64                             VLAN-20-Guest  no       
 9 DL fe80::xxxx:xxff:fexx:6243/64                             WAN2-Verizon   no       
10 DL fe80::xxxx:xxff:fexx:6242/64                             WAN1-Starlink  no       
11 DL fe80::xxxx:xxff:fexx:6244/64                             WAN3-Eclipse   no       
12 DG 2605:xxxx:xxxx:xxxx:xxxx:xxff:fexx:6242/64               WAN1-Starlink  no

Columns: LIST, INTERFACE
# LIST  INTERFACE    
0 LAN   Local        
1 WAN   WAN1-Starlink
2 VLAN  VLAN-20-Guest
3 VLAN  VLAN-30-IoT  
4 VLAN  VLAN-10-Main 
5 WAN   WAN2-Verizon 
6 WAN   WAN3-Eclipse 
7 VLAN  Local

Flags: X - DISABLED
Columns: LIST, ADDRESS, CREATION-TIME
 #   LIST             ADDRESS                     CREATION-TIME      
;;; Local Network
 0   allowed          2605:xxxx:xxxx:xxxx::/56    2024-03-18 18:16:17
;;; multicast
 1   allowed          ff02::/16                   2024-03-27 13:08:57
;;; DHCPv6 client server value
 2   allowed          2605:xxxx:xxxx:xxxx::1/128  2024-03-27 14:16:06
;;; RFC6890 Linked-Scoped Unicast
 3   no_forward_ipv6  fe80::/10                   2024-04-16 14:54:03
;;; Multicast
 4   no_forward_ipv6  ff00::/8                    2024-04-16 14:54:03
;;; RFC6890 lo
 5 X bad_ipv6         ::1/128                     2024-04-16 14:54:51
;;; RFC6890 IPv4 mapped
 6   bad_ipv6         ::ffff:0.0.0.0/96           2024-04-16 14:54:51
;;; RFC6890
 7   bad_ipv6         2001::/23                   2024-04-16 14:54:51
;;; RFC6890 documentation
 8   bad_ipv6         2001:db8::/32               2024-04-16 14:54:51
;;; RFC6890 orchid
 9   bad_ipv6         2001:10::/28                2024-04-16 14:54:51
;;; IPV4 compat
10   bad_ipv6         ::/96                       2024-04-16 14:54:51
;;; RFC6890 Discard-only
11   not_global_ipv6  100::/64            x        2024-04-16 14:55:26
;;; RFC6890 TEREDO
12   not_global_ipv6  2001::/32                   2024-04-16 14:55:26
;;; RFC6890 Benchmark
13   not_global_ipv6  2001:2::/48                 2024-04-16 14:55:26
;;; RFC6890 Unique-Local
14   not_global_ipv6  fc00::/7                    2024-04-16 14:55:26
;;; Unspecified
15   bad_dst_ipv6     ::/128                      2024-04-16 14:55:58
;;; Unspecified
16   bad_src_ipv6     ::/128                      2024-04-16 14:56:20
;;; Multicast
17   bad_src_ipv6     ff00::/8                    2024-04-16 14:56:20
 
pfturner
just joined
Posts: 23
Joined: Fri Jun 09, 2023 4:31 pm

Re: Help on applying advanced firewall rules

Thu Apr 18, 2024 3:39 pm

Note that in the respective ICMP RAW rules I have replaced the standard advanced firewall "LAN" in-interface-list with "VLAN" - I have my bridge in LAN and also in VLAN, so it's a broader list than just LAN. The firewall (as opposed to RAW tab) modifications I had to make for Starlink were based on a user's post in Github or Reddit specific to Starlink ipv6 implementation in Mikrotik - in addition to the multicast range, I also have to specifically accept packets sourced from the Global addresses given to my LAN interfaces (bridge and VLANs below) and the Global address Starlink provides to the router itself. I am not sure why the link-local information isn't enough as it would seem to be from the Mikrotik-provided firewall configurations.
 
vingjfg
Member
Posts: 329
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help on applying advanced firewall rules

Thu Apr 18, 2024 8:52 pm

Well, it seems you sent me the ipv6 bits and not the ip(v4) ones - can you send again the ipv4 addresses and address-list?
 
pfturner
just joined
Posts: 23
Joined: Fri Jun 09, 2023 4:31 pm

Re: Help on applying advanced firewall rules

Thu Apr 18, 2024 10:45 pm

I wasn't sure whether you wanted ipv4 or not since that is working fine for me, but here it is as well.... The member list is already above.

Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS            NETWORK         INTERFACE       
0   10.10.1.1/24       10.10.1.0       Local           
1   10.10.20.1/24      10.10.20.0      VLAN-20-Guest   
2   10.10.30.1/24      10.10.30.0      VLAN-30-IoT     
3   10.10.10.1/24      10.10.10.0      VLAN-10-Main    
4 D 192.168.2.2/24     192.168.2.0     WAN2-Verizon    
5 D xxx.xxx.xxx.xxx/21  129.222.16.0    WAN1-Starlink   
6 D 192.168.3.238/24   192.168.3.0     WAN3-Eclipse

Flags: X - DISABLED
Columns: LIST, ADDRESS, CREATION-TIME
 #   LIST               ADDRESS          CREATION-TIME      
 0   LAN                10.10.1.0/24     1970-01-02 00:00:35
;;; 6to4 relay Anycast [RFC 3068]
 1   not_in_internet    192.88.99.0/24   1970-01-02 00:00:35
 2   allowed_to_router  10.10.1.0/24     1970-01-02 00:00:35
;;; RFC6890
 3   not_in_internet    0.0.0.0/8        1970-01-02 00:00:35
;;; RFC6890
 4   not_in_internet    172.16.0.0/12    1970-01-02 00:00:35
;;; RFC6890
 5   not_in_internet    192.168.0.0/16   1970-01-02 00:00:35
;;; RFC6890
 6   not_in_internet    10.0.0.0/8       1970-01-02 00:00:35
;;; RFC6890
 7   not_in_internet    169.254.0.0/16   1970-01-02 00:00:35
;;; RFC6890
 8   not_in_internet    127.0.0.0/8      1970-01-02 00:00:35
;;; Multicast
 9   not_in_internet    224.0.0.0/4      1970-01-02 00:00:35
;;; RFC6890
10   not_in_internet    198.18.0.0/15    1970-01-02 00:00:35
;;; RFC6890
11   not_in_internet    192.0.0.0/24     1970-01-02 00:00:35
;;; RFC6890
12   not_in_internet    192.0.2.0/24     1970-01-02 00:00:35
;;; RFC6890
13   not_in_internet    198.51.100.0/24  1970-01-02 00:00:35
;;; RFC6890
14   not_in_internet    203.0.113.0/24   1970-01-02 00:00:35
;;; RFC6890
15   not_in_internet    100.64.0.0/10    1970-01-02 00:00:35
;;; RFC6890
16   not_in_internet    240.0.0.0/4      1970-01-02 00:00:35
17   allowed_to_router  10.10.10.0/24    2023-07-11 14:14:41
Last edited by pfturner on Fri Apr 19, 2024 2:02 pm, edited 1 time in total.
 
vingjfg
Member
Posts: 329
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help on applying advanced firewall rules

Fri Apr 19, 2024 10:24 am

Hi there!

Then I am confused - you said you had issues when you added the ip firewall raw rules - do you mean you have issues when you do the same with the ipv6 firewall raw rules?
 
pfturner
just joined
Posts: 23
Joined: Fri Jun 09, 2023 4:31 pm

Re: Help on applying advanced firewall rules

Fri Apr 19, 2024 2:39 pm

I have been using a slightly modified version of MT's basic ipv6 firewall - I am not clear on why my Starlink internet connection seems to require these slight modifications. I thought I would try the MT advanced ipv6 firewall to see if I could drill down to see where the problem is. To get the advanced ipv6 firewall to allow ipv6 to work I have to do the following:

1. Disable the address list item: add address=::1/128 comment="defconf: lo" disabled=no dynamic=no list=bad_ipv6
2. Disable the final advanced ipv6 RAW rule: Drop other ICMP

3. I still have to include in the advanced ipv6 firewall an accept input and accept forward rules that permit traffic from my global address for the Starlink internet and the global addresses for my bridge and VLANs.

On #2, the ICMP traffic that is getting dropped is not getting picked up by the LAN-only accept rules for ICMP types 134, 136 and 143 - it seems that some of the traffic getting dropped has the global address of the Starlink interface.

I'm not sure why MT's ipv6 firewalls do not work without the above - the standard uses LAN and !LAN - which I have replaced with VLAN (which by my definition includes the bridge (LAN) and three VLANs). Does an address list that refers to LAN or VLAN include both the ipv4 and ipv6 addresses? If so, does it include the global as well as link-local addresses?
 
vingjfg
Member
Posts: 329
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help on applying advanced firewall rules

Fri Apr 19, 2024 6:02 pm

OK! I was uncertain as you posted the ip firewall raw for IPv4 and information for IPv6 - but mentioned the issues related to connectivity so I went with IPv4. I saw a few things in the info you sent, namely that you use the interface-list name "VLAN" and not "LAN", keep in mind that that means that WAN and VLAN are matched by "!LAN".

IPv4 and IPv6 are different parts of the firewall, filtering one doesn't change the other.

Can you post the output of the following command?
/ipv6/firewall/raw/print
 
pfturner
just joined
Posts: 23
Joined: Fri Jun 09, 2023 4:31 pm

Re: Help on applying advanced firewall rules

Fri Apr 19, 2024 8:34 pm

Flags: X - disabled, I - invalid; D - dynamic 
 0 X  ;;; Enable for transparent firewall
      chain=prerouting action=accept log=no log-prefix="" 

 1 X  ;;; RFC4291, section 2.7.1
      chain=prerouting action=accept icmp-options=135:0-255 log=no log-prefix="" protocol=icmpv6 src-address=::/128 dst-address=ff02::1:ff00:0/104 

 2 X  ;;; Drop bogon IP's
      chain=prerouting action=drop log=no log-prefix="" src-address-list=bad_ipv6 

 3 X  ;;; Drop bogon IP's
      chain=prerouting action=drop log=no log-prefix="" dst-address-list=bad_ipv6 

 4 X  ;;; Drop packets with bad SRC ipv6
      chain=prerouting action=drop log=no log-prefix="" src-address-list=bad_src_ipv6 

 5 X  ;;; Drop packets with bad dst ipv6
      chain=prerouting action=drop log=no log-prefix="" dst-address-list=bad_dst_ipv6 

 6 X  ;;; Drop non global from WAN
      chain=prerouting action=drop in-interface-list=WAN log=no log-prefix="" src-address-list=not_global_ipv6 

 7 X  ;;; Jump to ICMPv6 chain
      chain=prerouting action=jump jump-target=icmp6 log=no log-prefix="" protocol=icmpv6 

 8 X  ;;; Accept local multicast scope
      chain=prerouting action=accept log=no log-prefix="" dst-address=ff02::/16 

 9 X  ;;; Drop other multicast destinations
      chain=prerouting action=drop log=no log-prefix="" dst-address=ff00::/8 

10 X  ;;; Accept everything else from WAN
      chain=prerouting action=accept in-interface-list=WAN log=no log-prefix="" 

11 X  ;;; Accept everything else from VLANs
      chain=prerouting action=accept in-interface-list=VLAN log=no log-prefix="" 

12 X  ;;; Drop the rest
      chain=prerouting action=drop log=no log-prefix=""

13 X  ;;; RFC4890 drop ll if hop-limit!=255
      chain=icmp6 action=drop log=no log-prefix="" protocol=icmpv6 dst-address=fe80::/10 hop-limit=not-equal:255 

14 X  ;;; DST unreachable
      chain=icmp6 action=accept icmp-options=1:0-255 log=no log-prefix="" protocol=icmpv6 

15 X  ;;; Packet too big
      chain=icmp6 action=accept icmp-options=2:0-255 log=no log-prefix="" protocol=icmpv6 

16 X  ;;; Limit exceeded
      chain=icmp6 action=accept icmp-options=3:0-1 log=no log-prefix="" protocol=icmpv6 

17 X  ;;; Bad header
      chain=icmp6 action=accept icmp-options=4:0-2 log=no log-prefix="" protocol=icmpv6 

18 X  ;;; Mobile home agent address discovery (ICMP Type 144)
      chain=icmp6 action=accept icmp-options=144:0-255 log=no log-prefix="" protocol=icmpv6 

19 X  ;;; Mobile home agent address discovery (ICMP Type 145)
      chain=icmp6 action=accept icmp-options=145:0-255 log=no log-prefix="" protocol=icmpv6 

20 X  ;;; Mobile prefix solic
      chain=icmp6 action=accept icmp-options=146:0-255 log=no log-prefix="" protocol=icmpv6 

21 X  ;;; Mobile prefix advert
      chain=icmp6 action=accept icmp-options=147:0-255 log=no log-prefix="" protocol=icmpv6 

22 X  ;;; Echo request limit 5,10
      chain=icmp6 action=accept icmp-options=128:0-255 limit=5,10:packet log=no log-prefix="" protocol=icmpv6 

23 X  ;;; Echo reply limit 5,10
      chain=icmp6 action=accept icmp-options=129:0-255 limit=5,10:packet log=no log-prefix="" protocol=icmpv6 

24 X  ;;; RFC4890 router solic limit 5,10 only LAN
      chain=icmp6 action=accept in-interface-list=VLAN icmp-options=133:0-255 limit=5,10:packet log=no log-prefix="" protocol=icmpv6 hop-limit=equal:255 

25 X  ;;; RFC4890 router advert limit 5,10 only LAN
      chain=icmp6 action=accept in-interface-list=VLAN icmp-options=134:0-255 limit=5,10:packet log=no log-prefix="" protocol=icmpv6 hop-limit=equal:255 

26 X  ;;; RFC4890 neighbor solic limit 5,10 only LAN
      chain=icmp6 action=accept in-interface-list=VLAN icmp-options=135:0-255 limit=5,10:packet log=no log-prefix="" protocol=icmpv6 hop-limit=equal:255 

27 X  ;;; RFC4890 neighbor advert limit 5,10 only LAN
      chain=icmp6 action=accept in-interface-list=VLAN icmp-options=136:0-255 limit=5,10:packet log=no log-prefix="" protocol=icmpv6 hop-limit=equal:255 

28 X  ;;; RFC4890 inverse ND solic limit 5,10 only LAN
      chain=icmp6 action=accept in-interface-list=VLAN icmp-options=141:0-255 limit=5,10:packet log=no log-prefix="" protocol=icmpv6 hop-limit=equal:255 

29 X  ;;; RFC4890 inverse ND advert limit 5,10 only LAN
      chain=icmp6 action=accept in-interface-list=VLAN icmp-options=142:0-255 limit=5,10:packet log=no log-prefix="" protocol=icmpv6 hop-limit=equal:255 

30 X  ;;; Drop other ICMP
      chain=icmp6 action=drop log=yes log-prefix="dropped_ipv6" protocol=icmpv6 
 
pfturner
just joined
Posts: 23
Joined: Fri Jun 09, 2023 4:31 pm

Re: Help on applying advanced firewall rules

Fri Apr 19, 2024 8:44 pm

Rules 25 and 26 (ICMP 134 and 136) might help me the most. Apart from having to turn off the ::/1 lo address list item...
 
Kentzo
Long time Member
Posts: 536
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Help on applying advanced firewall rules

Sat Apr 20, 2024 1:41 pm

Instead of disabling the rules, can you change it to passthrough with log and then attach here the packets whose dropping breaks your network, exactly as it appears in the log?

The rule that only allows ICMPv6 Type 134 from LAN is plain wrong for an edge router: it is supposed to receive RAs from the upstream (WAN), configure itself and then advertise itself to the downstream (LAN).

I recommend reading https://datatracker.ietf.org/doc/html/rfc4890
 
vingjfg
Member
Posts: 329
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help on applying advanced firewall rules

Sun Apr 21, 2024 9:45 am

As pfturner said, you need to accept NDP advertisements on the WAN interface. Try adding the following and move them above the final deny:
/ipv6/firewall/raw
add chain=icmp6 action=accept in-interface-list=WAN icmp-options=134:0-255 limit=5,10:packet log=no log-prefix="" \
        protocol=icmpv6 hop-limit=equal:255 comment="RFC4890 router advertisement"
add chain=icmp6 action=accept in-interface-list=WAN icmp-options=136:0-255 limit=5,10:packet log=no log-prefix="" \
        protocol=icmpv6 hop-limit=equal:255 comment="RFC4890 neighbor advertisement"
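To make the rule-ordering point in this thread concrete, here is a small added model (not MikroTik code, not from any poster) of how a raw chain evaluates a packet: first match wins, and a jump returns to the calling chain when the target chain decides nothing. It walks the OP's "drop local if not from default IP range" rule and pfturner's icmp6 chain before and after the WAN router-advertisement accept above; the Rule and Packet classes, the sample packets and the fe80::1 source are constructed, and the limit= and address-list matchers are left out.

```python
# Model of RouterOS raw-chain evaluation: first matching rule decides; a jump
# enters the target chain and returns to the caller if nothing there matches.
# Constructed for this thread, not MikroTik code; limit= and address lists omitted.
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    chain: str
    action: str              # accept | drop | jump
    comment: str = ""
    jump_target: str = ""
    in_list: str = ""        # in-interface-list
    protocol: str = ""
    icmp_type: int = None    # icmp-options=TYPE:..., code range ignored here
    hop_limit: int = None    # hop-limit=equal:N
    src: str = ""            # src-address; a leading "!" negates, as in RouterOS


@dataclass
class Packet:
    in_list: str             # interface list the ingress port belongs to
    src: str
    protocol: str
    icmp_type: int = None
    hop_limit: int = 64


def src_match(spec, addr):
    """Empty spec matches anything; '!net' matches addresses outside net."""
    if not spec:
        return True
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"))
    return inside != spec.startswith("!")


def matches(rule, pkt):
    return (
        (not rule.in_list or rule.in_list == pkt.in_list)
        and (not rule.protocol or rule.protocol == pkt.protocol)
        and (rule.icmp_type is None or rule.icmp_type == pkt.icmp_type)
        and (rule.hop_limit is None or rule.hop_limit == pkt.hop_limit)
        and src_match(rule.src, pkt.src)
    )


def evaluate(rules, pkt, chain="prerouting"):
    """Return (action, comment) of the deciding rule, or None if the chain ends."""
    for rule in (r for r in rules if r.chain == chain):
        if not matches(rule, pkt):
            continue
        if rule.action == "jump":
            verdict = evaluate(rules, pkt, rule.jump_target)
            if verdict is not None:
                return verdict
            continue  # target chain decided nothing: resume in this chain
        return rule.action, rule.comment
    return None


# Subset of the OP's /ip firewall raw rules.
IP4_RAW = [
    Rule("prerouting", "drop", "defconf: drop local if not from default IP range",
         in_list="LAN", src="!192.168.88.0/24"),
    Rule("prerouting", "accept", "defconf: accept everything else from LAN", in_list="LAN"),
    Rule("prerouting", "accept", "defconf: accept everything else from WAN", in_list="WAN"),
    Rule("prerouting", "drop", "defconf: drop the rest"),
]

# Subset of pfturner's /ipv6 firewall raw print: RA (type 134) accepted only from VLAN.
IP6_RAW = [
    Rule("prerouting", "jump", "Jump to ICMPv6 chain", jump_target="icmp6", protocol="icmpv6"),
    Rule("prerouting", "accept", "Accept everything else from WAN", in_list="WAN"),
    Rule("icmp6", "accept", "RFC4890 router advert limit 5,10 only LAN",
         in_list="VLAN", protocol="icmpv6", icmp_type=134, hop_limit=255),
    Rule("icmp6", "drop", "Drop other ICMP", protocol="icmpv6"),
]

# vingjfg's fix: accept RA from WAN, placed above the final drop.
WAN_RA_ACCEPT = Rule("icmp6", "accept", "RFC4890 router advertisement",
                     in_list="WAN", protocol="icmpv6", icmp_type=134, hop_limit=255)
IP6_RAW_FIXED = IP6_RAW[:-1] + [WAN_RA_ACCEPT] + IP6_RAW[-1:]

# Constructed sample packets: an RA from the upstream router and two LAN hosts.
RA_FROM_WAN = Packet("WAN", "fe80::1", "icmpv6", icmp_type=134, hop_limit=255)
LAN_DEFAULT_SUBNET = Packet("LAN", "192.168.88.10", "tcp")
LAN_OTHER_SUBNET = Packet("LAN", "10.10.1.5", "tcp")

if __name__ == "__main__":
    print([evaluate(IP4_RAW, p) for p in (LAN_DEFAULT_SUBNET, LAN_OTHER_SUBNET)])
    print(evaluate(IP6_RAW, RA_FROM_WAN), evaluate(IP6_RAW_FIXED, RA_FROM_WAN))
```

The LAN host outside 192.168.88.0/24 is dropped by the negated src-address rule before any accept is reached, and the upstream RA is dropped by "Drop other ICMP" until an accept for in-interface-list=WAN sits above it.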
 
pfturner
just joined
Posts: 23
Joined: Fri Jun 09, 2023 4:31 pm

Re: Help on applying advanced firewall rules

Sun Apr 21, 2024 7:26 pm

Thanks! I believe I have it working well now with your advice!
 
pfturner
just joined
Posts: 23
Joined: Fri Jun 09, 2023 4:31 pm

Re: Help on applying advanced firewall rules

Mon Apr 22, 2024 1:20 am

I am getting some dropped forward chain packets related to multicast - not sure if this is normal when the devices (like Rokus, printers, etc.) are not being requested by iphones, etc. I have an mDNS repeater running in a container to share those devices across the main and guest vlans.

Drop_Input_Else input: in:VLAN-10-Main out:(unknown 0), connection-state:new src-mac xx:xx:xx:xx:xx:xx, proto UDP, [fe80::e638:83ff:fexx:xxxx]:48276->[ff02::1]:10001, len 335

Any thoughts on this last current issue? Thanks!
 
Kentzo
Long time Member
Posts: 536
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Help on applying advanced firewall rules

Mon Apr 22, 2024 5:27 pm

Are you sure it’s the forward chain and not the input chain? Link-local addresses are not supposed to be forwarded.

My opinion is that with very few exceptions you should not firewall input (multicast or otherwise) from LAN on the router.

Please make sure to report all problems you encountered using their firewall template to https://help.mikrotik.com/servicedesk/s ... r/portal/1
 
pfturner
just joined
Posts: 23
Joined: Fri Jun 09, 2023 4:31 pm

Re: Help on applying advanced firewall rules

Mon Apr 22, 2024 10:27 pm

Sorry, I don't read my own log headers! You are correct, those errors are on the input chain.
 
pfturner
just joined
Posts: 23
Joined: Fri Jun 09, 2023 4:31 pm

Re: Help on applying advanced firewall rules

Tue Apr 23, 2024 10:12 pm

So, living with this for a few days, I still have the dropped firewall input rule where link-local addresses are failing when the destination address is ff02::1. I know it's a multicast issue. These drops occur regularly (several different ones), with the exact same ones appearing every 10 seconds.

Example:
Drop_Input_Else input: in:VLAN-10-Main out:(unknown 0), connection-state:new src-mac e4:38:xx:xx:xx:xx, proto UDP, [fe80::xxxx:xxxx:xxxx:xxxx]:48457->[ff02::1]:10001, len 337


I only have tagged traffic via VLANs in my implementation.

Do you think it might be related to:

viewtopic.php?t=182314?

https://help.mikrotik.com/docs/pages/vi ... figuration
Bridge IGMP querier implementation can only send untagged IGMP queries. In case tagged IGMP queries should be sent or IGMP queries should be generated in multiple VLANs, it is possible to install a multicast package, add a VLAN interface and configure a PIM interface on VLAN. The PIM interface can be used as an IGMP querier.

I have an mDNS repeater handling the devices I want to see across VLANs, but ideally I'd like to get there without needing that.

Any help would be appreciated.
 
Kentzo
Long time Member
Posts: 536
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Help on applying advanced firewall rules

Tue Apr 23, 2024 11:47 pm

Something in your network multicasts a packet to all nodes (ff02::1) using the 10001 port. "All nodes" also includes the router itself. You have a firewall rule that blocks such packets on the router. Everything seems to work as configured.

FYI mDNSv6 uses ff02::fb. See https://www.iana.org/assignments/ipv6-m ... sses.xhtml
 
pfturner
just joined
Posts: 23
Joined: Fri Jun 09, 2023 4:31 pm

Re: Help on applying advanced firewall rules

Wed Apr 24, 2024 4:47 pm

Thanks - based on your insights I did some googling. It looks like that port is being used by my Unifi APs. The MAC addresses correspond to the APs.

Still some work to do to understand the multicast side of things in ipv6.
