IPv6 WAN to LAN block rule stops traffic.

BobbyMcgee · Fri Aug 16, 2024 3:55 pm

Hello.

Have a Mikrotik router with working IPv6.

If I create a rule that blocks traffic from WAN to LAN, the router is not working with IPv6.

From WAN to LAN

Taught that the router should only care about where the traffic is initialised from?

add action=drop chain=forward comment="IPv6 WAN to LAN"  in-interface=WAN out-interface=LAN

dang21000 · Fri Aug 16, 2024 10:21 pm

Maybe because you kill icmp traffic... and without icmp, nothing work.

BobbyMcgee · Sat Aug 17, 2024 10:14 am

This is NOT working

add action=drop chain=forward comment="IPv6 WAN to LAN"  in-interface=WAN out-interface=LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked

This is working

add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="IPv6 WAN to LAN"  in-interface=WAN out-interface=LAN

tdw · Sat Aug 17, 2024 1:02 pm

Rules are evaluated in strict order, if you drop any packets arriving from an interface in the WAN list destined for an interface in the LAN list before other rules then bidirectional communication will always fail.

With the not working example replies to connections initiated from LAN devices will also be dropped by the first rule in addition to attempted connections initiated from WAN devices.

With the working example replies to connections initiated from LAN devices are permitted as the initial outbound packet from the LAN device creates a connection table entry so the reply matches established. Only then will packets which have not been matched by the first rule be processed by the second rule.

IPv6 WAN to LAN block rule stops traffic. [SOLVED]

IPv6 WAN to LAN block rule stops traffic.

Re: IPv6 WAN to LAN block rule stops traffic.

Re: IPv6 WAN to LAN block rule stops traffic.

Re: IPv6 WAN to LAN block rule stops traffic. [SOLVED]