jharry
just joined
Topic Author
Posts: 8
Joined: Tue Feb 26, 2019 11:47 pm

SSL/SSH/WINBOX to router not working using the ipv6 address

Wed Feb 27, 2019 1:31 am

Hello World,

I am very new to the MikroTik world. I have all the above-mentioned services working properly over IPv4; however, I recently activated IPv6 on the router, but not all things seem to be working. I get a 20/20 on ipv6-test.com, but when I try to access the router using its IPv6 address and SSH, for example, it does not want to connect. Same with SSL or through WINBOX.

I followed this guide to get my IPv6 running:
/ipv6 firewall address-list
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
/ipv6 firewall filter
add action=accept chain=input comment="allow established and related" \
    connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" \
    src-address-list=allowed
add action=drop chain=input comment="drop anything else"
add action=accept chain=forward comment="Accept outbound via Aussie" \
    connection-state="" out-interface=ether5-wan
add action=accept chain=forward comment="Allow established and related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop other forwards"
/ipv6 dhcp-client
add add-default-route=yes interface=ether5-wan pool-name=abb \
    pool-prefix-length=56 request=address,prefix use-peer-dns=no
/ipv6 address
add address=::1 eui-64=yes from-pool=abb interface=bridge1

Then I added my own for SSH:

add action=accept chain=input comment="accept SSH" protocol=tcp dst-port=XXX22

However, I still cannot get it to work. Can someone help me? Thanks.
 
nostromog
Member Candidate
Posts: 226
Joined: Wed Jul 18, 2018 3:39 pm

Re: SSL/SSH/WINBOX to router not working using the ipv6 address

Wed Feb 27, 2019 11:06 am

Edit my own typo /7 -> /8
Hi, you have some typos in your firewall rules.

Multicast addresses are ff00::/8, and link-local ff80::/10 (twice, in the address-list and in the multicast rule). See https://www.ripe.net/participate/member ... e_card.pdf

Change as
/ipv6 firewall address-list set address=fe80::/10 numbers=[find where address~"fe80::/16"]
# the multicast entry was added as ff02::/16, so that is the value to match
/ipv6 firewall address-list set address=ff00::/8 numbers=[find where address~"ff02::/16"]
/ipv6 firewall filter set src-address=fe80::/10 numbers=[find where src-address~"fe80::/16"]
This is not the cause of your problem, though. You don't specify the ordering of the rules after you inserted the rule for accepting ssh port.

It is important that it is located before the "drop anything else" rule.

You can drag and drop them at the webfig ui or winbox, or use something like
/ipv6 firewall filter move numbers=[find where chain=input and comment~"SSH"] destination=[find where chain=input and comment="drop anything else"]
Provided there is no other rule containing "SSH" in comments. The ~ operator is regular expression matching and can be dangerous
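
Added example (not part of the thread and not MikroTik code): a small Python model of the posted input chain for new connections, showing why an SSH accept rule placed after "drop anything else" is never reached, and which link-local sources fe80::/16 misses compared with fe80::/10. The port 2222, the addresses 2001:db8::10 and fe90::1, and all function names are constructed for illustration; the established/related, traceroute and DHCPv6 rules are left out of the model.

```python
import ipaddress

def rule(action, comment, proto=None, dst_port=None, src=None):
    """One input-chain rule; src is a list of prefixes (None = any source)."""
    nets = [ipaddress.ip_network(p) for p in src] if src else None
    return dict(action=action, comment=comment, proto=proto,
                dst_port=dst_port, src=nets)

def input_chain(allowed, ssh_port, ssh_before_drop):
    """Stateless model of the posted input chain, for NEW connections only."""
    ssh = rule("accept", "accept SSH", proto="tcp", dst_port=ssh_port)
    chain = [
        rule("accept", "accept ICMPv6", proto="icmpv6"),
        rule("accept", "allow allowed addresses", src=allowed),
        rule("drop", "drop anything else"),
    ]
    # A rule created with "add" is appended, so it ends up after the drop rule
    # unless it is moved in front of it.
    chain.insert(2 if ssh_before_drop else len(chain), ssh)
    return chain

def evaluate(chain, src, proto, dst_port=None):
    """First matching rule wins; returns (action, comment)."""
    addr = ipaddress.ip_address(src)
    for r in chain:
        if r["proto"] and r["proto"] != proto:
            continue
        if r["dst_port"] and r["dst_port"] != dst_port:
            continue
        if r["src"] and not any(addr in n for n in r["src"]):
            continue
        return r["action"], r["comment"]
    return "accept", "end of chain (default)"

POSTED = ["fe80::/16", "ff02::/16"]  # address-list as posted in the question
FIXED = ["fe80::/10", "ff00::/8"]    # prefixes given in the reply
SSH_PORT = 2222                      # constructed; the post redacts the real port
CLIENT = "2001:db8::10"              # constructed client (documentation prefix)
LINK_LOCAL = "fe90::1"               # constructed; inside fe80::/10, outside fe80::/16

if __name__ == "__main__":
    for before in (False, True):
        chain = input_chain(FIXED, SSH_PORT, before)
        print("SSH rule before drop:", before,
              evaluate(chain, CLIENT, "tcp", SSH_PORT))
    for name, prefixes in (("posted", POSTED), ("fixed", FIXED)):
        chain = input_chain(prefixes, SSH_PORT, True)
        print(name, "list:", evaluate(chain, LINK_LOCAL, "udp", 5678))
```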