Community discussions

MikroTik App
  4. RouterOS
  5. General

IPv6 firewall rules  [SOLVED]

Post Reply
 
An5teifo
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

IPv6 firewall rules

Thu Feb 09, 2023 7:21 pm

Hello everyone,

I recently tried to implement some proper firewall rules for IPv6 by copying my currently existing and working IPv4 firewall rules.
But somehow it's not working really working.
My network consists of several VLANs to separate traffic from management LAN, DMZ, IoT and so on and I do only want to allow specific traffic to get from e.g. DMZ to my regular LAN.
The idead for my IPv4 firewall was to add each VLAN at a specific interface list and allow (port specific) traffic

The current set up would be:
Code: Select all
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=forward connection-state=established,related disabled=yes
add action=accept chain=forward connection-state=established,related out-interface-list=LAN
add action=accept chain=forward connection-state=established,related out-interface-list=WLAN
add action=accept chain=forward connection-state=established,related out-interface-list=Maria
add action=drop chain=forward comment="Drop invalid" connection-state=invalid disabled=yes log=yes log-prefix=invalid
add action=accept chain=forward comment=Calibre dst-address-list=Winserver dst-port=7000 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=Murmur dst-address-list=DB1 dst-port=64738 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=Murmur dst-address-list=DB1 dst-port=64738 in-interface-list=WAN protocol=udp
add action=accept chain=forward comment=Matrix dst-address-list=wwwubuntu dst-port=8008,8448 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=Matrix dst-address-list=wwwubuntu dst-port=80,443 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="Manage Engine" dst-address-list=Winserver dst-port=8022,8027,8031,8047-8048,8383,8553 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=Plex dst-address-list=Plex dst-port=32400 protocol=tcp
add action=accept chain=forward comment=Plex dst-address-list=Plex dst-port=32400 protocol=udp
add action=accept chain=forward comment="Mail HTTP" dst-address-list=Zimbra dst-port=80,443,587 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="Mail IMAP" dst-address-list=Zimbra dst-port=143,993 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="Mail SMTP" dst-address-list=Relay dst-port=25,465 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=TURN dst-address-list=wwwubuntu_turn in-interface-list=WAN
add action=accept chain=forward dst-address-list=Gitlab dst-port=22,80,443 in-interface-list=WAN protocol=tcp
add action=accept chain=forward dst-address-list="Balancer 2" dst-port=3323 in-interface-list=WAN protocol=tcp
add action=accept chain=forward dst-address=2a0a:6040:4800:10::240/128 in-interface-list=WAN protocol=icmpv6
add action=accept chain=forward dst-address=2a0a:6040:4800:10::240/128 dst-port=8006 protocol=tcp
add action=accept chain=forward dst-address=2a0a:6040:4800:31::100/128
add action=accept chain=forward comment="Active Directory" dst-address-list="AD Server" dst-port=53,88,123,135,389,445,464,636,3268,3269 in-interface-list=DMZ protocol=tcp
add action=accept chain=forward comment="Active Directory" dst-address-list="AD Server" dst-port=53,88,123,135,389,445,464,636,3268,3269 in-interface-list=DMZ protocol=udp
add action=accept chain=forward dst-address-list=Winserver dst-port=139,445 in-interface-list=DMZ protocol=tcp
add action=accept chain=forward dst-address-list="AD Server" dst-port=53 in-interface-list=IoT protocol=udp
add action=accept chain=forward dst-address-list=Plex in-interface-list=IoT out-interface-list=DMZ
add action=drop chain=forward comment="Default deny" disabled=yes in-interface-list=!WAN out-interface-list=IoT
add action=drop chain=forward comment="Default deny" disabled=yes in-interface-list=!WAN out-interface-list=DMZ
add action=drop chain=forward comment="Default deny" disabled=yes in-interface-list=WAN
E.g. as soon as I enable the last rule which should drop any non-allowed traffic from the internet I only block myself from getting to the internet.

Anyone got an idead what I am doing wrong?
Top
 
pe1chl
Forum Guru
Forum Guru
Posts: 10514
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPv6 firewall rules

Thu Feb 09, 2023 8:40 pm

Why not use the RouterOS supplied default firewall rules?
Top
 
An5teifo
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: IPv6 firewall rules

Thu Feb 09, 2023 10:08 pm

Because I have several VLANs where I would like to only allow specific hosts/ports.

Mikrotiks default firewall rules are more into WAN/LAN but not for LAN#1 LAN#2 and so on
Top
 
ConradPino
Member
Member
Posts: 337
Joined: Sat Jan 21, 2023 12:44 pm
Contact:
Contact ConradPino

Re: IPv6 firewall rules  [SOLVED]

Fri Feb 10, 2023 8:37 am

I read firewall rules and suggest starting with small rule set which works and then build incrementally. Some points to consider:
  • VLAN partitions networks affecting IPv4 AND IPv6
  • IPv6 should follow IPv4 subnet design and routing plan
  • IPv6 replaced IPv4 ARP with ICMPv6 Neighbor Discovery
  • IPv4 ICMP tolerates firewall block without breaking connections
  • ICMPv6 is very different and only experts should attempt blocking
  • Multiple forward established,related rules hurt performance needlessly
  • Manage connections at initial establishment and allow flow unimpeded.

This rule set treats leaves LAN and WLAN unrestricted; DMZ and IoT can use WAN; ICMPv6 ND and ping are unrestricted:
Code: Select all
add action=accept chain=wanin6 dst-address-list=Winserver dst-port=7000 protocol=tcp
add action=accept chain=wanin6 dst-address-list=Zimbra dst-port=80,143,443,587,993 protocol=tcp
add action=accept chain=wanin6 dst-address-list=Relay dst-port=25,465 protocol=tcp

add action=accept chain=forward connection-state=established,related
add action=accept chain=forward protocol=icmpv6
add action=accept chain=forward in-interface-list=LAN
add action=accept chain=forward in-interface-list=WLAN
add action=accept chain=forward in-interface-list=DMZ out-interface-list=WAN
add action=accept chain=forward in-interface-list=IoT out-interface-list=WAN
add action=jump chain=forward in-interface-list=WAN jump-target=wanin6
add action=reject chain=forward
Top
 
An5teifo
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: IPv6 firewall rules

Fri Feb 10, 2023 12:58 pm

Thanks @ConradPino I will start my journey with your suggestions!
Top
 
An5teifo
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: IPv6 firewall rules

Fri Feb 10, 2023 1:18 pm

Just a further question: Wouldn't it be better to drop any non allowed traffic instead of rejecting it?
Top
 
pe1chl
Forum Guru
Forum Guru
Posts: 10514
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPv6 firewall rules

Fri Feb 10, 2023 2:23 pm

Your firewall and its behavior is entirely your own design and responsibility.
I suggested the use of the default firewall because that usually is good enough, but when you have different requirements you can implement them in your own set of rules according to your own requirements.
The difference between reject and drop is often a matter of taste, and reject usually only serves a purpose when there is an admin that would recognize a reject and act upon it.
(most "modern systems" ignore all rejects and treat them the same as drops, i.e. they use the same timeouts and vague error messages)
Top
 
An5teifo
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: IPv6 firewall rules

Fri Feb 10, 2023 2:58 pm

Thanks for clarification.
I think I managed it for IPv6 now thanks to you!

May I additional just ask: Does it make sense to also create a dedicated jump-rule for IPv4 addresses?
Top
 
pe1chl
Forum Guru
Forum Guru
Posts: 10514
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPv6 firewall rules

Fri Feb 10, 2023 3:50 pm

In the routers where I have complex firewalls I always make use of separate chains and jump rules for special purposes.
It makes the firewall easier to understand and also more efficient in operation.
Top
 
An5teifo
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: IPv6 firewall rules

Fri Feb 10, 2023 3:51 pm

Thanks for clarification!
As I used an OPNsense firewall before I am still learning what is best practice on Mikrotik
Top
 
ConradPino
Member
Member
Posts: 337
Joined: Sat Jan 21, 2023 12:44 pm
Contact:
Contact ConradPino

Re: IPv6 firewall rules

Fri Feb 10, 2023 7:30 pm

Just a further question: Wouldn't it be better to drop any non allowed traffic instead of rejecting it?
I start with "reject" to accelerate ping tests as waiting for timeouts to perform next test is tedious. @pe1chl, I agree drop or reject is into the personal taste or working style domains.

The jump to wanin6 chain tested in-interface-list=WAN just once as repeating within wanin6 chain is redundant, a performance issue. Look for repeated tests within rules as those are candidates for separate chains.

In perfect world, wanin6 chain jump rule would also test protocol=tcp but the dst-port, src-port, port tests require protocol in same rule.
Top
 
An5teifo
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: IPv6 firewall rules

Fri Feb 10, 2023 10:46 pm

Thank you both.
I completly reworked firewall rules on all of my Mikrotik routers with dedicated chains (which makes more sense if you know this nice feature).

So far everything works well and I haven't seen any issues.
Top
Post Reply

Who is online

Users browsing this forum: abbio90, ahteran, brakkenjan, jaclaz and 80 guests
  4. RouterOS
  5. General