How to block IPV6 from ISP

ramirez · Fri Aug 06, 2021 6:47 pm

Although I do not have the IPV6 package installed (or to better put it I have it disabled) my cell phone when connected to the WiFi gets an IPV6 address from the ISP. Is there a way to block the phone from receiving one ? My ISP also offers me an IPV4 address and would like to use that one only . On the modem side the area where I can choose between IPV4 or IPV4/IPV6 is grayed out and both are displayed .

rextended · Fri Aug 06, 2021 6:59 pm

Are you "talking" to yourself?
Only you know the details and you talk to yourself, who wins among you?

You don't provide any useful information, such as device used, routeros version, etc.

jvanhambelgium · Fri Aug 06, 2021 7:03 pm

Nope, on Android for example only a rooted phone can be change only to use IPv4 I've read somewhere.
Otherwise, if an IPv6 is available it will gladly receive on.
Don't know for iOS but I guess the same.

On APN's you can control it better and and use IPv4 only. I used that also on my Android.

ramirez · Fri Aug 06, 2021 7:19 pm

Are you "talking" to yourself?
Only you know the details and you talk to yourself, who wins among you?

You don't provide any useful information, such as device used, routerOS version, etc.

Cell phone is a Xiaomi 9T pro , router OS is 6.48.2 on a RB751G-2HnD. What else do you need ?

On APN's you can control it better and and use IPv4 only. I used that also on my Android.

Thank you jvanhambelgium . I run a VPN between 2 locations and use location's (A) IPV4 from/for location (B) as well, but like you said as the provider in location (B) offers IPV6 and Android devices prefer the IPV6 over IPV4 .

rextended · Fri Aug 06, 2021 7:27 pm

What else do you need ?

Where the following information are written on the first post?
You thought it and you said it to yourself?

I run a VPN between 2 locations and use location's (A) IPV4 from/for location (B) as well,
but like you said as the provider in location (B) offers IPV6 and Android devices prefer the IPV6 over IPV4

If it is not the smartphone that instaurates the VPN connection, but
if it is the RouterBOARD that instaurates the VPN connection,
enable the IPv6 packet on the RouterBOARD, reboot, and on the /ipv6 firewall filter add a rule to drop all on forward chain

ramirez · Fri Aug 06, 2021 7:54 pm

You thought it and you said it to yourself?

I am sure that are better ways to phrase the above...

As I don't understand the grammar of this : "If is not the smartphone than instaurate the VPN connection, but is the RouterBOARD, "

Do you mean : "if it's not the smartphone (I assume, the problem?), then instaurate the VPN connection (disable and then enable?), and then enable on RouterBoard IPv6 packet, reboot, and on /ipv6 firewall filter add a rule to drop all on forward chain " ?

rextended · Fri Aug 06, 2021 8:03 pm

You thought it and you said it to yourself?
I am sure that are better ways to phrase the above...

No.

As I don't understand the grammar of this : "If is not the smartphone than instaurate the VPN connection, but is the RouterBOARD, "

Ah, is something missing? I probably just thought and told myself ...

What I mean is clear, "it" & "the" or not.

If it is not the smartphone that instaurates the VPN connection, but
if it is the RouterBOARD that instaurates the VPN connection,
enable the IPv6 packet on the RouterBOARD, reboot, and on the /ipv6 firewall filter add a rule to drop all on forward chain

ramirez · Sat Aug 07, 2021 10:25 am

chain=forward action=drop connection-state=established,related log=no log-prefix=""

is this above correct ?

rextended · Sat Aug 07, 2021 10:34 am

chain=forward action=drop connection-state=established,related log=no log-prefix=""

is this above correct ?

I do not see any "connection-state" (or "log-prefix") on what I wrote, did you imagine it with yourself?

/ipv6 firewall filter
add chain=forward action=drop

ramirez · Sat Aug 07, 2021 10:45 am

tried this first :

/ipv6 firewall filter
add chain=forward action=drop

and didn't see any counters (they are at 0) . From my android phone an IPV6 check still comes positive .

rextended · Sat Aug 07, 2021 10:52 am

if this other rules do not drop all IPv6 traffic on the smartphone,
the IPv6 traffic directed to the phone can't be blocked from routerboard.

Paste this on terminal

/ipv6 firewall raw
add chain=prerouting action=drop
add chain=output action=drop
/ipv6 firewall filter
remove [find]
add chain=input action=drop
add chain=forward action=drop
add chain=output action=drop

jvanhambelgium · Sat Aug 07, 2021 10:54 am

Your phone is connected to the Wifi of the ISP modem, so its received indeed (also) a IPv6 and will go out to Internet via the ISP-device right ?
This IPv6 traffic is not passing through your Routerboard I guess, it would not be possible anyway since the IPv6 package is disabled. So you will not see anything in the "connection" table on the Mikrotik.
Please make a simple schematic WHAT IS CONNECTED WHERE because your post is very confusing to say the least, especially with the "VPN" on top of this all.

rextended · Sat Aug 07, 2021 11:02 am

This IPv6 traffic is not passing through your Routerboard I guess
it would not be possible anyway since the IPv6 package is disabled.

On what basis do you write such a thing?
Disabling the IPv6 packet does not disable IPv6 traffic passing through the RouterBOARD.

the IPv6 package is disabled

Has just set and used a rule, and the package is disabled?

ramirez · Sat Aug 07, 2021 11:25 am

This rule :

/ipv6 firewall raw
add chain=prerouting action=drop

Did return counters but none of the others, so probably IPV6 like you said cannot be blocked towards the phone . I appreciate the input ! ! !

jvanhambelgium · Sat Aug 07, 2021 11:27 am

This IPv6 traffic is not passing through your Routerboard I guess
it would not be possible anyway since the IPv6 package is disabled.
On what basis do you write such a thing?
Disabling the IPv6 packet does not disable IPv6 traffic passing through the RouterBOARD.
the IPv6 package is disabled
Has just set and used a rule, and the package is disabled?

Ah did not know that. I was under the impression that if you disable your IPv6 package there would not be any IPv6 communications possible through the router.
I have a RB3011 here with the IPv6 package installed but disabled and also under IPv6/Settings unchecked "IPv6 forwarding". I think its safe to say no IPv6 should/would be allowed to "passthrough" ? Because that would be a serious security issue ?!
Apart from all the postings, all is still very confusing, especially when the phone receives an IP directly from the ISP apparently in my understanding.
A simple schematic would help.

rextended · Sat Aug 07, 2021 11:32 am

For disable IPv6 traffic, also you can paste last set of firewall rule I posted.
But if you disable IPv6 packet, how can you access to "IPv6 forwarding" settings?

rextended · Sat Aug 07, 2021 11:34 am

Did return counters but none of the others, so probably IPV6 like you said cannot be blocked towards the phone . I appreciate the input ! ! !

At this point, if IPv6 are not dropped, disable IPv6 package and reboot.

jvanhambelgium · Sat Aug 07, 2021 12:22 pm

For disable IPv6 traffic, also you can paste last set of firewall rule I posted.
But if you disable IPv6 packet, how can you access to "IPv6 forwarding" settings?

In my case I might have explained it incorrect. My RB3011 has the IPV6 package installed & enabled.

IPv6/Settings => IPv6 "forwarding" is not ticked , so I assume no IPv6 packets could get through my RB3011 (not from the outside>in, not from the inside>out)

Znevna · Sat Aug 07, 2021 12:29 pm

How about we start with a config from that device?
And a network diagram.

rextended · Sat Aug 07, 2021 12:44 pm

IPv6/Settings => IPv6 "forwarding" is not ticked , so I assume no IPv6 packets could get through my RB3011 (not from the outside>in, not from the inside>out)

The IPv6 forward simply enable or disable the automatic forwarding of packet between internal lan/ vlan, etc.
Can be used to separate internal networks without the use of firewall rules.
BUT it still permit the IPv6 traffic from WAN to the LANs

jvanhambelgium · Sat Aug 07, 2021 1:06 pm

IPv6/Settings => IPv6 "forwarding" is not ticked , so I assume no IPv6 packets could get through my RB3011 (not from the outside>in, not from the inside>out)
The IPv6 forward simply enable or disable the automatic forwarding of packet between internal lan/ vlan, etc.
Can be used to separate internal networks without the use of firewall rules.
BUT it still permit the IPv6 traffic from WAN to the LANs

Really ? I'm learning new things on RouterOS every day still

Thanks for pointing that out.
Now I have an extensive IPv6 FW-policy anyway on input and forward chains so I'm never too concerned.
(eg. I drop any IPv6 in ingress not originated from the LAN/Bridge side)

Kamaz · Sat Jul 23, 2022 4:58 pm

/ipv6 firewall filter
add chain=forward action=drop

I have a question, but not completely sure is this correct topic.
How can I disable ipv6 on MT with ROS 7.3 ? I want to block it totally (in, out, forwarding packets).

rextended · Sat Jul 23, 2022 5:00 pm

You have simply used the forum search function?

/ipv6 settings set disable-ipv6=yes

Chipburn · Sat Sep 10, 2022 2:03 am

Every advice here is missleading and gives the impression to the reader that by disabling ipv6 in mikrotik or by dropping the packets in firewall you are blocking the ipv6 = WRONG.

If there is a connected router in then network OTHER than mikrotik and this rogue router has enabled RA advertising all the capaple ipv6 devices will "get" a public ipv6 from this router and go to internet by this rogue router.

This is a terrible security threat and it has been handled by Cisco with the "ipv6 RA guard" blocking RA traffic in Layer 2 level per interface port.

In windows and linux you mostly have ipv6 disabled that why you dont face this problem but every mobile device has ipv6 enabled by default and of cource there is no easy way to closed it. Even if you could you can't inform every possible client to block ipv6 "because im running on mikrotik" and i can't secure you.

A good read: https://www.rfc-editor.org/rfc/rfc6105

jvanhambelgium · Sat Sep 10, 2022 12:42 pm

Every advice here is missleading and gives the impression to the reader that by disabling ipv6 in mikrotik or by dropping the packets in firewall you are blocking the ipv6 = WRONG.
If there is a connected router in then network OTHER than mikrotik and this rogue router has enabled RA advertising all the capaple ipv6 devices will "get" a public ipv6 from this router and go to internet by this rogue router.
This is a terrible security threat and it has been handled by Cisco with the "ipv6 RA guard" blocking RA traffic in Layer 2 level per interface port.
A good read: https://www.rfc-editor.org/rfc/rfc6105

Euh .... if you introduce ROUGE routers on your network with their own Internet connectivty offcourse there is a huge issue! Nothing to do with Mikrotik itself.
However, IF your Mikrotik is the only device with ISP-connectivity AND you disable "IPv6 forwarding" & configuration I would be very , very surprised if some public IPv6 could creep into your network.
THAT would be a big Mikrotik security issue.

pe1chl · Sat Sep 10, 2022 1:04 pm

It can always be that any device on your network sets up a IPv6-over-IPv4 tunnel and uses it to access IPv6. It can even forward IPv6 traffic for others.

jvanhambelgium · Sat Sep 10, 2022 1:29 pm

It can always be that any device on your network sets up a IPv6-over-IPv4 tunnel and uses it to access IPv6. It can even forward IPv6 traffic for others.

Sure, dozens of possibilities to still slip/sneek through since no Mikrotik has no true UTM/IDP-capabilities that could detect & block various tunneling/evasive tooling/protocols (eg. Teredo or other 6-in-4)
But I think it is important to state that IF you disable IPv6 on your Mikrotik (forwarding,package) no native IPv6 will sneek through! and no single endpoint on your network will ever be able to access (or be accessed!) using native IPv6.

pe1chl · Sat Sep 10, 2022 2:00 pm

That is only true when you run the router in a routing configuration. When it is bridging, it will happily pass IPv6 without IPv6 support installed or -enabled.

StubArea51 · Sun Sep 11, 2022 8:45 pm

my cell phone when connected to the WiFi gets an IPV6 address from the ISP. Is there a way to block the phone from receiving one ?

Why do you want to disable IPv6?

Jotne · Sun Sep 11, 2022 11:53 pm

Why do you want to disable IPv6?

A better question, what can i do with IPv6 that are so good that I need to enable it?
I have an ISP with IPv6, but does not use it. From how I do see it:
No faster internet.
More complex firewall setup.

huntermic · Mon Sep 12, 2022 3:36 am

You will be able to use ipv6 only services….

Jotne · Mon Sep 12, 2022 6:20 am

That gives me what? (as a normal user)
Faster internet?
More websites?

pe1chl · Mon Sep 12, 2022 12:23 pm

You can solve some problems that occur due to NAT.
The firewall is not more complicated, the default settings are about the same (allow established/related, allow new traffic going outside).

How to block IPV6 from ISP

How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Re: How to block IPV6 from ISP

Who is online