
IPv6 WAN to LAN block rule stops traffic.

Posted: Fri Aug 16, 2024 3:55 pm
by BobbyMcgee
Hello.

Have a Mikrotik router with working IPv6.

If I create a rule that blocks traffic from WAN to LAN, the router is not working with IPv6.

From WAN to LAN

Thought that the router should only care about where the traffic is initialised from?
add action=drop chain=forward comment="IPv6 WAN to LAN" in-interface=WAN out-interface=LAN

Re: IPv6 WAN to LAN block rule stops traffic.

Posted: Fri Aug 16, 2024 10:21 pm
by dang21000
Maybe because you kill ICMP traffic... and without ICMP, nothing works.

Re: IPv6 WAN to LAN block rule stops traffic.

Posted: Sat Aug 17, 2024 10:14 am
by BobbyMcgee
This is NOT working
add action=drop chain=forward comment="IPv6 WAN to LAN" in-interface=WAN out-interface=LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked

This is working
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="IPv6 WAN to LAN" in-interface=WAN out-interface=LAN

Re: IPv6 WAN to LAN block rule stops traffic.  [SOLVED]

Posted: Sat Aug 17, 2024 1:02 pm
by tdw
Rules are evaluated in strict order: if you drop any packets arriving from an interface in the WAN list destined for an interface in the LAN list before other rules, then bidirectional communication will always fail.

With the not-working example, replies to connections initiated from LAN devices will also be dropped by the first rule, in addition to attempted connections initiated from WAN devices.

With the working example, replies to connections initiated from LAN devices are permitted, as the initial outbound packet from the LAN device creates a connection table entry, so the reply matches established. Only then will packets which have not been matched by the first rule be processed by the second rule.
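The ordering effect tdw describes can be reproduced with a small simulator. The following is an added example written for this thread, not RouterOS code and not anything posted by the participants: it models only the three matchers the two rule sets use (in-interface, out-interface, connection-state), a connection-tracking table keyed by the endpoint pair, and RouterOS's behaviour of letting the built-in forward chain fall through to accept when no rule matches. The addresses and interface names are constructed sample values; the Rule, Packet and ForwardChain names are the example's own.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    """One forwarded packet: endpoints plus the interfaces it enters and leaves on."""
    src: str
    dst: str
    in_iface: str
    out_iface: str


@dataclass(frozen=True)
class Rule:
    """A forward-chain rule; a None matcher means 'do not match on this field'."""
    action: str                                        # "accept" or "drop"
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    connection_state: Optional[FrozenSet[str]] = None  # e.g. {"established", "related"}
    comment: str = ""


class ForwardChain:
    """Evaluates rules top to bottom with a minimal connection-tracking table."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        # Tracked flows are keyed by the unordered endpoint pair, so a reply in the
        # opposite direction looks up the same entry the outbound packet created.
        self.conntrack: Set[FrozenSet[str]] = set()

    def _state(self, pkt: Packet) -> str:
        key = frozenset((pkt.src, pkt.dst))
        return "established" if key in self.conntrack else "new"

    def evaluate(self, pkt: Packet) -> str:
        """Return the verdict ("accept"/"drop") of the first matching rule."""
        state = self._state(pkt)
        verdict = "accept"  # built-in chains fall through to accept if nothing matches
        for rule in self.rules:
            if rule.in_iface is not None and rule.in_iface != pkt.in_iface:
                continue
            if rule.out_iface is not None and rule.out_iface != pkt.out_iface:
                continue
            if rule.connection_state is not None and state not in rule.connection_state:
                continue
            verdict = rule.action
            break  # the first matching terminating rule decides
        if verdict == "accept":
            # An accepted packet creates (or refreshes) the connection entry
            # that lets its reply match "established" later.
            self.conntrack.add(frozenset((pkt.src, pkt.dst)))
        return verdict


ESTABLISHED = frozenset({"established", "related", "untracked"})

# The two orderings from the thread, expressed as Rule objects.
NOT_WORKING = [
    Rule("drop", in_iface="WAN", out_iface="LAN", comment="IPv6 WAN to LAN"),
    Rule("accept", connection_state=ESTABLISHED,
         comment="defconf: accept established,related,untracked"),
]
WORKING = [
    Rule("accept", connection_state=ESTABLISHED,
         comment="defconf: accept established,related,untracked"),
    Rule("drop", in_iface="WAN", out_iface="LAN", comment="IPv6 WAN to LAN"),
]

# Constructed sample addresses from the IPv6 documentation prefix.
LAN_HOST = "2001:db8:1::10"
LAN_OTHER = "2001:db8:1::20"
WAN_HOST = "2001:db8:ffff::1"


def run_scenario(rules: List[Rule]) -> dict:
    """Send an outbound packet, its reply, and an unsolicited inbound packet."""
    chain = ForwardChain(rules)
    outbound = Packet(LAN_HOST, WAN_HOST, "LAN", "WAN")
    reply = Packet(WAN_HOST, LAN_HOST, "WAN", "LAN")
    unsolicited = Packet(WAN_HOST, LAN_OTHER, "WAN", "LAN")
    return {
        "lan_to_wan": chain.evaluate(outbound),
        "wan_reply": chain.evaluate(reply),
        "wan_unsolicited": chain.evaluate(unsolicited),
    }


if __name__ == "__main__":
    for name, rules in (("not working", NOT_WORKING), ("working", WORKING)):
        print(name, run_scenario(rules))
```

With the drop rule first, the reply to the LAN-initiated connection is dropped before the established/related rule is ever consulted; with the accept rule first, the reply is accepted and only the unsolicited WAN-to-LAN packet reaches the drop rule. Real RouterOS conntrack keys on the full 5-tuple and also has the "related" and "untracked" states, which this model collapses into a single endpoint-pair entry.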