Basic IPV6 Mikrotik Firewall

Below is a basic IPV6 firewall filter for your Mikrotik CPE devices.  This is a good start for customer-facing CPE.

/ipv6 firewall filter

add chain=forward comment="allow forwarding established, related" connection-state=established,related
add chain=forward comment="allow forward lan->wan" in-interface=lan out-interface=wan
add chain=forward comment="allow ICMPv6 forwarding" in-interface=wan protocol=icmpv6
add action=reject chain=forward comment="reject every other forwarding request" reject-with=icmp-port-unreachable
add chain=input comment="accept established, related" connection-state=established,related
add chain=input comment="allow ICMPv6" in-interface=wan protocol=icmpv6
add chain=input comment="allow DHCPv6 renew" dst-address=fc00::/6 dst-port=546 in-interface=wan protocol=udp src-address=fc00::/6
add chain=input comment="allow lan" in-interface=lan
add action=reject chain=input comment="reject everything else" reject-with=icmp-port-unreachable

---
MTIN Family of Sites
https://indycolo.net
https://j2sw.com
https://startawisp.info
Become a Patron!

IPV6 Firewall rules for Mikrotik

Some basic IPV6 Firewall Rules for Mikrotik. Replace in-interface="" with your appropriate interface.

/ipv6 firewall filter
add chain=input protocol=icmpv6
add chain=input connection-state=established,related
add chain=input dst-port=546 in-interface=ether1-wan protocol=udp src-port=547
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new in-interface=ether1-wan
add chain=forward protocol=icmpv6
add chain=forward connection-state=established,related
add chain=forward connection-state=new in-interface=!ether1-wan
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-state=new in-interface=ether1-wan
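The two rule sets above read similarly but behave differently when a packet reaches the end of a chain, which is easiest to see by simulating them. The following is an added example, not code from either post or from MikroTik: it parses the posts' own rule lines and walks constructed packets through the input and forward chains, assuming RouterOS semantics as stated in its docstring (first match wins, a rule without action= accepts, and a packet that matches nothing is accepted by the chain default). The interface names wan, lan, ether1-wan and ether5, the addresses and the sample packets are constructed for the demonstration.

```python
"""Offline evaluator for the two RouterOS /ipv6 firewall filter rule sets quoted above.
Added example, not code from the blog or from MikroTik. Assumed RouterOS semantics:
first matching rule decides, a rule without action= accepts, and a packet matching
no rule is accepted by the chain's default policy."""
import ipaddress
import shlex

# First post's rules; its "connection state=" (no hyphen) is spelled connection-state here, as RouterOS requires.
RULES_A_TEXT = """
/ipv6 firewall filter
add chain=forward comment="allow forwarding established, related" connection-state=established,related
add chain=forward comment="allow forward lan->wan" in-interface=lan out-interface=wan
add chain=forward comment="allow ICMPv6 forwarding" in-interface=wan protocol=icmpv6
add action=reject chain=forward comment="reject every other forwarding request" reject-with=icmp-port-unreachable
add chain=input comment="accept established, related" connection-state=established,related
add chain=input comment="allow ICMPv6" in-interface=wan protocol=icmpv6
add chain=input comment="allow DHCPv6 renew" dst-address=fc00::/6 dst-port=546 in-interface=wan protocol=udp src-address=fc00::/6
add chain=input comment="allow lan" in-interface=lan
add action=reject chain=input comment="reject everything else" reject-with=icmp-port-unreachable
"""

# Second post's rules, verbatim.
RULES_B_TEXT = """
/ipv6 firewall filter
add chain=input protocol=icmpv6
add chain=input connection-state=established,related
add chain=input dst-port=546 in-interface=ether1-wan protocol=udp src-port=547
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new in-interface=ether1-wan
add chain=forward protocol=icmpv6
add chain=forward connection-state=established,related
add chain=forward connection-state=new in-interface=!ether1-wan
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-state=new in-interface=ether1-wan
"""

SET_KEYS = {"connection-state"}                 # comma-separated list of states
ADDR_KEYS = {"src-address", "dst-address"}      # CIDR prefix match
SCALAR_KEYS = {"protocol", "in-interface", "out-interface", "src-port", "dst-port"}
META_KEYS = {"chain", "action", "comment", "reject-with"}  # not matchers

def parse_rules(text):
    """Turn 'add k=v ...' lines into dicts; a rule without action= is an accept rule."""
    rules = []
    for line in text.strip().splitlines():
        if not line.startswith("add "):
            continue                            # skip the '/ipv6 firewall filter' menu line
        rule = {"action": "accept"}
        for token in shlex.split(line[4:]):     # shlex keeps quoted comments as one token
            key, _, value = token.partition("=")
            if key not in SET_KEYS | ADDR_KEYS | SCALAR_KEYS | META_KEYS:
                raise ValueError(f"unsupported keyword {key!r}")  # never silently widen a rule
            rule[key] = value
        rules.append(rule)
    return rules

def _matches(rule, pkt):
    for key, want in rule.items():
        if key in META_KEYS:
            continue
        have = pkt.get(key)
        if have is None:                        # packet lacks the field: matcher cannot fit
            return False
        negate = want.startswith("!")           # RouterOS negation, e.g. in-interface=!ether1-wan
        want = want[1:] if negate else want
        if key in SET_KEYS:
            hit = have in want.split(",")
        elif key in ADDR_KEYS:
            hit = ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
        else:
            hit = have == want
        if hit == negate:
            return False
    return True

def evaluate(rules, chain, pkt):
    """(action, rule_index) of the first match in `chain`, or ('accept', None) off the end."""
    for i, rule in enumerate(rules):
        if rule["chain"] == chain and _matches(rule, pkt):
            return rule["action"], i
    return "accept", None

RULES_A, RULES_B = parse_rules(RULES_A_TEXT), parse_rules(RULES_B_TEXT)

def demo():
    """Walk constructed packets through both rule sets; returns {label: (action, rule_index)}."""
    new_tcp = {"protocol": "tcp", "connection-state": "new", "dst-port": "22"}
    dhcp_reply = {"protocol": "udp", "connection-state": "new", "in-interface": "wan",
                  "src-address": "fe80::1", "dst-address": "fe80::2", "src-port": "547", "dst-port": "546"}
    return {
        # Unsolicited connection to the router itself, arriving from the Internet side.
        "A input new from wan": evaluate(RULES_A, "input", {**new_tcp, "in-interface": "wan"}),
        "B input new from wan": evaluate(RULES_B, "input", {**new_tcp, "in-interface": "ether1-wan"}),
        # Same packet on a port that is neither the named wan nor lan interface.
        "A input new from ether5": evaluate(RULES_A, "input", {**new_tcp, "in-interface": "ether5"}),
        "B input new from ether5": evaluate(RULES_B, "input", {**new_tcp, "in-interface": "ether5"}),
        # DHCPv6 server reply (link-local to link-local) to the CPE's client port.
        "A input dhcpv6 reply": evaluate(RULES_A, "input", dhcp_reply),
    }
```

Calling demo() shows the difference: both sets stop a new TCP connection that arrives on the named WAN interface (the first rejects it at its last rule, the second drops it), but only the first set also stops the same packet when it arrives on an interface that is neither the WAN nor the LAN port. The second set lets that packet fall off the end of the input chain to the default accept, so with it every untrusted interface must be named in the drop rules, or a final drop rule added.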

---

Interesting Mikrotik GUI behavior

While bringing up a BGP session for a client I kept trying to add our side of a /126.  It kept reverting to the network address.  The video shows what happens when I tried to add ::12/126 to the IPV6 addresses.

After some second-guessing and then some Facebook chatting I decided to do a terminal /ipv6 address print.  Sure enough the proper IP shows up.  Must be a GUI bug.

---

Netflix, IPv6, and queuing

While trying to get my PlayStation to download the latest "No Man's Sky" download quicker, I figured I would share a little torch action.  This is showing my wife's iPad talking to Netflix while she is watching a streaming TV show. Keep in mind this is just an iPad, not some 4K TV.

Some things to note as you watch this (no sound).

1. Uncapped, the connection bursts to 50-60+ megs.
2. The slower you queue the connection, the more time it spends downloading data.  At slower queue speeds the bursts last longer.
3. If you are handing out IPv6 to customers you should be queuing them as well.

Just something quick and dirty to keep in mind.

---

ARIN announces new fee schedule

https://www.arin.net/fees/2016_fee_schedule.html

Service Categories and Fees

Service Category   Fee        IPv4 Block Size                             IPv6 Block Size
3X-Small *         $250       /24 or smaller                              /40 or smaller
2X-Small           $500       Larger than /24, up to and including /22    Larger than /40, up to and including /36
X-Small            $1,000     Larger than /22, up to and including /20    Larger than /36, up to and including /32
Small              $2,000     Larger than /20, up to and including /18    Larger than /32, up to and including /28
Medium             $4,000     Larger than /18, up to and including /16    Larger than /28, up to and including /24
Large              $8,000     Larger than /16, up to and including /14    Larger than /24, up to and including /20
X-Large            $16,000    Larger than /14, up to and including /12    Larger than /20, up to and including /16
2X-Large           $32,000    Larger than /12, up to and including /10    Larger than /16, up to and including /12
3X-Large           $64,000    Larger than /10, up to and including /8     Larger than /12, up to and including /8
4X-Large           $128,000   Larger than /8, up to and including /6      Larger than /8, up to and including /4
5X-Large           $256,000   Larger than /6                              Larger than /4

---

Mac GeekLet for Network Info

As a network person running a Mac, I find it handy to know what IP my various connections have, in addition to some other info.  To do this I use a program called GeekTool. Once you have GeekTool up and running you can add the following code to a new Geeklet.

#!/bin/bash
# Wi-Fi SSID and channel from the system profiler
varSSID1=`system_profiler SPAirPortDataType | grep -A 2 -e "Current Network Information:" | tr '\n' ' ' | tr ':' ' ' | awk '{print $4}'`
varCHAN1=`system_profiler SPAirPortDataType | grep -e "Channel: " | awk '{print $2}'`
# Public IPv4 and IPv6 addresses as seen from outside (5 second timeout so the geeklet never hangs)
varEXTERNAL1=`curl --connect-timeout 5 -s http://checkip.dyndns.org/ | grep "Current IP Address" | awk '{print $6}' | cut -f 1 -d "<"`
varEXTERNALv6=`curl --connect-timeout 5 -s http://checkipv6.dyndns.org/ | grep "Current IP Address" | awk '{print $6}' | cut -f 1 -d "<"`
# Local addresses: en0 wired, en1 wireless, jnc0 SSL VPN
varWIRED1=`ifconfig en0 | grep "inet " | grep -v 127.0.0.1 | awk '{print $2}'`
varWIREDv6=`ifconfig en0 | grep "inet6 " | grep -v 127.0.0.1 | awk '{print $2}'`
varWIRELESS1=`ifconfig en1 | grep "inet " | grep -v 127.0.0.1 | awk '{print $2}'`
varWIRELESSv6=`ifconfig en1 | grep "inet6 " | grep -v 127.0.0.1 | awk '{print $2}'`
varSSL1=`ifconfig jnc0 | grep "inet " | grep -v 127.0.0.1 | awk '{print $2}'`

if [ "$varEXTERNAL1" != "" ]
then
echo "External : $varEXTERNAL1"
else
echo "External : INACTIVE"
fi

if [ "$varEXTERNALv6" != "" ]
then
echo "ExternalV6 : $varEXTERNALv6"
else
echo "ExternalV6 : INACTIVE"
fi

if [ "$varWIRED1" != "" ]
then
echo "Wired : $varWIRED1"
else
echo "Wired : INACTIVE"
fi

if [ "$varWIREDv6" != "" ]
then
echo "WiredV6 : $varWIREDv6"
else
echo "WiredV6 : INACTIVE"
fi

if [ "$varWIRELESS1" != "" ]
then
echo "AirPort : $varWIRELESS1 SSID: $varSSID1"
else
echo "AirPort : INACTIVE"
fi

if [ "$varWIRELESSv6" != "" ]
then
echo "AirPortV6 : $varWIRELESSv6"
else
echo "AirPortV6 : INACTIVE"
fi

(screenshot: GeekTool geeklet output)

As you can see in the above screenshot, it displays IP addresses (both IPv4 and IPv6), external IP, and the wireless SSID.

---

IPv6 Security tidbits

/127s for point-to-point links (RFC 6164) instead of /64s

New security problems with IPV6
-Extension header chains
-Packet/Header fragmentation
-Predictable fragment headers
-Atomic Fragments (RFC 6946)

Most of these types of attacks are very complicated.

Avoid EUI-64
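Why avoid EUI-64: RFC 4291 builds the 64-bit interface identifier from the interface's MAC address by inserting ff:fe in the middle and flipping the universal/local bit, so the address itself reveals the MAC (and with it the hardware vendor) and stays the same on every network the host visits. The following is an added example, not code from the post: an audit function that recognises EUI-64 derived addresses in a list and recovers the embedded MAC, so a defender can find hosts that should be moved to stable privacy or random identifiers. All addresses in it are constructed (documentation prefix 2001:db8::/32).

```python
"""Added example (not from the post): spot EUI-64 derived IPv6 addresses.
Per RFC 4291 the interface ID is MAC[0:3] + ff:fe + MAC[3:6] with bit 0x02 of the
first byte inverted, so the MAC can be read straight back out of the address."""
import ipaddress

def eui64_mac(addr):
    """Return the MAC (aa:bb:cc:dd:ee:ff) embedded in an EUI-64 interface ID,
    or None if the low 64 bits do not carry the ff:fe marker."""
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02                                 # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Map each address to its embedded MAC, or None when the ID is not EUI-64 based."""
    return {a: eui64_mac(a) for a in addresses}

# Constructed sample: one EUI-64 address, one privacy-style random ID, one manual ::1.
SAMPLE = [
    "2001:db8::221:2fff:feb5:6e10",   # EUI-64 from MAC 00:21:2f:b5:6e:10 (constructed)
    "2001:db8::a1b2:c3d4:e5f6:789",   # random interface ID, nothing to recover
    "2001:db8::1",                    # manually assigned router address
]

if __name__ == "__main__":
    for addr, mac in audit(SAMPLE).items():
        print(f"{addr:32s} {'EUI-64, MAC ' + mac if mac else 'not EUI-64'}")
```

Running the block flags only the first sample address, printing the MAC it exposes; the same check can be run over a neighbour table or DHCPv6-PD client list to find hosts still using EUI-64.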
