{"id":2755,"date":"2019-01-24T01:21:09","date_gmt":"2019-01-24T01:21:09","guid":{"rendered":"http:\/\/www.mtin.net\/blog\/?p=2755"},"modified":"2019-01-24T01:21:09","modified_gmt":"2019-01-24T01:21:09","slug":"basic-ipv6-mikrotik-firewall","status":"publish","type":"post","link":"http:\/\/www.mtin.net\/blog\/basic-ipv6-mikrotik-firewall\/","title":{"rendered":"Basic IPV6 Mikrotik Firewall"},"content":{"rendered":"<p>Below is a basic IPV6 firewall filter for your Mikrotik CPE devices.\u00a0 This is a good start for customer-facing CPE.<\/p>\n<p>&nbsp;<\/p>\n<pre class=\"p1\"><span class=\"s1\">\n\/ipv6 firewall filter<\/span>\n\n<span class=\"s1\">add chain=forward comment=\"allow forwarding established, related\" connection-state=established,related\n<\/span><span class=\"s1\">add chain=forward comment=\"allow forward lan-&gt;wan\" in-interface=lan out-interface=wan<\/span>\n<span class=\"s1\">add chain=forward comment=\"allow ICMPv6 forwarding\" in-interface=wan protocol=icmpv6<\/span>\n<span class=\"s1\">add action=reject chain=forward comment=\"reject every other forwarding request\" reject-with=icmp-port-unreachable<\/span>\n<span class=\"s1\">add chain=input comment=\"accept established, related\" connection-state=established,related<\/span>\n<span class=\"s1\">add chain=input comment=\"allow ICMPv6\" in-interface=wan protocol=icmpv6<\/span>\n<span class=\"s1\">add chain=input comment=\"allow DHCPv6 renew\" dst-address=fc00::\/6 dst-port=546 in-interface=wan protocol=udp src-address=fc00::\/6<\/span>\n<span class=\"s1\">add chain=input comment=\"allow lan\" in-interface=lan<\/span>\n<span class=\"s1\">add action=reject chain=input comment=\"reject everything else\" reject-with=icmp-port-unreachable<\/span><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Below is a basic IPV6 firewall filter for your Mikrotik CPE devices.\u00a0 This is a good start for customer-facing CPE. 
&nbsp; \/ipv6 firewall filter add chain=forward comment=&#8221;allow forwarding established, related&#8221; connection-state=established,related add chain=forward comment=&#8221;allow forward lan-&gt;wan&#8221; in-interface=lan out-interface=wan add chain=forward comment=&#8221;allow ICMPv6 forwarding&#8221; in-interface=wan protocol=icmpv6 add action=reject chain=forward comment=&#8221;reject every other forwarding request&#8221; reject-with=icmp-port-unreachable [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2163,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[701,24,17],"tags":[457,42,25],"jetpack_publicize_connections":[],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2018\/03\/download.jpg?fit=309%2C163","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6VLMf-Ir","jetpack-related-posts":[{"id":2165,"url":"http:\/\/www.mtin.net\/blog\/ipv6-firewall-rules-for-mikrotik\/","url_meta":{"origin":2755,"position":0},"title":"IPV6 Firewall rules for Mikrotik","author":"j2sw","date":"March 23, 2018","format":false,"excerpt":"Some basic IPV6 Firewall Rules for Mikrotik. Replace in-interface=\"\" with your appropriate interface. 
\/ipv6 firewall filter add chain=input protocol=icmpv6 add chain=input connection-state=established,related add chain=input dst-port=546 in-interface=ether1-wan protocol=udp src-port=547 add action=drop chain=input connection-state=invalid add action=drop chain=input connection-state=new in-interface=ether1-wan add chain=forward protocol=icmpv6 add chain=forward connection-state=established,related add chain=forward connection-state=new in-interface=!ether1-wan add action=drop chain=forward\u2026","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":297,"url":"http:\/\/www.mtin.net\/blog\/protecting-your-mikrotik-from-dns-amplification\/","url_meta":{"origin":2755,"position":1},"title":"Protecting your Mikrotik from DNS Amplification","author":"j2sw","date":"May 8, 2015","format":false,"excerpt":"There are several reasons and benefits to using your Mikrotik as a DNS caching server. \u00a0Queries to the client are just a tad faster, which makes the overall user experience seem snappier. 
\u00a0It also allows you to quickly change upstream DNS servers in the event of an outage, attack, etc.\u2026","rel":"","context":"In \"amplification\"","block_context":{"text":"amplification","link":"http:\/\/www.mtin.net\/blog\/tag\/amplification\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1353,"url":"http:\/\/www.mtin.net\/blog\/mikrotik-router-os-6-36-2\/","url_meta":{"origin":2755,"position":2},"title":"Mikrotik Router OS 6.36.2","author":"j2sw","date":"August 26, 2016","format":false,"excerpt":"To upgrade, click \"Check for updates\" at \/system package in your RouterOS configuration interface, or head to our download page: http:\/\/www.mikrotik.com\/download v6.36.2 forum topic discussion, http:\/\/forum.mikrotik.com\/viewtopic.php?f=21&t=111450 What's new in 6.36.2 (2016-Aug-22 12:54): *) arm - show cpu frequency under resources menu; *) capsman - fixed upgrade policy; *) ccr\/crs -\u2026","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2277,"url":"http:\/\/www.mtin.net\/blog\/winbox-brute-force\/","url_meta":{"origin":2755,"position":3},"title":"Winbox brute Force","author":"j2sw","date":"June 1, 2018","format":false,"excerpt":"You really should not have your winbox port open to anything but a management network, but if you need a script to help with brute force on the Mikrotik. 
add action=drop chain=input comment=\"drop winbox brute forcers\" dst-port=8291 \\ protocol=tcp src-address-list=winbox_blacklist add action=add-src-to-address-list address-list=winbox_blacklist \\ address-list-timeout=1w3d chain=input connection-state=new dst-port=8291 \\ protocol=tcp\u2026","rel":"","context":"Similar post","block_context":{"text":"Similar post","link":""},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1379,"url":"http:\/\/www.mtin.net\/blog\/simple-shut-off-scripting\/","url_meta":{"origin":2755,"position":4},"title":"Simple shut-off scripting","author":"j2sw","date":"September 15, 2016","format":false,"excerpt":"I had a client today who is doing some manual things as they are using Quickbooks for billing and such. \u00a0One thing they kind of struggle with is turning off people for non-payment and such. \u00a0Their current method is adding a queue and throttling someone to a low-speed to make\u2026","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1333,"url":"http:\/\/www.mtin.net\/blog\/mikrotik-routeros-3-36\/","url_meta":{"origin":2755,"position":5},"title":"Mikrotik RouterOS 3.36","author":"j2sw","date":"July 22, 2016","format":false,"excerpt":"Lots of things fixed in this release. What's new in 6.36 (2016-Jul-20 14:09): *) arm - added Dude server support; *) dude - (changes discussed here: http:\/\/forum.mikrotik.com\/viewtopic.php?f=8&t=110428); *) dude - server package is now made smaller. 
client side content upgrade is now removed from it and is downloaded straight from\u2026","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/2755"}],"collection":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/comments?post=2755"}],"version-history":[{"count":2,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/2755\/revisions"}],"predecessor-version":[{"id":2757,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/2755\/revisions\/2757"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/media\/2163"}],"wp:attachment":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/media?parent=2755"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/categories?post=2755"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/tags?post=2755"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}