MikroTik RouterOS IPv6 Firewall: Securing the Next Generation Internet

MikroTik RouterOS IPv6 Firewall: Securing the Next Generation Internet

RouterOS Version: 7.x+ (built-in), 6.x (requires ipv6 package) Difficulty: Intermediate Estimated Time: 45 minutes

Overview

IPv6 changes the security model fundamentally. Unlike IPv4 where NAT provides implicit protection by hiding clients behind a single public IP, IPv6 clients receive globally routable addresses and are directly reachable from the internet. This makes proper firewall configuration mandatory, not optional.

The IPv6 firewall in RouterOS provides packet filtering through /ipv6 firewall filter, packet marking through /ipv6 firewall mangle, early-drop processing through /ipv6 firewall raw, and dynamic address management through /ipv6 firewall address-list.

This guide covers the essential differences from IPv4 filtering, the critical role of ICMPv6, and practical configurations to protect both your router and LAN clients.

Why IPv6 Firewall Is Different

The shift from IPv4 to IPv6 requires rethinking security. Here are the critical differences:

Aspect	IPv4	IPv6
Client visibility	Hidden behind NAT	Globally routable, directly reachable
ICMP	Often blocked without consequence	Essential - blocking breaks IPv6
Fast-track	Supported	Not supported
Default protection	NAT provides implicit barrier	None - firewall is your only defense
Link-local	Not applicable	Must permit fe80::/10 for operation
Multicast	Limited use	Essential for Neighbor Discovery

Key insight: With IPv4, you could forget to configure a firewall and NAT would still provide a barrier. With IPv6, forgetting the firewall means every device is exposed to the internet.

Understanding the IPv6 Packet Flow

IPv6 traffic flows through the same three chains as IPv4, but with critical differences in what must be permitted:

Internet ──→ [WAN] ──→ [INPUT Chain] ──→ Router Services
                  └──→ [FORWARD Chain] ──→ [LAN] ──→ LAN Clients
Router Services ──→ [OUTPUT Chain] ──→ Internet

The INPUT Chain

Protects the router itself. For IPv6, you must permit:

• ICMPv6 (essential for operation)
• DHCPv6 client responses (port 546) for prefix delegation
• Established/related connections

The FORWARD Chain

Protects LAN clients. This is critical because IPv6 clients are directly addressable. Without forward chain protection, anyone on the internet can attempt connections to your internal hosts.

The OUTPUT Chain

Controls router-originated traffic. Less commonly configured for IPv6 but useful for restricting what the router itself can access.

ICMPv6: The Protocol You Cannot Block

ICMPv6 is fundamentally different from ICMP in IPv4. Blocking ICMPv6 will break:

• Neighbor Discovery - How IPv6 finds MAC addresses (equivalent to ARP)
• Router Discovery - How hosts find their default gateway
• Path MTU Discovery - How endpoints determine optimal packet sizes
• Address autoconfiguration (SLAAC) - How devices get IPv6 addresses

Essential ICMPv6 Types (RFC 4890)

Type	Name	Required
1	Destination Unreachable	Yes
2	Packet Too Big	Yes (breaks connectivity if blocked)
3	Time Exceeded	Yes
4	Parameter Problem	Yes
128	Echo Request	Optional (but useful for diagnostics)
129	Echo Reply	Optional
133	Router Solicitation	Yes (LAN side)
134	Router Advertisement	Yes (LAN side)
135	Neighbor Solicitation	Yes
136	Neighbor Advertisement	Yes

Critical warning: If you block ICMPv6 type 2 (Packet Too Big), large file transfers and certain websites will fail with timeout errors, not obvious blocking messages.

Configuration Steps

Step 1: Create Interface Lists

First, organize your interfaces into lists for cleaner rules:

/interface list add name=WAN
/interface list add name=LAN
/interface list member add interface=ether1 list=WAN
/interface list member add interface=bridge list=LAN

Step 2: Define Bogon Address Lists (RFC 6890)

Create address lists for addresses that should never appear from the internet:

/ipv6 firewall address-list
# Addresses that are never valid as source or destination
add list=bad_ipv6 address=::1/128 comment="Loopback"
add list=bad_ipv6 address=::ffff:0:0/96 comment="IPv4-mapped"
add list=bad_ipv6 address=2001::/23 comment="IETF Protocol"
add list=bad_ipv6 address=2001:db8::/32 comment="Documentation"
add list=bad_ipv6 address=2001:10::/28 comment="ORCHID"
add list=bad_ipv6 address=::/96 comment="IPv4-compatible deprecated"

# Bad as source only
add list=bad_src_ipv6 address=ff00::/8 comment="Multicast"

# Not globally routable (should not arrive from WAN)
add list=not_global_ipv6 address=100::/64 comment="Discard-only"
add list=not_global_ipv6 address=2001::/32 comment="TEREDO"
add list=not_global_ipv6 address=2001:2::/48 comment="Benchmarking"
add list=not_global_ipv6 address=fc00::/7 comment="Unique-local"
add list=not_global_ipv6 address=fe80::/10 comment="Link-local"

Step 3: Configure RAW Firewall for Early Drops

RAW rules process packets before connection tracking, reducing CPU load for obvious bad traffic:

/ipv6 firewall raw
# Drop bogon addresses before connection tracking
add chain=prerouting action=drop src-address-list=bad_ipv6 comment="Drop bad source addresses"
add chain=prerouting action=drop dst-address-list=bad_ipv6 comment="Drop bad destination addresses"
add chain=prerouting action=drop src-address-list=bad_src_ipv6 comment="Drop invalid source addresses"

# Drop non-global addresses from WAN
add chain=prerouting action=drop in-interface-list=WAN src-address-list=not_global_ipv6 comment="Drop spoofed addresses from WAN"

# Accept link-local multicast (essential for ND)
add chain=prerouting action=accept dst-address=ff02::/16 comment="Accept link-local multicast"

# Drop other multicast from WAN
add chain=prerouting action=drop in-interface-list=WAN dst-address=ff00::/8 comment="Drop WAN multicast"

Step 4: Configure INPUT Chain (Router Protection)

Protect the router itself:

/ipv6 firewall filter
# Accept established and related connections
add chain=input action=accept connection-state=established,related comment="Accept established/related"

# Drop invalid connections
add chain=input action=drop connection-state=invalid comment="Drop invalid"

# Accept ICMPv6
add chain=input action=accept protocol=icmpv6 comment="Accept ICMPv6"

# Accept DHCPv6 client replies (for prefix delegation)
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="Accept DHCPv6-Client"

# Accept UDP traceroute
add chain=input action=accept protocol=udp dst-port=33434-33534 comment="Accept traceroute"

# Drop all other traffic from WAN
add chain=input action=drop in-interface-list=WAN comment="Drop all from WAN"

Step 5: Configure FORWARD Chain (LAN Client Protection)

This is the critical chain - it prevents unsolicited connections to your LAN clients:

/ipv6 firewall filter
# Accept established and related connections
add chain=forward action=accept connection-state=established,related comment="Accept established/related"

# Drop invalid packets with logging
add chain=forward action=drop connection-state=invalid log=yes log-prefix="ipv6-invalid: " comment="Drop invalid"

# Accept ICMPv6
add chain=forward action=accept protocol=icmpv6 comment="Accept ICMPv6"

# Accept traffic from LAN
add chain=forward action=accept in-interface-list=LAN comment="Accept from LAN"

# Drop all other traffic (this blocks unsolicited inbound)
add chain=forward action=drop comment="Drop all else"

Step 6: Add MSS Clamping for PPPoE/Tunnels

If using PPPoE or tunnels, clamp TCP MSS to prevent fragmentation issues:

/ipv6 firewall mangle
add chain=forward action=change-mss new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn passthrough=yes comment="Clamp MSS for IPv6"

Advanced Configuration: Granular ICMPv6 Filtering

For environments requiring strict ICMPv6 control per RFC 4890:

/ipv6 firewall filter
# Create ICMPv6 chain
add chain=input action=jump jump-target=icmpv6 protocol=icmpv6

# ICMPv6 chain - error messages (required)
add chain=icmpv6 action=accept icmp-options=1:0-255 comment="Destination unreachable"
add chain=icmpv6 action=accept icmp-options=2:0-255 comment="Packet too big"
add chain=icmpv6 action=accept icmp-options=3:0-1 comment="Time exceeded"
add chain=icmpv6 action=accept icmp-options=4:0-2 comment="Parameter problem"

# Echo with rate limiting
add chain=icmpv6 action=accept icmp-options=128:0 limit=5,10:packet comment="Echo request limited"
add chain=icmpv6 action=accept icmp-options=129:0 limit=5,10:packet comment="Echo reply limited"

# Neighbor Discovery (link-local only, hop-limit=255 for security)
add chain=icmpv6 action=accept icmp-options=133:0 hop-limit=equal:255 in-interface-list=LAN comment="Router solicitation"
add chain=icmpv6 action=accept icmp-options=134:0 hop-limit=equal:255 in-interface-list=LAN comment="Router advertisement"
add chain=icmpv6 action=accept icmp-options=135:0 hop-limit=equal:255 in-interface-list=LAN comment="Neighbor solicitation"
add chain=icmpv6 action=accept icmp-options=136:0 hop-limit=equal:255 in-interface-list=LAN comment="Neighbor advertisement"

# Drop all other ICMPv6
add chain=icmpv6 action=drop comment="Drop other ICMPv6"

Verification

Confirm your IPv6 firewall is working correctly:

Check 1: Verify Filter Rules Are in Place

/ipv6 firewall filter print

Expected Output:

Flags: X - disabled, I - invalid, D - dynamic
 #    CHAIN     ACTION    CONNECTION-STATE    IN-INTERFACE-LIST    COMMENT
 0    input     accept    established,related                      Accept established/related
 1    input     drop      invalid                                  Drop invalid
 2    input     accept                                             Accept ICMPv6
 3    input     accept                                             Accept DHCPv6-Client
 4    input     drop                          WAN                  Drop all from WAN
 5    forward   accept    established,related                      Accept established/related
 6    forward   drop      invalid                                  Drop invalid
 7    forward   accept                                             Accept ICMPv6
 8    forward   accept                        LAN                  Accept from LAN
 9    forward   drop                                               Drop all else

Check 2: Monitor Rule Hit Counters

/ipv6 firewall filter print stats

Expected Output: The established/related rules should show high packet counts. The drop rules should show some activity from blocked traffic.

Check 3: Verify ICMPv6 Rules

/ipv6 firewall filter print where protocol=icmpv6

Expected Output: Should show accept rules for ICMPv6 protocol.

Check 4: Check Address Lists

/ipv6 firewall address-list print

Expected Output: Should show bad_ipv6, bad_src_ipv6, and not_global_ipv6 lists populated with bogon addresses.

Check 5: Test External Connectivity

/tool traceroute 2001:4860:4860::8888

Expected Output: Successful traceroute to Google’s IPv6 DNS server.

Check 6: Verify Connection Tracking

/ipv6 firewall connection print

Expected Output: Should show active IPv6 connections with proper state tracking.

Troubleshooting

Problem: “IPv6 connectivity completely broken after adding firewall rules”

Cause: ICMPv6 is being blocked, breaking Neighbor Discovery.

Solution:

1. Verify ICMPv6 accept rule exists: /ipv6 firewall filter print where protocol=icmpv6
2. If missing, add: /ipv6 firewall filter add chain=forward action=accept protocol=icmpv6
3. Ensure rule is placed before any drop rules

Problem: “Large file downloads fail or websites partially load”

Cause: ICMPv6 type 2 (Packet Too Big) is blocked, breaking Path MTU Discovery.

Solution:

1. Check if ICMPv6 is broadly accepted
2. Add MSS clamping as a workaround:

/ipv6 firewall mangle add chain=forward action=change-mss new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn

Problem: “DHCPv6 prefix delegation not working”

Cause: DHCPv6 client traffic (UDP port 546) is being blocked.

Solution:

1. Check INPUT chain rules: /ipv6 firewall filter print where chain=input
2. Ensure DHCPv6 rule exists: add chain=input action=accept protocol=udp dst-port=546
3. Note: Some relays use non-link-local sources, so you may need to remove the src-address=fe80::/10 restriction

Problem: “LAN clients are reachable from the internet”

Cause: FORWARD chain is missing or has an overly permissive rule.

Solution:

1. Check forward chain: /ipv6 firewall filter print where chain=forward
2. Look for rules like chain=forward action=accept in-interface=WAN which allow all inbound
3. Ensure new connections from WAN are blocked:

/ipv6 firewall filter add chain=forward action=drop in-interface-list=WAN connection-state=new

Problem: “SLAAC not working - devices don’t get IPv6 addresses”

Cause: RAW firewall is blocking ICMPv6 from unspecified address (::/128).

Solution: Allow SLAAC Neighbor Solicitation from unspecified address:

/ipv6 firewall raw add chain=prerouting action=accept src-address=::/128 dst-address=ff02:0:0:0:0:1:ff00::/104 protocol=icmpv6 icmp-options=135 comment="SLAAC NS from unspecified"

Common Pitfalls

1. Copying IPv4 Firewall Rules Without Modification

Wrong: Assuming IPv4 patterns work identically for IPv6

# Missing ICMPv6 - will break IPv6
/ipv6 firewall filter add chain=forward action=drop

Right: Always include ICMPv6 acceptance

/ipv6 firewall filter add chain=forward action=accept protocol=icmpv6
/ipv6 firewall filter add chain=forward action=drop

2. Relying on “Security Through Address Space”

Wrong: Assuming the large IPv6 address space provides security

# No firewall - clients exposed even if addresses are hard to guess

Right: Proper firewall regardless of address space

/ipv6 firewall filter add chain=forward action=drop in-interface-list=WAN connection-state=new

3. Blocking Link-Local Multicast

Wrong: Blocking all multicast breaks Neighbor Discovery

/ipv6 firewall filter add chain=input action=drop dst-address=ff00::/8

Right: Accept link-local multicast

/ipv6 firewall filter add chain=input action=accept dst-address=ff02::/16

4. Using REJECT Instead of DROP for Default Deny

Wrong: Reject generates responses, increasing load and revealing firewall presence

/ipv6 firewall filter add chain=forward action=reject

Right: Use DROP for default deny rules

/ipv6 firewall filter add chain=forward action=drop

5. Forgetting to Update Firewall When Prefix Changes

Wrong: Static prefix in firewall rules with dynamic DHCPv6 prefix

/ipv6 firewall address-list add list=my_lan address=2001:db8:1234::/48
# This breaks when ISP assigns new prefix

Right: Use DHCPv6 client script to update address lists dynamically

/ipv6 dhcp-client set [find interface=ether1] script=":local prefix [/ipv6 dhcp-client get [find interface=ether1] prefix]; :if (\$prefix != \"\") do={ /ipv6 firewall address-list remove [find list=my_prefix]; /ipv6 firewall address-list add list=my_prefix address=\$prefix }"

Security Best Practices

1. Default Deny Policy

Always end chains with explicit drop rules:

/ipv6 firewall filter add chain=input action=drop comment="Default deny INPUT"
/ipv6 firewall filter add chain=forward action=drop comment="Default deny FORWARD"

2. Log Suspicious Activity

Monitor dropped traffic for security analysis:

/ipv6 firewall filter add chain=forward action=drop log=yes log-prefix="IPv6-DROP: "

3. Rate Limit Echo Requests

Prevent ping floods:

/ipv6 firewall filter add chain=input action=accept protocol=icmpv6 icmp-options=128:0 limit=5,10:packet

4. Use RAW for Early Drops

Drop obviously bad traffic before connection tracking:

/ipv6 firewall raw add chain=prerouting action=drop src-address-list=bad_ipv6

Performance Considerations

No Fast-Track for IPv6

Unlike IPv4, RouterOS does not support fast-track for IPv6 traffic. All IPv6 packets are processed through the CPU. On high-throughput connections, this means:

• IPv6 may have lower throughput than IPv4 fast-tracked connections
• Firewall rule optimization is more important
• Consider hardware with better CPU for high IPv6 throughput

Rule Optimization

1. Accept established first: Most traffic matches this rule
2. Drop invalid early: Prevents wasting cycles on bad packets
3. Use address lists: More efficient than multiple individual rules
4. Minimize rule count: Each rule adds processing overhead

Related Topics

Prerequisites

• IPv6 Addresses - IPv6 addressing fundamentals
• Firewall Basics - IPv4 firewall concepts

IPv6 Services to Protect

• IPv6 DHCP Server - DHCPv6 service
• IPv6 Neighbor Discovery - ND and SLAAC

Related Topics

• NAT Masquerade - IPv4 NAT (IPv6 doesn’t use NAT)
• Firewall Mangle - IPv6 mangle rules

References

• MikroTik IPv6 Firewall Filter Documentation
• Building Advanced Firewall
• RFC 4890 - Recommendations for Filtering ICMPv6
• RFC 6890 - Special-Purpose IP Address Registries