Monday, June 26, 2017

Enabling IPv6 for Internode ISP on a Mikrotik router

A little background

There's been plenty of posts on this topic but having struggled through a couple of them myself, I figured I'd put up my own results.

Enabling IPv6 support on a Mikrotik router when using the Australian ISP "Internode" requires a couple of settings and is best performed in sequence.  You can of course do all of this via the GUI or via the CLI.  In our case I'm showing you the code for the CLI


Getting an IPv6 prefix from Internode


/ipv6 dhcp-client
add add-default-route=yes interface=Internode-PPPoE pool-name=internode pool-prefix-length=56 request=prefix use-peer-dns=no

The above code will get your prefix allocated to you from Internode.  It adds the prefix into a "pool" and allows for other interfaces on the router to add addresses using the prefix in the pool.  The DHCP client is running on the virtual PPPoE interface - in this case called "Internode-PPPoE" but yours will naturally be different.

Note I am also not using the DNS settings from Internode.  This is because I use the Cisco Umbrella (OpenDNS) servers for all name resolution and don't want the DNS servers provided by Internode in their DHCP response to be used by my router.

Allocate an address from the prefix to your inside interface of the router


/ipv6 address
add from-pool=internode interface=LAN

The above code will dynamically allocate an address from the available pool to the named interface.  In my case my internal interface is called "LAN".  It's a VLAN interface in my case but yours might just as easily be "ether01-master-local" or something.

Advertise the router to your internal network

/ipv6 nd
set [ find default=yes ] interface=LAN

The above code advertises the router to your internal network via the internal interface of your router (in my case the VLAN interface named "LAN").   

Note that advertising of the prefix (basically telling your internal network what IPv6 address to use for the first 64 bits of the address) happens dynamically and we don't need to set this value.

Define your Firewall rules

With IPv4, most people don't realise that they are (somewhat) relying on the Network Address Translation (NAT) of their router to secure their computers against certain types of attacks.

As IPv6 does not use Network Address Translation (NAT), you cannot rely on this modicum of security that NAT provides, and must create Firewall rules to match this small amount of security which the IPv4 NAT solution provides.  Our firewall rules need to:
  • Only permit connections made from our internal network to the Internet
  • Block connections made from the Internet to our internal network
  • Permit DHCPv6 packets from Internode
  • In the MikroTik router, the IPv6 firewall is separate to the IPv4 firewall, so you must add the firewall rules to this dedicated IPv6 firewall.

/ipv6 firewall filter
add action=accept chain=input comment="Permit DHCPv6 connections to router external interface" dst-port=546 in-interface=Internode-PPPoE \
    protocol=udp
add action=accept chain=forward comment="Permit all outbound IPv6 from LAN" in-interface=LAN out-interface=Internode-PPPoE
add action=accept chain=forward comment="Permit and forward established sessions when inbound" connection-state=established,related \
    in-interface=Internode-PPPoE
add action=drop chain=forward comment="Drop all attempts to route to inside when not part of established session" in-interface=Internode-PPPoE
add action=drop chain=input comment="Drop all other connections to outside interface of router " connection-state="" in-interface=\
    Internode-PPPoE

 The code above adds the firewall rules and applies them to the interfaces of the router.  Note again that my interfaces are named "LAN" and "Internode-PPPoE".  Yours will of course be different.




No comments:

Post a Comment