IPv6 Default Firewall for RouterOS v6 and v7
Address List — Bad IPv6 Addresses
Blocks reserved and problematic IPv6 ranges:
| Range | Description |
|---|---|
| ::/128 | Unspecified |
| ::1 | Loopback |
| fec0::/10 | Site-local |
| ::ffff:0:0/96 | IPv4-mapped |
| ::/96 | IPv4-compatible |
| 100::/64 | Discard-only prefix |
| 2001:db8::/32 | Documentation |
| 2001:10::/28 | ORCHID |
| 3ffe::/16 | 6bone |
Input Chain Rules
Accepts:
- Established and related connections
- ICMPv6 traffic
- UDP traceroute (ports 33434-33534)
- DHCPv6 prefix delegation
- IKE and IPsec protocols
Any other traffic that does not come from the LAN is dropped.
Forward Chain Rules
- Drops packets with bad source/destination IPv6 addresses
- Enforces IPsec policies
- Permits ICMPv6 and established connections
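The address list and the two chains summarized above, written out as RouterOS commands. This is an added example, not an export from a router and not MikroTik's own script; the address-list name `bad_ipv6` and the interface list `LAN` are assumed names, and the closing drop in the forward chain is an assumption the summary does not list.

```routeros
# Added illustration. Assumed names: address list "bad_ipv6", interface list "LAN".
/ipv6 firewall address-list
add list=bad_ipv6 address=::/128
add list=bad_ipv6 address=::1/128
add list=bad_ipv6 address=fec0::/10
add list=bad_ipv6 address=::ffff:0:0/96
add list=bad_ipv6 address=::/96
add list=bad_ipv6 address=100::/64
add list=bad_ipv6 address=2001:db8::/32
add list=bad_ipv6 address=2001:10::/28
add list=bad_ipv6 address=3ffe::/16

/ipv6 firewall filter
# input chain: traffic addressed to the router itself
add chain=input action=accept connection-state=established,related
add chain=input action=accept protocol=icmpv6
add chain=input action=accept protocol=udp dst-port=33434-33534
# DHCPv6 prefix delegation: replies reach the client port (546) from the
# upstream router's link-local address
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10
# IKE (UDP 500, and 4500 for NAT traversal), then the IPsec protocols
add chain=input action=accept protocol=udp dst-port=500,4500
add chain=input action=accept protocol=ipsec-ah
add chain=input action=accept protocol=ipsec-esp
add chain=input action=accept ipsec-policy=in,ipsec
# anything not accepted above is dropped unless it arrived on a LAN interface
add chain=input action=drop in-interface-list=!LAN

# forward chain: traffic routed through the router
add chain=forward action=drop src-address-list=bad_ipv6
add chain=forward action=drop dst-address-list=bad_ipv6
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept protocol=icmpv6
add chain=forward action=accept ipsec-policy=in,ipsec
# assumption: the same non-LAN drop as the input chain closes this chain,
# otherwise the accept rules above would have no effect
add chain=forward action=drop in-interface-list=!LAN
```

Rule order matters: each chain is evaluated top to bottom, so the drop on `in-interface-list=!LAN` has to stay last or it will discard the ICMPv6 and DHCPv6 traffic that IPv6 needs from the WAN side.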
Purpose
This configuration provides sensible defaults to secure IPv6 traffic on RouterOS installations, filtering malicious and reserved address ranges while maintaining necessary protocol functionality.