I am writing this post to record the configuration steps so that I can look them up later when I have forgotten them.
Thanks to sagit for the video tutorial.
Thanks to 狐狸 for providing the IPv6 firewall configuration.
Why configure NATv6?
- It makes setting up DDNS easier.
- All external IPv6 traffic passes through the RouterOS firewall first.
- It simplifies the configuration of services exposed to the outside.
Part 1. Enable IPv6 in RouterOS
Open the Winbox client and go to the IPv6 settings.
Check that Disable IPv6 is unchecked; if it is checked, uncheck it.
Check that the PPPoE client uses the default profile; if it does not, switch it to default.
Part 2. Configure IPv6 addresses, ND advertisement and the DHCPv6 server
Step 1. Create IPv6 address pools
- Create a public address pool named pub
- Create a private address pool named DHCPV6
Note: name them whatever you like; they do not have to match mine exactly.
Step 2. Obtain the public IPv6 prefix delegated by the ISP
- Open IPv6 > DHCPv6 Client
- Set Pool Name to pub, the public address pool created earlier
- Click Apply to save the changes, then close the window
Step 3. Assign IPv6 addresses to interfaces
- Open the IPv6 Address List
- Assign a public address to the PPPoE interface: Address ::1/64, From Pool pub, Interface pppoe-outx
- Assign a private IPv6 address to the bridge interface for communication between devices on the internal network: Address fd00::1/64, From Pool DHCPV6, Interface bridgex
Note: I use fd00::1/64 as the private IPv6 (ULA) address for demonstration; see the quoted material below to pick your own.
According to the definition in RFC4193 – Unique Local IPv6 Unicast Addresses, the IPv6 ULA prefix is FC00::/7. This prefix consists of two parts, FC00::/8 and FD00::/8; strictly speaking, ULAs should currently be taken from FD00::/8. IPv6 ULA addresses are worth creating and assigning in the following scenarios:
- Only the router itself has an IPv6 GUA, and the internal network has to use IPv6 ULA addresses together with NPTv6 for public access
- Some services on the internal network need a fixed IPv6 address, and an IPv6 LLA cannot meet that need
- The internal network needs IPv6 ULA addresses for networking across multiple routers
In practice, it is recommended to use a tool such as RFC4193 IPv6 Generator to generate a ULA prefix that follows the specification. The tool only needs the MAC address of an interface (for example bridge1 in RouterOS).
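As an added example (not code from the original post or from the generator tool it mentions), the following Python implements the RFC 4193 section 3.2.2 algorithm that such a generator runs: it hashes a 64-bit NTP timestamp together with an EUI-64 derived from the interface MAC with SHA-1 and keeps the low 40 bits as the Global ID. The MAC 00:11:22:33:44:55 is a constructed value, and building the EUI-64 per RFC 4291 Appendix A (ff:fe inserted, U/L bit inverted) is my assumption about how the tool expands the MAC.

```python
import hashlib
import ipaddress
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def mac_to_eui64(mac: str) -> bytes:
    """Expand a 48-bit MAC into a Modified EUI-64 as in RFC 4291 Appendix A:
    insert ff:fe in the middle and invert the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def ntp_timestamp(unix_seconds: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus 32-bit fraction."""
    ntp = unix_seconds + NTP_EPOCH_OFFSET
    secs = int(ntp)
    frac = int((ntp - secs) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack(">II", secs & 0xFFFFFFFF, frac)


def ula_prefix(mac: str, unix_seconds=None, subnet_id: int = 0) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: SHA-1 over (NTP time || EUI-64), keep the low
    40 bits as the Global ID, and build fd<Global ID><Subnet ID>::/64."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet_id must fit in 16 bits")
    if unix_seconds is None:
        unix_seconds = time.time()
    key = ntp_timestamp(unix_seconds) + mac_to_eui64(mac)
    global_id = hashlib.sha1(key).digest()[-5:]  # least significant 40 bits
    packed = b"\xfd" + global_id + subnet_id.to_bytes(2, "big") + bytes(8)
    return ipaddress.IPv6Network((packed, 64))


def router_address(net: ipaddress.IPv6Network) -> str:
    """First host of the /64, in the form the post assigns to the bridge (fdxx::1/64)."""
    return f"{net[1]}/{net.prefixlen}"


if __name__ == "__main__":
    # Constructed MAC; on RouterOS you would read it from the bridge interface.
    net = ula_prefix("00:11:22:33:44:55")
    print("prefix:", net, "bridge address:", router_address(net))
```

The resulting prefix replaces the fd00::/64 demonstration value in the address pool and the bridge address above.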
Step 4. Configure ND advertisement or a DHCPv6 server (choose one)
1) Configure a DHCPv6 server: pick any Name, set Interface to bridge, and set Address Pool6 to the private address pool.
2) Configure ND advertisement: set Interface to bridge; the other settings are up to you.
Part 3. Configure the IPv6 firewall
Step 1. Configure source address masquerading
- In the General tab, select the srcnat chain
- Set Out. Interface List to WAN
- In the Action tab, select masquerade
Step 2. Full firewall rule set
See the configuration file from 狐狸 Nomad:
## Filter rules: 21
## NAT rules: 6
## Mangle rules: 1
## Raw rules: 49
## Address-list rules: 22
/ipv6 firewall address-list
add address=fd00::/64 comment="lanconf: local LAN IPv6 ULA" list=local_lan_ipv6
add address=fe80::/10 comment="defconf: RFC6890 - link local" list=no_forward_ipv6
add address=ff00::/8 comment="defconf: RFC3513 - multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 - Loopback" list=bad_ipv6
add address=0000::/96 comment="defconf: RFC4291 - IPv4 compatible" list=bad_ipv6
add address=::ffff:0:0/96 comment="defconf: RFC6890 - IPv4 mapped" list=bad_ipv6
add address=2001::/23 comment="defconf: RFC6890 - reserved" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 - documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: RFC4843 - ORCHID" list=bad_ipv6
add address=2001:20::/28 comment="defconf: RFC7343 - ORCHIDv2" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 - discard-only" list=not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 - TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 - benchmarking" list=not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 - unique local" list=not_global_ipv6
add address=fec0::/10 comment="defconf: RFC3879 - site local" list=not_global_ipv6
add address=::/128 comment="defconf: RFC6890 - unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: RFC3513 - multicast" list=bad_src_ipv6
add address=::/128 comment="defconf: RFC6890 - unspecified" list=bad_dst_ipv6
add address=::/128 comment="ddosconf: DDoS" list=ddos_targets_ipv6
add address=::/128 comment="ddosconf: DDoS" list=ddos_attackers_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation" dst-port=546 protocol=udp dst-address=fe80::/10 log=yes log-prefix="[ipv6-pd]"
add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=drop chain=forward comment="defconf: drop all not from LAN" in-interface-list=!LAN
add action=jump chain=forward comment="ddosconf: DDoS SYN-ACK" protocol=tcp tcp-flags=syn,ack jump-target=detect-syn-ack
add action=return chain=detect-syn-ack comment="ddosconf: DDoS SYN-ACK" dst-limit=128,128,src-and-dst-addresses/10s
add action=add-dst-to-address-list chain=detect-syn-ack comment="ddosconf: DDoS SYN-ACK" address-list=ddos_targets_ipv6 address-list-timeout=10m
add action=add-src-to-address-list chain=detect-syn-ack comment="ddosconf: DDoS SYN-ACK" address-list=ddos_attackers_ipv6 address-list-timeout=10m log=yes log-prefix="[sa-flood-ipv6]"
add action=jump chain=forward comment="ddosconf: DDoS" connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos comment="ddosconf: DDoS" dst-limit=640,640,src-and-dst-addresses/10s
add action=add-dst-to-address-list chain=detect-ddos comment="ddosconf: DDoS" address-list=ddos_targets_ipv6 address-list-timeout=10m
add action=add-src-to-address-list chain=detect-ddos comment="ddosconf: DDoS" address-list=ddos_attackers_ipv6 address-list-timeout=10m log=yes log-prefix="[ddos-ipv6]"
/ipv6 firewall nat
add action=masquerade chain=srcnat comment="lanconf: masquerade IPv6 ULA" out-interface-list=WAN src-address-list=local_lan_ipv6
/ipv6 firewall mangle
add action=change-mss chain=forward comment="defconf: fix IPv6 mss for WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=drop chain=prerouting comment="ddosconf: DDoS" dst-address-list=ddos_targets_ipv6 src-address-list=ddos_attackers_ipv6
add action=drop chain=prerouting comment="defconf: drop IPv6 extension headers types 0,43" headers=hop,route:contains
add action=accept chain=prerouting comment="defconf: accept local Loopback" in-interface=lo
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" dst-address=ff02:0:0:0:0:1:ff00::/104 icmp-options=135 protocol=icmpv6 src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IPs" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IPs" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bad SRC IPv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf: drop bad DST IPv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6
add action=drop chain=prerouting comment="defconf: drop UDP port 0" port=0 protocol=udp log=yes log-prefix="[udp-port-0]"
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad-tcp protocol=tcp
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad-tcp comment="defconf: drop TCP port 0" port=0 protocol=tcp log=yes log-prefix="[tcp-port-0]"
add action=drop chain=bad-tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad-tcp comment="defconf: drop flags fin,syn" protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad-tcp comment="defconf: drop flags fin,rst" protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad-tcp comment="defconf: drop flags fin,!ack" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad-tcp comment="defconf: drop flags fin,urg" protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad-tcp comment="defconf: drop flags syn,rst" protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad-tcp comment="defconf: drop flags rst,urg" protocol=tcp tcp-flags=rst,urg
add action=accept chain=icmp6 comment="defconf: rfc4890 DST unreachable" icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 packet too big" icmp-options=2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 time exceeded" icmp-options=3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 parameter problem" icmp-options=4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 echo request" icmp-options=128:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 echo response" icmp-options=129:0-255 protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6 log=yes log-prefix="[ipv6-hop-limit]"
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast listener query only LAN" src-address=fe80::/10 icmp-options=130:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast listener report only LAN" src-address=fe80::/10 icmp-options=131:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast listener done only LAN" src-address=fe80::/10 icmp-options=132:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast listener report v2 only LAN" src-address=fe80::/10 icmp-options=143:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router solic only LAN" hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router advert only LAN" hop-limit=equal:255 icmp-options=134:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor solic only LAN" hop-limit=equal:255 icmp-options=135:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor advert only LAN" hop-limit=equal:255 icmp-options=136:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND solic only LAN" hop-limit=equal:255 icmp-options=141:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND advert only LAN" hop-limit=equal:255 icmp-options=142:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 certificate path solicitation only LAN" hop-limit=equal:255 icmp-options=148:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 certificate path advertisement only LAN" hop-limit=equal:255 icmp-options=149:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast router advertisement only LAN" src-address=fe80::/10 hop-limit=equal:1 icmp-options=151:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast router solicitation only LAN" src-address=fe80::/10 hop-limit=equal:1 icmp-options=152:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast router termination only LAN" src-address=fe80::/10 hop-limit=equal:1 icmp-options=153:0-255 in-interface-list=LAN protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop all other ICMPv6" protocol=icmpv6
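To check how the raw prerouting chain above treats a given packet, here is an added Python model (not part of 狐狸 Nomad's configuration) that replays its address-list rules in their listed order; the DDoS, extension-header, TCP-flag and ICMPv6 sub-chain rules are left out, and the sample packets in the test are constructed (a 2001:db8 documentation address and a public resolver address). It shows, for instance, that a packet with a ULA source arriving on WAN is dropped by "drop non global from WAN", so the masqueraded fd00::/64 network cannot be impersonated from outside.

```python
import ipaddress

# Address lists transcribed from the /ipv6 firewall address-list section above.
ADDRESS_LISTS = {
    "bad_ipv6": ["::1/128", "::/96", "::ffff:0:0/96", "2001::/23",
                 "2001:db8::/32", "2001:10::/28", "2001:20::/28"],
    "not_global_ipv6": ["100::/64", "2001::/32", "2001:2::/48",
                        "fc00::/7", "fec0::/10"],
    "bad_src_ipv6": ["::/128", "ff00::/8"],
    "bad_dst_ipv6": ["::/128"],
}
LISTS = {name: [ipaddress.ip_network(n) for n in nets]
         for name, nets in ADDRESS_LISTS.items()}
SOLICITED_NODE = ipaddress.ip_network("ff02:0:0:0:0:1:ff00::/104")
LINK_MCAST = ipaddress.ip_network("ff02::/16")
ANY_MCAST = ipaddress.ip_network("ff00::/8")


def in_list(ip, name):
    """True if ip falls inside any prefix of the named address list."""
    return any(ip in net for net in LISTS[name])


def raw_prerouting(src, dst, in_iface, proto=None, icmp_type=None):
    """Return (verdict, rule comment) for a packet, walking the address-based
    rules of the raw prerouting chain in the order they appear above.
    in_iface is the interface list the packet arrived on: "LAN" or "WAN"."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # DAD neighbour solicitation: unspecified source to solicited-node multicast
    if (proto == "icmpv6" and icmp_type == 135
            and s == ipaddress.ip_address("::") and d in SOLICITED_NODE):
        return ("accept", "RFC4291, section 2.7.1")
    if in_list(s, "bad_ipv6") or in_list(d, "bad_ipv6"):
        return ("drop", "drop bogon IPs")
    if in_list(s, "bad_src_ipv6"):
        return ("drop", "drop bad SRC IPv6")
    if in_list(d, "bad_dst_ipv6"):
        return ("drop", "drop bad DST IPv6")
    # ULA (fc00::/7), site-local and other non-global sources never arrive from WAN
    if in_iface == "WAN" and in_list(s, "not_global_ipv6"):
        return ("drop", "drop non global from WAN")
    if d in LINK_MCAST:
        return ("accept", "accept local multicast scope")
    if d in ANY_MCAST:
        return ("drop", "drop other multicast destinations")
    if in_iface in ("LAN", "WAN"):
        return ("accept", f"accept everything else from {in_iface}")
    return ("drop", "drop the rest")
```

A packet accepted here still has to pass the filter chains, where new connections from WAN are dropped by "drop all not from LAN".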