As per my previous post about setting up guest WiFi with untagged and VLAN tagged bridged networks between a CCR boundary router, an ax2 AP and an Audience WiFi extender: viewtopic.php?t=203304
IPv4 routing works perfectly with the firewall set to block any access to my local network.
I can route IPv4 using NAT to the internet from both networks, and on the guest network any attempt to log in to the router is dropped.
I have the same configuration for IPv6 but it doesn't work unless I allow input to my boundary router???
If I try to ping www.he.net with rule 6 enabled I get no answer, but if I disable it then I get a response, but rule 6 is an input rule, not a forward rule, so what on earth is going on?
How do I allow the router to route IPv6 traffic to the internet whilst at the same time blocking any attempt to connect to the router itself?
Code:
[admin@boundary] > /ip firewall filter print
 3    ;;; block guest from private LAN
      chain=forward action=drop src-address=10.0.0.0/24 dst-address=192.168.0.0/16

 6    ;;; block guest from this router
      chain=input action=drop src-address=10.0.0.0/24

[admin@boundary] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 2 ADS  0.0.0.0/0  XXXXXXX  1

[admin@ax2] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS       GATEWAY       DISTANCE
DAc 10.0.0.0/24       guest-bridge  0
DAc 192.168.180.0/24  bridge        0
Code:
[admin@boundary] > /ipv6 firewall filter print
 2    ;;; block guest from private LANs
      chain=forward action=drop src-address=XXXX:XXXX:XXXX:200::/64 dst-address=XXXX:XXXX:XXXX:0::/56

 6 X  ;;; block guest from this router
      chain=input action=drop src-address=XXXX:XXXX:XXXX:200::/64

[admin@boundary] > /ipv6 route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
 #      DST-ADDRESS  GATEWAY                  DISTANCE
 0 ADS  ::/0         fe80::XXXX:XXXX:XXXX...  1

[admin@ax2] > /ipv6 route print
Flags: D - DYNAMIC; I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#   DST-ADDRESS              GATEWAY       DISTANCE
DAc XXXX:XXXX:XXXX:1::/64    bridge        0
DAc XXXX:XXXX:XXXX:200::/64  guest-bridge  0
DAc fe80::%bridge/64         bridge        0
DAc fe80::%guest-bridge/64   guest-bridge  0
Statistics: Posted by ojnab — Thu Jan 18, 2024 12:16 am
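A likely cause, shown as an added example that is not part of the original post and not confirmed in it: IPv6 neighbor discovery is ICMPv6 addressed to the router, so it traverses the input chain, whereas IPv4 ARP is not seen by the IP firewall. The model below evaluates the posted rules with and without an assumed accept rule for neighbor discovery. The 2001:db8 addresses stand in for the masked prefix, and the router and host addresses are hypothetical.

```python
import ipaddress as ip

# Constructed stand-ins: the post masks its prefix as XXXX:XXXX:XXXX, so 2001:db8:0 is used here.
GUEST = ip.ip_network("2001:db8:0:200::/64")
PRIVATE = ip.ip_network("2001:db8::/56")
ROUTER_LL = "fe80::1"               # hypothetical router link-local address on the guest VLAN
ROUTER_GUA = "2001:db8:0:200::1"    # hypothetical router global address on the guest VLAN
ND_TYPES = {133, 135, 136}          # router solicitation, neighbor solicitation, neighbor advertisement

def chain(dst):
    """Simplified: traffic to the router's own, link-local or multicast addresses is input."""
    a = ip.ip_address(dst)
    to_router = dst in (ROUTER_LL, ROUTER_GUA) or a.is_link_local or a.is_multicast
    return "input" if to_router else "forward"

def verdict(rules, src, dst, proto, icmp_type=None):
    """First matching rule wins; a packet that matches no rule is accepted."""
    for r in rules:
        if r["chain"] != chain(dst):
            continue
        if "src" in r and ip.ip_address(src) not in r["src"]:
            continue
        if "dst" in r and ip.ip_address(dst) not in r["dst"]:
            continue
        if "proto" in r and r["proto"] != proto:
            continue
        if "types" in r and icmp_type not in r["types"]:
            continue
        return r["action"]
    return "accept"

# The two rules from the post, with rule 6 enabled.
POSTED = [
    {"chain": "forward", "action": "drop", "src": GUEST, "dst": PRIVATE},
    {"chain": "input", "action": "drop", "src": GUEST},
]
# Assumed fix: accept only neighbor discovery from the guest prefix ahead of the input drop.
WITH_ND = [{"chain": "input", "action": "accept", "src": GUEST,
            "proto": "icmpv6", "types": ND_TYPES}] + POSTED

HOST, INTERNET = "2001:db8:0:200::50", "2001:db8:ffff::80"   # constructed addresses

def ping_works(rules):
    """The echo must be forwarded AND the host's neighbor advertisement must reach the router."""
    echo = verdict(rules, HOST, INTERNET, "icmpv6", 128)
    na = verdict(rules, HOST, ROUTER_LL, "icmpv6", 136)
    return echo == "accept" and na == "accept"
```

In the model the forwarded echo request is accepted under both rule sets; what changes is whether the guest host's neighbor advertisement reaches the router, while TCP and echo requests aimed at the router itself stay dropped.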