I'd been thinking for a while about putting my modem into pure bridge mode and using something smarter to do routing and firewall duties, and with the addition of some new networking kit to our home environment, now was the time to make it happen.
Our existing AP is another Mikrotik unit, the 5-port RB951G-2HnD (also purchased via Duxtel), and we've been really happy with its performance sitting in the lounge room under the TV. OK, when I say "we" I mean "me", because it's been absolutely rock solid and very high performance. That makes for a happy userbase.
Back to the new kit. The first thing I did was to set up the pppoe client (easy) running on port ether1. Then I proceeded to port mapping, so that my public services (like the one you're reading this on) were appropriately mapped to my DMZ host. Certain useful firewall rules were added, and then I tried to get IPv6 set up, and managed to muck things up. Boo.
I'm not exactly sure what I got wrong, but it took me until just a few days ago to get it right. In that time I've read quite a few blog and forum posts, all of which helped me get to the right place. I don't recall specifically whether any one was more useful than another, so I'll just offer a general thank you to everybody who posted in any form about their problems and solutions.
Here's my solution.
Firstly, I've got a bridge, comprised of all the ports except allports-1. Secondly, I run the IPv6 DHCP client on the virtual interface for the pppoe connection. This is not asking for an address, only a prefix delegation. Until I turned off asking for an address as well, I couldn't get the client to bind. That feeds into my local pool, which is providing a prefix hint of ::/64, and a prefix length of 64. (I get a /56 from Internode, which I think is more than I'm ever going to need, even if I IoT all the things under this roof.)
Thirdly, while I could run an IPv6 server on one of my Solaris systems, I chose not to, using the Mikrotik's server instead. This is running on ether2-master, and serving out from the local pool.
Fourth, addresses. It was this bit which caused me all the grief. In the config which now works, I have assigned an address to my bridge and an address to my gateway port ether1. The address I assigned to ether1 is in fact that of my /56 from Internode.
Finally, firewalling. I'm using the standard set of rules here; accept icmpv6 and https, drop telnet.
I've found the serial console to be indispensable, especially since I managed to muck up the IPv4 routing a few times. The ability to send sniffed packets to a different system for capture using Wireshark is incredibly useful. Just remember that your Wireshark session needs to listen on UDP port 37008.
Here's the config export; I hope it's useful to you:
/interface bridge
add name=allports-1 protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=sfp1 ] disabled=yes master-port=ether2-master
/interface wireless
set [ find default-name=wlan1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes default-route-distance=1 disabled=no interface=ether1 keepalive-timeout=disabled name=node-pppoe password=YOURPASSWORD service-name=node use-peer-dns=yes user=YOURUSERNAME
/ip neighbor discovery
set ether1 discover=no
/interface ethernet switch
set use-cvid-in-one2one-vlan-lookup=no
/ipv6 dhcp-server
add address-pool=localpool interface=allports-1 name=localserver
/interface bridge port
add bridge=allports-1 interface=ether2-master
add comment=defconf interface=wlan1
add bridge=allports-1 interface=ether3
add bridge=allports-1 interface=ether5
add bridge=allports-1 interface=ether6
add bridge=allports-1 interface=ether7
add bridge=allports-1 interface=ether8
add bridge=allports-1 interface=ether4
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip settings
set accept-redirects=yes accept-source-route=yes
/ipv6 settings
set accept-router-advertisements=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=drop chain=input dst-port=23 in-interface=all-ppp log=yes log-prefix=drop23- protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related,new in-interface=!all-ppp
add chain=input connection-state=established,related,new
add action=drop chain=input connection-state=invalid
add action=fasttrack-connection chain=input in-interface=!all-ppp
add chain=forward connection-state=established,related,new
add chain=forward in-interface=!all-ppp
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=25 protocol=tcp to-addresses=DMZHOST to-ports=25
add action=dst-nat chain=dstnat dst-port=53 in-interface=all-ppp protocol=udp to-addresses=DMZHOST to-ports=53
add action=dst-nat chain=dstnat dst-port=443 in-interface=all-ppp protocol=tcp to-addresses=DMZHOST to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface=all-ppp protocol=tcp to-addresses=DMZHOST to-ports=80
add action=masquerade chain=srcnat out-interface=node-pppoe
/ip route
add distance=1 dst-address=192.168.0.0/16 gateway=ether2-master pref-src=192.168.1.2
add distance=1 dst-address=192.168.10.0/24 gateway=allports-1
add distance=1 dst-address=192.168.10.0/24 gateway=ether2-master
/ipv6 address
add address=2001:44b8:2188:f001:: from-pool=localpool interface=allports-1
add address=2001:44b8:2188:f000:: from-pool=localpool interface=ether1
/ipv6 dhcp-client
add add-default-route=yes interface=node-pppoe pool-name=localpool prefix-hint=::/64 request=prefix
/ipv6 firewall filter
add action=drop chain=forward dst-port=23 in-interface=node-pppoe protocol=tcp
add chain=input port=443 protocol=udp
add chain=forward port=443 protocol=udp
add chain=input port=443 protocol=tcp
add chain=forward port=443 protocol=tcp
add action=drop chain=forward in-interface=node-pppoe
add chain=input in-interface=node-pppoe protocol=icmpv6
add chain=input dst-port=546 in-interface=node-pppoe protocol=udp
add action=drop chain=input in-interface=node-pppoe
add action=drop chain=input in-interface=ether1
add chain=forward in-interface=node-pppoe log=yes port=9876 protocol=tcp
/ipv6 nd
set [ find default=yes ] advertise-dns=yes hop-limit=64 managed-address-configuration=yes mtu=9000 other-configuration=yes ra-lifetime=10m reachable-time=10s retransmit-interval=10s
/ipv6 nd prefix
add interface=ether2-master
/system clock
set time-zone-name=Australia/Brisbane
/system ntp client
set enabled=yes primary-ntp=18.104.22.168 secondary-ntp=22.214.171.124
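As an added example that is not part of the original post, here is a small Python checker for the rule-ordering question that comes with any RouterOS firewall: it parses the /ipv6 firewall filter section of the export above and reports rules that an earlier terminal (accept or drop) rule in the same chain already catches completely, so they can never match. The rule text is copied from the export; the parser and the subset test are my own, not a RouterOS feature.

```python
import shlex

# The /ipv6 firewall filter section of the export above, copied from the post.
IPV6_FILTER_EXPORT = """
add action=drop chain=forward dst-port=23 in-interface=node-pppoe protocol=tcp
add chain=input port=443 protocol=udp
add chain=forward port=443 protocol=udp
add chain=input port=443 protocol=tcp
add chain=forward port=443 protocol=tcp
add action=drop chain=forward in-interface=node-pppoe
add chain=input in-interface=node-pppoe protocol=icmpv6
add chain=input dst-port=546 in-interface=node-pppoe protocol=udp
add action=drop chain=input in-interface=node-pppoe
add action=drop chain=input in-interface=ether1
add chain=forward in-interface=node-pppoe log=yes port=9876 protocol=tcp
"""

# Properties that do not narrow what a rule matches.
NON_MATCHERS = {"action", "log", "log-prefix", "comment", "disabled"}
# Actions after which no later rule in the chain is consulted for that packet.
TERMINAL = {"accept", "drop", "reject"}

def parse_rules(export):
    """Turn 'add key=value ...' lines into (action, matchers) tuples.
    A RouterOS filter rule with no action= given defaults to accept."""
    rules = []
    for line in export.strip().splitlines():
        words = shlex.split(line)
        if not words or words[0] != "add":
            continue
        props = dict(word.split("=", 1) for word in words[1:])
        matchers = {k: v for k, v in props.items() if k not in NON_MATCHERS}
        rules.append((props.get("action", "accept"), matchers))
    return rules

def shadowed_rules(rules):
    """Return (later, earlier) index pairs where the later rule can never fire:
    an earlier terminal rule matches on a subset of the later rule's properties
    with identical values (chain included), so every packet the later rule
    would see has already been accepted or dropped. Conservative: only literal
    subsets are reported, so dst-port=443 behind port=443 is not flagged."""
    found = []
    for i, (_, later) in enumerate(rules):
        for j in range(i):
            action, earlier = rules[j]
            if action in TERMINAL and all(later.get(k) == v for k, v in earlier.items()):
                found.append((i, j))
                break
    return found
```

On the export above it reports the last forward rule (port 9876) as unreachable, because the drop for all forwarded traffic from node-pppoe sits ahead of it in the same chain.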
In a while, once work has quietened down a bit, I'm going to play around with MAC-address-based VLANs, because they seem cool, and a really neat thing. Who knows, they might even be useful someday!