Seems like a lot of hoops to jump through to achieve something simple. Other systems have already identified this need, and even so, doesn't RouterOS rely on iptables underneath the hood anyway, so it should basically already support it, I reckon.
You may want to approach the question differently in RouterOS currently. Have a look at @Sob's sample code of NPTv6; however, keep in mind that there are some caveats, some of which can be handled. If this solution fits the bill for you, then the next step is using scripting to handle the change of the ISP-provided prefix by changing the dst-prefix= value in the postrouting chain and the dst-address= and src-prefix= values in the prerouting chain in the above-referenced sample code.
Some people also suggest not actually using the firewall for IPv6, just enabling firewalls on the hosts. I could do that, but I then have the inverted problem: how do I enable all local prefix-ranges to connect to my server, but not from WAN? Everything is just a workaround for a lack of addressing.
I guess it would be much easier for me to create a host-based address-list instead, since I already have dynamic DNS running for this specific host. I hadn't thought about that, and this also seems to resolve automatically nowadays (no scripting necessary).
Statistics: Posted by jishi — Tue Jan 09, 2024 2:55 pm