Thanks but why the question mark?

maxiscool Is this how you tested yours?

This rule did it. Not sure why you keep harping on iptable. How Mikrotik did it delivers what I described.

I did it for hyperscaler, not eyeball network. But I am sure the same method works with CGNAT, where they get their address via IPv4 as a service. CPE side continue as its with dual stack.

See, you quickly say my method don't work for you without any context, as if I don't know Steam don't work with NAT64 or XLAT464.

I glossed over because you are blaming one security issue on IPv6, plus you lie about Shodan.

So many IPv4 network get hacked everyday yet nobody call it the IPv4 problem. Everything that showed up in Shodan is very well IPv4 problem, or is it?
When the term "IPv6" appear, suddenly it's all IPv6 fault.
Is it a Layer 3 protocol problem or is it a general security issue?

Don't tell me that you did not know that the firewall rule is just a wrapper for an iptables command, or ip6tables to be exact. That's why I mentioned iptables directly instead of routerOS firewall.

When I talk about Shodan, I am talking about client-level security in general, not IPv6 only to be exact. The devices you see in Shodan are all devices with lousy client-level security implementations, but you assume that all devices out there has stellar client-level security implementations, at least for IPv6. You rely too much on the hope that device manufacturers will implement robust security on their IPv6-supporting devices, but not all will do so, just like Sony.

I am gonna suggest something you hate. Can you netinstall your RouterOS and reconfigure again?

Thanks but why the question mark?

maxiscool Is this how you tested yours?

Probably that the option, the last I did was just factory reset, perhaps can give this a try when I have more free time to do this.
I did not test speed in particular but I have no issue for 500Mbps on default Speedtest,believedjust using IPv4.

You can try this first:
System > Packages > Check Installation

If it says no error I am not really sure if netinstall will solve it. I am just suggesting it as nuclear option as I have no idea why toggling IGMP Snooping will give you an IPv6 prefix even with nothing connected to the router. It just sounds impossible.

Did you remember anything you changed manually the last time you factory reset it?

Also can you screenshot me Bridge > Ports?

Here you go, I have even try disable all the bridge to test it out.

Yes, this is Mikrotik and TM problem with IPv6, therefore disabling IPv6 is a perfectly valid option. You don't lose anything by doing that, and there is no need to chuck out a perfectly working Mikrotik RB750Gr3. And if Quanta is still hell-bent on having good IPv6 functionality with the RB750Gr3, nuking routerOS and installing OpenWRT is another viable option.

It is an option if the user decide that's the way forward, given the full context and list the actual problem.

I already gave him the option to disable IPv6 Firewall and never buy another Mikrotik again if his use case don't need it.

However I have a problem with people wording it as IPv6 is not mature, blah blah and disable until 2025.

It's time to move away from dual-stack network. It's double the work, double the trouble and it didn't solve IPv4 exhaustion problem.

People who insist to stay on IPv4 is clearly incompetent and lazy. Everyone who run dual-stack are appeasing to them.

RB5009 should be enough. (But with 1.X-2X price compare to AX2 or AX3)

If not urgent use,just wait for another 1-2 years for next gen of RB5009 which should be having more 2.5G port. (My guess only)
And disable ipv6 until 2025,now ipv6 still not suitable for wide usage.

Disabled all IPv6 filter rules and not helping. Able to max out to 320Mbps and CPU is still 100% when speedtesting.

If you enable Fast Forward, you need to reboot for it to take effect.

Can you double check if "Fast Forward" is enabled inside your bridge setting?

Just to confirm IPv6 > Firewall - NAT, Mangle, Raw and Address List are all disabled too right?

If you enable Fast Forward, you need to reboot for it to take effect.

RB5009 should be enough. (But with 1.X-2X price compare to AX2 or AX3)

If not urgent use,just wait for another 1-2 years for next gen of RB5009 which should be having more 2.5G port. (My guess only)
And disable ipv6 until 2025,now ipv6 still not suitable for wide usage.

Probably that the option, the last I did was just factory reset, perhaps can give this a try when I have more free time to do this.
I did not test speed in particular but I have no issue for 500Mbps on default Speedtest,believedjust using IPv4.

I also have ax2 and ax3. Maybe one day will do a test. Currently both using as AP.

HAP AX3

Hi, it's Bridge > Ports
Second tab on top ya