
Enterprise Networking Mikrotik Routers (RouterBoard & RouterOS), User and owner discussion group

kwss
post Feb 2 2025, 05:46 AM

Regular
******
Senior Member
1,207 posts

Joined: Aug 2018
QUOTE(biatche @ Jan 31 2025, 03:50 PM)
For years now, I only do IPv4 on my Mikrotik.

Anyone willing to share copy-paste FW rules for IPv6 (I use Unifi)? (Yeah, I know how to edit.)

I actually don't understand IPv6 very well. From my understanding, we're given a subnet instead of a single IP address, right? And each PC behind the router is given this 'external IP'? Or did I understand this incorrectly?

Based on what someone else said a few weeks ago, it's possible I may get unthrottled speeds with IPv6.... More speed is all I hope for.
*
CODE

/ipv6 firewall filter
add action=fasttrack-connection chain=forward

/ipv6 firewall raw
add action=drop chain=prerouting dst-port=53 in-interface=!bridge1 protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface=!bridge1 protocol=udp


Remember to change the in-interface to suit your LAN.
Note that these are all the firewall rules I have, as I removed all the default rules.

In my use case, IPv6 traffic is 4.73x more than IPv4. You should get full 1Gbps even on an ancient Mikrotik device. The improvement is substantial.

This post has been edited by kwss: Feb 2 2025, 05:54 AM
kwss
post Feb 2 2025, 09:37 PM

QUOTE(biatche @ Feb 2 2025, 04:47 PM)
So you're saying that I actually have a choice of distributing public IPv6 to each PC, or a single public IPv6 on the router with NAT.

So my brain is still very IPv4. With each PC getting its own public IPv6 address:

1) Does the FW on Mikrotik still apply? Or does it only route traffic?
2) How do computers in my LAN know what's LAN traffic? My brain here is thinking in terms of ip/32, and the LAN config would be ip/24.
*
IPv6 means every device gets its own Global Unique Address (GUA). They can have both a GUA and also a Unique Local Address (ULA). They can have special addresses like ORCHID too. Or Segment Routing v6. You cannot use IPv4 knowledge to understand IPv6. You must unlearn IPv4 and learn IPv6 fresh! This is why old dogs in the industry have a hard time with IPv6. It is a paradigm shift.

1) Yes, the firewall in Mikrotik is still very important. Yes, the router routes traffic. You need to understand the packet flow diagram of RouterOS first: https://wiki.mikrotik.com/Manual:Packet_Flow
2) Computers know it is LAN traffic from the configured subnet mask.

QUOTE(biatche @ Feb 2 2025, 04:51 PM)
So you're telling me internet traffic via IPv6 is actually really faster than IPv4 (presumably throttling etc)? I'm still on the hAP ac2 for a few years now since initial release; don't know if that's ancient.
And wait, 3 FW rules, that's all? My IPv4 firewall is quite strict; my default is to drop and then I selectively allow.
*
Yes, IPv6 is faster than IPv4 if they both go the same route. The hAP ac2 can definitely get 1Gbps with fasttrack.
I removed all the default firewall rules and yes, there are only 3. I can do that because I disabled all services on my router. Not running code in the first place means zero chance of a security issue.

Anytime you modify firewall rules, you need to nmap yourself, from your LAN and also from the Internet.

This post has been edited by kwss: Feb 2 2025, 09:44 PM
kwss
post Feb 6 2025, 07:20 AM

QUOTE(biatche @ Feb 5 2025, 05:20 PM)
So I was going through this guide: https://www.hitoha.moe/mikrotik-ipv6-pppoe-...nifi-correctly/

My brain isn't neural-networking how to fit this into my setup.

So I have VLANs at home.

To keep it simple,

I have vlan10-home 10.1.10.0/24; vlan20-work .20.0/24; vlan30-guest .30.0/24; 172.16.1.0/24 wireguard; with each having different firewall configurations. For example, home can access work via NAT but work can't access home.

The guide only has pppoe/bridge as interfaces.

So how will this work here in my case?

Since you previously said DHCPv6 would distribute public v6 addresses to my network...... then my different VLANs will be LAN-connected via public IP? This doesn't sound right.
*
Ok, here is the problem with TM IPv6.
1. It is only a /64
2. It is dynamic and not tied to the DUID at all

Which means it is useless if you have more than 1 VLAN that needs IPv6. You can assign it to one of your VLANs while the other VLANs continue without IPv6.
If you are not using Android devices, you can try using DHCPv6 and slice a smaller subnet from the /64.

Regarding your firewall security question, my opinion:
Endpoint security is superior to perimeter security.

If you can have all your devices operate properly in a hostile network, nobody can touch you. Basically it comes down to only a few things:
1. Audit all the ports that accept traffic, both TCP and UDP
2. Use SELinux on all services with open ports. Or limit them with a constrained SELinux user. Or a container runtime like Firecracker.
3. Do not do anything unencrypted and unauthenticated. This means using NTS instead of NTP. Using DoH instead of plain DNS. Enforce HTTPS instead of allowing HTTP fallback. Disable all captive portal services (from OS and browser).
4. Practice security hygiene.

As you can see, even without a firewall on your endpoint, you are pretty much untouchable if you know what you are doing.
For development, bind to ::1 or 127.0.0.1.

Even if your subnet doesn't have a global IPv6 address, you can bind to a ULA for all your local services, like fc00::/64. This means all the IPv6 traffic is local subnet only. You don't even need a firewall rule as the routing table will prevent your LAN traffic from leaking, ever!
The same cannot be said for IPv4.
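
Point 1 of the list above (audit every port that accepts traffic) together with the bind-to-::1-or-ULA advice can be checked on the Linux box without any scanner. The script below is an added example, not code from the post or from Mikrotik; it assumes a Linux host, reads the /proc/net/tcp6 and /proc/net/udp6 tables (here constructed sample tables, not captured from a real machine), decodes the kernel's hex address format, and flags every socket bound to a wildcard or global address, which is exactly the set a remote host could reach without a perimeter firewall.

```python
import ipaddress
from dataclasses import dataclass

# Socket states as printed in /proc/net/tcp6 and /proc/net/udp6 (hex).
TCP_LISTEN = "0A"   # TCP socket waiting for connections
UDP_BOUND = "07"    # UDP socket bound but unconnected, i.e. accepting datagrams

ULA = ipaddress.ip_network("fc00::/7")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")


@dataclass
class Listener:
    proto: str
    addr: ipaddress.IPv6Address
    port: int
    scope: str       # wildcard / loopback / ula / link-local / global
    exposed: bool    # reachable from outside the local subnet


def decode_proc_addr(hexaddr: str) -> ipaddress.IPv6Address:
    """/proc/net prints the 128-bit address as four 32-bit words in host byte
    order; on little-endian hosts each 4-byte group therefore appears reversed."""
    raw = b"".join(bytes.fromhex(hexaddr[i:i + 8])[::-1] for i in range(0, 32, 8))
    return ipaddress.IPv6Address(raw)


def classify(addr: ipaddress.IPv6Address) -> str:
    if addr.is_unspecified:
        return "wildcard"      # [::] binds every address, the GUA included
    if addr.is_loopback:
        return "loopback"      # ::1, what the post recommends for development
    if addr in ULA:
        return "ula"           # fc00::/7, never routed to the Internet
    if addr in LINK_LOCAL:
        return "link-local"
    return "global"            # a GUA: reachable from the Internet, no NAT in the way


def parse_proc_net(text: str, proto: str) -> list[Listener]:
    """Return every socket that accepts traffic from a /proc/net/tcp6 or udp6 table."""
    wanted = TCP_LISTEN if proto == "tcp" else UDP_BOUND
    found = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != wanted:
            continue                            # established, time-wait, etc.
        hexaddr, hexport = fields[1].split(":")
        addr = decode_proc_addr(hexaddr)
        scope = classify(addr)
        found.append(Listener(proto, addr, int(hexport, 16), scope,
                              exposed=scope in ("wildcard", "global")))
    return found


def audit(tcp6_text: str, udp6_text: str) -> list[Listener]:
    """Listeners a remote host could reach: each one needs a justification or a close."""
    return [l for l in parse_proc_net(tcp6_text, "tcp") + parse_proc_net(udp6_text, "udp")
            if l.exposed]


# Constructed sample tables (not captured from a real host). Local addresses are
# ::1, [::], fd00::1 and 2001:db8::10 in the little-endian /proc encoding.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue
   0: 00000000000000000000000001000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000
   1: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000
   2: 000000FD000000000000000001000000:01BD 00000000000000000000000000000000:0000 0A 00000000:00000000
   3: B80D0120000000000000000010000000:0D3D 00000000000000000000000000000000:0000 0A 00000000:00000000
   4: B80D0120000000000000000010000000:C1A2 B80D0120000000000000000001000000:01BB 01 00000000:00000000
"""
SAMPLE_UDP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue
   0: 00000000000000000000000000000000:14E9 00000000000000000000000000000000:0000 07 00000000:00000000
"""

if __name__ == "__main__":
    # On a real host: audit(open("/proc/net/tcp6").read(), open("/proc/net/udp6").read())
    for l in audit(SAMPLE_TCP6, SAMPLE_UDP6):
        print(f"{l.proto} [{l.addr}]:{l.port} scope={l.scope} -> justify or close")
```

The ULA-bound service on port 445 and the loopback dev server on 8080 pass; the wildcard SSH and mDNS sockets and the RDP socket bound to a GUA are the ones the audit reports.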
kwss
post Feb 6 2025, 05:43 PM

QUOTE(biatche @ Feb 6 2025, 04:03 PM)
I like your ideas, and I agree with them.

So we need to go outside the scope of Mikrotik a bit. I have maybe 7 Windows computers at home, 1 Linux, and a few phones. I personally have my own VLAN, the rest of the family have their own VLAN and some use guest, and a few more VLANs for isolation. Why did I choose this instead of endpoint FW? It's because I'm the only one who understands computers. My kids who play Valorant, Minecraft, Epic Games come ask me "What's this? Do I press allow private/public firewall?" I normally just say allow because it's coming from known games. But how about you tell me here using these as an example.
So they want open ports to each other in the internal LAN, but closed ports to public. I'll assume private network since FW is set to private and I won't be bringing desktops to Starbucks. Now that's just one game. My personal PC has something like 100 firewall entries. As for Epic Games, I can imagine sharing local update downloads but I can't be sure. What I was expecting to be dealing with was having a central firewall like IPv4. I also don't use automatic Windows Update, because why bother? I customize my Windows a lot, and with each update, it removes certain debloats and then I need to redo things over again. And then there's a period where things are vulnerable until actually discovered and patched.
But yes, I can audit, needing to know what services are required on each PC, restricting public for some, allowing LAN for some.... and even an audit would then need to be done from a remote machine and also a local machine.

I could certainly script and use remote PS or maybe just RustDesk to maintain, if you still believe it's worth all the trouble, which is really the question of: is IPv6 speed worth it?
*
I will offer my perspective from running infrastructure and also address your security hygiene issue.

IPv6 will replace IPv4 whether you like it or not:
1. The IPv4 routing table is getting so excessively large and fragmented that it requires hardware with a serious amount of TCAM or HBM.
2. For dual stack to work, I need 2 copies of the routing table, one for IPv4, another for IPv6. For the simplest BGP setup of dual upstream, that's a minimum of 4 routing tables.
3. IPv6 doesn't need to calculate a checksum since it doesn't have one. This is not just about end-user speed, it is about scalability. Very few routing SoCs can saturate a port with a single stream. The only ones I know are Cisco One Silicon and Nokia FP5. This is a deep topic to discuss here. Research run-to-completion network silicon.
4. It prevents new players from coming into the market. If I decide to start a new ISP, I cannot get any more new IPv4 addresses. Even if I am able to get IPv4 addresses, it will only be a /24 and it costs a fortune. It prevents competition, and network design that does IPv4 simply sucks from this point of view.
5. Running CGNAT costs money. Money in terms of hardware and scaling. Money in terms of licensing fees. "Money" in terms of hardware choice.
6. IPv4 requires all kinds of hacks like ALG, STUN and firewall hole punching.

Addressing your security hygiene:
The last point above is directly related to why games give you firewall prompts. They are performing hole punching for you to get an end-to-end connection. The same happens with any app that makes and receives calls, like WhatsApp. If it happens in your web browser, your firewall already allows it.

Not practicing security hygiene will eventually get you pwned. It is not even APT level sophistication.
1. Attacks on known, patched security vulnerabilities. Not performing Windows Update falls under this.
2. End users clicking on things. Clicking on unknown things falls under this. This also includes clicking links and running unknown code. Your kids clicking on a prompt to literally disable security. Rightly includes plugging in a thumb drive you picked up outside.

Your whole argument for using IPv4 comes down to depending on NAT to protect you. All the IPv6 firewall rules in Mikrotik are there to emulate this exact behavior in IPv6. The reason is a legacy one. All RouterOS before 7.2 (don't remember the exact version) do not support NAT66.

If you want to have this exact behavior, a more effective way is still to remove the rules and do NAT66 properly. By doing this, you will also require all the NAT hacks to make your apps work. If your app backend doesn't do STUN and hole punching in IPv6, it will stop working.

Depending on your Mikrotik to secure your family with zero security hygiene is a terrible idea. It is not even an IDS / IPS. It is just a router with very basic firewall capability.

Security hygiene starts with education.
No product can save you from ignorance. Not even an IPS.
The same goes for sex education and religion. Refusal to talk about it won't save you.

This post has been edited by kwss: Feb 6 2025, 05:44 PM
kwss
post Feb 7 2025, 05:21 AM

QUOTE(biatche @ Feb 7 2025, 12:57 AM)
I understand IPv6 will take over one day.

Most regular users just use their devices, without understanding IPv4 or Windows security, let alone Mikrotik stuff. So most people don't even know what security hygiene is; however, if they are behind a router FW, they have a better chance of not getting into trouble. I'd like to believe I configured my Mikrotik IPv4 FW pretty well: reject as default, no passwords, and using non-standard ports or otherwise requiring VPN to enter the internal network. (Maybe I should disable all methods of remote access since I haven't traveled for a while.) So tell me, where do most people stand when it comes to security hygiene? I can at least understand what you're saying. Others just want to watch movies/game. Aren't most people vulnerable then?

I can have the best practices, weekly audits, immediate OS updates, but take CVE-2024-38063 for example. Is it not a severe vulnerability until first discovered and then patched? Who knows for how long exploiters have actually been abusing it. That's only one to name; I saw there were a few other ones in the past. So what do you say to this?

Also, I think it's more likely for people to look for vulnerabilities on an endpoint address than to first hack a router, meddle with the firewall and then find vulnerabilities on internal addresses, even more so when VLANs are involved. Although yes, I've witnessed Mikrotiks hacked in the past when there was a serious vulnerability... good thing it didn't go any further than that.

But OK, I will look into 'security hygiene'. I'll probably redo all endpoint firewalls, get everything up to date... maybe enable autoupdate? (And then Windows will rebloat the OS and reset some configuration to default... and risk BSODs with bad updates; you know this has happened.) And then probably write a script to audit each computer periodically and also report via a Discord bot.... Man, this is a lot of work. What do you think of this? Good enough for hygiene? A plan is better than no plan.
*
Maybe just don't overthink it?
I believe as long as you are not running additional services that listen on a port, there is not much to deal with from a networking point of view, at least for a home user.
Yes, sure, Windows has its set of problems, with exposed ports by default, which is really uniquely Microsoft. If you go to public wifi with your laptop and nmap the network, you can gather a lot of information on those machines. Usernames, domain names of those devices, etc. All the user needs to do is click Private Network when they connect to the wifi.
The last time I used Windows was version 7, maybe this has changed, but the naming is still stupid. A private network is supposed to be secure, but in Windows terms, if you are on a Private Network, the firewall will expose all ports as it is supposed to be your home or office or whatever.

There are many 0-click 0-days that don't involve the IPv6 stack. This kind of security vulnerability is nothing new. Let's not single out one CVE and refuse to use IPv6. If this is the case, you might as well stop using Windows, or everything in general.

I have known big corps, including banks, that disable Windows Update and depend purely on perimeter security. But it comes at a heavy price. Not only can they not install anything, they cannot even surf the net. They can only access the intranet with the browser. This kind of use case makes no sense for a home user. However, what if their perimeter security is breached? Everything in the internal network will be vulnerable. With so many VPN appliances or even IDS/IPS like Fortigate having 0-days, you can't be certain your network won't be breached.

Don't forget that on mobile networks, IPv6 is enabled by default. By the same account, all your mobiles are "unprotected". In reality, that is not the case as these devices don't listen on any port, other than mDNS.

I mean, sure, games do open ports but let's face it, if you want to play the game, it is what it is.

What I mean by security hygiene is probably more about awareness and conscious action at the individual level. It is unrealistic to expect a home user to have a Security Operations Center with SIEM and all. Remember, every additional service you run means potentially vulnerable code, including VPN, IDS, SIEM or whatever database is required for all your telemetry to function.

Regarding endpoint address scanning, IPv6 actually provides a benefit here. The IPv4 space is small and has been scanned many times over. However, scanning IPv6 address space is difficult. All endpoints by default use the IPv6 privacy address extension, which means addresses are randomly generated, and they will periodically change. Try scanning the whole 64-bit subnet with IP addresses changing every 2 days. It is not going to work. Now this is assuming the attacker already knows your subnet. If they don't, they have to scan 125 bits of address space (currently only the top 3 bits of the IPv6 address are assigned: 2000::/3).
If the person is dumb, then he will need to scan the whole 128-bit space. On the day this becomes an issue, a lot of encryption will be broken.

This post has been edited by kwss: Feb 7 2025, 05:25 AM
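
The scanning argument in the post above, worked through numerically as an added example (not from the original post): it assumes a constructed probe rate of one million probes per second and 10 hosts on one /64 that regenerate their RFC 4941 temporary addresses every 2 days. The naive textbook formula is included because it silently returns 0 for a /64 due to floating-point rounding, which is the kind of reassuring-but-wrong number that ends up in risk assessments.

```python
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def years_to_sweep(address_bits: int, probes_per_second: float) -> float:
    """Wall-clock years needed to probe every one of 2**address_bits addresses once."""
    return 2 ** address_bits / probes_per_second / SECONDS_PER_YEAR


def p_hit_naive(address_bits: int, live_hosts: int, probes: float) -> float:
    """Textbook formula 1 - (1 - k/N)**n. For N = 2**64 the term k/N is smaller
    than half a double-precision ulp of 1.0, so (1 - k/N) rounds to exactly 1.0
    and the result collapses to 0.0: wrong, and misleadingly reassuring."""
    return 1.0 - (1.0 - live_hosts / 2 ** address_bits) ** probes


def p_hit_within_window(address_bits: int, live_hosts: int,
                        probes_per_second: float, window_seconds: float) -> float:
    """Probability that uniformly random probing of a 2**address_bits space reaches
    at least one of `live_hosts` randomly placed addresses before the hosts rotate
    them (window_seconds later). log1p/expm1 keep the tiny k/N term from being
    lost to rounding, which is what breaks p_hit_naive."""
    probes = probes_per_second * window_seconds
    ln_miss_one = math.log1p(-live_hosts / 2 ** address_bits)  # ln(1 - k/N)
    return -math.expm1(probes * ln_miss_one)                   # 1 - (1 - k/N)**n


def compare(probes_per_second: float = 1e6) -> dict:
    """Constructed scenario (an assumption, not from the post): 10 hosts on one /64,
    temporary addresses regenerated every 2 days, 1M probes per second."""
    return {
        "ipv4_sweep_years": years_to_sweep(32, probes_per_second),
        "one_64_sweep_years": years_to_sweep(64, probes_per_second),
        "all_2000_3_sweep_years": years_to_sweep(125, probes_per_second),
        "p_hit_one_64_in_2_days": p_hit_within_window(
            64, 10, probes_per_second, 2 * SECONDS_PER_DAY),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:26s} {value:.3g}")
```

At that rate the whole IPv4 space takes about an hour, one /64 takes on the order of half a million years, and the chance of hitting any of the 10 hosts before their addresses rotate is below one in ten million.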
kwss
post Feb 7 2025, 05:29 AM

Massive MikroTik router botnet has been spreading malware – here’s how to stay safe
https://www.tomsguide.com/computing/online-...ow-to-stay-safe

Attacker compromised all these routers by scanning the IPv4 address space. No way they can effectively scan an IPv6 address space.
kwss
post Feb 9 2025, 03:01 AM

QUOTE(biatche @ Feb 7 2025, 05:59 AM)
"The most popular brand of router in Russia, MikroTek"

Very surprised Mikrotik is the #1 brand in a big country. For MOST people it's very difficult to learn how to use these routers. It took me some time to familiarize myself.

In any case, I appreciate your responses and I will progressively take steps towards "security hygiene". If not for applications and games, I'd much prefer using Linux. I am at least comfortable enough with nftables/iptables. Can't say the same for Windows Firewall.
*
Actually in a lot of countries, their ISPs made things very simple. No VLAN. No PPPoE. No nothing.
Plug in anything and it just works, including no-name Wi-Fi repeaters.

My friend bought a Mikrotik for his NBN in Australia. Just plug it in and it works. Literally do not need to know anything at all.
In all of these countries, there is also no contract and also no router provided. You can change ISP weekly.
kwss
post Feb 14 2025, 03:06 AM

go626201
In 7.18 beta 6:
CODE

*) ipsec - added hardware acceleration support for hEX refresh (additional fixes);


Not sure what the performance is, but it is finally here.

From:
https://help.mikrotik.com/docs/spaces/ROS/p...areacceleration

Comparing rb5009 (88F7040) and hex refresh (EN7562CT), you lose sha512 and aes-gcm.
Not sure what is your use case but just sharing it for your consideration.
kwss
post Feb 14 2025, 05:07 PM

QUOTE(go626201 @ Feb 14 2025, 01:39 PM)
I mainly use PPPoE and WireGuard with a lot of Mangle only.
BGP or others like OpenVPN or something else, no use.
But use some more on address-list for mangle usage.

And I just updated my rb5009 status on the Unifi thread; I "almost" overturned my assumption on rb5009 death. (1:39PM)

Edited:
DC again after 1+ hours. Now changed back to hEX for further monitoring.
*
Whenever you use the rb5009, your packet loss will be very high, even to the rb5009 itself.
This is from your PC to the router, before the packets even reach your ONU.

Looks like your Windows PC is missing IPv6 for the rb5009 as well? Or is this an IPv4 test on purpose?

From your YouTube video, I cannot really tell for sure if the port is flapping just from the way it blinks.
So regardless of which ONU, the rb5009 will still dc, right? It just depends on how long you need to wait?

And this is all without using a UPS, all with their own original power bricks? + new network cable?

Not exactly ping plotter, but I think we can compare the difference in packet loss

This post has been edited by kwss: Feb 14 2025, 05:51 PM
kwss
post Feb 14 2025, 05:55 PM

QUOTE(go626201 @ Feb 14 2025, 05:51 PM)
No, IPv6 for Windows is already fixed, for either the hEX or the RB5009; it no longer drops. And yes, I chose a random IPv4 result just now to prove the connection was still alive for 40 min with the rb5009, but it died after around 90-100 mins.

Yes, but I did change to the old ONU for now, and am now using the hEX again for monitoring purposes, and a dc occurred once, 20 mins after switching to the hEX. So this makes me think it is still a possibility that it's TM's fault.
But after that dc, so far no dc has occurred from 3.34pm until now. (Old ONU using new ONU adapter, and hEX using own adapter, new cable between old ONU and hEX)
*
Can you keep your torrent client on while doing the test?
I wonder if generating more traffic will make you dc faster.

That day you left it and went to sleep, it was on for 6 hours straight, right? That was with a quiet network?
kwss
post Feb 14 2025, 06:02 PM

QUOTE(go626201 @ Feb 14 2025, 05:59 PM)
You mean Wednesday when we discussed, right? Yes, after Thursday 3am+ I went to sleep, and no dc at all, but the dc occurred after afternoon yesterday.

If I start torrenting, I think the latency will spike. Torrenting causes a different issue, but it's still usable. But it should not cause a disconnect, I think.
*
Ok. If you say so. I have no idea and cannot spot any pattern in the dc.
How about you just test each setup for at least 3 days from now instead of changing every day.
It is really hard to tell which one is more stable given that the frequency of your disconnects is not fixed.

But from your ping plotter I can definitely tell if you are using the rb5009 or the hex.
kwss
post Feb 14 2025, 06:07 PM

QUOTE(go626201 @ Feb 14 2025, 06:05 PM)
Okay good, I dc'd now!!!!
*
You mean you purposely dc'd to change setup, or randomly dc'd again?
kwss
post Feb 14 2025, 06:11 PM

QUOTE(go626201 @ Feb 14 2025, 06:08 PM)
Just dc'd after I started qBittorrent.
I 1000% confirm it's not my device issue now!!!
*
Well, if you can dc yourself just by starting a torrent client, then I think it is good news?
You can officially report to TM, wait for them to come and test till they fix it.

1000x better than some random dc that need few hours to show up.
kwss
post Feb 14 2025, 06:18 PM

QUOTE(go626201 @ Feb 14 2025, 06:13 PM)
Now it keeps dc'ing... But it is good news for me actually that I don't need to waste money buying a new router.

I'll stop the torrent to see how it goes first.
*
I think I will catch you tomorrow again. Gotta off already.

Sharing my 8.8.8.8 result for you to compare later:

kwss
post Feb 15 2025, 01:14 AM

QUOTE(go626201 @ Feb 14 2025, 11:53 PM)
Haha, but I live-chatted to complain, not calling 100.
TM will send their technical team to come and check tomorrow morning.
I already expect them to say it is my fault, but I still need to report first.
Or they will not take a look at my issue.
I will appeal if they do not fix my issue.

And an update on my network status:
I had about 3-4 hours of stable network.
But from 11pm until now, the disconnection has occurred 4 times already.
About every 10 min it happens once.
*
Remember to borrow all their ONUs, log in and check the error rate while they are here.
Check the error statistics for the fiber too. You had a small number of them.

Can you post the full ONU log showing the port flapping? Save a copy.
Show them your 2 Tik + 1 TP-Link as devices under test too. This should save both parties a lot of time.

Also ask them for the password and VoIP PIN.
See if they can swap your old ONU with another model from Huawei or ZTE?
Perhaps ask them what OLT you are using now.
Plus if there's another optical splitter that can connect you to a different line card.

This post has been edited by kwss: Feb 15 2025, 01:18 AM
kwss
post Feb 15 2025, 07:11 AM

QUOTE(go626201 @ Feb 15 2025, 01:26 AM)
I got the Mikrotik PPPoE log running, and this disconnect is not caused by torrenting. The disconnect last evening was totally a coincidence. (After that dc, I had about 3 hours okay)
After 11pm, I get frequent disconnections even until now. (Torrenting off)
Let them check first.
No port flapping now. Neither side has any log related to Ethernet for the disconnection.

My thought: the ONU is not the main cause of this issue; it might be something else wrong.
Mikrotik support did say this:
"I would say that the number of active PPPoE sessions exceeds the value configured on server, contact your ISP or check server configuration."
Updated:
Attached a short log about the PPPoE disconnection.
https://pastebin.com/TnUwxk9V
*
Read the log file. It's not a timeout. The server sends you a terminate request even immediately after a successful lcp-echo / lcp-reply pair.
Did you sell off any of your old routers?
I would try to request a PPPoE password change. I suspect someone is trying to use your 1gig password.
If it happened right after the FSU, it could be that technician.

But this doesn't discount the fact that you still get tons of Ethernet errors on the ONU.

This post has been edited by kwss: Feb 15 2025, 07:14 AM
kwss
post Feb 15 2025, 10:21 AM

QUOTE(go626201 @ Feb 15 2025, 09:23 AM)
Never sold my router.
Later at 10.30am TM will come and check.
Even if the problem really is the password being used, I still need to fix the upload latency spikes.
It came back again in the 1st second when I started uploading data.

And attached an overnight pingplotter here.
After 2.45am no more downtime.
*
Can you try connecting your PC directly to the Mikrotik and run ping plotter again? Bypass the switch.

You don't get spikes while using the HEX. Probably because with the HEX you cannot use the DAC. So that might be the problem. Look at the massive amount of packet loss with your router.

I'm confident you have more than one issue with your network. None of the problems you are facing are mutually exclusive.

The high error count is one.
The PPPoE disconnect is another.
The latency spike is the third one.
kwss
post Feb 15 2025, 11:07 AM

QUOTE(go626201 @ Feb 15 2025, 11:00 AM)
Emm, the hEX should have the same issue. (Upload packet loss and high latency only mainly occur on IPv6)
The first hop packet loss is normal. ChatGPT said the router will not respond to non-direct traceroute.
If I pingplotter to the router, no packet loss at all.

For this, the packet loss is according to the disconnection with Unifi.
*
It's normal for a lot of ASIC data planes to throttle or filter TTL Time Exceeded packets because they need to process them in software in the control plane.

The rb5009 is not one of them. You also get a small loss with the Hex, which is also not one of them. I tested with mtr, which mimics ping plotter, and as you can see, all zero loss.

But er .. if you say no problem then just ignore it.

This post has been edited by kwss: Feb 15 2025, 11:09 AM
kwss
post Feb 15 2025, 11:22 AM

QUOTE(go626201 @ Feb 15 2025, 11:16 AM)
From what I tested, the IPv6 high latency might be due to bufferbloat when hitting more than 4XX Mbps upload with IPv6. (If I use a queue and set it limited to 4XX Mbps, no spikes at all)
OR maybe if uploading with IPv4 then there will be IPv4 packet loss and high latency; this one I haven't tested.
*
Actually for this question, I think only those senior people in TM know the answer.
I tested mine extensively and don't have this problem. Maybe because my area no longer has local congestion.
I did face this issue last time, when local congestion was a daily affair.

It's the same as all the mobile networks where they use deep buffers to keep link utilization high.

But I find it weird that it only happens for IPv6, as the configuration should be protocol agnostic.

EDIT:
Did you actually use packet marks inside RouterOS? I have a suspicion you match an IPv4 address list and mark only IPv4 packets. Hence the behavior.

This post has been edited by kwss: Feb 15 2025, 11:26 AM
kwss
post Feb 15 2025, 11:29 AM

QUOTE(go626201 @ Feb 15 2025, 11:25 AM)
Ah, I just tested forcing an upload to Google Drive with IPv4.
IPv4 spikes a bit; this I can understand, most likely due to bufferbloat. (80ms)
IPv6 spikes more abnormally. (more than 400ms)
So when uploading a file, IPv6 latency is much higher than IPv4.
*
I updated my previous reply while you posted lol.
Can you revisit it? Maybe describe a bit how you use mangle and address list?
