RouterOS IPv6 Firewall Rule Template


### ✅ Basic IPv6 firewall rule template

```
# Input chain: traffic to the router itself
/ipv6 firewall filter
add chain=input connection-state=established,related action=accept comment="Allow established and related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=icmpv6 action=accept comment="Allow ICMPv6 for diagnostics"
# port= matches either the source or the destination port, so this catches client packets sent from UDP/546
add chain=input protocol=udp port=546 in-interface=bridge1 action=accept comment="Allow DHCPv6 client requests"
add chain=input action=drop comment="Drop all other input traffic"

# Forward chain: traffic passing through the router
add chain=forward connection-state=established,related action=accept comment="Allow forwarded established and related connections"
add chain=forward connection-state=invalid action=drop comment="Drop invalid forwarded traffic"
add chain=forward action=drop comment="Drop all other forwarded traffic"
```

✅ Output chain (traffic the router itself sends out)

```
# Optional output control
add chain=output connection-state=established,related action=accept comment="Allow outbound established connections"
add chain=output protocol=icmpv6 action=accept comment="Allow outbound ICMPv6"
add chain=output action=drop comment="Drop all other outbound traffic"
```

✅ Allow trusted IP ranges

```
/ipv6 firewall address-list
add address=2001:db8::/64 list=trusted

/ipv6 firewall filter
add chain=input src-address-list=trusted action=accept comment="Allow traffic from trusted address list"
```

✅ Allowing specific services (such as SSH, VPN, DNS): add rules to the input chain as needed

  • If the interface you use is not bridge1, replace it with the name of the interface you actually use.

  • To allow specific services (such as SSH, VPN, DNS), add rules to the input chain as needed. RouterOS evaluates rules top to bottom and stops at the first match, so a rule appended with a plain `add` lands after the final "Drop all other input traffic" rule and never matches; move it above that drop (for example with `place-before=`):

```
add chain=input protocol=tcp port=22 action=accept comment="Allow SSH access"
```
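The rule-ordering point above, as an added example that is not part of the original post: a small Python simulator of RouterOS first-match evaluation over the template's input chain (sample rules and packets are constructed here; `place_before` imitates what `place-before=` does on the router). It shows the appended SSH rule being shadowed by the final drop, and the same packet accepted once the rule is moved above it.

```python
import shlex

# Constructed sample: the page's input chain with the SSH rule appended where a plain "add" lands it.
INPUT_CHAIN = """
add chain=input connection-state=established,related action=accept comment="Allow established and related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=icmpv6 action=accept comment="Allow ICMPv6 for diagnostics"
add chain=input protocol=udp port=546 in-interface=bridge1 action=accept comment="Allow DHCPv6 client requests"
add chain=input action=drop comment="Drop all other input traffic"
add chain=input protocol=tcp port=22 action=accept comment="Allow SSH access"
"""

# Matchers for the parameters this template uses; port= is a source-or-destination match in RouterOS.
MATCHERS = {
    "connection-state": lambda want, pkt: pkt["connection-state"] in want.split(","),
    "protocol": lambda want, pkt: pkt["protocol"] == want,
    "port": lambda want, pkt: want in (pkt.get("src-port"), pkt.get("dst-port")),
    "in-interface": lambda want, pkt: pkt.get("in-interface") == want,
}

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted comments whole."""
    rules = []
    for line in text.strip().splitlines():
        parts = shlex.split(line)
        if parts and parts[0] == "add":
            rules.append(dict(p.split("=", 1) for p in parts[1:]))
    return rules

def evaluate(rules, chain, pkt):
    """First match wins, top to bottom; a chain with no matching rule lets the packet through."""
    for rule in rules:
        if rule["chain"] != chain:
            continue
        if all(MATCHERS[k](v, pkt) for k, v in rule.items() if k in MATCHERS):
            return rule["action"], rule.get("comment")
    return "accept", None

def place_before(rules, new_rule, comment):
    """Insert new_rule in front of the rule carrying `comment` (what 'add ... place-before=' does)."""
    idx = next(i for i, r in enumerate(rules) if r.get("comment") == comment)
    return rules[:idx] + [new_rule] + rules[idx:]

def ssh_before_and_after_fix():
    """Verdict for a new inbound SSH connection as pasted, then with the SSH rule moved above the drop."""
    rules = parse_rules(INPUT_CHAIN)
    pkt = {"protocol": "tcp", "src-port": "51234", "dst-port": "22",
           "connection-state": "new", "in-interface": "bridge1"}
    fixed = place_before(rules[:-1], rules[-1], "Drop all other input traffic")
    return evaluate(rules, "input", pkt), evaluate(fixed, "input", pkt)
```

The same `evaluate` call with a constructed DHCPv6 solicit (UDP, source port 546, arriving on bridge1) shows the template's port= rule matching on the source side.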

✅ Firewall rule comments: English and Chinese glossary

| English | Chinese |
|---|---|
| Allow established and related connections | 允许已建立和相关的连接 |
| Drop invalid connections | 丢弃无效连接 |
| Allow ICMPv6 for diagnostics | 允许 ICMPv6 用于网络诊断 |
| Allow DHCPv6 client requests | 允许 DHCPv6 客户端请求 |
| Drop all other input traffic | 丢弃所有其他进入本机的流量 |
| Allow forwarded established and related connections | 允许已建立的转发连接 |
| Drop invalid forwarded traffic | 丢弃无效的转发连接 |
| Drop all other forwarded traffic | 丢弃所有其他转发流量 |
| Allow outbound established connections | 允许路由器发出的已建立连接 |
| Allow outbound ICMPv6 | 允许路由器发出的 ICMPv6 |
| Drop all other outbound traffic | 丢弃其他所有外发流量 |
| Allow traffic from trusted address list | 允许来自可信地址的流量 |
| Allow SSH access | 允许 SSH 访问 |
