Aplicar em todos os roteadores.
Os prefixos públicos do cliente devem ser adicionados na lista REDE-GLOBAL. As redes de gerência do cliente devem ser adicionadas na lista REDE-SUPORTE.
# Customer public prefixes (list REDE-GLOBAL).
# The entry is created disabled; 99:70::/32 looks like a placeholder to be
# replaced with the customer's real prefix(es) before enabling - confirm.
# The input-chain Winbox rule in this script trusts REDE-GLOBAL as a source,
# so every address added here can reach TCP 8291 on the router.
/ipv6 firewall address-list
add list=REDE-GLOBAL address=99:70::/32 disabled=yes comment=!::PREFIXO-GLOBAL
#
# Management sources (list REDE-SUPORTE).
# The input chain accepts ALL traffic from this list, so each entry is a
# full-trust grant to the router; keep the prefixes as narrow as possible.
/ipv6 firewall address-list
# Prefix inside the ULA range (fd00::/8).
add list=REDE-SUPORTE address=fd00:1::/32 comment=!::SMART-LAYER
add list=REDE-SUPORTE address=2804:4368:6000:f0::/60 comment=!::SMART-LAYER
# Hostname entry: whatever this name resolves to gains management access, so
# the grant is only as trustworthy as the DNS path the router uses to resolve it.
add list=REDE-SUPORTE address=esc-gyn.smartlayer.net.br comment=!::SMART-LAYER
#
# Input chain: traffic addressed to the router itself. Rules are appended in
# this order and evaluated top-down; the first matching rule decides.
#
# Return traffic of connections the firewall already tracks.
/ipv6 firewall filter add action=accept chain=input comment=!::ACCEPT-ESTABLISHED/RELATED connection-state=established,related
# Unrestricted access (any protocol/port) for management sources. REDE-SUPORTE
# also receives dynamic 3h entries from the PORT-KNOCKING-FASE-3 raw rule.
/ipv6 firewall filter add action=accept chain=input comment=!::ACCEPT-REDE-SUPORTE src-address-list=REDE-SUPORTE
# BGP from known peers only. "port" matches source OR destination port 179.
# The BGP-PEERS list is not defined in this snippet; it must be populated
# elsewhere or this rule matches nothing.
/ipv6 firewall filter add action=accept chain=input comment=!::ACCEPT-BGP-PEERS port=179 protocol=tcp src-address-list=BGP-PEERS
# Rate-limited ICMPv6 accept. Packets above the limit fall through to the
# rules below; once DROP-GERAL is enabled that includes neighbor discovery,
# so size the limit for the busiest segment.
/ipv6 firewall filter add action=accept chain=input comment=!::ACCEPT-ICMPV6 limit=100,5:packet protocol=icmpv6
# OSPFv3 only between addresses in REDE-GERAL (list not defined in this snippet).
# NOTE(review): OSPFv3 normally uses link-local sources and multicast
# destinations; confirm REDE-GERAL covers them.
/ipv6 firewall filter add action=accept chain=input comment=!::ACCEPT-OSPFV3 dst-address-list=REDE-GERAL protocol=ospf src-address-list=REDE-GERAL
# RIPng from link-local neighbors (disabled). REDE-PRIVADA is not defined in
# this snippet.
/ipv6 firewall filter add action=accept chain=input comment=!::ACCEPT-RIPNG dst-address-list=REDE-PRIVADA port=520,521 protocol=udp src-address=fe80::/10 disabled=yes
# Winbox (TCP 8291) from REDE-GLOBAL, i.e. from every customer public prefix.
# NOTE(review): this exposes router management to all customer addresses;
# REDE-SUPORTE is already accepted above, so consider limiting Winbox to it.
/ipv6 firewall filter add action=accept chain=input comment=!::ACCEPT-WINBOX dst-port=8291 protocol=tcp src-address-list=REDE-GLOBAL
# OpenVPN listeners (disabled). No source restriction: if enabled, the port
# is reachable from any address.
/ipv6 firewall filter add action=accept chain=input comment=!::ACCEPT-OVPN-UDP disabled=yes dst-port=20124 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment=!::ACCEPT-OVPN-TCP disabled=yes dst-port=20124 protocol=tcp
# Final drop, created DISABLED. While it stays disabled the input chain falls
# back to accepting everything and none of the rules above restrict access.
# Enable it once the address lists are populated and management access has
# been verified (Safe Mode helps avoid a lockout).
/ipv6 firewall filter add action=drop chain=input comment=!::DROP-GERAL disabled=yes
#
# Routing-protocol packets originated by the router skip connection tracking.
# Flows exempted here have no conntrack entry, so their replies presumably do
# not match the "established,related" input rule and depend on the explicit
# per-protocol accept rules instead - confirm before enabling the final drop.
/ipv6 firewall raw
add chain=output action=notrack protocol=ospf comment=!::NOTRACK-OSPFV3
add chain=output action=notrack protocol=udp port=520,521 comment=!::NOTRACK-RIP
add chain=output action=notrack protocol=tcp dst-port=179 comment=!::NOTRACK-BGP
#
# Discards OSPFv3 packets sent to a multicast destination whose source is one
# of the router's own addresses (presumably the router's own hellos coming
# back in on another interface - confirm against the topology).
/ipv6 firewall raw
add chain=prerouting action=drop protocol=ospf src-address-type=local dst-address-type=multicast comment=!::DROP-OSPFV3-LOCAL
#
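# Three-phase port knocking. Each phase records the source address in a
# short-lived list; the next phase only matches sources found in the previous
# list, and the last phase adds the source to REDE-SUPORTE for 3 hours.
#
# Fix: phases 1 and 2 used to write to PORTKNOCKING-FASE-N while phases 2 and 3
# read PORT-KNOCKING-FASE-N, so the chain could never advance past phase 1.
# The list names now match on both sides.
#
# Security notes:
# - REDE-SUPORTE is accepted for all input traffic, so a completed knock grants
#   full reachability of the router for 3h. The knock sequence is static and
#   visible to anyone on the path; treat it as exposure reduction only and keep
#   strong authentication on every management service.
# - Any TCP packet to the phase-1 port from any source creates a list entry
#   (9s lifetime); watch list size and log volume during scans.
/ipv6 firewall raw
# Phase 1: first knock, open to any source; entry expires after 9s.
add chain=prerouting action=add-src-to-address-list address-list=PORT-KNOCKING-FASE-1 address-list-timeout=9s dst-address-type=local dst-port=2412 protocol=tcp comment=!::PORT-KNOCKING-FASE-1
# Phase 2: only sources that completed phase 1 within its 9s window.
add chain=prerouting action=add-src-to-address-list address-list=PORT-KNOCKING-FASE-2 address-list-timeout=9s dst-address-type=local dst-port=1224 protocol=tcp src-address-list=PORT-KNOCKING-FASE-1 comment=!::PORT-KNOCKING-FASE-2
# Phase 3: only sources that completed phase 2; grants REDE-SUPORTE for 3h.
add chain=prerouting action=add-src-to-address-list address-list=REDE-SUPORTE address-list-timeout=3h dst-address-type=local dst-port=1147 protocol=tcp src-address-list=PORT-KNOCKING-FASE-2 comment=!::PORT-KNOCKING-FASE-3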
#
# Optional source-NAT exemption, created disabled: traffic to destinations in
# the BYPASS-NAT list is accepted in srcnat, so no later srcnat rule rewrites
# it. The BYPASS-NAT list is not defined in this snippet.
/ipv6 firewall nat
add chain=srcnat action=accept dst-address-list=BYPASS-NAT disabled=yes comment=!::BYPASS-NAT
#