ipv6export
# Static IPv6 addresses carved from the delegated prefix (the pool is filled by the DHCPv6 client section).
# The ether1 (WAN) entry stays disabled: ether1 is addressed dynamically by the DHCPv6 client instead.
/ipv6 address
add interface=ether1 from-pool=general-pool6 address=::1 disabled=yes
add interface=local from-pool=general-pool6 address=::1
/ipv6 dhcp-client
# Request both an IA_NA address and a delegated prefix on the WAN port and install the default route.
# Once the delegation is valid the client waits 2 s and runs the script "dynamic_prefix_update";
# that script is not part of this export — confirm it exists under /system script before importing.
add add-default-route=yes interface=ether1 pool-name=general-pool6 request=address,prefix script="if (1=\$\"pd-valid\") do={\r\
\n /delay 2\r\
\n /system script run dynamic_prefix_update;\r\
\n};"
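/ipv6 firewall address-list
# Bogon / non-routable prefixes referenced by the forward-chain "bad src/dst ipv6" drop rules.
# Every entry must stay enabled: an entry with disabled=yes is not part of the list, and a fully
# disabled list turns those drop rules into no-ops. If one prefix genuinely has to be excluded,
# disable that single entry rather than the whole list.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6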
/ipv6 firewall filter
# Rules are evaluated top to bottom and the first match wins, so the order below is significant.
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# All ICMPv6 types are accepted on input (ND, RA and PMTUD depend on it); no per-type filtering is applied.
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
# DHCPv6 server replies come from link-local sources only; the src-address match keeps 546/udp from being open globally.
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
# IKE, AH, ESP and ipsec-policy traffic is accepted from any source. If no IPsec peers terminate on this
# router these four rules only widen the exposed surface — consider removing them or restricting by src-address.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Default deny for input: only interfaces in the "LAN" interface list (defined outside this export) may reach
# the router. Verify that list contains "local", otherwise management from the LAN side is cut off.
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# These two rules are only effective while the bad_ipv6 address-list entries are enabled; entries marked
# disabled=yes in the address-list section are not matched, so check that section when auditing these drops.
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
# RFC 4890: ICMPv6 with hop-limit 1 is link-scoped and must not be forwarded.
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Default deny for forward: new inbound connections from non-LAN interfaces are dropped. There is no rule
# allowing inbound services to LAN hosts; add explicit accepts above this line if any are needed.
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# Clamp the TCP MSS of SYNs leaving via the WAN port to the path MTU so that links with a smaller MTU
# do not black-hole large segments. passthrough=yes lets any later mangle rules still see the packet.
/ipv6 firewall mangle
add chain=forward out-interface=ether1 protocol=tcp tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu passthrough=yes
# Router advertisements: disabled on the WAN port so the router never advertises itself upstream,
# enabled on the LAN interface so hosts can autoconfigure from the advertised /64.
/ipv6 nd
set [ find default=yes ] interface=ether1 disabled=yes ra-interval=20s-1m
add interface=local ra-interval=20s-1m
/ipv6 address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
# ADDRESS FROM-POOL INTERFACE ADVERTISE
0 XG ::1/64 genera... ether1 yes
1 G 2605:a601:a699::1/64 genera... local yes
2 DG 2605:a600:1d02:bc08::1/64 ether1 no