From 833abdfbd0363212a0619822d3fdd6e18ed24c9e Mon Sep 17 00:00:00 2001 From: Andy Chiang Date: Mon, 27 Oct 2025 08:40:27 +0700 Subject: [PATCH] config: add dest addr restrictions for DHCPv6 rules Some ISPs may use a GUA or other non-LLA as the source addr for the DHCPv6 response, but the destination addr is always LLA (fe80::/10). Therefore, adding a dest addr restriction improves security. See https://forum.mikrotik.com/t/xfinity-comcast-dhcpv6-configuration-change/156031/10 Signed-off-by: Andy Chiang --- root/etc/config/firewall | 1 + 1 file changed, 1 insertion(+) diff --git a/root/etc/config/firewall b/root/etc/config/firewall index 48b2440..d2d76e4 100644 --- a/root/etc/config/firewall +++ b/root/etc/config/firewall @@ -59,6 +59,7 @@ config rule option name Allow-DHCPv6 option src wan option proto udp + option dest_ip fe80::/10 option dest_port 546 option family ipv6 option target ACCEPT
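Review bot: the added `option dest_ip fe80::/10` in the Allow-DHCPv6 rule is justified only by a forum link, and in the lines shown it is the rule's only address match (no `src_ip` appears next to `option src wan` and `option proto udp`). The commit message should therefore say that leaving the source unrestricted is deliberate, and that DHCPv6 replies on port 546 addressed to anything outside fe80::/10 will no longer match this ACCEPT rule. It would also help to state the basis for "the destination addr is always LLA" in the message itself, so the reasoning survives if the forum thread moves. A short `#` comment above the new option would let someone debugging a failed lease on an unusual ISP find the restriction quickly.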