Open IPv6 Issues / questions

- will the fix for issue NUTM-7187 be included with 9.5?

- is there a fix in the works for IPv6 connections where the WAN port is supposed to use an address out of the delegated prefix? Currently users of such ISPs do not get any IPv6 address. (for example KPN Netherlands)

- what about the ability to change/edit the UID for IPv6 delegation requests?

- what about long standing feature requests such as 6tunnel integration, Let's Encrypt - is that on the roadmap? Users, myself included, had high hopes for 9.5 but this seems to be more than a maintenance release.

thank you in advance.

  • Hi Ben, please see my answers inline below:

    Ben said:

    - will the fix for issue NUTM-7187 be included with 9.5?

    [BL]: The fix for NUTM-7187 is not included in this current UTM 9.5 beta version. We are actively working on the fix right now though, so as soon as we have a confirmed fix it will be included in a subsequent release.

    - is there a fix in the works for IPv6 connections where the WAN port is supposed to use an address out of the delegated prefix? Currently users of such ISPs do not get any IPv6 address. (for example KPN Netherlands)

    [BL]: This should be supported today, unless the ISP is doing both stateless & stateful. Is that the case for you? If so, we are fixing that as part of NUTM-7187 as well.

    - what about the ability to change/edit the UID for IPv6 delegation requests?

    [BL]: Unfortunately this isn't part of this 9.5 release.

    - what about long standing feature requests such as 6tunnel integration, Let's Encrypt - is that on the roadmap? Users, myself included, had high hopes for 9.5 but this seems to be more than a maintenance release.

    [BL]: Let's Encrypt is on our current roadmap, but it's mainly planned as a WAF feature. As for 6tunnel integration, it's currently not planned for any specific release.

    thank you in advance.

  • Three things I forgot to ask:

    - RED (Sophos to Sophos, RED device to Sophos) over IPv6 only?  - pleaassseee! :-)

    - Ability/option to disable IPv6 for the SMTP proxy -> When enabling IPv6, e-mails being sent out will go over IPv6 if the target MX entry has an AAAA entry. We only want to use IPv6 for web surfing, VPN etc., not for SMTP yet until it is properly assigned and managed.

    - On our main business UTM we received a static IPv6 address and prefix from our provider. The UTM does not have the ability/option to manually enter a prefix that is statically assigned; if addresses out of the static prefix pool are "just" used, they won't have a route. Is this feature possible or non-standard?

    ---

    Sophos UTM 9.3 Certified Engineer

  • Hi Ben,

    your last statement is correct for this version, something in 9.5 IPv6 is broken. DHCP does not work because it wants a setting which worked in 9.4. In 9.5 using advertisement my wifi card is assigned two IPv6 addresses from my /64 range.

    Maybe I should start a bug report on DHCP and IPv6?

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi rfcat_vk:

    Are you saying something was working in 9.4 (e.g. 9.411), but is now broken in 9.5? That's definitely not our intention, so I would like to better understand what's not working.

    You mentioned there's a setting which worked in 9.4, which setting is that exactly? Were you not getting 2 IPv6 addresses using the same setup in 9.4?

    Any additional info you can provide will really help us track down if something indeed changed in 9.5 or not.

    Thanks!

  • Let me try to explain.

    Under 9.4 you needed advertisement as well as DHCP to have control over your IPv6 address allocations.

    Under 9.5 you can have DHCP which does not assign an address but gives you a warning that a flag needs to be set, but there is no option to set the flag.

    Or you use advertisement which does not allow you control over your address assignments. I have a /48 of which I have used a /64 for one interface. Instead of getting one address (real IPv6) per interface I get two within the /64 range. I am using a home licence with a limit of 50 IP addresses so I am quite concerned if suddenly all my devices get two additional addresses instead of 1. While I am not near my limit it is disturbing that each device is assigned 3 IP addresses, so 16 devices takes you to your licence limit.

    Is that plain enough or do you need more details?

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • On IPv6 prefix advertisement set preferred lifetime to 15 min, valid lifetime to 1 hour (or the other way around).

    That way the leases won't count for too long.

    Also +1 on removing the user limit on IPv6 connections for the home user licence, it's not practicable, neither for business use (1x IPv4, 2-4x IPv6).

    I use stateless only and deactivate privacy extensions on the endpoints; Ubuntu Linux for example always pulls the same IPv6 via SLAAC.

    ---

    Sophos UTM 9.3 Certified Engineer
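The lifetime suggestion above (15 min preferred / 1 h valid) and the "three addresses per device" report earlier in the thread can both be checked from the client side. The following Python is an example added here, not code from the thread or from Sophos; it assumes Linux `ip -6 addr show` output, uses a constructed sample, and treats `dynamic` /128 addresses as DHCPv6 leases (a heuristic, not a rule the kernel guarantees).

```python
import re
from collections import namedtuple
from typing import Optional

# Constructed sample in the format of `ip -6 addr show` (Linux), not a capture from the thread:
# eth0 holds a stable SLAAC address, a privacy (temporary) address and a DHCPv6 lease.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:a1b2:c3d4:e5f6:7890/64 scope global temporary dynamic
       valid_lft 3599sec preferred_lft 899sec
    inet6 2001:db8:1:2:21a:2bff:fe3c:4d5e/64 scope global dynamic mngtmpaddr
       valid_lft 3599sec preferred_lft 899sec
    inet6 2001:db8:1:2::100/128 scope global dynamic
       valid_lft 86400sec preferred_lft 43200sec
    inet6 fe80::21a:2bff:fe3c:4d5e/64 scope link
       valid_lft forever preferred_lft forever
"""
INET6_RE = re.compile(r"inet6\s+([0-9a-f:]+)/(\d+)\s+scope\s+(\S+)([^\n]*)\n"
                      r"\s+valid_lft\s+(\S+)\s+preferred_lft\s+(\S+)")
# Lifetimes are in seconds; None stands for "forever".
Addr = namedtuple("Addr", "iface addr prefixlen flags valid_lft preferred_lft")

def _lft(tok: str) -> Optional[int]:
    return None if tok == "forever" else int(tok.rstrip("sec"))

def parse_ip6_addr(text: str) -> list:
    """Split the output into per-interface blocks ("2: eth0: ...") and pull out each inet6 record."""
    parts = re.split(r"^\d+:\s+([^:\s]+):", text, flags=re.M)
    return [Addr(iface, m[1], int(m[2]), {m[3], *m[4].split()}, _lft(m[5]), _lft(m[6]))
            for iface, body in zip(parts[1::2], parts[2::2]) for m in INET6_RE.finditer(body)]

def classify(a: Addr) -> str:
    """Where the address came from; assumption: DHCPv6 leases appear as /128, SLAAC as /64."""
    if "temporary" in a.flags:
        return "slaac-temporary"   # RFC 4941 privacy-extension address
    if "dynamic" in a.flags:
        return "dhcpv6" if a.prefixlen == 128 else "slaac-stable"
    return "static"

def global_count(addrs: list) -> dict:
    """Global-scope addresses per interface: what a per-IP licence counter would see."""
    return {i: sum(1 for a in addrs if a.iface == i and "global" in a.flags)
            for i in sorted({a.iface for a in addrs})}

def exceeds_policy(a: Addr, max_preferred: int = 900, max_valid: int = 3600) -> bool:
    """True if lifetimes outlast the 15 min preferred / 1 h valid suggested in the thread."""
    return (a.preferred_lft is None or a.preferred_lft > max_preferred
            or a.valid_lft is None or a.valid_lft > max_valid)
```

Run against real output (`ip -6 addr show | python3 -c '...'`) it shows which of a device's addresses are SLAAC stable, privacy, or DHCPv6, and which ones still carry lifetimes long enough to linger in a per-IP count.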

  • Hi rfcat_vk,

    Are you referring to the “DHCP server” and “IPv6 prefix advertisement” features on the UTM?

    If yes, I want to clarify that there hasn’t been any change in behavior for this feature between 9.4 and 9.5. Also, you could (as already suggested by Ben) set the appropriate values for valid and preferred lifetimes for the advertised prefixes.

    If not, I apologize for not having understood you clearly. It would be great if you could capture and share the screenshots that show the warning message that you observed regarding the flag that needs to be set. Also, any other screenshots that would show the difference in behavior between 9.4 and 9.5 would be of great help for us to be able to isolate/debug unforeseen issues in 9.5.

    Thanks,

    -Prakash

  • Ben, I never asked or even implied I was suggesting removing the home licence IP limit, not sure how you worked that out from my post?

    I was commenting using advertisement very quickly adds addresses to the count.

    I just fixed the IPv6 DHCP and advertisement issue, now I will change the lease time as you suggested because my IPv6 devices now have 3 addresses.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Prakash,

    the issue arose because the advertisement does not show the additional boxes to be ticked if you want to use a DHCP server.

    Also there is no warning as to where to enable the feature except in the UTM.

    I have ticked the box and now have 3 IPv6 addresses per device, and only one will age off because it comes under the DHCP server's control. I suppose I could change the range to the full /64, wait until the unused addresses age off, then reset the assignable range.

    Brilliant idea, but fell at the first post.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • " I am using a home licence with a limit of 50 IP addresses so I quite concerned if suddenly all my devices get two additional addresses instead of 1. While I am not near my limit it is disturbing that each device is assigned 3 IP addresses, so 16 devices takes you to your licence limit."

    I didn't want to imply anything, but this problem of yours is exactly why the IPv6 address count vs. licence doesn't make sense, as a single Windows machine will quickly use up your IP licences since it will change around IPv6 addresses unless you deactivate privacy extensions and do some other mumbo jumbo.

    ---

    Sophos UTM 9.3 Certified Engineer

  • Hi Ben,

    I got the addressing back under control with DHCP and advertisement. Back to one IPv6 address per device.

    I would like to see the address count issue addressed for the licencing purpose. A small business might buy a 10 user licence (have done this) and suddenly they blow their licence due to double counting.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.