Open IPv6 Issues / questions

- will the fix for issue NUTM-7187 be included with 9.5?

- is there a fix in the works for IPv6 connections where the WAN port is supposed to use an address out of the delegated prefix? Currently users of such ISPs do not get any IPv6 address (for example KPN Netherlands).

- what about the ability to change/edit the UID for IPv6 Delegation Requests?

- what about long-standing feature requests such as 6tunnel integration, Let's Encrypt - is that on the roadmap? Users, myself included, had high hopes for 9.5 but this seems to be more than a maintenance release.

thank you in advance.

  • Hi Ben,

    Thanks for the heads-up on the HA scenario. There is no such thing as minor. Please bring them up as you see them. Thanks!

    I am not sure about the requirement for the HA scenario as yet. Let me dig up and see what UTM is supposed to do vs what UTM is currently doing. Will update ASAP.

    Note: Sorry I have not been able to use your system since I am stuck with a few critical items.

    Can you give me a time slot that I can try the new patch on your system? Thanks Ben!

  • Hi Le,

    thanks for the update and info again! I will play around with HA again, but it seemed it didn't take over the prefix from master to slave. I will test with the production Sophos as soon as possible.

    Time slot: all weekends, non-school hours during the week (7.30am to 5pm GMT+1 is school times). So from now 10 hours later you can do what you have to do :)

    Ben

    ---

    Sophos UTM 9.3 Certified Engineer

  • Le,

    from now and the next 13 hours would be no problem. Same goes for the next few days.

    ---

    Sophos UTM 9.3 Certified Engineer

  • since i am now on holidays and got a little bit more time on my hands:

    - the IPv6 patch from Le is working great, 12 days of connectivity here on my testbox via IPv6 and PPPoE

    Completely unrelated to IPv6 via PPPoE: Been trying to get IPv6 working on a friend's "Deutsche Glasfaser" connection. They are using 6rd, which is kind of evil I think, but we managed to get it working on this WAN interface, also with additional addresses and WAF/VPN working! What is not working is his clients getting "out". We tried various things (including using masquerading, which normally works); a traceroute would always end at the IPv6 of his internal interface. I suspect an additional route is probably missing. Anybody who can point me in the right direction here please?

    ---

    Sophos UTM 9.3 Certified Engineer

  • In the 9.502 changelog I don't see any IPv6 related changes, so I assume that the patch didn't make it in time?

  • Hi SanderRutten,

    No, it is not yet in the release since it is currently in the QA cycle. Will let you know ASAP. Thanks for helping us out!

    I noticed in 9.503-4 there is a fix:

    [Network] Prefix Delegation does not work correctly during a PPPoE reconnect

    Is this the implementation of this patch?

    ---

    Sophos UTM 9.3 Certified Engineer

  • Yes, it is.

    Thanks for your help and patience!

  • Hello Le (And maybe

    I just figured something out, but not sure if it is related to the original problem here.
    I think I can sum it up to: Network definition "Internet IPv6" is unresolved. Therefore I'm unable to create a (working) firewall rule to "Internet IPv6".

    Probably because it is not bound to an interface, but I can't assign an interface. In my WAN's interface definition it is set as "IPv6 Default GW".
    I found out while trying to tighten my home security; it was quite open from the internal network to the outside world.

    First I had rules #1 and #3 combined, as well as rules #2 and #4. But while trying to understand what happened I split them both into an IPv4 and an IPv6 rule. So now I have:

    As you can (hopefully :)) see: The small '6' is not displayed in the Internet IPv6 icon, but it is for "Any IPv6". And for IPv4 it also shows the little 4 in the icon.
    What I expect to happen is while surfing via IPv6, that rule #3 is being used. Instead it always used #4. 
    For IPv4 it works like what I was expecting. 

    When I don't enable the Any IPv6 rule, all traffic is dropped by the default rule.

    Any ideas if I can fix this myself?

  • Hi SR,

    Good to hear from you.

    OK, I am not sure what the problem is. Here is what is needed:

    1) I have a script "get-data.sh" which will collect UTM system data. I need, somehow, to give this to you. Please let me know how I can send it to you. Thanks

    2) Do a tcpdump on the interface

    3) ./get-data.sh  ipv6

    4) Collect the data from step 3 and step 2 above

    5) Send me the collected data

    Question: Do you know how to turn on tracing in iptables? If yes, please turn it on and capture the iptables trace as well

    Good luck!

    IPv6 works strangely with rules; any ipv6 -> any -> any ipv6 / internet ipv6 will not work as expected.

    Putting an interface with a /64 IPv6 subnet will not allow it "per se"

    would still like some extra options to hardlock the prefix gotten; my ISP sometimes reboots their router and unfortunately IPv6 comes up last and the UTM reacts funny (Le has some info on that when he has some time on his hands in the future)

    otherwise I am happy UTM is this far, thanks to Le!

    ---

    Sophos UTM 9.3 Certified Engineer