Open IPv6 Issues / questions

- Will the fix for issue NUTM-7187 be included with 9.5?

- Is there a fix in the works for IPv6 connections where the WAN port is supposed to use an address out of the delegated prefix? Currently users of such ISPs do not get any IPv6 address (for example KPN Netherlands).

- What about the ability to change/edit the UID for IPv6 delegation requests?

- What about long-standing feature requests such as 6tunnel integration, Let's Encrypt - is that on the roadmap? Users, myself included, had high hopes for 9.5 but this seems to be more than a maintenance release.

 

Thank you in advance.

  • In reply to Duc Le:

    Hi Le,

    I just sent you a PM with all the info needed for access. Thank you again for the work on this.

    Regards,

    Ben

  • In reply to Duc Le:

    Le:

    Was this patch tested against an HA scenario? I have an older installation in HA; after switching from master to slave the prefix changed, and when switched back from slave to master it was the old prefix again (but not working right away) - is the delegated prefix not synced between the machines? Minor issue, but maybe just a small thing that has to be fixed?

  • In reply to Ben:

    Does this release support 6rd or do I need to wait for my ISP to roll out a Dual Stack?

  • In reply to Ben:

    Hi Ben,

    Thanks for the heads-up on the HA scenario. There is no such thing as minor. Please bring them up as you see them. Thanks!

    I am not sure about the requirement for the HA scenario as yet. Let me dig up and see what UTM is supposed to do vs what UTM is currently doing. Will update ASAP.

    Note: Sorry I have not been able to use your system since I am stuck with a few critical items.

    Can you give me a time slot that I can try the new patch on your system? Thanks Ben!

  • In reply to Duc Le:

    Hi Le,

    Thanks for the update and info again! I will play around with HA again, but it seemed it didn't take over the prefix from master to slave. I will test with the production Sophos as soon as possible.

    Time slot: all weekends, non-school hours during the week (7.30am to 5pm GMT+1 is school times). So from now 10 hours later you can do what you have to do :)

     

    Ben

  • In reply to Duc Le:

    Le,

    From now and the next 13 hours would be no problem. Same goes for the next few days.

  • In reply to Ben:

    Since I am now on holidays and got a little bit more time on my hands:

    - the IPv6 patch from Le is working great, 12 days of connectivity here on my testbox via IPv6 and PPPoE

    Completely unrelated to IPv6 via PPPoE: Been trying to get IPv6 working on a friend's "Deutsche Glasfaser" connection. They are using 6rd, which is kind of evil I think, but we managed to get it working on this WAN interface, also with additional addresses and WAF/VPN working! What is not working is his clients getting "out". We tried various things (including using masquerading, which normally works); a traceroute would always end at the IPv6 of his internal interface. I suspect an additional route is probably missing. Anybody who can point me in the right direction here please?

  • In reply to Ben:

    In the 9.502 changelog I don't see any IPv6 related changes, so I assume that the patch didn't make it in time?

  • In reply to SanderRutten:

    Hi SanderRutten,

    No, it is not yet in the release since it is currently in the QA cycle. Will let you know ASAP. Thanks for helping us out!

  • In reply to Duc Le:

    I noticed in 9.503-4 there is a fix:

    [Network] Prefix Delegation does not work correctly during a PPPoE reconnect

    Is this the implementation of this patch?

  • In reply to Ben:

    Yes, it is.

    Thanks for your help and patience!

  • In reply to Duc Le:

    Hello Le (And maybe

    I just figured something out, but not sure if it is related to the original problem here.
    I think I can sum it up to: Network definition "Internet IPv6" is unresolved. Therefore I'm unable to create a (working) firewall rule to "Internet IPv6".

    Probably because it is not bound to an interface, but I can't assign an interface. In my WAN's interface definition it is set as "IPv6 Default GW".
    I found out while trying to tighten my home security; it was quite open from internal network to the outside world.

    First I had rule #1 and #3 combined, as well as rule #2 and #4. But while trying to understand what happened I split them both into an IPv4 and an IPv6 rule. So now I have:

    As you can (hopefully :)) see: The small '6' is not displayed in the Internet IPv6 icon, but it is for "Any IPv6". And for IPv4 it also shows the little 4 in the icon.
    What I expect to happen is that, while surfing via IPv6, rule #3 is being used. Instead it always used #4.
    For IPv4 it works like what I was expecting.

    When I don't enable the Any IPv6 rule, all traffic is dropped by the default rule.

    Any ideas if I can fix this myself?

  • In reply to SanderRutten:

    Hi SR,

    Good to hear from you.

    OK, I am not sure what the problem is. Here is what is needed:

    1) I have a script "get-data.sh" which will collect UTM system data. I need, somehow, to give this to you. Please let me know how I can send it to you. Thanks

    2) Do a tcpdump on the interface

       3) ./get-data.sh  ipv6

       4) Collect the data from step 3 and step 2 above

       5) Send me the collected data

     

    Question: Do you know how to turn tracing on in iptables? If yes, please turn it on and capture the iptables trace as well.

    Good luck!

  • In reply to SanderRutten:

    IPv6 works strangely with rules; any IPv6 -> any -> any IPv6 / Internet IPv6 will not work as expected.

    Putting an interface with a /64 IPv6 subnet will not allow it "per se".

    Would still like some extra options to hardlock the prefix gotten; my ISP sometimes reboots their router and unfortunately IPv6 comes up last and the UTM reacts funny (Le has some info on that when he has some time on his hands in the future).

    Otherwise I am happy UTM is this far thanks to Le!

  • In reply to Ben:

    Hi Ben,

    According to my daily report IPv6 traffic is passing the UTM.

    Thank you for your assistance.

    Ian

     

    Update. Blocks Facebook with tunnel fails and fails to fall back correctly, strange when using native and Google home page takes considerable time to load. All fixed when IPv6 disabled and DHCP IPv6 on internal interface disabled.