Open IPv6 Issues / questions

- will the fix for issue NUTM-7187 be included with 9.5?

- is there a fix in the works for IPv6 connections where the WAN port is supposed to use an address out of the delegated prefix? Currently users of such ISPs do not get any IPv6 address (for example KPN Netherlands).

- what about the ability to change/edit the UID for IPv6 Delegation Requests?

- what about long-standing feature requests such as 6tunnel integration and Let's Encrypt; are they on the roadmap? Users, myself included, had high hopes for 9.5, but this seems to be more than a maintenance release.


thank you in advance.

Parents Reply
  • Since I am now on holiday and have a little more time on my hands:

    - the IPv6 patch from Le is working great: 12 days of connectivity here on my test box via IPv6 and PPPoE

    Completely unrelated to IPv6 via PPPoE: I have been trying to get IPv6 working on a friend's "Deutsche Glasfaser" connection. They are using 6rd, which is kind of evil I think, but we managed to get it working on this WAN interface, also with additional addresses and WAF/VPN working! What is not working is his clients getting "out". We tried various things (including using masquerading, which normally works); a traceroute would always end at the IPv6 address of his internal interface. I suspect an additional route is probably missing. Anybody who can point me in the right direction here, please?

    ---

    Sophos UTM 9.3 Certified Engineer
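Added example for the 6rd question in the post above (editor's addition, not code from the thread or from Sophos UTM): how the customer prefix is derived from the WAN IPv4 address under RFC 5969, which routes a router needs before LAN hosts can get "out", and a check over `ip -6 route` output for the two gaps that make a traceroute stop at the router's own internal address. The 6rd prefix, IPv4MaskLen, border-relay address and the sample route table are all constructed from documentation ranges, not Deutsche Glasfaser's real parameters.

```python
"""6rd (RFC 5969) address plan and an egress check for a Linux-style IPv6 router.

Added example for the 6rd question in the thread; it is not code from the thread or
from Sophos UTM. The 6rd parameters and all addresses are constructed (documentation
prefixes), not Deutsche Glasfaser's real settings.
"""
import ipaddress


def sixrd_delegated_prefix(sixrd_prefix, ipv4_mask_len, wan_ipv4):
    """Customer prefix derived from the WAN IPv4 address (RFC 5969, section 4).

    delegated = 6rdPrefix || (WAN IPv4 minus its first IPv4MaskLen bits),
    length    = 6rdPrefixLen + (32 - IPv4MaskLen).
    """
    prefix = ipaddress.IPv6Network(sixrd_prefix)
    v4_bits = 32 - ipv4_mask_len
    low_v4 = int(ipaddress.IPv4Address(wan_ipv4)) & ((1 << v4_bits) - 1)
    delegated_len = prefix.prefixlen + v4_bits
    if delegated_len > 64:
        raise ValueError("delegated prefix is longer than /64; a LAN cannot be numbered from it")
    addr = int(prefix.network_address) | (low_v4 << (128 - delegated_len))
    return ipaddress.IPv6Network((addr, delegated_len))


def lan_subnet(delegated, index=0):
    """The index-th /64 carved out of the delegated prefix, for one LAN segment."""
    count = 1 << (64 - delegated.prefixlen)
    if not 0 <= index < count:
        raise ValueError(f"only {count} /64 subnet(s) available in {delegated}")
    return ipaddress.IPv6Network((int(delegated.network_address) + (index << 64), 64))


def required_routes(delegated, lan_if, br_ipv4, sixrd_prefix, tun_if="tun6rd"):
    """Routing entries a router needs before LAN hosts can reach the IPv6 Internet.

    Returned as (destination, next hop / device) pairs rather than CLI commands so
    they can be checked against any platform. The default route points at the 6rd
    border relay through the sit tunnel using the IPv4-mapped ::a.b.c.d form.
    """
    return [
        (str(lan_subnet(delegated, 0)), f"dev {lan_if}"),   # LAN prefix on the inside interface
        (sixrd_prefix, f"dev {tun_if}"),                    # other 6rd customers, directly via tunnel
        ("::/0", f"via ::{br_ipv4} dev {tun_if}"),          # everything else -> border relay
    ]


def egress_gaps(route_lines, forwarding_enabled, tun_if="tun6rd"):
    """Inspect `ip -6 route` output plus net.ipv6.conf.all.forwarding for the two
    misconfigurations that make a traceroute from a LAN host stop at the router's
    own internal address: forwarding off, or no default route out of the tunnel."""
    gaps = []
    if not forwarding_enabled:
        gaps.append("net.ipv6.conf.all.forwarding=0: the router answers for itself but forwards nothing")
    has_default = any(
        line.split()[0] in ("default", "::/0") and f"dev {tun_if}" in line
        for line in route_lines if line.strip()
    )
    if not has_default:
        gaps.append(f"no default route (::/0) via {tun_if}: transit packets have nowhere to go")
    return gaps


if __name__ == "__main__":
    # Constructed ISP parameters: 6rd prefix 2001:db8::/32, IPv4MaskLen 8, BR 192.0.2.254.
    delegated = sixrd_delegated_prefix("2001:db8::/32", 8, "192.0.2.1")
    print("delegated:", delegated)                       # 2001:db8:2:100::/56
    for dst, nh in required_routes(delegated, "eth1", "192.0.2.254", "2001:db8::/32"):
        print(f"  {dst:<24} {nh}")
    # Constructed `ip -6 route` output from a router where the default route was forgotten.
    table = [
        "2001:db8:2:100::/64 dev eth1 proto kernel metric 256",
        "2001:db8::/32 dev tun6rd metric 1024",
        "fe80::/64 dev eth1 proto kernel metric 256",
    ]
    for gap in egress_gaps(table, forwarding_enabled=True):
        print("gap:", gap)
```

With IPv4MaskLen 0 the whole WAN address goes into the prefix and the customer gets exactly one /64; with a non-zero mask the ISP strips the common leading octets and hands out a shorter prefix. Masquerading does not help when the default route is missing, because the packet never reaches a NAT decision point.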

Children
  • In the 9.502 changelog I don't see any IPv6 related changes, so I assume that the patch didn't make it in time?

  • Hi SanderRutten,

       No, it is not yet in the release since it is currently in the QA cycle. Will let you know ASAP. Thanks for helping us out!

  • I noticed that in 9.503-4 there is a fix:

    [Network] Prefix Delegation does not work correctly during a PPPoE reconnect

    is this the implementation of this patch?

    ---

    Sophos UTM 9.3 Certified Engineer

  • Yes, it is.

    Thanks for your help and patience!

  • Hello Le (And maybe

    I just figured something out, but not sure if it is related to the original problem here.
    I think I can sum it up as: network definition "Internet IPv6" is unresolved. Therefore I'm unable to create a (working) firewall rule to "Internet IPv6".

    Probably because it is not bound to an interface, but I can't assign an interface. In my WAN interface's definition it is set as "IPv6 Default GW".
    I found this out while trying to tighten my home security; it was quite open from the internal network to the outside world.

    First I had rules #1 and #3 combined, as well as rules #2 and #4. But while trying to understand what happened I split them both into an IPv4 and an IPv6 rule. So now I have:

    As you can (hopefully :)) see, the small '6' is not displayed in the Internet IPv6 icon, but it is for "Any IPv6". And for IPv4 it also shows the little 4 in the icon.
    What I expect to happen while surfing via IPv6 is that rule #3 is used. Instead it always uses #4.
    For IPv4 it works as I was expecting.

    When I don't enable the Any IPv6 rule, all traffic is dropped by the default rule.

    Any ideas if I can fix this myself?

  • Hi SR,

       Good to hear from you.

       OK, I am not sure what the problem is. Here is what is needed:

       1) I have a script "get-data.sh" which will collect UTM system data. I need, somehow, to give this to you; please let me know how I can send it to you. Thanks

       2) Do a tcpdump on the interface

       3) ./get-data.sh  ipv6

       4) Collect the data from step 3 and step 2 above

       5) Send me the collected data

       Question: Do you know how to turn on tracing in iptables? If yes, please turn it on and capture the iptables trace as well.

        Good luck!
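Added example for the iptables tracing question in the post above (editor's addition, not code from the thread, from Le's get-data.sh, or from Sophos UTM). `TRACE_SETUP` lists the commands an admin runs on the firewall to trace one IPv6 host through every table and chain; the script itself only parses the resulting kernel log lines and reports which rule decided the packet's fate. The log lines, chain name `LAN_TO_INTERNET6` and rule numbers are constructed to mimic the symptom reported earlier in the thread (a narrow rule not matching, a broad "any" rule matching); the log-backend module name is an assumption that depends on the kernel.

```python
"""Turn on netfilter rule tracing for one IPv6 host and read the result.

Added example for the "tracing in iptables" question in the thread; not code from
the thread or from Sophos UTM. TRACE_SETUP lists commands to run as root on the
firewall (this script does not execute them); the sample log lines and chain
names are constructed to mimic the symptom described earlier in the thread.
"""
import re

# Commands for the firewall shell. TRACE lives in the raw table so the packet is
# tagged before any other table sees it. The log backend module name differs by
# kernel: ip6t_LOG on older kernels, nf_log_ipv6 on newer ones (assumption: the
# UTM's kernel is in the older group; try the other name if the first fails).
TRACE_SETUP = """\
modprobe ip6t_LOG || modprobe nf_log_ipv6
ip6tables -t raw -I PREROUTING -s 2001:db8:1::10 -j TRACE
# reproduce the traffic from 2001:db8:1::10, then collect the trace:
dmesg | grep 'TRACE:'
# remove the rule again; it logs every rule that every packet from that host touches
ip6tables -t raw -D PREROUTING -s 2001:db8:1::10 -j TRACE
"""

# One trace entry per rule the packet matched, per chain policy applied and per
# user-chain return: "TRACE: <table>:<chain>:<rule|return|policy>:<number> KEY=VAL ..."
TRACE_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>[\w.-]+):(?P<kind>rule|return|policy):(?P<num>\d+)\s*(?P<rest>.*)"
)


def parse_trace(lines):
    """Turn raw kernel log lines into a list of hops (dicts) in packet order."""
    hops = []
    for line in lines:
        m = TRACE_RE.search(line)
        if not m:
            continue                      # not a trace line (other kernel noise)
        hop = {"table": m.group("table"), "chain": m.group("chain"),
               "kind": m.group("kind"), "num": int(m.group("num"))}
        for token in m.group("rest").split():
            if "=" in token:              # flags such as SYN carry no '=' and are skipped
                key, value = token.split("=", 1)
                hop[key] = value
        hops.append(hop)
    return hops


def walk(hops):
    """Compact 'table:chain:kind:num' path, the thing to read top to bottom."""
    return [f"{h['table']}:{h['chain']}:{h['kind']}:{h['num']}" for h in hops]


def verdict(hops, table="filter"):
    """Where the packet's fate was decided in one table: the last 'rule' or
    'policy' entry there. 'return' entries only mark leaving a user chain
    without a terminating match, so they are skipped."""
    decisive = [h for h in hops if h["table"] == table and h["kind"] in ("rule", "policy")]
    if not decisive:
        return None
    h = decisive[-1]
    return f"{table}:{h['chain']}:{h['kind']}:{h['num']}"


# Constructed sample: a LAN host's HTTPS SYN to the Internet. FORWARD rule 4 jumps
# into a user chain, which returns at its end (nothing in it matched, so the narrow
# rule did not fire), and FORWARD rule 7 (the broad "any" rule) finally accepts it.
SAMPLE_TRACE = """\
kernel: TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:0db8:0001:0000:0000:0000:0000:0010 DST=2001:0db8:ffff:0000:0000:0000:0000:0443 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=51234 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
kernel: TRACE: filter:FORWARD:rule:4 IN=eth1 OUT=ppp0 SRC=2001:0db8:0001:0000:0000:0000:0000:0010 DST=2001:0db8:ffff:0000:0000:0000:0000:0443 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP SPT=51234 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
kernel: TRACE: filter:LAN_TO_INTERNET6:return:3 IN=eth1 OUT=ppp0 SRC=2001:0db8:0001:0000:0000:0000:0000:0010 DST=2001:0db8:ffff:0000:0000:0000:0000:0443 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP SPT=51234 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
kernel: TRACE: filter:FORWARD:rule:7 IN=eth1 OUT=ppp0 SRC=2001:0db8:0001:0000:0000:0000:0000:0010 DST=2001:0db8:ffff:0000:0000:0000:0000:0443 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP SPT=51234 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
kernel: TRACE: mangle:POSTROUTING:policy:1 IN= OUT=ppp0 SRC=2001:0db8:0001:0000:0000:0000:0000:0010 DST=2001:0db8:ffff:0000:0000:0000:0000:0443 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP SPT=51234 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    hops = parse_trace(SAMPLE_TRACE.splitlines())
    for step in walk(hops):
        print(step)
    print("decided by:", verdict(hops))   # filter:FORWARD:rule:7
```

Reading the walk top to bottom answers exactly the question from the firewall-rule post: if the packet leaves the user chain with a `return` and is then accepted by a later, broader FORWARD rule, the narrow rule never matched, which is what an unresolved network definition produces. Keep the TRACE rule scoped to one source address and remove it afterwards; it is noisy and the log backend runs for every packet it tags.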

  • IPv6 works strangely with rules; any IPv6 -> any -> any IPv6 / Internet IPv6 will not work as expected.

    Putting an interface with a /64 IPv6 subnet will not allow it "per se".

    I would still like some extra options to hard-lock the prefix obtained; my ISP sometimes reboots their router and unfortunately IPv6 comes up last and the UTM reacts funny (Le has some info on that when he has some time on his hands in the future).

    Otherwise I am happy UTM is this far, thanks to Le!

    ---

    Sophos UTM 9.3 Certified Engineer

  • Hi Ben,

    according to my daily report IPv6 traffic is passing the UTM.

    Thank you for your assistance.

    Ian

    Update: blocks Facebook with tunnel, fails and fails to fall back correctly; strange when using native, and the Google home page takes considerable time to load. All fixed when IPv6 is disabled and DHCP IPv6 on the internal interface is disabled.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    You can send it to me via PM or mail: sander [some @ sign ] rutten [a dot here] me ;-)
    I'm not sure how to do iptables traces, but I can run some commands if you have them available for me.

    For the rest, IPv6 is working great. Since your patches it has been running smoothly for me.

  • I have one standing issue with prefix delegation over PPPoE on the current Sophos UTM version. Every few weeks, when my ISP is updating their stuff or doing maintenance, the following happens, where the Sophos UTM changes the delegated IPv6 prefix:

    - ISP reboots their edge routers

    - Reboot completes, PPPoE Authentication works again

    - IPv4 comes back up

    - Sophos UTM reconnects, IPv4 works and it tries to rebind the IPv6 prefix

    (ISP Router not done rebooting, IPv6 not back up yet)

    - Sophos fails to rebind the IPv6 prefix a few times

    - Sophos gives up and asks the ISP router for a new IPv6 prefix

    (ISP Router is fully back up again including IPv6)

    - Sophos gets a new IPv6 prefix and everything works again; old prefix lost

    Remarks: the old IPv6 prefix will work again if the files in /var/chroot-dhcpc/var/db/ppp0* are replaced with the old files and the UTM is rebooted. So the old prefix is -not- invalid; the Sophos UTM just "gave up" on it due to getting no ISP router reply on the rebind to it.

    Possible solutions (that I can think of): give the IPv6 script more time to rebind the IPv6 prefix; let the user "lock" the IPv6 prefix via the GUI so it will not change; don't let the Sophos UTM request a new IPv6 prefix "just" because the ISP router is not replying to the rebind. There should be an error on an unsuccessful rebind from the ISP router, I assume.

    ---

    Sophos UTM 9.3 Certified Engineer
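Added example for the prefix-delegation sequence in the post above (editor's addition, not code from the thread or from Sophos UTM's DHCPv6 client): a small model of the DHCPv6-PD client timers from RFC 8415 (T1 renew, T2 rebind, valid lifetime) run through an ISP outage, comparing a client that gives up after a few rebind failures with one that keeps the prefix until its valid lifetime actually expires. The timer values, outage window, prefixes and the "give up after N failures" policy are constructed to reproduce the behaviour the post describes, not taken from the UTM's implementation.

```python
"""DHCPv6 prefix-delegation timers (RFC 8415: T1 renew, T2 rebind, valid lifetime)
against an ISP outage, comparing two client policies.

Added example for the rebind problem described in the thread; it is not code from
the thread or from Sophos UTM. The timers, the outage window and the "give up after
N rebind failures" policy are a model of the behaviour the post describes, not the
UTM's actual implementation.
"""
from dataclasses import dataclass


@dataclass
class Lease:
    prefix: str
    t1: int      # seconds after acquisition: start renewing with the issuing server
    t2: int      # seconds after acquisition: start rebinding (any server may answer)
    valid: int   # valid lifetime: the prefix stays usable until acquisition + valid


def simulate(lease, isp_up, max_rebind_failures=None, step=60, horizon=2400,
             new_prefix="2001:db8:ffff::/56"):
    """Run the client state machine in `step`-second ticks up to `horizon`.

    isp_up(t) says whether the ISP's DHCPv6 server answers at time t.
    max_rebind_failures=None is the RFC 8415 behaviour: keep rebinding and keep
    using the prefix until its valid lifetime expires, and only then solicit a
    new one. An integer models a client that gives up early and re-solicits,
    which is how the old prefix gets lost while it is still perfectly valid.
    Returns (prefix_in_use_at_horizon, event_log).
    """
    prefix, acquired, state, failures, events = lease.prefix, 0, "bound", 0, []
    for t in range(0, horizon + 1, step):
        if state == "soliciting":
            if isp_up(t):
                prefix, acquired, state, failures = new_prefix, t, "bound", 0
                events.append((t, f"solicit answered: NEW prefix {prefix}"))
            continue
        age = t - acquired
        if age >= lease.valid:
            events.append((t, f"valid lifetime expired: releasing {prefix}"))
            state = "soliciting"
            continue
        if age >= lease.t2:
            state = "rebinding"
        elif age >= lease.t1:
            state = "renewing"
        else:
            continue                                  # bound, timers not yet due
        if isp_up(t):
            events.append((t, f"{state} answered: kept {prefix}"))
            acquired, state, failures = t, "bound", 0
            continue
        if state == "rebinding":                      # unanswered renews just wait for T2
            failures += 1
            if max_rebind_failures is not None and failures >= max_rebind_failures:
                events.append((t, f"gave up after {failures} rebind failures: soliciting"))
                state = "soliciting"
    return prefix, events


# Constructed scenario: lease acquired at t=0; the ISP's DHCPv6 server is unreachable
# from t=550 to t=1300 (router reboot), i.e. well inside the 1800 s valid lifetime.
LEASE = Lease(prefix="2001:db8:1234::/56", t1=600, t2=900, valid=1800)


def isp_outage(t):
    return not (550 <= t < 1300)


def outcome(max_rebind_failures):
    """Prefix the client ends up with under the given policy in the scenario above."""
    return simulate(LEASE, isp_outage, max_rebind_failures)[0]


if __name__ == "__main__":
    for label, policy in (("give up after 3 rebind failures", 3), ("hold until valid expires", None)):
        prefix, events = simulate(LEASE, isp_outage, policy)
        print(f"{label}: ends with {prefix}")
        for t, msg in events:
            print(f"  t={t:>4}s {msg}")
```

The impatient client solicits at t=1020, gets answered once the ISP is back at t=1320, and walks away with a different prefix; the RFC-style client simply gets its rebind answered at t=1320 and keeps the original. Only an outage longer than the remaining valid lifetime should ever cost the prefix, which is the error case the post asks the UTM to distinguish from a temporarily silent ISP router.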