IPv6 - PPPoE (vDSL Telekom Germany)


I have just installed Sophos XG using the home license. And I have problems using IPv6 with it.

Why? Because my UTM installation was hanging up from time to time.

I have used Sophos UTM when it was still Astaro, and have been using UTM with a home license for years now. My ISP provides Dual Stack IPv4 and IPv6, and this was no problem at all with the UTM. However, I can't even get an IP address on my WAN interface with the XG.

What is going wrong? UTM -> PPPoE, DHCP, and finished. It just worked.

I read somewhere that XG is not "ready" yet for IPv6, but I still remember that Sophos told everybody on the home license to use the XG and not the UTM anymore because of the 50 IP limit of the UTM in a home setup. They said the "fix" to it would be using the XG. If now the XG cannot even correctly support IPv6, then this is just bs.

IPv6 cycles through several IP addresses per machine, so the 50 IP limit is reached within minutes for 6 devices. So the answer can't be "use the XG".

If this sounds a little "raged" then that might be the case. I am annoyed, to be honest. (although I always loved Sophos UTM...)

Any idea how to get it up and running?

  • First of all, please clear your thoughts and post what the problem exactly is.

    If I understand correctly, your provider gives you IPv4 & IPv6 via PPPoE. Unfortunately, at this point PPPoE on IPv6 is not supported. Only if it gets an IP on DHCP, but it's a long shot. You could get an IPv4 without problems though.

    If you do get an IP but don't have access from any PC, remember that the XG's IPv4 and IPv6 are considered as different interfaces, so you will have to duplicate the rules for both of them.

    My opinion though, the UTM is the Hardcore motherf#@ of the series but it's way too complicated. You could do everything you want, if you can find it. On the XG everything is so extremely simplified that anyone with basic knowledge can find his way on it.

  • In reply to Panagiotis Vakerlis:


    Thanks for the response. My thoughts are clear, although I do admit, my post was not. It was written with some emotion and an only partially working firewall.

    However, to the topic. My setup:

    • PC Engines headless APU with 3 Ethernet Ports
    • Draytek Vigor 130 Modem
    • German Telekom vDSL 100MBit, dynamic IP, Dualstack IPv4 and IPv6

    Yes, Telekom gives the IPv6 address and advertises the /56 network dynamically, and sometimes they give you another network (at least after a reboot, but sometimes once a day, sometimes just every few weeks). UTM supports renumbering, so this works like a charm. However, there is this 50 IP limit in the home version.

    For now, I have ditched the XG after you said that it does not support it.

    Background for my post above:

    For 8 years or so I have been installing Astaro and then Sophos UTMs for customers and have been quite happy. 5 years ago, my ISP switched my connection to Dual Stack, and I have been using it with Sophos UTM Home for years. However, the problem was that clients tend to get several temporary IPv6 addresses and cycle through them for new connections. So, my wife and I, with just 2 smartphones, 2 computers and 2 tablets, have been using up the 50 IPs within minutes.

    There was a feature request at ideas.sophos.com to remove the 50 IP limit from the home UTM because of IPv6, and several Germans have described precisely my setup here. It is fairly standard and Telekom is the biggest ISP in Germany, so millions of homes have this setup. A Sophos engineer closed the request as fixed, answering that it will never be removed from UTM, but that anybody who uses IPv6 should instead go and use the XG firewall.

    I never got around to doing that, as I work 100% and then started a master's degree on the side. So, my setup stayed the way it was for all these years.

    Now, since the last updates, my UTM became quite unstable, so I decided to go for the XG. We have been test-driving UTM and XG at work for quite some time.

    If what you say is true and the XG does not support the setup we in Germany have in millions of homes, the Sophos engineer should not have closed the feature request and written something that can't work with the XG. So this feels a little bit like a slap in the face. Working with Sophos, getting to know the engineers personally on some roadshows, installing UTMs at so many customers and selling a load of Sophos stuff for years. And then they just dismiss a feature request saying we should use something that does not support the setup. Have they even read the request?

  • In reply to Thomas Zimmermann:

    So if you have a proper modem before the SFOS, why don't you put it in DHCP and DMZ the SFOS? It's not a by-the-book solution, but for me at several companies I've done, it works normally. Of course I did that because I didn't have any other solution (the modem also has VoIP and if I bridge it, the company loses telephony) but you get the point. The only problem I had was with a particular provider who couldn't bridge it and the company had an internal Asterisk server which couldn't register with its provider (caused by the dual-NAT). Changed VoIP provider with different authentication, problem solved.

    Edit: If your provider has PPPoE for IPv6, the XG does not support it. If it just leases addresses (like a DHCP), then it should work.

  • In reply to Panagiotis Vakerlis:


    You will need to have IPv4 working and then enable IPv6 on the external interface. Your external interface will be assigned an IPv6 address. I suggest you do a search of the forums, because there is a thread that covers this in quite some detail.

    IPv6 on the XG is very limited and is treated as a second firewall, e.g. you have to duplicate your IPv4 rules and not all features work.

    My recommendation for home users is to stick with the UTM unless you have run out of address space.


  • IPv6 over PPPoE has limited functionality because SFOS still doesn't support DHCPv6-PD.

    Upvote the feature request here - https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/11546439-add-options-for-ipv6-dhcpv6-pd

    In the meantime, if you want a reasonable level of protection beyond just changing your xDSL modem from bridge to routed mode, try pfSense.