Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 38 subscribers
  • Views 17957 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPv6 configuration

DavidRa

I've been trying to get this sorted out in my head, and it's not working (OK not working well, at least).

I've configured my he.net tunnel on the router and it's routing traffic fine. I've configured various /64's from the /48 allocation on XG interfaces, like so (slightly sanitised):

Interface (Purpose) Interface IP Addresses
PortA (LAN)

10.14.6.130/24
2001:----:f51e:ae60::a0e:601/64
PortB (Internet)

203.---.19.178/28
2001:----:f51e:1::2/64
PortC (DMZ 1)

192.168.0.1/24
2001:----:f51e:64::c0a8:1/64
PortD (DMZ 2)

10.8.5.1/24
2001:----:f51e:c8::a08:501/64

There are no static routes defined for IPv6, and PortB has a default gateway defined (2001:----:f51e:1::1).

I've configured a simple IPv6 firewall rule - LAN to Internet, Any source, Any destination, Any service, Accept, with a content policy of No Ads (of my own creation obviously)

I've also configured router advertisements (though I'm not sure from the documentation whether it's required that the advertisements contain any prefixes; I think it's relevant that I'm using DHCPv6 from a Windows 2012 R2 host in order to hand out DNS configuration rather than trying to work out SLAAC).

Interface Advertisement Time Managed Flag Gateway Flag Gateway Lifetime Prefix
PortA 198 - 600 On On 1800 2001:470:f51e:ae60::/64
PortB 198 - 600 Off Off --
PortC 198 - 600 On On 1800
PortD 198 - 600 On On 1800

I can ping PortA's IPv6 address, and PortB's gateway IPv6 address. I can't ping PortB's address, but I'm not too fussed about that. The router can ping ipv6.google.com, and so can XG, but I cannot do so from a workstation. My reading of the documentation and the legacy beta forum has been .... unhelpful in troubleshooting.

So can anyone poke some holes in this configuration so I can get it working?



This thread was automatically locked due to age.
  • 0
    I think you have a problem with your subnetting. Have a look at your 4th and 5th groups, they don't align with the advertisment.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Yeah this is where I find the XG doco unclear. I don't know if I need to be specifying any prefix given it's DHCPv6, and I have already seen that you can't advertise the default route (::/0) at all.

    All the subnets appear to be from the same /48 though - the tunnel config is shown, as you can see all the interfaces are /64's within the assigned /48:

  • 0 in reply to DavidRa
    So I don't setup a prefix on mine, or set the "managed" flag.

    Just keep in mind as you change these options, you will have to release/renew your adapter on the machines. (or disable/enable, burn, extinguish. your choice.)

    I do however keep the static route in the XG of ::/0 to the ip tunnel interface. That isn't what the clients see though, that is just for the XG. (just in response to you saying you have no static routes.)

    Good luck!
Unfiltered HTML