Question about IPv6 and DUID creation

Hi,

I have a new IoT device that works with IPv6. It is assigned an FE address if I don't use RA; if I enable RA, it is assigned an IPv6 address within the RA range but does not appear in the DHCP server listing. None of these addresses appear in the XG DHCP server list. The device is talking to the internet with the IPv4 and the IPv6 FE address. I would like to get some visibility of what it is actually doing so I can work out why websites are being blocked when they are in the allowed list.

Now the question is how to create a DUID for it so I can add a static IPv6.

Ian



  • Hi  

    I am not able to follow you on this; could you please share more details on your requirement?

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Hi  

    Sophos XG Firewall supports configuration of DHCPv6 options, as defined in RFC 3315.

    So any DUID would be fine, but in general, if a long-term stable hardware identifier is required, then DUID-UUID or DUID Vendor Assigned would be a good choice.

    A few commands which may be helpful to get the UUID:

    Linux: dmidecode | grep UUID
    RHEL6, Fedora: cat /sys/devices/virtual/dmi/id/product_uuid
    Windows: WMIC CSPRODUCT
    ESXi: vsish -e get /hardware/machineUUID

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • I understand that the DUID is created by the node/computer/IoT device itself.  I believe that there are 3 types of DUID:

    1. DUID-LLT = link layer address plus timestamp
    2. Vendor-assigned unique ID based on manufacturer
    3. Link layer address

    I know that the XG does not fully support all IPv6 features.  But the same is true for Android.  Android only supports stateless.  As a result, Android devices on my network cannot connect via IPv6.  It would be great if Android would support stateful, but for some reason people seem to like stateless.
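As an added example (not code from any poster or from Sophos), the sketch below decodes the RFC 3315 DUID layouts listed above plus DUID-UUID (RFC 6355), and builds a DUID-LL from a MAC address. The function names are hypothetical and all sample values are constructed.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Added example; function names are hypothetical, sample values are constructed.
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time base

def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def duid_ll_from_mac(mac, hw_type=1):
    """Build a DUID-LL (type 3); hw_type 1 is Ethernet."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 6-byte MAC address")
    return struct.pack("!HH", 3, hw_type) + raw

def parse_duid(text):
    """Decode a DUID written as hex, with or without ':' separators."""
    data = bytes.fromhex(text.replace(":", ""))
    if not 3 <= len(data) <= 130:  # 2-byte type + 1..128 bytes of content
        raise ValueError("DUID length out of range")
    dtype, body = struct.unpack("!H", data[:2])[0], data[2:]
    if dtype == 1 and len(body) > 6:      # DUID-LLT: hw type, time, address
        hw, secs = struct.unpack("!HI", body[:6])
        return {"type": "DUID-LLT", "hw_type": hw,
                "time": DUID_EPOCH + timedelta(seconds=secs),
                "link_layer": _mac(body[6:])}
    if dtype == 2 and len(body) > 4:      # DUID-EN: enterprise number, id
        return {"type": "DUID-EN",
                "enterprise": struct.unpack("!I", body[:4])[0],
                "identifier": body[4:].hex()}
    if dtype == 3 and len(body) > 2:      # DUID-LL: hw type, address
        return {"type": "DUID-LL",
                "hw_type": struct.unpack("!H", body[:2])[0],
                "link_layer": _mac(body[2:])}
    if dtype == 4 and len(body) == 16:    # DUID-UUID (RFC 6355)
        return {"type": "DUID-UUID", "uuid": str(uuid.UUID(bytes=body))}
    return {"type": f"unknown or malformed (type {dtype})", "raw": body.hex()}

if __name__ == "__main__":
    candidate = duid_ll_from_mac("00:11:22:33:44:55")  # constructed MAC
    print(candidate.hex(":"))
    print(parse_duid(candidate.hex()))
```

Because the client chooses its own DUID, the output of `duid_ll_from_mac` is only a candidate; a DUID observed in a DHCPv6 capture and decoded with `parse_duid` shows which type the device really sends.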

     

  • Hi Vishal_R,

    it is a TV, you do not get access to the OS to run commands.

    The issue is that the TV probably self-generates a link-local address, which is stored somewhere on the XG and does appear in reports, so the DUID is stored somewhere on the XG. Where?

    If I enable the two options in the IPv6 RA for the specific IPv6 address range, the device is assigned two IPv6 addresses that do not appear in any logs, let alone in the DHCP assigned address list. So the next question is: how do you manage internet access and security for RA-assigned IPv6 addresses when they are not displayed in any of the usual management functions on the XG?

    This is far from "security made simple".

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA
