
How to implement IPv6 from my ISP

Hi community,

I would like to configure my Sophos firewall with IPv6 WAN and LAN.
My ISP has provided me with the addresses for this, and I have had a go at getting this to work but with no luck so wondering if someone can help me please.

I am using SFOS 20.0.0 GA-Build222.

Here is the message from my ISP on what they have provided...

For IPv6 for Broadband we will supply a single /56 prefix. We support two assignment methods for this.
  1. DHCPv6 Prefix Delegation - This is our preferred method that customers use to get their prefix. Your router will need to request the delegated prefix and then assign it to your LAN interface(s). DNS is provided through this method.

  2. Static configuration - If a customer’s router does not request a DHCPv6-PD assignment a static route for the /56 assignment will be installed on the connected Broadband Gateway. This enables customers to statically configure the assigned prefix in whatever manner they want.

We also assign a /64 address that if chosen to be used will be assigned to the router’s "WAN" interface. This /64 assignment is handed out through SLAAC from the connected Broadband Gateway. IPv6 doesn't require intermediate hops to have a global address as routing can occur on only a link-local address but for things like traceroute this can sometimes not be ideal. This assignment is handed out purely so that if used the customer will have end to end GUA addresses.

They have then listed a /56 and /64 subnets that are assigned to me.



  • Hi,

    What have you tried to enable IPv6 on your XG? A word of warning, the current version of XG (v20 GA) requires a NAT for IPv6, no NAT no IPv6 external access.

    1/. Enable IPv6 on your WAN link using DHCP and enable Prefix delegation. You will be assigned your IPv6 /64 and link local address. The link local address is between your XG and the ISP's first point, usually a router.

    2/. On the LAN you want to assign IPv6 addresses to, enable IPv6 and tick the PD box, the router advertisement and the DHCP IPv6 server boxes.

    3/. In the RA tab, you will see an automatically generated entry, tick the three boxes, even for v20 GA the first two functions are there but not enabled fully, hopefully v20.0.1 MR-1 or MR-2 will add the features.

    4/. Once you have enabled the above you will need to create firewall rules and a NAT. Warning: current version of XG V20 GA does not support FQDNs in destinations.

    5/. You can add items to the IPv6 automatically created DHCP server, e.g. DHCP option, default DNS.

    6/. You can enable IPv6 on your network devices.

    I have been assigned a /48; your /56 will have an additional value before the :: and you will only need two 0s. There is a little trap when filling out the interface ID, it needs the format as shown.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.
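The subnet ID arithmetic behind the "/48 versus /56" remark above, as an added example that is not part of the original posts: it computes how many hex digits the subnet ID takes for a given delegation and which /64 a LAN ends up with. The prefixes are constructed values from the 2001:db8::/32 documentation range, and the function names are hypothetical.

```python
import ipaddress

def subnet_id_bits(delegated: str) -> int:
    """Bits available for the subnet ID between the delegation and a /64."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64; no room for a /64 LAN")
    return 64 - net.prefixlen

def subnet_id_field(delegated: str, subnet_id: int) -> str:
    """Subnet ID as zero-padded hex, as wide as the delegation allows."""
    bits = subnet_id_bits(delegated)
    if not 0 <= subnet_id < (1 << bits):
        raise ValueError(f"subnet ID {subnet_id:#x} does not fit in {bits} bits")
    width = max(1, (bits + 3) // 4)
    return format(subnet_id, f"0{width}x")

def lan_prefix(delegated: str, subnet_id: int) -> ipaddress.IPv6Network:
    """The /64 a LAN interface gets for this subnet ID."""
    subnet_id_field(delegated, subnet_id)  # range check only
    net = ipaddress.IPv6Network(delegated, strict=True)
    # The subnet ID sits directly above the 64-bit interface ID.
    base = int(net.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))

if __name__ == "__main__":
    # Constructed sample delegations (documentation range, not real ISP data).
    for delegated in ("2001:db8:1234:ab00::/56", "2001:db8:1234::/48"):
        bits = subnet_id_bits(delegated)
        print(f"{delegated}: {bits} subnet bits, {1 << bits} possible /64 LANs")
        for sid in (0x0, 0x10):
            print(f"  subnet ID {subnet_id_field(delegated, sid)} -> "
                  f"{lan_prefix(delegated, sid)}")
    try:
        lan_prefix("2001:db8:1234:ab00::/56", 0x100)  # needs 9 bits, /56 has 8
    except ValueError as exc:
        print("rejected:", exc)
```

Each LAN /64 derived this way is a separate network that needs its own IPv6 firewall rules on the firewall.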

  • Sorry I believe that in this case, me trying to remember what I have tried and then repeating it here will make solving this harder for you or anyone else trying to help. I tried many things previously.

    Just some extra background for this, in case it matters to this issue.
    I have a fibre internet connection which to get working properly with IPv4 with my ISP I had to use the PPPoE(DSL) option and set VLAN tag in DSL settings as this method will correctly set the ISPs required MTU and MSS on the interface. Sophos would not let me set the correct MTU or MSS when using a sub VLAN interface method.

    I have followed those instructions as best as I can and not seeing the IPv6 address come from the ISP to the WAN.

    1. I have ticked IPv6 on my WAN and set IP assignment to DHCP option. Mode is left as Auto. DHCP prefix delegation is ON. I also had to give the Gateway a name.

    2. I have ticked IPv6 on my LAN bridge interface that I want this for.
      I have set Delegated option for IP assignment, and set the Upstream interface as my WAN that we are trying to configure IPv6 on, which is Port4. I have left IPv6 address fields as default (Subnet ID and Interface ID) and beside this there is an orange warning symbol that also says "ISP hasn't delegated the IPv6 prefix".
      I have turned on Router advertisement and DHCPv6 server.

    3. Set the RA as follows...


    4. I also created the IPv6 firewall rule and NAT but IPv6 is not working. Would the rules not being configured properly cause an issue with not getting the DHCPv6 PD from the ISP?
  • Hi,

    no, the answer is very simple, XG does. Or support IPv6 with pppoe.

    ian


  • I'm not quite sure I understand your reply.
    Do you have any suggestions from here?

  • Very simple it does not work with your connection mode. 

    ian


  • Are you saying this does not work with PPPoE?

    Is this just a Sophos limitation?

  • Just sophos XG v20 IPv6 does not work with pppoe. It used to work with the utm, which is now eol.

    ian

    Add missing IPv6 .


  • Your responses seem to be missing words.

    Sophos does work with pppoe, I would know I'm using it

  • XG v20 does not work with PPPOE and IPv6. The IP4 functions correctly.

    Ian


  • Same here, my ISP also provides me a /48 via prefix delegation, but with my PPPoE connection I cannot get any IPv6 address no matter what setting I use on the WAN interface. Other customers of same ISP have had success using opnsense and pfsense.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.