
IPv6 Configuration and to NAT or not

We have been allocated an IPv6 /48 from our ISP. I plan on using Global/Public IPv6 addresses for my clients, utilizing /64 networks from that /48. Kinda one of the main goals for IPv6: not having to NAT behind a public address. I am able to successfully get web traffic to flow when I create a NAT with a MASQ, however I can't get it to flow from its original IPv6 address. I was informed by my ISP that my /64 networks have been added to the routing tables, but it seems like my traffic stops at the interface on the ISP's equipment. From the XGS, I can ping both the internal and external address, both in the same network, but cannot ping out to ipv6.google.com. As a test I have configured a NAT rule for 1 Windows client with a Global configured address and it can ping all the way up to my inside WAN interface. Not sure why it works with a MASQ and not with its original IP. This is what has me thinking maybe the ISP routing is not properly set up. I know those /64 networks are within the allocated /48 and I expect they are not routing the whole address space.

I guess my question here is: are there any specific things I need to do to allow a device within my network to access the Internet via IPv6 with its originating Global IPv6 address?

My IPv6 Rule is
Source = My Client
Destination = WAN
What = HTTP, HTTPS, UDP, PING6, ICMPv6
Action = Accept

My only IPv6 NAT rule currently is
Original Source = My Client - Translated Source SNAT (Original)
Original Destination = ANY - Translated Destination DNAT (Original)
Original Service = ANY - Translated Service PAT (Original)
Inbound Interface = Internal Interface
Outbound Interface = Outside WAN interface

Any Help is Appreciated
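As an added illustration (not from the thread and not Sophos code), a quick sanity check of the kind of address plan described above: whether the WAN link address sits outside the delegated /48, whether each client /64 is inside it and the /64s don't overlap, and whether source NAT is actually needed for a client with a global address. Every prefix and address below is a constructed placeholder from the RFC 3849 documentation range; the real ISP allocation is not shown in the thread.

```python
import ipaddress

# Constructed placeholder values; substitute the real ISP allocation,
# WAN link address and client subnets when running this for a live plan.
DELEGATED_PREFIX = "2001:db8:1234::/48"           # the ISP-routed /48 (assumed)
WAN_INTERFACE = "2001:db8:ffff:1::2/64"            # WAN link address, outside the /48 (assumed)
LAN_SUBNETS = {"LAN": "2001:db8:1234:10::/64", "GUEST": "2001:db8:1234:20::/64"}
CLIENT = "2001:db8:1234:10::50"                    # a client with a global address (assumed)

ULA = ipaddress.ip_network("fc00::/7")             # unique local addresses are not routable on the Internet


def is_routable_global(addr):
    """Global unicast for our purpose: IPv6, not link-local, ULA, loopback or unspecified."""
    a = ipaddress.ip_address(addr)
    return a.version == 6 and not (a.is_link_local or a in ULA or a.is_loopback or a.is_unspecified)


def check_plan(delegated, wan_iface, subnets, client):
    """Return findings for an IPv6 plan that uses global addresses end to end (no NAT)."""
    alloc = ipaddress.ip_network(delegated, strict=True)
    wan = ipaddress.ip_interface(wan_iface)
    nets = {name: ipaddress.ip_network(s, strict=True) for name, s in subnets.items()}
    client_ip = ipaddress.ip_address(client)
    names = list(nets)
    # Every client /64 must be carved from the routed /48, and no two may overlap.
    inside = {name: net.subnet_of(alloc) for name, net in nets.items()}
    overlaps = [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if nets[a].overlaps(nets[b])]
    client_net = next((name for name, net in nets.items() if client_ip in net), None)
    return {
        # The ISP routes the /48 towards the WAN link address, so that address
        # normally lives on the ISP's link /64, not inside the delegated /48.
        "wan_outside_allocation": wan.ip not in alloc,
        "subnets_inside_allocation": inside,
        "overlapping_subnets": overlaps,
        "client_subnet": client_net,
        "client_is_global": is_routable_global(client),
        # A routable address from the routed /48 needs no source NAT; a MASQ rule
        # that makes things "work" only masks a missing or wrong route.
        "snat_needed": not (client_ip in alloc and is_routable_global(client)),
    }


if __name__ == "__main__":
    for key, value in check_plan(DELEGATED_PREFIX, WAN_INTERFACE, LAN_SUBNETS, CLIENT).items():
        print(f"{key}: {value}")
```

If `snat_needed` is False but traffic still only flows with a MASQ rule, the problem is upstream routing of the /48 rather than the firewall's NAT configuration, which is what the traceroute suggestion below is meant to confirm.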



  • Hi,

    Please post a copy of your firewall rule. Also, does your WAN interface have an address assigned outside of your /48 range?

    When set up with your ISP WAN /64 and your internal using addresses from the /48 range you will not need a NAT; it works well. If you are using the SSL/TLS (DPI) the UDP traffic will not be processed.

    Finally, please try a tracert without the NAT from your PC to see where it fails.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thank you for the information. How did you go with the tracert from your PC?

    The rule looks okay, though the UDP will not be processed by DPI, I would suggest the web proxy for your testing or not even use the web policy until you resolve your routing issue.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • A tracert from my PC goes all the way to the inside (LAN) interface of my firewall and then stops. I can however ping the Inside WAN Interface IP address which is why it seems like maybe it is not traversing the LAN to WAN for Internet.

  • Hi Tom,

    Which version of XG firmware are you running? V20 GA does not require an IPv6 NAT; v19.5.3 does require an IPv6 NAT.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.
