
Sophos XG 136 Firewall SFOS 20.0.0 GA-Build222 IPv6 No Internet

Need some help getting our Sophos XG 136 (LAB) Firewall working with IPv6.

ABCDC01: Role = Windows Server 2019 Domain Controller
IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:10/64
IPv4 = Not Enabled
Gateway = fc00:2222:3333:4444:cccc:dddd:eeee:ffff/64

ABCSVR01: Role = Windows Server 2019 member server
IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:20/64
IPv4 = Not Enabled
Gateway = fc00:2222:3333:4444:cccc:dddd:eeee:ffff/64

Sophos Firewall 01: Local (Home)
Port #1: Role = LAN IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:ffff IPv4 =
Port #2: Role = WAN IPv6 = 2600:6c4e:7007:600:2919:f1db:ea13:990f/64 DHCP from Spectrum

Sophos Firewall 02: Remote (Remote)
Port #1: Role = LAN IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:ffff IPv4 =
Port #2: Role = WAN IPv6 = 2600:6c4e:7000:101:6d68:f6ae:db55:9984/64 DHCP from Spectrum

1.  Good - ABCDC01 can ping ABCSVR01 and vice versa
2.  Good - MacBook (IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:30/64) can ping6 from terminal to both ABCDC01 and ABCSVR01
3.  Good - ABCDC01 and ABCSVR01 can both ping gateway fc00:2222:3333:4444:cccc:dddd:eeee:ffff
4.  Good - ABCDC01 and ABCSVR01 can both ping internal WAN interface 2600:6c4e:7007:600:2919:f1db:ea13:990f
5.  Good - Sophos is able to ping ABCDC01 and ABCSVR01
6.  Good - Sophos is able to ping using Sophos Diagnostics
7.  Good - Sophos is able to complete traceroute to using Sophos Diagnostics
8.  Fail - ABCDC01 and ABCSVR01 cannot ping

Not sure if configuration is correct as we needed to manually assign IPv6 IPs to our Windows Server devices as Link-Local IP can’t ping Gateway or WAN IPs. Not sure if we read this properly, but it seems there’s no IPv6 DHCP server and that they’re stateless.

On another note, we tried getting a preferred delegated prefix from our ISP and it wouldn't do it following the following Sophos video:

Some IPs have been deliberately modified and we know that there's no such thing as an IPv4 with a .999

Added v20 TAG
[edited by: Erick Jan at 4:55 AM (GMT -7) on 12 Apr 2024]