
Sophos XG 136 Firewall SFOS 20.0.0 GA-Build222 IPv6 No Internet

Need some help getting our Sophos XG 136 (LAB) Firewall working with IPv6.

ABCDC01:  Role = Windows Server 2019 Domain Controller
IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:10/64
IPv4 = Not Enabled
Gateway = fc00:2222:3333:4444:cccc:dddd:eeee:ffff/64
 
ABCSVR01:  Role = Windows Server 2019 member server
IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:20/64
IPv4 = Not Enabled
Gateway = fc00:2222:3333:4444:cccc:dddd:eeee:ffff/64
 
Sophos Firewall 01: Local (Home)
Port #1:  Role = LAN
IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:ffff
IPv4 = 24.205.107.999
Port #2:  Role = WAN
IPv6 = 2600:6c4e:7007:600:2919:f1db:ea13:990f/64 (DHCP from Spectrum)
 
Sophos Firewall 02: Remote (Remote)
Port #1:  Role = LAN
IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:ffff
IPv4 = 174.83.134.999
Port #2:  Role = WAN
IPv6 = 2600:6c4e:7000:101:6d68:f6ae:db55:9984/64 (DHCP from Spectrum)
 
Tests:
1. Good - ABCDC01 can ping ABCSVR01 and vice versa
2. Good - MacBook (IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:30/64) can ping6 from terminal to both ABCDC01 and ABCSVR01
3. Good - ABCDC01 and ABCSVR01 can both ping gateway fc00:2222:3333:4444:cccc:dddd:eeee:ffff
4. Good - ABCDC01 and ABCSVR01 can both ping internal WAN interface 2600:6c4e:7007:600:2919:f1db:ea13:990f
5. Good - Sophos is able to ping ABCDC01 and ABCSVR01
6. Good - Sophos is able to ping ipv6.google.com using Sophos Diagnostics
7. Good - Sophos is able to complete traceroute to ipv6.google.com using Sophos Diagnostics
8. Fail - ABCDC01 and ABCSVR01 cannot ping ipv6.google.com
 
Not sure if the configuration is correct, as we needed to manually assign IPv6 IPs to our Windows Server devices because the link-local IP can't ping the gateway or WAN IPs. Not sure if we read this properly, but it seems there's no IPv6 DHCP server and that they're stateless.
On another note, we tried getting a preferred delegated prefix from our ISP and it wouldn't do it, following this Sophos video:
Some IPs have been deliberately modified, and we know that there's no such thing as an IPv4 address ending in .999.

  • Hi,

    please post your WAN configuration in expanded mode. Also please post your IPv6 firewall rule and your IPv6 delegation setting for your internal network.

    The IPv6 DHCP server will be added to the v20.0.1 MR-1.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Haven't made any IPv6 rules yet.  Figured the ANY ANY Default Network Policy would cover it.

  • Are you using delegate for internal addressing? If so, until v20.0.1 is released you will need to enable RA to get addresses assigned. If you disable PD you will be able to use DHCP addressing.

    The default any any rule should work and you don't need a NAT rule for IPv6 networks. Does logviewer show any traffic on the any any rule?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • ABCDC01:  Role = Windows Server 2019 Domain Controller
    IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:10/64 (Static assignment)
    Gateway on Port 1 = fc00:2222:3333:4444:cccc:dddd:eeee:ffff/64
    This machine is able to ping Port 1 on our Sophos Firewall.  It's also able to ping the internal IP of the WAN interface on Port 2: 2600:6c4e:7007:600:2919:f1db:ea13:990f
    We tried getting a preferred delegated prefix from our ISP and it wouldn't do it. Seems like Spectrum in our area doesn't do it.
    No IPv6 traffic in logviewer.
    Seems like the only way is to enable RA, but my team isn't exactly sure how to go about that.
  • Hi,

    I think I see the issue: you are trying to use a bridge mode? Has your ISP assigned you an address range for your internal network, e.g. /56 or /48?

    If not a bridge, you need a different IPv6 /64 address range for your interfaces.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Turned on RA and deleted static IPv6 from ABCDC01.  Based on that:

  • Both addresses are in the same /64. Are you using a bridge between the WAN and the LAN?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Port 1 & Port 4 are in a bridge mode with an IPv6 of fc00:2222:3333:4444:cccc:dddd:eeee:ffff/64

    This is where the server we are trying to get to connect to the Internet via IPv6 is. What IPv6 should I use for the Port 1 & Port 4 bridge? We don't think our ISP isn't giving out IPs, but then we're not sure how the IPv6 on ABCDOM01 was obtained automatically, and since it starts with 2600: it would appear to be from our ISP Spectrum. By the way, now with the new automatically obtained IPv6 we are no longer able to get a reply from the internal WAN interface.

    If we enter fe80::7e5a:1cff:fe82:7215%3 on Port 1 for the IPv6 it says invalid. Sorry, we just aren't well versed in IPv6 yet and don't know how to translate the %3.
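An added check (not from the thread or from Sophos) that runs over the addresses posted above and answers the three questions raised in it: what scope each address has, whether two interfaces share a /64 (Ian's check), and why a host with an fc00:: source can reach the firewall but not ipv6.google.com while the firewall itself can. It also strips the %3 zone index, which is the local interface number and not part of the address. The address table is copied from the posts; the .999 IPv4 placeholders are the poster's own.

```python
import ipaddress

# Addresses as posted in the thread (some values were altered by the poster on purpose).
THREAD_ADDRS = {
    "ABCDC01": "fc00:2222:3333:4444:cccc:dddd:eeee:10/64",
    "ABCSVR01": "fc00:2222:3333:4444:cccc:dddd:eeee:20/64",
    "FW01 Port1 (LAN bridge)": "fc00:2222:3333:4444:cccc:dddd:eeee:ffff/64",
    "FW01 Port2 (WAN)": "2600:6c4e:7007:600:2919:f1db:ea13:990f/64",
}


def strip_zone(addr):
    """Drop a '%zone' suffix: '%3' is the host's interface index, not part of the address."""
    return addr.split("%", 1)[0]


def classify(addr):
    """Return the scope of an IPv6 address: link-local, ula (fc00::/7), gua (2000::/3) or other."""
    ip = ipaddress.IPv6Interface(strip_zone(addr)).ip
    if ip.is_link_local:
        return "link-local"
    if ip in ipaddress.IPv6Network("fc00::/7"):
        return "ula"
    if ip in ipaddress.IPv6Network("2000::/3"):
        return "gua"
    return "other"


def same_prefix(a, b, plen=64):
    """True when both addresses fall inside the same /plen (two interfaces in one /64 is a misconfiguration)."""
    na = ipaddress.IPv6Network(f"{ipaddress.IPv6Interface(a).ip}/{plen}", strict=False)
    nb = ipaddress.IPv6Network(f"{ipaddress.IPv6Interface(b).ip}/{plen}", strict=False)
    return na == nb


def internet_reachable(src_addr):
    """(reachable, reason) for a packet sourced from src_addr with no NAT66 in the path."""
    scope = classify(src_addr)
    if scope == "gua":
        return True, "global unicast source: routable if the prefix was delegated by the ISP"
    if scope == "ula":
        return False, ("ULA source is not routed on the internet; the firewall's own pings succeed "
                       "because they are sourced from its GUA WAN address")
    if scope == "link-local":
        return False, "link-local source is never forwarded off-link"
    return False, "unknown scope"


def report():
    """Scope and internet reachability for every address in the thread, keyed by host name."""
    return {name: (classify(a), internet_reachable(a)[0]) for name, a in THREAD_ADDRS.items()}
```

Running `report()` shows every LAN host as ULA and unreachable, which matches test 8, while `same_prefix` on the two servers is true and on a server versus the WAN port is false.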

  • Negative.  WAN and LAN are not bridged.  

    What IPv6 do you suggest is used on Port 1? Previously fc00:2222:3333:4444:cccc:dddd:eeee:ffff/64 had been used when we statically assigned IPs on the Windows 2019 server.