Need some help getting our Sophos XG 136 (LAB) Firewall working with IPv6.
Added v20 TAG
[edited by: Erick Jan at 4:55 AM (GMT -7) on 12 Apr 2024]
Turned on RA and deleted static IPv6 from ABCDC01. Based on that:
Both addresses are in the same /64. Are you using a bridge between the WAN and the LAN?
Ian
XG115W - v20.0.1 MR-1 - Home
XG on VM 8 - v20 GA
If a post solves your question please use the 'Verify Answer' button.
Negative. WAN and LAN are not bridged.
What IPv6 do you suggest is used on Port 1? Previously fc00:2222:3333:4444:cccc:dddd:eeee:ffff/64 had been used when we statically assigned IPs on the Windows 2019 server.
If you use a NAT you can use whatever address you like. You can also use the DHCP server and enable the boxes in the RA settings. The following are my IPv6 settings using delegated addressing.
(The forum is playing havoc with my inserts and adding multiple copies, which I have deleted.)
The first screenshot is one of my IPv6 DHCP in normal mode, the second screenshot is DHCP IPv6 when using PD. I will post another thread with my RA settings if you are interested.
The last one is a standard DHCP setting using IPv6.
Ian
Sorry...feeling like we're running around in circles and still not getting it to work. Going to take a break and maybe tackle this again early next week. Thanks.
The any any rule was an IPv6 rule?
ian
Started making a new rule for any any and there were no options to select anything related to IPv4 or IPv6.
Here's the rule we have in place:
At the top of the firewall page there are tabs.
ian
OK. Found the super obvious IPv6 tab and created a Default IPv6 rule for ANY ANY. It didn't really seem necessary, but we did it so we could log traffic. A PING to Google's IPv6 DNS (2001:4860:4860::8888) was listed in Logviewer as Accept. However, on the Windows Server side the PING didn't respond. Using Sophos Diagnostics the PING to Google's DNS server does respond with zero packet loss if we let it auto select the interface. If we manually tell it to use Port 1 or Port 4 or the Bridge then it can't ping Google's DNS.
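The thread raises two addressing conditions: WAN and LAN addresses falling in the same /64 on non-bridged ports, and an fc00:: address on Port 1 used with or without NAT. As an added example (not from any poster and not Sophos code), this Python check audits an interface plan for both. The `audit_interfaces` name, the `WAN` label and the 2001:db8:: addresses are constructed for illustration; only the Port 1 address comes from the thread.

```python
import ipaddress
from itertools import combinations

# Unique local addresses (RFC 4193); not routed on the public internet.
ULA = ipaddress.ip_network("fc00::/7")


def audit_interfaces(interfaces, nat_enabled=False):
    """Return findings for a {name: "address/prefixlen"} IPv6 interface plan.

    interfaces  -- routed (non-bridged) firewall ports and their addresses
    nat_enabled -- True if outbound IPv6 traffic is translated at the WAN
    """
    parsed = {name: ipaddress.IPv6Interface(cidr)
              for name, cidr in interfaces.items()}
    findings = []

    # Two routed ports in the same or an overlapping prefix leave the
    # firewall with no way to decide which port a neighbour sits behind.
    for (a, ia), (b, ib) in combinations(parsed.items(), 2):
        if ia.network.overlaps(ib.network):
            findings.append(
                f"overlap: {a} ({ia.network}) and {b} ({ib.network})")

    # A ULA source address can leave the firewall, but replies from the
    # internet cannot be routed back to it unless the source is translated.
    for name, iface in parsed.items():
        if iface.ip in ULA and not nat_enabled:
            findings.append(
                f"ula-no-nat: {name} uses {iface.ip}; hosts behind it need "
                "NAT or a global prefix to reach internet destinations")
    return findings


if __name__ == "__main__":
    plan = {
        # Address quoted in the thread for Port 1.
        "Port1": "fc00:2222:3333:4444:cccc:dddd:eeee:ffff/64",
        # Constructed WAN address from the documentation prefix.
        "WAN": "2001:db8:0:1::2/64",
    }
    for finding in audit_interfaces(plan, nat_enabled=False):
        print(finding)
```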