Sophos XG 136 Firewall SFOS 20.0.0 GA-Build222 IPv6 No Internet

Need some help getting our Sophos XG 136 (LAB) Firewall working with IPv6.

ABCDC01:  Role = Windows Server 2019 Domain Controller
IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:10/64
IPv4 = Not Enabled
Gateway = fc00:2222:3333:4444:cccc:dddd:eeee:ffff/64
 
ABCSVR01:  Role = Windows Server 2019 member server
IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:20/64
IPv4 = Not Enabled
Gateway = fc00:2222:3333:4444:cccc:dddd:eeee:ffff/64
 
Sophos Firewall 01: Local (Home)
Port #1:  Role = LAN, IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:ffff, IPv4 = 24.205.107.999
Port #2:  Role = WAN, IPv6 = 2600:6c4e:7007:600:2919:f1db:ea13:990f/64 (DHCP from Spectrum)
 
Sophos Firewall 02: Remote (Remote)
Port #1:  Role = LAN, IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:ffff, IPv4 = 174.83.134.999
Port #2:  Role = WAN, IPv6 = 2600:6c4e:7000:101:6d68:f6ae:db55:9984/64 (DHCP from Spectrum)
 
Tests:
1.  Good - ABCDC01 can ping ABCSVR01 and vice versa
2.  Good - MacBook (IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:30/64) can ping6 from terminal to both ABCDC01 and ABCSVR01
3.  Good - ABCDC01 and ABCSVR01 can both ping gateway fc00:2222:3333:4444:cccc:dddd:eeee:ffff
4.  Good - ABCDC01 and ABCSVR01 can both ping internal WAN interface 2600:6c4e:7007:600:2919:f1db:ea13:990f
5.  Good - Sophos is able to ping ABCDC01 and ABCSVR01
6.  Good - Sophos is able to ping ipv6.google.com using Sophos Diagnostics
7.  Good - Sophos is able to complete traceroute to ipv6.google.com using Sophos Diagnostics
8.  Fail - ABCDC01 and ABCSVR01 cannot ping ipv6.google.com
 
Not sure if the configuration is correct, as we needed to manually assign IPv6 IPs to our Windows Server devices because a Link-Local IP can't ping the Gateway or WAN IPs. Not sure if we read this properly, but it seems there's no IPv6 DHCP server and that they're stateless.
On another note, we tried to get a preferred delegated prefix from our ISP and it wouldn't do it, following this Sophos video:
Some IPs have been deliberately modified, and we know that there's no such thing as an IPv4 address ending in .999.


Added v20 TAG
[edited by: Erick Jan at 4:55 AM (GMT -7) on 12 Apr 2024]
  • My team worked with Sophos technical support today and we got it working. The trick was to add an IPv6 NAT rule with SNAT = MASQ and bind it to the IPv6 ANY ANY rule. Supposedly with the 20.0.0 GA-Build222 firmware NAT is not required, but it wouldn't work without it, and SNAT had to be MASQ or it also wouldn't work.

    Steps:

    Sophos Firewall:
    Port #1:  Role = LAN, IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:ffff
    Port #2:  Role = WAN, IPv6 = 2600:6c4e:7007:600:2919:f1db:ea13:990f/64 (DHCP from Spectrum)
    IPv6 router advertisement: Not needed
    IPv6 ANY ANY rule with IPv6 NAT rule SNAT = MASQ
    Windows Server:
    IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:10/64
    DNS =  fc00:2222:3333:4444:cccc:dddd:eeee:ffff
    Gateway = fc00:2222:3333:4444:cccc:dddd:eeee:ffff/64
    PING fc00:2222:3333:4444:cccc:dddd:eeee:ffff (Default Gateway)
    PING 2600:6c4e:7007:600:2919:f1db:ea13:990f (WAN Interface)
    PING 2001:4860:4860::8888 (Google DNS)
    PING ipv6.google.com
    PING google.com
    PING yahoo.com
    PING nasa.gov
    PING amazon.com (Name resolution fails for IPv6)
    PING msn.com (Name resolution fails for IPv6)
    PING aws.amazon.com
    PING windows.com
    Windows updates downloaded purely via IPv6
    Internet Explorer able to browse google.com and yahoo.com but not too much else
  • Hi,

    While that has been fixed, I feel there's something in your configuration that is wrong. I have many IPv6 rules and two linked NATs for the NTP function, but no general NAT. My IPv6 works fine.

    Where did you get your LAN IPv6 address range from? If it is as shown with an FC00 address that will require a NAT to allow traffic out.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • FC00::/7 FC00-FDFF Unique-local (LAN) /7 = 7 bits

    https://www.youtube.com/watch?v=oItwDXraK1M

    8min 40sec in to the video

    A member of my team watched the above video, and from what they learned the fc00 range was for local LAN IPs. It still doesn't really make sense to them why the NAT required SNAT with MASQ, but it was the only way it worked.
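As an added illustration (not Sophos code, and not from any of the posts above), the script below classifies the addresses posted in this thread by scope and derives why a fc00::/7 unique-local LAN range needs the SNAT = MASQ rule from the solution post, while a global source would not. The `Host` class and `egress_plan` function are my own stand-ins for the firewall's decision, not the SFOS API.

```python
import ipaddress
from dataclasses import dataclass

ULA = ipaddress.IPv6Network("fc00::/7")          # unique-local (RFC 4193): LAN-only, not routed on the Internet
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")  # link-local: valid on one link only, never forwarded

def classify(addr) -> str:
    """Return 'link-local', 'unique-local', 'global' or 'other' for an IPv6 address."""
    addr = ipaddress.IPv6Address(addr)
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in ULA:
        return "unique-local"
    return "global" if addr.is_global else "other"

@dataclass(frozen=True)
class Host:
    name: str
    iface: str     # address with prefix length, e.g. "fc00:...:10/64"
    gateway: str   # configured default gateway

def egress_plan(host: Host, fw_lan: str, fw_wan: str) -> dict:
    """Return the source scope, config problems, and the WAN address to masquerade behind (or None)."""
    iface = ipaddress.IPv6Interface(host.iface)
    gateway = ipaddress.IPv6Address(host.gateway)
    scope = classify(iface.ip)
    plan = {"host": host.name, "scope": scope, "problems": [], "snat_to": None}
    if gateway not in iface.network:
        plan["problems"].append("gateway is not on the host's own prefix")
    if gateway != ipaddress.IPv6Address(fw_lan):
        plan["problems"].append("gateway does not match the firewall LAN address")
    if scope == "link-local":
        plan["problems"].append("link-local source is never forwarded off-link")
    elif scope == "unique-local":
        # ULA sources are dropped upstream, so masquerade them behind the global
        # WAN address: this is the SNAT = MASQ rule from the thread.
        plan["snat_to"] = str(ipaddress.IPv6Address(fw_wan))
    elif scope != "global":
        plan["problems"].append("source address is not Internet-routable")
    return plan

# Topology as posted in the thread.
FW_LAN = "fc00:2222:3333:4444:cccc:dddd:eeee:ffff"
FW_WAN = "2600:6c4e:7007:600:2919:f1db:ea13:990f"
ABCDC01 = Host("ABCDC01", "fc00:2222:3333:4444:cccc:dddd:eeee:10/64", FW_LAN)

if __name__ == "__main__":
    print(egress_plan(ABCDC01, FW_LAN, FW_WAN))
```

Running it prints a plan for ABCDC01 with no problems and `snat_to` set to the WAN address, which is exactly the condition under which the masquerade rule is required.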

  • Hi,

    The FC00 is a link-local address and is only usable between end points; you will find it as the address between your XG and the ISP router, but it does not go any further. Link-local addresses are not routable, and you need the NAT to convert it to a routable address, e.g. your WAN address. Does that make sense?

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • Curious about something else. I have a Windows 2019 server, and IPv6 shows no Internet connectivity. It is able to access the Internet from the CLI, Internet Explorer reaches google.com over IPv6, and it was able to download Windows updates without any issues.

    BTW, when is the next Sophos firmware update coming out that supports an IPv6 DHCP server?

  • The next update is expected by the end of April, more likely early May, from comments passed on by support staff.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

