Need some help getting our Sophos XG 136 (LAB) Firewall working with IPv6.
Added v20 TAG
[edited by: Erick Jan at 4:55 AM (GMT -7) on 12 Apr 2024]
Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.
Need some help getting our Sophos XG 136 (LAB) Firewall working with IPv6.
If you use a NAT you can use what ever address you like. You can also use the DHCP server and enable the boxes in the RA settings. The following are my IPv6 settings using delegated addressing.
( The forum is playing havoc with my inserts and adding multiple copies which I have deleted)
The first screenshot is one of my IPv6 DHCP in normal mode, the second screenshot is DHCP IPv6 when using PD. I will post another thread with my RA settings if you are interested?
The last one is a standard DHCP setting using IPv6
Ian
XG115W - v20.0.1 MR-1 - Home
XG on VM 8 - v20 GA
If a post solves your question please use the 'Verify Answer' button.
Sorry...feeling like we're running around in circles and still not getting it to work. Going to take a break and maybe tackle this again early next week. Thanks.
The any any rule was an IPv6 rule?
ian
XG115W - v20.0.1 MR-1 - Home
XG on VM 8 - v20 GA
If a post solves your question please use the 'Verify Answer' button.
Started making a new rule for any any and there were no options to select anything related to IPv4 or IPv6.
Here's the rule we have in place:
Top of the firewall page there are tabs .
ian
XG115W - v20.0.1 MR-1 - Home
XG on VM 8 - v20 GA
If a post solves your question please use the 'Verify Answer' button.
OK. Found the super obvious IPv6 tab and created a Default IPv6 rule for ANY ANY. It didn't really seem necessary, but we did it so we could log traffic. A PING to Google's IPv6 DNS (2001:4860:4860::8888) was listed in Logviewer as Accept. However, on the Windows Server side the PING didn't respond. Using Sophos Diagnostics the PING to Google's DNS server does respond with zero packet loss if we let it auto select the interface. If we manually tell it to use Port 1 or Port 4 or the Bridge then it can't ping Goolge's DNS.
My team worked with Sophos technical support today and we got it working. The trick was to add an IPv6 NAT rule with SNAT = MASQ and bind it to the IPv6 ANY ANY rule. Supposedly with the 20.0.0. GA-Build222 firmware NAT is not required, but it wouldn't work without it and SNAT had to be MASQ or it also wouldn't work.
Steps:
Hi,
while that has been fixed, I feel there's something with your configuration that is wrong. I have many IPv6 rules and two linked NATs for the NTP function but no general NAT. My IPv6 works fine.
Where did you get your LAN IPv6 address range from? If it is as shown with an FC00 address that will require a NAT to allow traffic out.
Ian
XG115W - v20.0.1 MR-1 - Home
XG on VM 8 - v20 GA
If a post solves your question please use the 'Verify Answer' button.
FC00::/7 FC00-FDFF Unique-local (LAN) /7 = 7 bits
https://www.youtube.com/watch?v=oItwDXraK1M
8min 40sec in to the video
A member of my team watched the above video and from what they learned the fc00 was for local LAN IP's. It still doesn't really make sense to them why the NAT required SNAT with MASQ, but it was the only way it worked.
Hi,
the FC00 is a link local address and is only usable between end points, you will find it as the address between your XG and the ISP router but does not go any further. Link local addresses are not routable and you need the NAT to convert it to a routable address eg your WAN address. Does that make sense?
Ian
XG115W - v20.0.1 MR-1 - Home
XG on VM 8 - v20 GA
If a post solves your question please use the 'Verify Answer' button.