Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Replies 24 replies
  • Answers 2 answers
  • Subscribers 38 subscribers
  • Views 3992 views
  • Users 0 members are here
Options
Suggested

Sophos XG 136 Firewall SFOS 20.0.0 GA-Build222 IPv6 No Internet

Erika Koelle

Need some help getting our Sophos XG 136 (LAB) Firewall working with IPv6.

ABCDC01:  Role = Windows Server 2019 Domain Controller
IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:10/64
IPv4 = Not Enabled
Gateway = fc00:2222:3333:4444:cccc:dddd:eeee:ffff/64
 
ABCSVR01:  Role = Windows Server 2019 member server
IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:20/64
IPv4 = Not Enabled
Gateway = fc00:2222:3333:4444:cccc:dddd:eeee:ffff/64
 
Sophos Firewall 01: Local (Home)
Port #1:  Role = LAN IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:ffff IPv4 = 24.205.107.999
Port #2:  Role = WAN IPv6 = 2600:6c4e:7007:600:2919:f1db:ea13:990f/64 DHCP from Spectrum
 
Sophos Firewall 02: Remote (Remote)
Port #1:  Role = LAN IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:ffff IPv4 = 174.83.134.999
Port #2:  Role = WAN IPv6 =2600:6c4e:7000:101:6d68:f6ae:db55:9984/64 DHCP from Spectrum
 
Tests:
1.  Good - ABCDC01 can ping ABCSVR01 and vice versa
2.  Good - MacBook (IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:30/64) can ping6 from terminal to both ABCDC01 and ABCSVR01
3.  Good - ABCDC01 and ABCSVR01 can both ping gateway fc00:2222:3333:4444:cccc:dddd:eeee:ffff
4.  Good - ABCDC01 and ABCSVR01 can both ping internal WAN interface 2600:6c4e:7007:600:2919:f1db:ea13:990f
5.  Good - Sophos is able to ping ABCDC01 and ABCSVR01
6.  Good - Sophos is able to ping ipv6.google.com using Sophos Diagnostics
7.  Good - Sophos is able to complete traceroute to ipv6.google.com using Sophos Diagnostics
8.  Fail - ABCDC01 and ABCSVR01 cannot ping ipv6.google.com
 
Not sure if configuration is correct as we needed to manually assign IPv6 IP’s to our Windows Server devices as Link-Local IP can’t ping Gateway or WAN IP’s.  Not sure if we read this properly, but it seems there’s no IPv6 DHCP server and that they’re stateless.
On another note, we tried to getting a preferred delegated prefix from our ISP and it wouldn't do it following the following Sophos video:
Some IP's have been deliberately modified and we know that there's no such thing as an IPv4 with a .999


Added v20 TAG
[edited by: Erick Jan at 4:55 AM (GMT -7) on 12 Apr 2024]
  • 0 in reply to Erika Koelle

    If you use a NAT you can use what ever address you like. You can also use the DHCP server and enable the boxes in the RA settings. The following are my IPv6 settings using delegated addressing.

    ( The forum is playing havoc with my inserts and adding multiple copies which I have deleted)

    The first screenshot is one of my IPv6 DHCP in normal mode, the second screenshot is DHCP IPv6 when using PD. I will post another thread with my RA settings if you are interested?

    The last one is a standard DHCP setting using IPv6

    Ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Sorry...feeling like we're running around in circles and still not getting it to work.  Going to take a break and maybe tackle this again early next week.  Thanks.

  • 0 in reply to Erika Koelle

    The any any rule was an IPv6 rule?
    ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Started making a new rule for any any and there were no options to select anything related to IPv4 or IPv6.

    Here's the rule we have in place:

  • 0 in reply to Erika Koelle

    Top of the firewall page there are tabs .

    ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    OK.  Found the super obvious IPv6 tab and created a Default IPv6 rule for ANY ANY.  It didn't really seem necessary, but we did it so we could log traffic.  A PING to Google's IPv6 DNS (2001:4860:4860::8888) was listed in Logviewer as Accept.  However, on the Windows Server side the PING didn't respond.  Using Sophos Diagnostics the PING to Google's DNS server does respond with zero packet loss if we let it auto select the interface.  If we manually tell it to use Port 1 or Port 4 or the Bridge then it can't ping Goolge's DNS. 

  • 0

    My team worked with Sophos technical support today and we got it working.  The trick was to add an IPv6 NAT rule with SNAT = MASQ and bind it to the IPv6 ANY ANY rule.  Supposedly with the 20.0.0. GA-Build222 firmware NAT is not required, but it wouldn't work without it and SNAT had to be MASQ or it also wouldn't work.

    Steps:

    Sophos Firewall:
    Port #1:  Role = LAN IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:ffff
    Port #2:  Role = WAN IPv6 = 2600:6c4e:7007:600:2919:f1db:ea13:990f/64 DHCP from Spectrum
    IPv6 router advertisement: Not needed
    IPv6 ANY ANY rule with IPv6 NAT rule SNAT = MASQ
    Windows Server:
    IPv6 = fc00:2222:3333:4444:cccc:dddd:eeee:10/64
    DNS =  fc00:2222:3333:4444:cccc:dddd:eeee:ffff
    Gateway = fc00:2222:3333:4444:cccc:dddd:eeee:ffff/64
    PING fc00:2222:3333:4444:cccc:dddd:eeee:ffff (Default Gateway)
    PING 2600:6c4e:7007:600:2919:f1db:ea13:990f (WAN Interface)
    PING 2001:4860:4860::8888 (Google DNS)
    PING ipv6.google.com
    PING google.com
    PING yahoo.com
    PING nasa.gov
    PING amazon.com (Name resolution fails for IPv6)
    PING msn.com (Name resolution fails for IPv6)
    PING aws.amazon.com
    PING windows.com
    Windows updates downloaded purely via IPv6
    Internet Explorer able to browse google.com and yahoo.com but not too much else
  • 0 in reply to Erika Koelle

    Hi,

    while that has been fixed, I feel there's something with your configuration that is wrong. I have many IPv6 rules and two linked NATs for the NTP function but no general NAT. My IPv6 works fine.

    Where did you get your LAN IPv6 address range from? If it is as shown with an FC00 address that will require a NAT to allow traffic out.

    Ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    FC00::/7 FC00-FDFF Unique-local (LAN) /7 = 7 bits

    https://www.youtube.com/watch?v=oItwDXraK1M

    8min 40sec in to the video

    A member of my team watched the above video and from what they learned the fc00 was for local LAN IP's.  It still doesn't really make sense to them why the NAT required SNAT with MASQ, but it was the only way it worked.  

  • 0 in reply to Erika Koelle

    Hi,

    the FC00 is a link local address and is only usable between end points, you will find it as the address between your XG and the ISP router but does not go any further. Link local addresses are not routable and you need the NAT to convert it to a routable address eg your WAN address. Does that make sense?

    Ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

Unfiltered HTML