Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPv6 - Two addresses being issued by XG Firewall DHCPv6 server?

I've been looking at a strange issue on my devices regarding IPv6 addressing (at least an issue I think is strange).  I am not using SLAAC.  I have a Sophos XG acting as a DHCPv6 server issuing a private IPv6 prefix, let's call it AAAA:AAAA:AAAA:AAAA:.  All of my devices have that address, but they also have another address with a completely different prefix, let's call it  fdc9:BBBB:BBBB:BBBB:.  The fdc9:BBBB:BBBB:BBBB: prefix is not a link-local address.  It is listed as a separate second IPv6 address that is the same across all my devices in addition to the link-local address.  I've gone through all the firewall settings and there is no reference to this second IPv6 prefix anywhere.

Could there be a "hidden" configuration file on the XG that is sending out this prefix?  It is not part of my router advertisement where I also have the "autonomous" flag cleared (unchecked).

A new Windows vNext server install also has this fdc9:BBBB:BBBB:BBBB: prefix, so it doesn't seem to be a legacy item on the devices/computers.

Since the prefix is the same for all the devices, it seems to me that the Sophos XG DHCPv6 server is issuing it unless I am missing something obvious.

Thanks.



This thread was automatically locked due to age.
Parents
  • To close the loop on this...  

    I had been using a "smart" switch since I expected that I would have control over the actions of my network devices when I created it years ago (how naive of me).  Obviously, that has now changed with the discovery that the newer model AppleTVs set up a "rogue" IPv6 network.  This, as it turns out, has caused a number of issues with my network as the router advertisements sent by the AppleTV are sent with higher priority than the Sophos XG router advertisements.  Servers on my network were very confused.  I managed to filter out the "rogue" router advertisements using the Windows firewall, but that does NOT work on Server 2025 which appears to always accept router advertisements.  So I needed a much better solution as this could only be done on Windows machines (does not apply to Apple computers or tablets).

    This also created problems with IPv6 connectivity for my iPad since it prioritized the "rogue" IPv6 address over the one sent by the Sophos XG.  My iPad would attempt to connect via the "rogue" IPv6 which has no internet access then fail.  It would then attempt IPv4 and succeed.  This destroyed the IPv6 connectivity reliability with the iPads.

    In any case, I purchased a managed switch and blocked router advertisements from the ports where the AppleTVs are connected and voila, everything works perfectly.  Servers are functioning absolutely perfectly and the iPad has regained reliable IPv6 internet access.  If only I could keep the "Private IP Address" toggle in the off position on the iPad, but that's yet another struggle with Apple hardware.

Reply
  • To close the loop on this...  

    I had been using a "smart" switch since I expected that I would have control over the actions of my network devices when I created it years ago (how naive of me).  Obviously, that has now changed with the discovery that the newer model AppleTVs set up a "rogue" IPv6 network.  This, as it turns out, has caused a number of issues with my network as the router advertisements sent by the AppleTV are sent with higher priority than the Sophos XG router advertisements.  Servers on my network were very confused.  I managed to filter out the "rogue" router advertisements using the Windows firewall, but that does NOT work on Server 2025 which appears to always accept router advertisements.  So I needed a much better solution as this could only be done on Windows machines (does not apply to Apple computers or tablets).

    This also created problems with IPv6 connectivity for my iPad since it prioritized the "rogue" IPv6 address over the one sent by the Sophos XG.  My iPad would attempt to connect via the "rogue" IPv6 which has no internet access then fail.  It would then attempt IPv4 and succeed.  This destroyed the IPv6 connectivity reliability with the iPads.

    In any case, I purchased a managed switch and blocked router advertisements from the ports where the AppleTVs are connected and voila, everything works perfectly.  Servers are functioning absolutely perfectly and the iPad has regained reliable IPv6 internet access.  If only I could keep the "Private IP Address" toggle in the off position on the iPad, but that's yet another struggle with Apple hardware.

Children
No Data