IPv6 - Two addresses being issued by XG Firewall DHCPv6 server?

I've been looking at a strange issue on my devices regarding IPv6 addressing (at least an issue I think is strange).  I am not using SLAAC.  I have a Sophos XG acting as a DHCPv6 server issuing a private IPv6 prefix, let's call it AAAA:AAAA:AAAA:AAAA:.  All of my devices have that address, but they also have another address with a completely different prefix, let's call it fdc9:BBBB:BBBB:BBBB:.  The fdc9:BBBB:BBBB:BBBB: prefix is not a link-local address.  It is listed as a separate second IPv6 address that is the same across all my devices in addition to the link-local address.  I've gone through all the firewall settings and there is no reference to this second IPv6 prefix anywhere.

Could there be a "hidden" configuration file on the XG that is sending out this prefix?  It is not part of my router advertisement where I also have the "autonomous" flag cleared (unchecked).

A new Windows vNext server install also has this fdc9:BBBB:BBBB:BBBB: prefix, so it doesn't seem to be a legacy item on the devices/computers.

Since the prefix is the same for all the devices, it seems to me that the Sophos XG DHCPv6 server is issuing it unless I am missing something obvious.

Thanks.



Added TAGs
[edited by: Erick Jan at 1:03 AM (GMT -7) on 8 Apr 2024]
  • To close the loop on this...  

    I had been using a "smart" switch since I expected that I would have control over the actions of my network devices when I created it years ago (how naive of me).  Obviously, that has now changed with the discovery that the newer model AppleTVs set up a "rogue" IPv6 network.  This, as it turns out, has caused a number of issues with my network, as the router advertisements sent by the AppleTV are sent with higher priority than the Sophos XG router advertisements.  Servers on my network were very confused.  I managed to filter out the "rogue" router advertisements using the Windows firewall, but that does NOT work on Server 2025, which appears to always accept router advertisements.  So I needed a much better solution, as this could only be done on Windows machines (it does not apply to Apple computers or tablets).

    This also created problems with IPv6 connectivity for my iPad since it prioritized the "rogue" IPv6 address over the one sent by the Sophos XG.  My iPad would attempt to connect via the "rogue" IPv6 address, which has no internet access, then fail.  It would then attempt IPv4 and succeed.  This destroyed the IPv6 connectivity reliability with the iPads.

    In any case, I purchased a managed switch and blocked router advertisements from the ports where the AppleTVs are connected and voila, everything works perfectly.  Servers are functioning absolutely perfectly and the iPad has regained reliable IPv6 internet access.  If only I could keep the "Private IP Address" toggle in the off position on the iPad, but that's yet another struggle with Apple hardware.
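The situation the reply describes, a second device on the segment sending its own router advertisements with a higher router preference and a prefix that hosts auto-configure from, is found fastest by looking at the RAs themselves: the Ethernet source MAC says which device sent each RA, the Prf bits (RFC 4191) say which router hosts will prefer, and the A flag on each prefix option says whether hosts will form a SLAAC address from it. The following is an added example, not from the thread, from Sophos or from Apple. It parses ICMPv6 RAs from raw Ethernet frames and reports who is advertising which prefix. The sample frames are constructed here with made-up MAC addresses and documentation prefixes, and the trusted-router MAC is an assumption for the example.

```python
"""Parse ICMPv6 Router Advertisements (RAs) from raw Ethernet frames and report
which device advertises which prefix, with what router preference.
Added example, not from the original thread; sample frames are constructed."""
import ipaddress
import struct

ETH_P_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ND_ROUTER_ADVERT = 134
OPT_SRC_LLADDR = 1
OPT_PREFIX_INFO = 3
# RFC 4191 Router Preference, a 2-bit field in the RA flags byte.
PRF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved"}
# Assumed MAC of the legitimate router's LAN interface (made up for the example).
TRUSTED_ROUTERS = {"00:1a:8c:00:00:01"}


def parse_ra(frame: bytes):
    """Return a dict describing the RA in `frame`, or None if it is not an RA.
    Assumes no IPv6 extension headers, which is the case for real RAs."""
    if len(frame) < 14 + 40 + 16 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ip6 = frame[14:54]
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", ip6[4:8])
    if next_hdr != IPPROTO_ICMPV6:
        return None
    icmp = frame[54:54 + payload_len]
    if len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERT:
        return None
    flags = icmp[5]
    ra = {
        "src_mac": src_mac,
        "src_ip": str(ipaddress.IPv6Address(ip6[8:24])),
        "hop_limit": hop_limit,                 # valid RAs arrive with 255
        "managed": bool(flags & 0x80),          # M: get addresses via DHCPv6
        "other": bool(flags & 0x40),            # O: get other config via DHCPv6
        "preference": PRF_NAMES[(flags >> 3) & 0b11],
        "router_lifetime": struct.unpack("!H", icmp[6:8])[0],  # 0 = not default
        "prefixes": [],
    }
    pos = 16  # options are TLVs: type(1), length(1, units of 8 bytes), value
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1]
        if olen == 0:
            break  # malformed; RFC 4861 says to discard the packet
        opt = icmp[pos:pos + olen * 8]
        if otype == OPT_PREFIX_INFO and len(opt) == 32:
            plen, pflags = opt[2], opt[3]
            valid, preferred = struct.unpack("!II", opt[4:12])
            net = ipaddress.IPv6Network(f"{ipaddress.IPv6Address(opt[16:32])}/{plen}", strict=False)
            ra["prefixes"].append({
                "prefix": str(net),
                "on_link": bool(pflags & 0x80),     # L flag
                "autonomous": bool(pflags & 0x40),  # A flag: hosts may SLAAC from it
                "valid": valid, "preferred": preferred,
            })
        pos += olen * 8
    return ra


def build_ra(src_mac: bytes, src_ip: str, prefix: str, *, preference=0b00,
             autonomous=False, managed=True, lifetime=1800) -> bytes:
    """Build a minimal RA frame for the constructed samples (checksum left 0;
    parse_ra does not verify checksums)."""
    net = ipaddress.IPv6Network(prefix)
    icmp = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64,
                       (0x80 if managed else 0) | (preference << 3), lifetime, 0, 0)
    icmp += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                        0x80 | (0x40 if autonomous else 0), 2592000, 604800, 0)
    icmp += net.network_address.packed
    icmp += bytes([OPT_SRC_LLADDR, 1]) + src_mac
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    eth = bytes.fromhex("333300000001") + src_mac + struct.pack("!H", ETH_P_IPV6)
    return eth + ip6 + icmp


def audit(frames, trusted=TRUSTED_ROUTERS):
    """Return (advertisers_by_prefix, rogue_ras): the set of source MACs seen
    for each advertised prefix, and every RA whose source is not trusted."""
    by_prefix, rogue = {}, []
    for frame in frames:
        ra = parse_ra(frame)
        if ra is None:
            continue
        for p in ra["prefixes"]:
            by_prefix.setdefault(p["prefix"], set()).add(ra["src_mac"])
        if ra["src_mac"] not in trusted:
            rogue.append(ra)
    return by_prefix, rogue


# Constructed sample capture: one legitimate RA (DHCPv6, A flag clear, medium
# preference) and one from a second device (SLAAC ULA, high preference).
XG_MAC, TV_MAC = bytes.fromhex("001a8c000001"), bytes.fromhex("f0b4d2000002")
SAMPLE_FRAMES = [
    build_ra(XG_MAC, "fe80::21a:8cff:fe00:1", "2001:db8:1:1::/64", managed=True),
    build_ra(TV_MAC, "fe80::f2b4:d2ff:fe00:2", "fdc9:db8:0:1::/64",
             preference=0b01, autonomous=True, managed=False),
    b"\x00" * 60,  # not IPv6, ignored
]

if __name__ == "__main__":
    prefixes, rogue = audit(SAMPLE_FRAMES)
    for prefix, macs in sorted(prefixes.items()):
        print(f"{prefix:<22} advertised by {', '.join(sorted(macs))}")
    for ra in rogue:
        print(f"ROGUE RA from {ra['src_mac']} ({ra['src_ip']}): "
              f"preference={ra['preference']} lifetime={ra['router_lifetime']}")
```

On a live segment, capture only RAs with `tcpdump -i <iface> -w ra.pcap 'icmp6 and ip6[40] == 134'` (the `ip6[40]` offset assumes no extension headers, which real RAs do not carry) and feed the raw frames to `parse_ra`. Two fields explain the behaviour in the thread: the Prf bits decide which router hosts prefer as default, and an A flag set on the other router's prefix is enough for hosts to form an address from it even when the trusted router advertises with autonomous cleared. Per-host filtering only protects the hosts it is applied to, which is why dropping RAs at the switch port (RA Guard) is the durable fix.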
