
IPv6 environment on XGS

Kinda stupid question:

Is there any "how-to doc" to set up a simple IPv6 dual-stack environment on XGS?
Maybe the "right and secure" way to go from v4 only to dual-stack? Nothing special needed, just that an IPv6 client can reach the WAN via IPv6...

For example:

- WAN-GW on firewall is now IPv4 only -> IPv4 + IPv6
- SSL VPN is now leasing IPv4 + IPv6 to clients (but of course it drops any packet from/to IPv6)



Added TAGs
[edited by: Raphael Alganes at 12:29 PM (GMT -7) on 22 May 2024]
  • When you say "dual stack" and mention the WAN GW, I assume your ISP offers IPv6 and you're not just doing dual-stack internally and IPv4 externally, correct?

    One thing to think about is how your ISP offers IPv6. Does it do IPv6-PD, or do they assign you a static IPv6 or something else? (Keep in mind that you'll get a /64 IPv6 for your XGS and ALSO a /56 (or whatever) for the PD that you then allocate amongst your subnets.)

    If you're using SLAAC internally, IPv6 addresses will change and you have no control over them, so you might want to think through subnets -- since they're much easier and lower opportunity cost in IPv6. For example, the AppleTV is on its own subnet (and VLAN) so that you can have different TLS decryption and other policies/rules for it. It's much more difficult in IPv6 to aim specific things at specific clients than it is in IPv4 (with DHCP and reserved IPs). Unless you do DHCP6, which eliminates some of the benefits of SLAAC.

    You might also turn on IPv6 segment-by-segment. Maybe on one VLAN/interface and not others, and so on, to build a comfort level. There are two separate firewall rules tables (IPv6 and IPv4) and the thrust of IPv6 is to be more subnet-centric and less client-centric than IPv4.

    Also, if you're doing DDNS -- this would apply if you're trying to reach your home network from the internet -- make sure your DNS service supports simultaneous IPv4 and IPv6. (Google DNS did not. They sold recently to Squarespace, which doesn't do DDNS at all.)

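The reply above makes two planning points that are easier to see worked through than described: the ISP's delegated prefix (a /56 or similar) has to be carved into one /64 per VLAN before anything is typed into the firewall, and SLAAC clients pick their own interface identifiers, so policy ends up matching on the /64 rather than on a host. The following Python is an added example, not from either post and not Sophos code; the 2001:db8::/32 prefix, the MAC address and the VLAN plan are constructed sample values, and "VLAN ID = subnet index" is just one convention for a deterministic plan. On the XGS the resulting /64s are what you would enter per interface; this script only produces and checks the plan.

```python
"""Plan per-VLAN /64s from a delegated IPv6 prefix and show why SLAAC
addresses are hard to pin to a client (added example, constructed data)."""
import ipaddress
import secrets


def carve_pd(prefix: str, vlans: dict[int, str]) -> dict[int, ipaddress.IPv6Network]:
    """Map each VLAN ID to its own /64 inside the delegated prefix.

    The VLAN ID is used as the subnet index (a chosen convention), so VLAN 10
    always gets the 11th /64 of the PD regardless of the order VLANs are added.
    """
    pd = ipaddress.IPv6Network(prefix)
    subnets = list(pd.subnets(new_prefix=64))
    too_big = [vid for vid in vlans if vid >= len(subnets)]
    if too_big:
        raise ValueError(f"{prefix} yields only {len(subnets)} /64s; VLANs {too_big} do not fit")
    return {vid: subnets[vid] for vid in vlans}


def eui64_address(prefix, mac: str) -> ipaddress.IPv6Address:
    """Classic SLAAC address: modified EUI-64 interface identifier (RFC 4291).

    The universal/local bit (0x02 of the first octet) is inverted and ff:fe is
    inserted between the OUI and the NIC-specific half of the MAC. Stable, but
    it leaks the hardware address and modern clients rarely use it.
    """
    net = ipaddress.IPv6Network(str(prefix))
    octets = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def privacy_address(prefix) -> ipaddress.IPv6Address:
    """Temporary address (RFC 4941 style): random 64-bit IID that clients
    regenerate over time. This is why a host-based rule is not reliable
    under SLAAC; only the /64 it sits in is predictable."""
    net = ipaddress.IPv6Network(str(prefix))
    return ipaddress.IPv6Address(int(net.network_address) | secrets.randbits(64))


def vlan_for(addr: str, plan: dict[int, ipaddress.IPv6Network]):
    """Subnet-centric policy lookup: which VLAN's /64 does this address fall in?
    Returns None for addresses outside the delegated prefix."""
    ip = ipaddress.IPv6Address(addr)
    for vid, net in plan.items():
        if ip in net:
            return vid
    return None


if __name__ == "__main__":
    # Constructed sample: ISP delegates a /56, three VLANs need their own /64.
    plan = carve_pd("2001:db8:abcd:100::/56", {10: "lan", 20: "appletv", 30: "iot"})
    for vid, net in plan.items():
        print(f"VLAN {vid:>3}: {net}")

    mac = "00:11:22:33:44:55"  # constructed
    stable = eui64_address(plan[20], mac)
    temp = privacy_address(plan[20])
    print("EUI-64 address :", stable)
    print("privacy address:", temp)
    print("both land in VLAN", vlan_for(str(stable), plan), "/", vlan_for(str(temp), plan))
    print("outside PD     :", vlan_for("2001:db8:ffff::1", plan))
```

Running the block prints the three /64s, then two addresses for the same client in the AppleTV VLAN: the EUI-64 one is derivable from the MAC, the privacy one is random and will not be the same next week, yet `vlan_for` classifies both into VLAN 20. That is the practical reason the reply suggests putting a device like the AppleTV on its own VLAN and writing the IPv6 rule against the subnet; a DHCPv6-reserved address would bring back per-host control at the cost of the SLAAC benefits.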