
IPv6 + PD + Sophos DNS Protection (IPv4)

I'm slowly enabling IPv6 on various VLANs to test things out. Two questions:

1. I use Sophos DNS Protection, which only provides IPv4 addresses, though these addresses evidently accept and answer IPv6 queries (i.e. AAAA records, etc). How would I set up the firewall to handle this for IPv6 clients? I'm thinking I could either: a) not give out any IPv6 DNS info to any clients, and lean on them being dual-stack, or b) tell IPv6 clients to use the firewall as their DNS server and set the firewall up to answer IPv6 queries but upstream query only IPv4 Sophos DNS Protection servers.

Are recent dual-stack devices able to figure out they can try IPv6 DNS queries to IPv4 DNS servers and get back IPv6 addresses? Or would option (a) essentially neuter IPv6 on my LAN?

If I try option (b), what IPv6 address do I advertise as the DNS server? I'm using IPv6 DHCP PD, so I guess I would need to use the link-level IPv6 of the connected firewall port? I can't seem to find this in the GUI. (To add some detail: the VLAN in question comes off of an AP6 SSID, and is then bridged with another appliance port. But I also have another VLAN that originates from a different SSID on the same AP6 that is not bridged.)

2. Could Sophos consider allowing Clientless Users by MAC address in addition to IPv4 address? In a small installation, I think it's common to use Clientless Users for almost every device because of the convenient displays and the ability to have rules to require a known User. Clientless users are IPv4 so they don't have to be directly connected to the appliance, and that's good. But IPv6 has so many address moving parts that it would be super-nice to use MAC address to group all the activity of one device.

P.S. I hadn't thought of it before, but my ISP changes the PD multiple times a day. The IPv4 address is stable, even though it's DHCP, but the PD changes often. Good for anonymity, I guess, but I wasn't expecting that behavior.
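On the question of whether an IPv6 client can get AAAA answers from an IPv4-only resolver: the record type requested and the address family the query is carried over are independent. The following is an added example, not code from this thread or from Sophos: a minimal DNS wire-format builder and parser that forms an AAAA question, parses a reply (with the usual name compression pointer), and shows the answer is a 16-byte IPv6 address no matter which socket family carried it. The `example.net` name, the `2001:db8::1` answer and the reply bytes are constructed here; `query_aaaa_over_ipv4` is the only function that touches the network and is not called at import.

```python
"""Minimal DNS wire-format helpers (added example, not Sophos code).
Shows that an AAAA question/answer is the same bytes whether it is carried
over an IPv4 or an IPv6 UDP socket; name and answer below are constructed."""
import ipaddress
import socket
import struct

QTYPE_A, QTYPE_AAAA = 1, 28


def encode_name(name: str) -> bytes:
    """Encode 'example.net' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, answers) -> bytes:
    """Constructed reply: echoes the question, sets QR/RD/RA, appends answers
    whose owner name is a compression pointer (0xC00C) to the question name.
    answers is a list of (qtype, ttl, rdata_bytes)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = b""
    for qtype, ttl, rdata in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return header + question + body


def read_name(msg: bytes, off: int):
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes):
    """Return [(owner, rtype, ttl, value)] for every answer record."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_AAAA and rdlen == 16:   # 16-byte IPv6 address
            value = str(ipaddress.IPv6Address(rdata))
        elif rtype == QTYPE_A and rdlen == 4:     # 4-byte IPv4 address
            value = str(ipaddress.IPv4Address(rdata))
        else:
            value = rdata.hex()
        records.append((name, rtype, ttl, value))
    return records


def query_aaaa_over_ipv4(server_v4: str, name: str, timeout: float = 2.0):
    """Send the AAAA question over an IPv4 UDP socket (an IPv4-only resolver
    address) and return the parsed answers.  Needs network; not run here."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, QTYPE_AAAA), (server_v4, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def demo():
    """Offline round trip with a constructed reply carrying one AAAA record."""
    q = build_query("example.net", QTYPE_AAAA)
    r = build_response(q, [(QTYPE_AAAA, 300, ipaddress.IPv6Address("2001:db8::1").packed)])
    return parse_response(r)
```

The transport socket is the only place the address family appears; swapping `AF_INET` for `AF_INET6` changes nothing in the question or in how the AAAA rdata is interpreted, which is why a dual-stack client can learn IPv6 addresses from an IPv4-only resolver.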

  • Hi Wayne,

    Clientless users can have IPv6 addressing; the issue is using PD, where the address changes often and is not linked to the clientless user. If you are using NAT for your IPv6 traffic rather than PD, you can use your own IPv6 addresses and DHCP assignments. The current version of XG (V21) does not allow DHCP in the PD environment.

    Ian

    A later thought: you might like to check with your ISP/RSP as to why the IPv6 address changes so often.

    XGS118 - v21.0.1 MR1

    XG115 converted to software licence v21.0.1 MR-1




    • Unfortunately, contacting the ISP (a name you'd recognize) would not be helpful. Their customer service reps lie and deceive routinely and basically exist to try to upsell you. When I look at a Delegated VLAN, it indicates that the lifetime is 120 minutes, and I think that's handed down from the Gateway DHCP (you just don't see it in the GUI at that level), so my guess is the ISP is changing PD every two hours and is not accepting renewal requests.

      Clientless users can have IPv6 addresses, but as far as I can understand, that's not helpful with PD or with SLAAC. The only way to make it work would be to use DHCPv6 and assign every address manually. Even then, the IPv6 address will be reserved on the basis of UUID and I believe that can change -- there are three kinds of UUIDs, as I understand it, and at least one of them isn't consistent across client reboots.

      What we really need, I guess, is in the IPv6 "NAT", we need an "NPT" option alternative to MASQ, which would invoke NPTv6 instead of NATv6. (Network Prefix Translation is stateless and replaces the internal prefix with the PD prefix, so it's very different from NAT, which is stateful.)
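The NPTv6 behaviour the comment above asks for, as an added example in Python (not Sophos code and not part of this thread): a stateless, RFC 6296 style mapping between an internal ULA prefix and a delegated prefix, including the checksum-neutral adjustment of the subnet word so that TCP/UDP/ICMPv6 checksums stay valid without any per-flow state. The `fd00:1234:5678::/48` and `2001:db8:abcd::/48` prefixes and the host addresses are constructed sample values; when the delegated prefix changes, only the `NPTv6` object is rebuilt and every internal host keeps its address.

```python
"""Stateless NPTv6 (RFC 6296 style) between two equal-length prefixes of /48
or shorter.  Added example, not Sophos code; prefixes below are constructed."""
import ipaddress


def _words(addr: ipaddress.IPv6Address) -> list:
    """Split a 128-bit address into eight 16-bit words, network byte order."""
    raw = addr.packed
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, 16, 2)]


def _from_words(words: list) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def _ones_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry.  0xFFFF and
    0x0000 both mean zero in one's complement; this example normalises to 0."""
    s = a + b
    s = (s & 0xFFFF) + (s >> 16)
    return 0 if s == 0xFFFF else s


def ones_complement_sum(addr) -> int:
    """One's complement sum of the eight address words: the address's share
    of a transport pseudo-header checksum.  Equal sums => checksum neutral."""
    total = 0
    for w in _words(ipaddress.IPv6Address(addr)):
        total = _ones_add(total, w)
    return total


class NPTv6:
    def __init__(self, internal: str, external: str) -> None:
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        if (self.internal.prefixlen != self.external.prefixlen
                or self.internal.prefixlen > 48):
            raise ValueError("example handles equal-length prefixes of /48 or shorter")
        # Pre-compute once: the difference between the two prefixes' one's
        # complement sums.  Adding it to the subnet word (bits 48..63) makes
        # the translated address sum to the same value as the original, so no
        # transport checksum needs rewriting and no flow table is needed.
        int_sum = ones_complement_sum(self.internal.network_address)
        ext_sum = ones_complement_sum(self.external.network_address)
        self.delta = _ones_add(int_sum, ~ext_sum & 0xFFFF)

    def _translate(self, addr, src_net, dst_net, delta) -> ipaddress.IPv6Address:
        addr = ipaddress.IPv6Address(addr)
        if addr not in src_net:
            raise ValueError(f"{addr} is not inside {src_net}")
        if _words(addr)[3] == 0xFFFF:
            # 0xFFFF is one's complement negative zero and cannot be adjusted
            # unambiguously; RFC 6296 treats such addresses as untranslatable.
            raise ValueError(f"{addr}: subnet word 0xFFFF cannot be translated")
        # Swap the prefix bits, keep the host bits untouched.
        host_bits = int(addr) & int(src_net.hostmask)
        words = _words(ipaddress.IPv6Address(int(dst_net.network_address) | host_bits))
        words[3] = _ones_add(words[3], delta)  # checksum-neutral adjustment
        return _from_words(words)

    def outbound(self, internal_addr) -> ipaddress.IPv6Address:
        """Internal (ULA) source address -> delegated-prefix address."""
        return self._translate(internal_addr, self.internal, self.external, self.delta)

    def inbound(self, external_addr) -> ipaddress.IPv6Address:
        """Delegated-prefix destination address -> internal (ULA) address."""
        return self._translate(external_addr, self.external, self.internal,
                               ~self.delta & 0xFFFF)

    def checksum_neutral(self, internal_addr) -> bool:
        """True when translation leaves the address's checksum share unchanged."""
        return (ones_complement_sum(internal_addr)
                == ones_complement_sum(self.outbound(internal_addr)))


if __name__ == "__main__":
    t = NPTv6("fd00:1234:5678::/48", "2001:db8:abcd::/48")
    ext = t.outbound("fd00:1234:5678:10::1")
    print(ext, t.inbound(ext), t.checksum_neutral("fd00:1234:5678:10::1"))
```

Because the mapping depends only on the two prefixes, the same internal host always maps to the same external address and back, inbound connections work without any pre-existing state, and a new delegated prefix from the ISP only changes the constructor arguments.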