I had a UTM 9.7 device die earlier this week and replaced it with an older unit. The replacement was originally in service at the same location and has been sitting on the shelf for about 9 months as a backup. It dropped in with minimal effort and I'm working on addressing the dead unit now.
The only hitch I'm having after switching back to the older unit is with IPv6. I found I needed to delete /var/chroot-dhcpc/var/db/* in order to pull an IPv6 address for the WAN interface. The leases6 file for the WAN interface is missing the prefix delegation entry (ia-pd). What's the trick to gettint the UTM to request the prefix?
Curiously, after disabling IPv6, deleting the *.lease6 files, and re-enabling IPv6, the web interface is showing a prefix delegation that is out of date. I can't find where that could be coming from.
Need some help please to avoid a wipe and reinstall. I do so dislike the "Microsoft solution"...
I still don't know where UTM is keeping the stale prefix delegation details but when I disable IPv6, delete the lease6 file, and re-enable IPv6, even before the leases file is recreated, the UTM's web…
I still don't know where UTM is keeping the stale prefix delegation details but when I disable IPv6, delete the lease6 file, and re-enable IPv6, even before the leases file is recreated, the UTM's web UI reports the stale prefix delegation.
However... I think I may have a solution but it involves warranty voiding changes on the filesystem. I'm doing this in a home/dev instance, not a system under support. This will likely eat your data and your warranty and your wallet. YMMV, etc.
The idea is to get the UTM to run dhclient with the -P and --prefix-len-hint options. I created a little script named /var/chroot-dhcpc/usr/sbin/dhclient6-p.
#!/bin/bashexec /usr/sbin/dhclient -6 -P --prefix-len-hint 60 $*
All it's doing is adding the options and running dhclient with the passed in options too. Chage the dhclient6 link to point to this.
cd /var/chroot-dhcpc/usr/sbinln -sf dhclient6-p dhclient6
When I re-enable IPv6 now, I'm seeing DHCPv6 rebind requests that include both the the IS-NA and IA-PD blocks.
Related... Running the ipv6_watchdog executable through strings show that it has messages and printf templates that include the -P option but I've never seen it actually run dhclient -P. Well, I've never caught it in ps. Perhaps there's some other scheme that Sophos has for managing the PD. I've never been able to get any feedback from them on this.
This is why I do so love having a firewall that's running Linux underneath. I can fiddle and fix to make it do what I really need. Thanks Sophos!
Wipe your eth0_na.lease6 file or whatever it might be and make the call using dhclient -6 -r -d so that it runs in the foreground. You will see output that the address is being released.