maybe the answer to my questions is quite obvious and I just don't see the forest for the trees...But I currently don't have a clue and I don't even know how to search for the answer.So please also bear with me if the question was already answered thousands of times and I didn't find it.
My provider provides me with an IPv6 network 2001:db8:1::/48.
My Sophos UTM has the IP address 2001:db8:1::2 on its Internet interface (eth0). The provider's endpoint has the address 2001:db8:1::1.
From an IPv6-enabled host in the Internet, I am able to reach both 2001:db8:1::1 and 2001:db8:1::2. So far so good.
As this is a very large network, I would like to split it up into several smaller ones. I am unsure how to accomplish that. (My provider did not delegate a separate subnet which I could use...)
So I thought, I assign the network 2001:db8:1:100::/64 to eth1 with eth1 having the IP address 2001:db8:1:100::1 and a client in that network having 2001:db8:1:100::2.
I thought, the UTM should receive all the network packets for the /48 subnet and it can decide to which interface the packets are to be forwarded to, i.e. all packets in the network 2001:db8:1:100::/64 should be forwarded to eth1, as the firewall knows this subnet. (Although now, there are two network interfaces in the same network - at least as eth0 understands the networks. The eth1's address (and whole address space) is in the same network where also eth0's IP address lies... So somehow, this seems wrong...)
I cannot reach either 2001:db8:1:100::1 or 2001:db8:1:100::2. Does anyone have an idea what I am doing wrong?
Or isn't that possible at all with the IP address and subnet given from my provider? (But why does my provider give me a /48 network, then?)
Any help would be highly appreciated.
It's my understanding that with ipv6, there's no need for NAT. However, you still need to establish firewall rules to allow the traffic in.
So something like internet ---> 2001:db8:1:100::/64…
So something like internet ---> 2001:db8:1:100::/64. For ports, whatever ports you deem necessary. For starters you can just allow ALL, then fine tune once you've confirmed that works. Internet network_port2 below refers to the entire network (not address or broadcast). The screenshot below is something I used for brief testing few moments ago. You'd want to narrow it down to a specific destination host (server?).
This might shed some more light on ipv6 subnets - https://serverfault.com/questions/426183/how-does-ipv6-subnetting-work-and-how-does-it-differ-from-ipv4-subnetting.
Most providers offer must smaller subnets, /56. With att I get /60 which allows for just 16 /64 subnets. You get up to up 65536.
How are you testing if the address is reachable? I used https://www.ipvoid.com/port-scan/ . Firewall log recorded attempts to reach the various ports I tested.
Hi Jay Jay,
thank you for your answer. I am sorry, I forgot to mention that I already have a firewall rule in place allowing me to connect to 2001:db8:1:100::2 on port 443.
But that doesn't work. It's not even possible to receive ping replys from that host.
How did you configure the network interfaces?
Does the Internet interface have to be configured as 2001:db8:1::1/48 or rather as 2001:db8:1::1/64 to prevent overlapping with the network on my internal interface? (But that doesn't make sense to me, either...)
I also forgot to mention, that I have enabled all the ICMP options. Nothing should block ICMP traffic.
Outgoing ping packets are working fine.
Best regards Tom
Any change if you change services to ANY?
In my testing, I didn't try to ping as I didn't have any external ipv6 source to ping from). What I did test was to determine if a particular port was open. I saw the inbound attempts in the firewall log referencing the defined rule.
I suppose it would be worth looking at your firewall log to see if the attempt is even registering.
sorry for my late reply.
Setting the protocol to ANY doesn't work either.
I am really stuck now. I begin to think that it isn't even possible to work with just one network without having an additional routed network from the ISP.
But in your side it seems to work.
And why should the ISP assign a /48 network to me if I cannot use it on any way?
I just noticed on your pic above, position 355. Recall rules are processed top to bottom. If something earlier is blocking, then the packet will never get processed by the later rule.
In general (think I read that here¿?). You want your most specific/granular rules up top, general ones at the bottom. Generally speaking :).
Thanks for your reply!
I understand that you expect that the traffic was blocked by another rule with a lower number?Unfortunately, this is not the case.It doesn't matter where I place the rule. The ping never works.
But I still have another question which I don't really understand.
I have two networks on my two firewall ports:
- network 2001:db8:1::/48 on eth0- network 2001:db8:1:100::/64 on eth1
But the network on eth0 (2001:db8:1::/48) INCLUDES the network on eth1 (2001:db8:1:100::/64), which basically means that the network 2001:db8:1:100::/64 is available on both eth0 and eth1. How does the routing work when there's a network on two network interfaces?
This is the main part I do not understand. All the rules and so on seem to be pretty clear to me. I think I have a more fundamental problem...
But I am not sure how the UTM has to be configured in such a scenario. (Currently completely besides all the firewall rules and so on.)
Eth0 is wan, eth1 is lane?
The /48 is the prefix delegation. You then can carve up the 16 bits (64-48) however you choose.
When I first started with ipv6, I made sure outbound worked properly before focusing on anything inbound.
Got to https://browserleaks.com/ip, see what it reveals about your ipv6 address(es). That might shed some light on where to look.
Both of the ipv6 addresses match below and are the same as reported by windows as my ipv6 "temporary address"
I posted a reply but the forum software found it to be "abusive". Hopefully one of the mods will fix it. Otherwise we may have to continue this discussion on twitter..
I am still not sure if we are talking about the same thing.
Basically, my question is:
Do i need to have two IPv6 addresses/blocks in order to be able to connect my network to the Internet using Sophos UTM or is it sufficient to just have one?
On this connection I have the block aaaa:bbbb:cccc::/48. That's it. They say that their endpoint is aaaa:bbbb:cccc::1 and I can use every address in that address space.
Other providers also give me an IPv6 address (aaa:bbbb:cccc::1) and also a delegated prefix (dddd:eeee:ffff::/48).These configurations work perfectly fine.
But that one configuration does not.So, the only question I would like to be answered is if both configurations can be used to assign public IPv6 addresses to all clients behind the UTM.
Realistically speaking, one is sufficient as there is no nat going on with ipv6. Your isp gives you a block of up to 2^16 (65536) routable ipv6 subnets. It's up to you how you choose to divvy it up.
Do you have vlans? If so, I'd assign one /64 ipv6 subnet to each. ie a:b:c:1::/64, a:b:c:2::/64, etc..
One of the things I learned when allocation subnets is: think big
You have multiple sites / locations? Reseve one digit just for the site: Routing a /50 or /52 is much easier than enumerating single /64 in case you just coutnted them up.
Different network types (management / office / production / DMZ / visitors)? Reserve a digit. It makes firewall zones mich easier.
For the last, sinche we user RFC1918 nets internally (192.168.x.y) we reserve the last byte before the /64 for the x. So you simply see, which IPv4 space belongs to which IPv6. With 172.16.x.y the same, just other zone.
Our border gateway is also a sohos utm (actually a HA pair) with a /48 from Deutsche Telekom, several Site2Site tunnels, VPN and all that stuff. Works well.
Thanks for your answers.Please bear with me, I still don't fully understand what's going wrong here.Maybe you can explain some basic IPv6 principles to me. Maybe I found how to summarize my problem.
I have one Sophos UTM.Three network interfaces are connected:- eth0 (Internet)- eth1 (LAN 1)- eth2 (LAN 2)
The network space I receive from my provider is 2001:db8:1::/48.As this is the network that is connected to eth0, I assign the IPv6 address 2001:db8:1::2 to eth0 and the prefix length is /48.The provider told me they have the IPv6 address 2001:db8:1::1. So, everything is fine on that interface. (hopefully...)On eth1, I want to have a subnet of this big network, let's say I want to have 2001:db8:1:100::/64 on eth1, with eth1 having the IPv6 address 2001:db8:1:100::1.
On eth2, I want to have another subnet of this big network. The network there is 2001:db8:1:200::/64. The IPv6 address on eth2 is 2001:db8:1:200::1.
A client in the LAN2 network (e.g. 2001:db8:1:200::5) now wants to send a packet to 2001:db8:1:100::39.
The question now is: To which network interface should the UTM send that packet?The destination IPv6 address is part of both the networks on eth0 and eth1.
Or (in other words): the network 2001:db8:1:100::/64 is available both on eth1 (as is) and on eth2 (as part of the bigger network from the provider). Is this a valid configuration? Is it okay that multiple network interfaces take care of the same IP network?
I think, this pretty much summarizes what is unclear to me.With all the other providers, where I get a delegated prefix in addition to my IPv6 IP address and a remote gateway address, the connection is working perfectly fine (as the delegated network is part of another network as the UTM's IPv6 address).
I definitely think that there's some point where I am wrong, but I don't know where that point is. Which part of my setup is wrong? How to solve the issue with the same IP network on multiple interfaces?
Any help or hint would be highly appreciated.