We have Sophos UTM 9.2 with IPv6 enabled. We have 2A02:****:****:400::/56 subnet
Wan interface: 2a02:****:****:401::2/64 Wan gateway: 2a02:****:****:401::1/64 (Mikrotik router to ISP)
Lan interface: 2a02:***x:****:402::1/64
IPv6 works when I assign a static IPv6 address to a Windows 7 client on the lan segment of the UTM. The UTM will route it and I have internet connectivity.
But I want the clients to get the IPv6 address by them self, so I enabled the prefix advertisement on the lan interface. This however isn't working for me.
I can see the clients do router advertisements with wireshark but the UTM doesn't respond. Also when I do a multicast ping to FF02::2 (the all ipv6 routers address) the UTM doesn't respond.
I have also tested this with a Mikrotik router, it does respond to the FF02::2 ping and immediately delegates prefixes.
What can I do to make the IPv6 prefix advertisement to work? And shouldn't the UTM respond to the FF02::2 ping because it's a router?
First question that I can see, do have utm responds to ping enabled? Please provide a screenshot or prefix advertisement setup.
Ian
Hi,
Under Network Protection > Firewall > ICMP these are enabled:
Allow ICMP on Gateway
Allow ICMP through Gateway
Gateway is Ping visible
Ping from Gateway
Gateway forwards Pings
Does a ping on FF02::2 work for you? (ping6 -I eth0 ff02::2)
Prefix advertisement: Interface: Internal DNS 1: 2a02:22a0::1 (provider) DNS 2: 2a02:22a0:ffff:ffff::1 (provider) Domain: empty Valid Lifetime: 30 days Preferred Lifetime: 7 days Other config: checked
The UTMs should reply to ff02::2 pings, and does in our network. I'm getting response of both cluster nodes.
Haven't done anything special. Only difference to our setup seems to be that we use DHCPv6 instead of RA, because, back then when we started to use IPv6, (i think it was) Mac OS X which didn't supported RA back then yet.
Hi Whity, this UTM configuration is wifi only eg no switch. WIFI (Sophos AP10) connects directly to the UTM port, it is the only internal physical connection.
Ian
XGS118 - v21.5.0
XG115 converted to software licence v21.5.0
If a post solves your question please use the 'Verify Answer' button.
I have a MacBook Pro, Wireless (AP 10) and UTM V9.1. Works fine...
Ah, wait. I just remember right now that i made a manual rule for ICPMv6. But that was because i wasn't able to ping IPv6 hosts from outside. Should not affect incoming packages to the UTM, but you can give it a try:
Any > ICMPv6 (T129/C00 Ping Echo Request) > Any Any > ICMPv6 (T128/C00 Ping Echo Reply) > Any
Or, have a look whats going on with tcpdump: # sudo tcpdump -nn icmp6
Quote