
IPv6 broken

I run a UTM and have had stable, native IPv6 across 3 internal VLANs for quite some time. However, after some of the recent firmware updates, the UTM now refuses to connect the WAN interface via IPv6. Nothing else has changed, my UTM config has been stable for some time, but after any reconnection of the WAN interface for any reason (manual reconnect, reboot, reboot after firmware update, ISP blip, etc.) I lose all internet connectivity.

Looking at my interfaces, all LAN interfaces show IPv6 addresses correctly but the WAN interface simply won't pick up its address... to the point where the interface is shown as DOWN and there is no connectivity whatsoever across IPv6 or IPv4.

A combination of black magic, wearing yellow underpants and chanting seems to bring it back... seriously, it's some unknown combination of forcing the connection to reset, rebooting the UTM and disabling/enabling IPv6 that will bring it back. But only until the connection resets and then boom, no internet again.

I've been forced to disable IPv6 permanently on my network because this is a massive issue. Other similar sounding posts talk about having to rebuild the WAN interface but that's a massive job, isn't it?

Does anyone have any suggestions? Should I start from scratch, clean install UTM and then reload my current config or will that not help? Any help would be appreciated as it's a real pain as it currently stands.



  • Great updates, glad to see it's not just me! Am I right in reading that all versions of Sophos home software don't do PPPoE-based IPv6 anymore... i.e. it's broken on UTM and XG? I was toying with the idea of upgrading to the XG but if it doesn't work there either then there's not much point.

  • It's not broken on XG, it's just not implemented as far as I understand.

    On UTM it's working for me, I had a developer putting much effort into it, only minor stuff that sometimes breaks, YMMV.

    ---

    Sophos UTM 9.3 Certified Engineer

  • I'm on PPPoE with Zen, and can connect with IPv6, as said above the only issue I have at the moment is IPv6 needing a bounce once the firewall has been rebooted.

     

    Tim Grantham

    Enterprise Architect & Business owner

  • Hi,

    There is no difference between the home use and the commercial software; they are both installed from an ISO. The difference is in what the home licence allows you to do.

    IPv6 was working for me before I changed the hardware to run the beta XG and now having rebuilt the UTM twice I cannot get the PPPoE IPv6 to pass traffic. I mean it does not pass either 4 or 6 and nothing shows in the logs that I can see other than large quantities of DNS requests.

     

    @Ben, are you using NAT for your IPv6 on PPPoE?

     

    Ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Same here. I've been playing this morning and the only way I can now get IPv6 working is to drop my modem back into router mode and double NAT IPv4 and NAT IPv6, which is far from ideal. Enabling IPv6 via the UTM just hangs my WAN connection and I get no link out to the internet across IPv4 or IPv6. That properly sucks given that it all used to work perfectly; I'm massively disappointed.

  • No NAT necessary since the IPv6 fix 2 months ago and the private patches before.

    ---

    Sophos UTM 9.3 Certified Engineer

  • It has to be a configuration issue as I have no issues with PPPoE and IPv6 working on my setup.

     

    Can you provide more details of your configuration please?

     

    Here are some screenshots of how I have my UTM configured.

    Tim Grantham

    Enterprise Architect & Business owner

  • Hi guys,

    Some deep and meaningful investigation has found the cause of the failure after enabling IPv6.

    I found the NTP test would work, but nothing else, then the log being full of DNS requests finally hit me. Did a test from the UTM of the traceroute function and one of the interfaces that was offered was one of my ISP's mail servers, strange as that is not configured on my UTM. So I disabled the 'use ISP DNS' and added Google 4/6 DNS entries and I am back online with IPv6 enabled.

    I suspect the failure has to do with DNS selection order regardless of how they are displayed because my ISP provides an fe80:: DNS and gateway.

    Hope this information helps.

    Testing IPv6 still fails.

     

    Ian

    Some of the logic is slightly flawed but the end results are correct.

    More information. The fe80 which is the ISP gateway is also the ISP DNS6 entry. So not sure how or why the UTM pulls the DNS6 value from?

    More stuff. Telstra's DNS6 routers fail DNSSEC, so I have disabled that on the DNS tab.

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.
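
An added example, not part of the original thread: a small check for the condition described in the post above, an ISP-supplied resolver that is a link-local `fe80::` address. Link-local addresses are only meaningful together with an interface scope, so the script flags resolver entries that lack one; the resolver list and the `ppp0` interface name are constructed for illustration.

```python
import ipaddress

# Constructed sample: resolver entries as a PPPoE/DHCPv6 client might learn them.
SAMPLE_RESOLVERS = [
    "fe80::1",               # link-local, no interface scope
    "fe80::1%ppp0",          # link-local with a scope (hypothetical interface)
    "2001:4860:4860::8888",  # Google public DNS (IPv6)
    "8.8.8.8",               # Google public DNS (IPv4)
    "not-an-address",        # malformed entry
]


def classify_resolver(entry):
    """Return (status, detail) for a single resolver entry."""
    # Split off an optional zone/scope id ("fe80::1%ppp0") by hand so the
    # check does not depend on the Python version's scoped-address support.
    addr_text, _, zone = entry.partition("%")
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return ("invalid", "not an IP address")
    if addr.version == 6 and addr.is_link_local:
        if zone:
            return ("link-local-scoped", "reachable only via interface " + zone)
        return ("link-local-unscoped", "no interface scope, ambiguous on a multi-interface host")
    return ("ok", "IPv%d resolver" % addr.version)


def audit(entries):
    """Return the entries that need attention: malformed or unscoped link-local."""
    flagged = []
    for entry in entries:
        status, _ = classify_resolver(entry)
        if status in ("invalid", "link-local-unscoped"):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for entry in SAMPLE_RESOLVERS:
        status, detail = classify_resolver(entry)
        print("%-24s %-20s %s" % (entry, status, detail))
    print("needs attention:", audit(SAMPLE_RESOLVERS))
```
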

  • So previously I wasn't using dynamic IP assignment on the WAN so I changed that and IPv6 came back. I then pushed my luck with a UTM reboot and IPv6 did come back, eventually, but it took about 5 mins for it to sort itself out and I'm getting some weird ICMP behaviour that I've not got time to diagnose (basically IPv6 tests are showing that ICMP is filtered all of a sudden on certain vlans and not on others even though my fw rules haven't changed).

     

    fe80 addresses on the gateway are ok though - that's normal for IPv6 networks.

  • Hi,

    The FE80 as a gateway is not of concern, but the same address as the IPv6 DNS is, considering that Telstra has separate DNS for all other networks. I think the UTM is picking up the wrong information from the PPPoE connection.

    Ian

    Looking at the web logs I see a lot of IPv6 timeouts and fallback to IPv4, so that is why the screen takes so long to load. Also I see tunnel failures; now the configuration I restored had a SixXS and a HE tunnel which appear to be active even though disabled. I have never been able to work out how to remove a tunnel, the configuration shows in the IPv6 tabs even when disabled.

    Ian

    Update. Fresh build coming with a completely new configuration.

     

    Fresh build 9.503 and a new configuration with Ben's patch. After much fiddling got a /56 and /128. But still fails whatismyipv6 address testing. At this stage I have not needed to modify the DNS settings.

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Update: forcing a static address on the WAN keeps things relatively stable now. A restart after the latest fw update failed to load an IPv6 gateway address so IPv6 still failed (but at least IPv4 routes were still available); a quick reconnect and it was back up so it's not the end of the world, just a bit buggy. I've since discovered pfSense so I'm slowly beginning the migration; this has left a bad taste for me I'm afraid.