This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unable to disable IPv6 NAT

So I finally have an Internet connection with IPv6 addressing and thought I had everything setup correctly. I'm able to get to IPv6 sites without a problem however I'm unable to disable the NAT. I changed the masquerading rule to only NAT v4 stuff like so:

However when I go to any test site (or my own server for that matter) I always get the "Native over WAN" address of my Sophos box rather than the actual IP of the machine behind it:

When I do an IP config on my laptop I can see that I have an address from the delegated prefix:

Is there something else I need to do to fully disable the IPv6 NAT? Thanks!!

This thread was automatically locked due to age.

Parents

0 DavisDarvish over 8 years ago

It is your web protection i believe. If you disable web protection you should not have that issue anymore...
Cancel
Vote Up 0 Vote Down

Cancel
0 danodemano over 8 years ago in reply to DavisDarvish

Just tried disabling the web protection as a test. With it shut off IPv6 doesn't work at all. That's not a solution anyway, I don't want to disable the web protection...
Cancel
Vote Up 0 Vote Down

Cancel
0 DavisDarvish over 8 years ago in reply to danodemano

sorry i should have been a little more clear... clearly you have a ipv6 configuration error but web filtering IS the reason why you dont see the computers individual ip address. i was suggesting turning it off just to show that it is indeed the reason.. you can still have it enabled and have it show your source IP but it will take a bit more configuration involving certificates and making sure each computer gets issuesd the certs .. there is even a note about it on the page ...

'Full transparent mode is only available when running in Bridged mode. This option will preserve the source IP addresses after they pass through the Web Filter.'
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 DavisDarvish over 8 years ago in reply to danodemano

sorry i should have been a little more clear... clearly you have a ipv6 configuration error but web filtering IS the reason why you dont see the computers individual ip address. i was suggesting turning it off just to show that it is indeed the reason.. you can still have it enabled and have it show your source IP but it will take a bit more configuration involving certificates and making sure each computer gets issuesd the certs .. there is even a note about it on the page ...

'Full transparent mode is only available when running in Bridged mode. This option will preserve the source IP addresses after they pass through the Web Filter.'
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 danodemano over 8 years ago in reply to DavisDarvish

DavisDarvish said:

sorry i should have been a little more clear... clearly you have a ipv6 configuration error but web filtering IS the reason why you dont see the computers individual ip address.

I'm aware I have a configuration error, that's why I came here for assistance. As I mentioned when I turned off the web filter for a test I cannot browse via IPv6 at all.

DavisDarvish said:

you can still have it enabled and have it show your source IP but it will take a bit more configuration involving certificates and making sure each computer gets issuesd the certs

I'm willing to work through the additional configs, but I want to make sure it's going to work properly before doing so.

So what do you suggest I do next?
Cancel
Vote Up 0 Vote Down

Cancel
0 DavisDarvish over 8 years ago in reply to danodemano

can you share with us the definition u made for internal ipv4 network in the masquerade settings?
i want to confirm it is 192.168.9.0/24
Cancel
Vote Up 0 Vote Down

Cancel
0 danodemano over 8 years ago in reply to DavisDarvish

DavisDarvish said:
can you share with us the definition u made for internal ipv4 network in the masquerade settings?
i want to confirm it is 192.168.9.0/24

As requested yes, it is 192.168.9.0/24:
Cancel
Vote Up 0 Vote Down

Cancel
0 DavisDarvish over 8 years ago in reply to danodemano

Well im not sure but if you wanna jump on a google hangouts or skype session id be happy to share my screen and we can compare settings to see if that makes a difference
Cancel
Vote Up 0 Vote Down

Cancel
0 dms over 7 years ago in reply to danodemano

Did you ever get to the bottom of this as I have the same issue?
Cancel
Vote Up 0 Vote Down

Cancel
0 danodemano over 7 years ago in reply to dms

Nope, still natted. :/
Cancel
Vote Up 0 Vote Down

Cancel
+1 Ben over 7 years ago in reply to danodemano

this is not a bug, its a feature

you are using the proxy through web protection, so the sophos utm acts as a proxy and filters the websites

its technically not possible that the sophos acts on behalf of your clients IPv6 while still using web protection/proxy.

This is how it is supposed to be.

---

Sophos UTM 9.3 Certified Engineer
Cancel
Vote Up 0 Vote Down

Cancel
0 dms over 7 years ago in reply to Ben

I did a bit of playing last night and now have my IPv6 traffic non-natted having tweaked my NAT rules (I don't use web filtering). But when I do switch on filtering, as a test, NATting comes straight back again. So I agree, it's a feature of web filtering.
Cancel
Vote Up 0 Vote Down

Cancel
0 danodemano over 7 years ago in reply to Ben

Well that's pretty annoying.
Cancel
Vote Up 0 Vote Down

Cancel
0 Ben over 7 years ago in reply to danodemano

why is it annoying?

as i explained, using a proxy comes with also having its IP adress in use, there is no way around that!

technically speaking using a proxy has nothing to do with NAT - at all -

---

Sophos UTM 9.3 Certified Engineer
Cancel
Vote Up 0 Vote Down

Cancel