This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPv6 not working without masquerading

Hello,

I'm new to this community. So if this questing is in the wrong section or already answered please move it or send me a link.

My problem: IPv6 connection is not working if I disable masquerading for the connection.

My setup:

Firmware version: 9.500-9

 

If I enable the "No NAT" a connection to IPv6 only sites is not possible.

Without the "No NAT" I can access everything but my IP is the one from the external interface.

Please tell me if you need morge information.



This thread was automatically locked due to age.
Parents Reply Children
  • you have double NAT according to the IP Adress of your WAN Interface.

    What Router is in "front" of your UTM? Your Router in front of the sophos needs to support IPv6 prefix delegation, otherwise your IPv6 Subnets won't/can't be routed. 

    The reason it works with masquarading is that the sophos is using its own WAN Ipv6 for the internal clients. This is not nessesarily a bad thing depending on what you want to do, but will not allowed true end to end communication (which is one of the goals of ipv6 of course)

    Also instead of putting NAT rules "no NAT for ipv6" in the sophos, i would suggest you manually make IPv4 Network Definitions for your internal LANs and that way only masquarade your internal IPv4 adresses. 

    ---

    Sophos UTM 9.3 Certified Engineer

  • I wouldn't encourage anybody to use NAT with ipv6. NAT is an ipv4 way of thinking and was developed due to the shortage of ip's available. The sooner we get away from it, the better.

  • It's a Technicolor TC72000 which I got from Unitymedia.

    As I can see a delegated prefix (see my 2nd pixture) I guess the router supports prefix delegation?

    Further more I found out that my config is working if I put my external interface IPv6 to dynamic.

    So my guess is that the Technicolor router doesn't know where to put the replys when I give the interface another IP?

    I'm using Webserver Protection and Remote Access (SSL) with some domains pointing to my "old" external IPv6.

    Does anybody has an idea how to keep using the "old" IPv6 AND disable NAT for IPv6?

    Edit: added an additional address with the "old" IPv6 and changed it on the virtual webservers. Seems to be working atm.

     That's why I want it to work without NAT, with NAT it's working fine.

  • piece of crap "TC7200" doesn't support that, not even sure unitymedia properly supports it (maybe with a fritzbox)

     

    NAT for IPv6 is not that bad depending on what you want to do. As long as you don't have a real static ipv6 prefix, its easier (and probably best practise) to put in local unique IPv6 and NAT it if you are running servers via ipv6. 

    ---

    Sophos UTM 9.3 Certified Engineer