IPv6 not working without masquerading

I'm guessing you have web protection enabled. Disable ipv6 on web protection by only allowing ipv4 to access the web filter.

Make sure your nat rules only allow for ipv4 as well.

Web protection is not enabled.

Shouldn't e "No NAT" for my INT_IPv6 exclude it from beeing natted?

you have double NAT according to the IP Adress of your WAN Interface.

What Router is in "front" of your UTM? Your Router in front of the sophos needs to support IPv6 prefix delegation, otherwise your IPv6 Subnets won't/can't be routed. 

The reason it works with masquarading is that the sophos is using its own WAN Ipv6 for the internal clients. This is not nessesarily a bad thing depending on what you want to do, but will not allowed true end to end communication (which is one of the goals of ipv6 of course)

Also instead of putting NAT rules "no NAT for ipv6" in the sophos, i would suggest you manually make IPv4 Network Definitions for your internal LANs and that way only masquarade your internal IPv4 adresses. 

you have double NAT according to the IP Adress of your WAN Interface.

What Router is in "front" of your UTM? Your Router in front of the sophos needs to support IPv6 prefix delegation, otherwise your IPv6 Subnets won't/can't be routed. 

The reason it works with masquarading is that the sophos is using its own WAN Ipv6 for the internal clients. This is not nessesarily a bad thing depending on what you want to do, but will not allowed true end to end communication (which is one of the goals of ipv6 of course)

Also instead of putting NAT rules "no NAT for ipv6" in the sophos, i would suggest you manually make IPv4 Network Definitions for your internal LANs and that way only masquarade your internal IPv4 adresses. 

I wouldn't encourage anybody to use NAT with ipv6. NAT is an ipv4 way of thinking and was developed due to the shortage of ip's available. The sooner we get away from it, the better.

It's a Technicolor TC72000 which I got from Unitymedia.

As I can see a delegated prefix (see my 2nd pixture) I guess the router supports prefix delegation?

Further more I found out that my config is working if I put my external interface IPv6 to dynamic.

So my guess is that the Technicolor router doesn't know where to put the replys when I give the interface another IP?

I'm using Webserver Protection and Remote Access (SSL) with some domains pointing to my "old" external IPv6.

Does anybody has an idea how to keep using the "old" IPv6 AND disable NAT for IPv6?

Edit: added an additional address with the "old" IPv6 and changed it on the virtual webservers. Seems to be working atm.

Louis-M That's why I want it to work without NAT, with NAT it's working fine.

piece of crap "TC7200" doesn't support that, not even sure unitymedia properly supports it (maybe with a fritzbox)

NAT for IPv6 is not that bad depending on what you want to do. As long as you don't have a real static ipv6 prefix, its easier (and probably best practise) to put in local unique IPv6 and NAT it if you are running servers via ipv6. 

Nice answer :)