
WAF and IPv6

Hi!

I have a problem with my WAF setup and IPv6.

When I try to reach my WAF-protected web site from outside via IPv6, I get nothing in the WAF log, but the firewall log shows lots of dropped packets like this one:
2013:10:29-12:42:53 vpn ulogd[4597]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="" dstmac="" proto="6" length="68" srcip="" dstip="" hlim="57" srcport="55554" dstport="443" tcpflags="SYN"


The UTM has a valid public IPv6 address on the WAN interface (native, no tunnel broker); the real web server has a unique local address (ULA).

With IPv4 it's working fine.

WAF setup:
  

According to the UTM Online Help the "Web Application Protection" is IPv6 capable.

Any idea what's wrong here?
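As an added example (not part of the original post and not Sophos UTM code): a small Python parser for the ulogd packetfilter line format shown above. It flags dropped TCP SYNs to port 443 and groups them by fwrule, so you can tell at a glance whether the packet filter is eating the IPv6 connections before the WAF listener ever sees them, and which rule number to look up in ip6tables. The sample lines are constructed: the first is the drop line from the post (with the blank addresses exactly as posted), the other two are made up for contrast. The detail that UTM writes hlim= for IPv6 and ttl= for IPv4 is my assumption, used only when the address fields are empty.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample input. Line 1 is the drop from the post above (srcip/dstip
# are empty there, as posted); lines 2 and 3 are made up so the filter has an
# IPv4 drop to another port and an accepted IPv6 connection to ignore.
SAMPLE_LOG = [
    '2013:10:29-12:42:53 vpn ulogd[4597]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" '
    'srcmac="" dstmac="" proto="6" length="68" srcip="" dstip="" hlim="57" '
    'srcport="55554" dstport="443" tcpflags="SYN"',
    '2013:10:29-12:43:10 vpn ulogd[4597]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" '
    'srcmac="" dstmac="" proto="6" length="60" srcip="203.0.113.7" dstip="198.51.100.2" '
    'ttl="54" srcport="40000" dstport="23" tcpflags="SYN"',
    '2013:10:29-12:43:12 vpn ulogd[4597]: id="2002" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" '
    'srcmac="" dstmac="" proto="6" length="68" srcip="2001:db8::1" dstip="fd00::10" '
    'hlim="57" srcport="55555" dstport="443" tcpflags="SYN"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')          # key="value" pairs, value may contain spaces
HEAD_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+):\s')  # timestamp, host, process[pid]


def parse_ulogd(line: str) -> Dict[str, str]:
    """Turn one ulogd packetfilter line into a dict of its key="value" fields.

    Empty values (srcip="") are kept as empty strings rather than dropped, so a
    blank or redacted address is still visible to the caller. The leading
    timestamp, host and process are stored under '_ts', '_host' and '_proc'.
    """
    fields = dict(KV_RE.findall(line))
    head = HEAD_RE.match(line)
    if head:
        fields["_ts"], fields["_host"], fields["_proc"] = head.groups()
    return fields


def is_ipv6(fields: Dict[str, str]) -> bool:
    """Decide whether a parsed packet is IPv6.

    Addresses are authoritative when present. When both are blank (as in the
    posted line) fall back on the ASSUMPTION that UTM logs the IPv6 hop limit
    as hlim= and the IPv4 TTL as ttl=.
    """
    src, dst = fields.get("srcip", ""), fields.get("dstip", "")
    if ":" in src or ":" in dst:
        return True
    if "." in src or "." in dst:
        return False
    return "hlim" in fields and "ttl" not in fields


def dropped_syns(lines: Iterable[str], dport: str = "443",
                 v6_only: bool = True) -> List[Dict[str, str]]:
    """Return the parsed fields of every TCP SYN to dport that the packet filter dropped.

    A SYN dropped here never reaches the WAF process, so these are exactly the
    connections that will be missing from the WAF log.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        f = parse_ulogd(line)
        if f.get("sub") != "packetfilter" or f.get("action") != "drop":
            continue
        if f.get("proto") != "6" or f.get("dstport") != dport:
            continue
        if "SYN" not in f.get("tcpflags", "").split():
            continue
        if v6_only and not is_ipv6(f):
            continue
        hits.append(f)
    return hits


def drops_by_rule(hits: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count drops per fwrule; the number is what to look for in ip6tables output."""
    return dict(Counter(h.get("fwrule", "?") for h in hits))


if __name__ == "__main__":
    found = dropped_syns(SAMPLE_LOG)
    for h in found:
        print(f"{h['_ts']} {h['initf']} rule={h['fwrule']} "
              f"sport={h['srcport']} -> dport={h['dstport']} v6={is_ipv6(h)}")
    print("drops per rule:", drops_by_rule(found))
```

Run it against a copy of /var/log/packetfilter.log instead of SAMPLE_LOG (pass `open(path)` to `dropped_syns`) to see whether every IPv6 SYN to 443 is hitting the same rule; if they all land on one rule while the IPv4 SYNs are accepted, the problem is in the IPv6 filter chain rather than in the WAF configuration.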


  • I didn't know that WAF was supposed to work with IPv6. 

    Cheers - Bob

    Sorry for any short responses.  Posted from my iPhone.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi, 

    You should open a support case with your reseller or Premium support.

    You could also look at the output of 
    iptables -n -L
    and/or
    ip6tables -n -L
    and see if you can find the INPUT rules for port 443.

    Barry
  • Bob, according to the Online Help (Interfaces & Routing -> IPv6) WAF is IPv6 ready...

    Barry, it's a home setup, no reseller or premium support here... ;-)

    But: It works now! I found out that my special setup suffers from an IPv6 bug in UTM. I have a FritzBox in front of my UTM (so basically a double NAT setup) because of VoIP. The FritzBox assigns IPv6 addresses via DHCPv6 (IA_NA) by default. According to trollvottel the UTM has a bug where it does not keep the new address after a lease renewal.

    So I changed the FritzBox to only delegate the IPv6 prefix (IA_PD), now it works.

    ----------
    Sophos user, admin and reseller.
    Private Setup:

    • XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)
    • UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)