Open IPv6 Issues / questions

- will the fix for issue NUTM-7187 be included with 9.5?

- is there a fix in the works for IPv6 Connections where the WAN Port is supposed to use an address out of the delegated prefix? Currently users of such ISPs do not get any IPv6 address. (for example KPN Netherlands)

- what about the ability to change/edit the UID for IPv6 Delegation Requests?

- what about long standing feature requests such as 6tunnel integration, Let's Encrypt - is that on the roadmap? Users, myself included, had high hopes for 9.5 but this seems to be more than a maintenance release.

thank you in advance.

  • Hi Ben, please see my answers inline below:

    Ben said:

    - will the fix for issue NUTM-7187 be included with 9.5?

     [BL]: The fix for NUTM-7187 is not included in this current UTM 9.5 beta version. We are actively working on the fix right now though, so as soon as we have a confirmed fix it will be included in a subsequent release.

    - is there a fix in the works for IPv6 Connections where the WAN Port is supposed to use an address out of the delegated prefix? Currently users of such ISPs do not get any IPv6 address. (for example KPN Netherlands)

    [BL]: This should be supported today, unless the ISP is doing both stateless & stateful. Is that the case for you? If so, we are fixing that as part of NUTM-7187 as well.

    - what about the ability to change/edit the UID for IPv6 Delegation Requests?

    [BL]: Unfortunately this isn't part of this 9.5 release.

    - what about long standing feature requests such as 6tunnel integration, Let's Encrypt - is that on the roadmap? Users, myself included, had high hopes for 9.5 but this seems to be more than a maintenance release.

    [BL]: Let's Encrypt is on our current roadmap, but it's mainly planned as a WAF feature. As for 6tunnel integration, it's currently not planned for any specific release.

     

    thank you in advance.

     

  • three things i forgot to ask:

    - RED (sophos to sophos, red device to sophos) over IPv6 only?  - pleaassseee! :-) 

    - Ability/Option to disable IPv6 for the SMTP Proxy -> When enabling IPv6, E-Mails being sent out will go over IPv6 if the Target MX Entry has an AAAA entry. We only want to use IPv6 for Websurfing, VPN etc. not for SMTP yet until it is properly assigned and managed

    - On our main business UTM we received a static IPv6 and Prefix from our Provider. The UTM does not have the ability/option to manually enter a Prefix that is statically assigned, if addresses out of the static prefix pool are "just" used, they won't have a route. Is this feature possible or non-standard?

    ---

    Sophos UTM 9.3 Certified Engineer

  • Hi Ben,

    your last statement is correct for this version, something in 9.5 IPv6 is broken. DHCP does not work because it wants a setting which worked in 9.4. In 9.5 using advertisement my wifi card is assigned two IPv6 addresses from my /64 range.

    Maybe I should start a bug report on DHCP and IPv6?

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • Hi rfcat_vk:

     

    Are you saying something was working in 9.4 (e.g. 9.411), but is now broken in 9.5? That's definitely not our intention, so I would like to better understand what's not working.

     

    You mentioned there's a setting which worked in 9.4, which setting is that exactly? Were you not getting 2 IPv6 addresses using the same setup in 9.4?

     

    Any additional info you can provide will really help us track down if something indeed changed in 9.5 or not.

     

    Thanks!

  • Let me try to explain.

    Under 9.4 you needed advertisement as well as DHCP to have control over your IPv6 address allocations.

    Under 9.5 you can have DHCP which does not assign an address but gives you a warning that a flag needs to be set, but there is no option to set the flag.

    Or you use advertisement which does not allow you control over your address assignments. I have a /48 which I have used a /64 for one interface. Instead of getting one address (real IPv6) per interface I get two within the /64 range. I am using a home licence with a limit of 50 IP addresses so I am quite concerned if suddenly all my devices get two additional addresses instead of 1. While I am not near my limit it is disturbing that each device is assigned 3 IP addresses, so 16 devices takes you to your licence limit.

    Is that plain enough or do you need more details?

     

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • on ipv6 prefix advertisement set preferred lifetime to 15 min, valid lifetime to 1 hour (or other way around)

    that way the leases won't count for too long.

    also +1 on removing the user limit on ipv6 connections for home user licence, it's not practicable, neither for business uses (1x ipv4, 2-4x ipv6)

    i use stateless only and deactivate privacy extension on the endpoints, ubuntu linux for example always pulls the same ipv6 via SLAAC.

    ---

    Sophos UTM 9.3 Certified Engineer

  • Ben, I never asked or even implied I was suggesting removing the home licence IP limit, not sure how you worked that out from my post?

    I was commenting using advertisement very quickly adds addresses to the count.

    I just fixed the IPv6 DHCP and advertisement issue, now I will change the lease time as you suggested because my IPv6 devices now have 3 addresses.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA
