Open IPv6 Issues / questions

- will the fix for issue NUTM-7187 be included with 9.5?

- is there a fix in the works for IPv6 Connections where the WAN Port is supposed to use an address out of the delegated prefix? Currently users of such ISPs do not get any IPv6 address. (for esxample KPN netherlands)

- what about the ability to change/edit the UID for IPv6 Delegation Requests?

- what about long standing feature requests such as 6tunnel integration, lets encrypt - is that on the roadmap? Users, myself included had high hopes for 9.5 but this seems to be more than a maintance release.

 

thank you in advance.

Parents
  • Hi Ben, please see my answers inline below:

    Ben said:

    - will the fix for issue NUTM-7187 be included with 9.5?

     [BL]: The fix for NUTM-7187 is not included in this current UTM 9.5 beta version. We are actively working on the fix right now though, so as soon as we have a confirmed fix it will be included in a subsequent release.

    - is there a fix in the works for IPv6 Connections where the WAN Port is supposed to use an address out of the delegated prefix? Currently users of such ISPs do not get any IPv6 address. (for esxample KPN netherlands)

    [BL]: This should be supported today, unless the ISP is doing both stateless & stateful. Is that the case for you? If so, we are fixing that as part of NUTM-7187 as well.

    - what about the ability to change/edit the UID for IPv6 Delegation Requests?

    [BL]: Unfortunately this isn't part of this 9.5 release.

    - what about long standing feature requests such as 6tunnel integration, lets encrypt - is that on the roadmap? Users, myself included had high hopes for 9.5 but this seems to be more than a maintance release.

    [BL]: Lets Encrypt is on our current roadmap, but it's mainly planned as a WAF feature. As for 6tunnel integration, it's currently not planned for any specific release.

     

    thank you in advance.

     

  • Hi Bobby,

    Normally the ISPs router will then request /48 prefix and use a /64 from that prefix for the wan interface and a /64for the lan interface. So there are no other global ipv6 addresses than the ones from that /48.

    On the Sophos UTM, in my case I will only receive a link local IPv6 address via PPPoE. Using a tcpdump I have verified the UTM is not sending out a prefix request after the PPPoE has been established. Is it waiting for a advertised IPv6 address for the WAN interface first before it will do this? Because in this case it will never get it... And thus a IPv6 prefix will never be requested.

    If you want to have a look at my Sophos VM, or need some tcpdumps of the PPPoE setup let me know!

    Rene

  • Hi Rene,

       Thanks so much for your help and also for letting me debug the system.

       The reason for no default route on your system is that no router responds to the RS request on the ppp0 interface.

       The system (fe80::2a31:52ff:fe59:9fa6) on the other end of ppp0 connection does not respond at all to RS on ppp0. Also, it does not send out

       regular RA. So no default route for ppp0 is a reasonable thing.

       But this system (....:9fa6) serves as DHCPv6 server, i.e. it will dish out PD if request.

       UTM's behavior wrt to "no default route" is correct.

       Will update more tomorrow.

       Thanks Rene. Your help is much appreciated.

     

    Edited: rdisc6, radvdump can be used to send out RS on ppp0 and see what happens. Thx.

      

  • Hi Le,

    Thanks for the efforts troubleshooting. I indeed already noticed that there are no RAs in my situation. Even with the capture I made when using the ISPs supplied box it did not send any RAs

     

    # rdisc6 ppp0
    Soliciting ff02::2 (ff02::2) on ppp0...
    Timed out.
    Timed out.
    Timed out.
    No response.

     

  • OK and Thanks Rene.

    Can I use your system for another day or two? Thanks.

  • Hi Le,

    I see you have been rebooting my UTM a few times the last days and assume you are still working on the issue? Do you have any updates? Could you share with us what you are working on?

     

    Regards,

    René

  • Have 6 tunnel and native on UTM waiting for 6 tunnel and native on XG.

    Native 6 is no longer a high priority because the progressive ISP was taken over by a regressive ISP.

    But, when the NBN arrives I might change ISPs to one that assigns native 6 to home users.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Le has been quite busy yeah :)
    Many many reboots later, I think that he completely solved my problems. IPv6 after a reconnect or reboot takes about a minute before it is working, after that everything is now okay.

    Le is still monitoring my UTM and rebooting it a few times. Maybe some small adjustments or just to see if everything keeps working.

  • Le has been busy on a test sophos i provided. the nightly pppoe auto reconnect breaks ipv6 every time with the latest patch. he is investigating why that does happen.

    two thumbs up, he wants to do a proper patch that fixes all problems and doesn't leave us with any bugs.

    ---

    Sophos UTM 9.3 Certified Engineer

  • Hi All,

       Sorry for not updating the progress since I am busy finalizing all the changes, i.e. making sure it is really well done.

       Thanks for all of your help.

       Quick Summary:

       1) SanderRutten system: everything is good to go

       2) Rklomp system: Same as 1

       3) Ben system: There is one small issue that I just put another newer rpm on it to see if it can resolve this issue (RA is not automatically sent by router - this is the hypothesis: to be confirmed by the reconnect by 4:00AM Ben's time).

       Once Ben system is good to go, then at lease the issue of "reboot and reconnect" is fixed for PPPoE connection.

       Thanks and sorry about the delayed update.

Reply
  • Hi All,

       Sorry for not updating the progress since I am busy finalizing all the changes, i.e. making sure it is really well done.

       Thanks for all of your help.

       Quick Summary:

       1) SanderRutten system: everything is good to go

       2) Rklomp system: Same as 1

       3) Ben system: There is one small issue that I just put another newer rpm on it to see if it can resolve this issue (RA is not automatically sent by router - this is the hypothesis: to be confirmed by the reconnect by 4:00AM Ben's time).

       Once Ben system is good to go, then at lease the issue of "reboot and reconnect" is fixed for PPPoE connection.

       Thanks and sorry about the delayed update.

Children