Open IPv6 Issues / questions

- will the fix for issue NUTM-7187 be included with 9.5?

- is there a fix in the works for IPv6 connections where the WAN port is supposed to use an address out of the delegated prefix? Currently users of such ISPs do not get any IPv6 address (for example KPN in the Netherlands).

- what about the ability to change/edit the UID for IPv6 Delegation Requests?

- what about long-standing feature requests such as 6tunnel integration and Let's Encrypt; are those on the roadmap? Users, myself included, had high hopes for 9.5, but this seems to be more than a maintenance release.

 

thank you in advance.

  • Hello Le (And maybe

    I just figured something out, but I am not sure whether it is related to the original problem here.
    I think I can sum it up as: the network definition "Internet IPv6" is unresolved. Therefore I am unable to create a (working) firewall rule to "Internet IPv6".

    Probably because it is not bound to an interface, but I can't assign an interface. In my WAN interface definition it is set as "IPv6 Default GW".
    I found this out while trying to tighten my home security; it was quite open from the internal network to the outside world.

    First I had rule #1 and #3 combined, as well as rule #2 and #4. But while trying to understand what happened I split them both into an IPv4 and an IPv6 rule. So now I have:

    As you can (hopefully :)) see, the small '6' is not displayed in the Internet IPv6 icon, but it is for "Any IPv6". And for IPv4 it also shows the little '4' in the icon.
    What I expect to happen while surfing via IPv6 is that rule #3 is used. Instead, it always used #4.
    For IPv4 it works as I was expecting.

    When I don't enable the Any IPv6 rule, all traffic is dropped by the default rule.

    Any ideas if I can fix this myself?

  • Hi SR,

    Good to hear from you.

    OK, I am not sure what the problem is. Here is what is needed:

    1) I have a script "get-data.sh" which will collect UTM system data. I need, somehow, to give this to you; please let me know how I can send it to you. Thanks.

    2) Do a tcpdump on the interface.

    3) ./get-data.sh ipv6

    4) Collect the data from step 3 and step 2 above.

    5) Send me the collected data.

    Question: Do you know how to turn on tracing in iptables? If yes, please turn it on and capture the iptables trace as well.

    Good luck!
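The two captures asked for above (a tcpdump on the interface plus an iptables/ip6tables trace) put together as an added example; this is not the thread's get-data.sh nor Sophos code. It assumes a reasonably recent Linux kernel where the TRACE target lives in the raw table and nf_log_ipv6 provides the logger, and the interface name, client address and output file are placeholders. It is dry-run by default (the commands are printed, not executed); set DRY_RUN=0 and run as root on the UTM to actually apply them.

```shell
#!/bin/sh
# Added example: enable netfilter TRACE for one IPv6 client on one interface,
# capture the same traffic with tcpdump, and summarise the resulting kernel log.
# Assumptions (not from the thread): interface "eth1", client 2001:db8:1::10 and
# the module/sysctl names are placeholders for a recent Linux kernel.
# DRY_RUN=1 (default) prints the commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Add (-A) or delete (-D) TRACE rules in the raw table for one client address.
# PREROUTING sees packets arriving from the client (forwarded or local-destined),
# OUTPUT sees replies generated by the firewall itself towards the client.
trace_rules() {
    action="$1"; iface="$2"; client="$3"
    run ip6tables -t raw "$action" PREROUTING -i "$iface" -s "$client" -j TRACE
    run ip6tables -t raw "$action" OUTPUT -o "$iface" -d "$client" -j TRACE
}

trace_start() {
    iface="$1"; client="$2"
    # TRACE output goes through the nf_log backend; 10 is PF_INET6 (assumed sysctl name)
    run modprobe nf_log_ipv6
    run sysctl -w net.netfilter.nf_log.10=nf_log_ipv6
    trace_rules -A "$iface" "$client"
}

trace_stop() {
    trace_rules -D "$1" "$2"
}

# The tcpdump invocation to run in parallel: full packets, IPv6 only, to a pcap file
capture_cmd() {
    iface="$1"; outfile="$2"
    printf 'tcpdump -ni %s -s0 -w %s ip6\n' "$iface" "$outfile"
}

# Summarise kernel-log TRACE lines ("TRACE: table:chain:type:rulenum ...") read
# from stdin into a count per table:chain:rule, so the rule that dropped or
# accepted the packet can be read off directly.
trace_summary() {
    sed -n 's/.*TRACE: \([^ ]*\).*/\1/p' | sort | uniq -c
}

# Demo (dry run): the commands one would run on the UTM, in order.
trace_start eth1 2001:db8:1::10
capture_cmd eth1 /tmp/ipv6-trace.pcap
trace_stop eth1 2001:db8:1::10
```

Run the trace and the tcpdump at the same time, reproduce the connection from the client, then feed the kernel log (dmesg or /var/log/kernel.log, whichever the system uses) through trace_summary; the "filter:FORWARD:rule:N" lines show exactly which rule the packet hit, which is the quickest way to tell whether the "Internet IPv6" rule or a later "Any IPv6" rule matched. Remember to run trace_stop afterwards, since TRACE on a busy interface floods the kernel log.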

  • IPv6 works strangely with rules: "Any IPv6 -> Any -> Any IPv6 / Internet IPv6" will not work as expected.

    Putting an interface with a /64 IPv6 subnet in will not allow it "per se".

    I would still like some extra options to hard-lock the prefix that was obtained. My ISP sometimes reboots their router and unfortunately IPv6 comes up last, and the UTM reacts funny (Le has some info on that when he has some time on his hands in the future).

    otherwise i am happy UTM is this far thanks to LE!

    ---

    Sophos UTM 9.3 Certified Engineer

  • Hi Ben,

    according to my daily report IPv6 traffic is passing the UTM.

    Thank you for your assistance.

    Ian

     

    Update: blocks Facebook with tunnel, fails and fails to fall back correctly; strange, when using native the Google home page takes considerable time to load. All fixed when IPv6 is disabled and DHCP IPv6 on the internal interface is disabled.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    You can send it to me via PM or mail: sander [some @ sign ] rutten [a dot here] me ;-)
    I'm not sure how to do iptables traces, but I can run some commands if you have them available for me.

    For the rest, IPv6 is working great. Since your patches it has been running smoothly for me.

  • I have one standing issue with prefix delegation over PPPoE on the current Sophos UTM version. Every few weeks, when my ISP is updating their stuff or doing maintenance, the following happens, where the Sophos UTM changes the delegated IPv6 prefix:

    - ISP reboots their edge routers

    - Reboot completes, PPPoE authentication works again

    - IPv4 comes back up

    - Sophos UTM reconnects, IPv4 works and it tries to rebind the IPv6 prefix

    (ISP router not done rebooting, IPv6 not back up yet)

    - Sophos fails to rebind to the IPv6 prefix a few times

    - Sophos gives up and asks the ISP router for a new IPv6 prefix

    (ISP router is fully back up again, including IPv6)

    - Sophos gets a new IPv6 prefix and everything works again, old prefix lost

     

    Remarks: the old IPv6 prefix will work again if the files in /var/chroot-dhcpc/var/db/ppp0* are replaced with the old files and the UTM is rebooted. So the old prefix is -not- invalid; the Sophos UTM just "gave up" on it due to getting no ISP router reply on the rebind to it.

    Possible solutions (that I can think of): give the IPv6 script more time to rebind the IPv6 prefix, let the user "lock" the IPv6 prefix via the GUI so it will not change, or don't let the Sophos UTM request a new IPv6 prefix "just" because the ISP router is not replying to the rebind. There should be an error on an unsuccessful rebind from the ISP router, I assume.

    ---

    Sophos UTM 9.3 Certified Engineer
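The rebind-versus-solicit decision described in the post above, worked through as an added example; this is not Sophos code and not the thread's script. It assumes the files under /var/chroot-dhcpc/var/db/ppp0* are ISC dhclient DHCPv6 lease files (the layout below follows that format), that the timers mean what RFC 8415 says (T1 = renew, T2 = rebind, max-life = valid lifetime, after which alone a client may start over with Solicit), and the lease text, prefix, DUIDs and timestamps are constructed for the example rather than taken from any real system.

```python
"""Added example: read the IA_PD lease of an ISC dhclient -6 lease file and say
what a DHCPv6 client should be doing at a given time.

Per RFC 8415 sections 18.2.4 and 18.2.5 a client renews at T1, rebinds at T2 and
keeps rebinding until the valid lifetime of the delegated prefix has expired;
only then does it start over with Solicit. The lease text below is constructed
for this example (prefix, DUIDs and timestamps are placeholders).
"""
import re
from dataclasses import dataclass

# Constructed sample in ISC dhclient6 lease-file layout (assumed to be what the
# UTM keeps under /var/chroot-dhcpc/var/db/ppp0*).
SAMPLE_LEASE = r"""
default-duid "\000\001\000\001\035\237\304\237\000\014)\206\323\037";
lease6 {
  interface "ppp0";
  ia-pd 00:00:00:00 {
    starts 1700000000;
    renew 1800;
    rebind 2880;
    iaprefix 2001:db8:abcd::/48 {
      starts 1700000000;
      preferred-life 3600;
      max-life 7200;
    }
  }
  option dhcp6.client-id 0:1:0:1:1d:9f:c4:9f:0:c:29:86:d3:1f;
  option dhcp6.server-id 0:3:0:1:0:11:22:33:44:55;
}
"""


@dataclass
class PdLease:
    interface: str
    prefix: str
    ia_start: int      # epoch seconds the IA_PD was obtained
    t1: int            # "renew": seconds after ia_start
    t2: int            # "rebind": seconds after ia_start
    prefix_start: int  # epoch seconds the prefix lifetimes count from
    preferred: int     # "preferred-life"
    valid: int         # "max-life": the valid lifetime


_IAPD_RE = re.compile(
    r"ia-pd\s+[0-9a-fA-F:]+\s*\{\s*"
    r"starts\s+(?P<ia_start>\d+);\s*renew\s+(?P<t1>\d+);\s*rebind\s+(?P<t2>\d+);\s*"
    r"iaprefix\s+(?P<prefix>[0-9a-fA-F:]+/\d+)\s*\{\s*"
    r"starts\s+(?P<p_start>\d+);\s*preferred-life\s+(?P<pref>\d+);\s*max-life\s+(?P<valid>\d+);",
    re.S,
)


def parse_lease6(text: str) -> PdLease:
    """Return the IA_PD from the last lease6 block (dhclient appends; last wins)."""
    blocks = text.split("lease6 {")
    if len(blocks) < 2:
        raise ValueError("no lease6 block found")
    block = blocks[-1]
    iface = re.search(r'interface\s+"([^"]+)"', block)
    m = _IAPD_RE.search(block)
    if not iface or not m:
        raise ValueError("lease6 block has no parsable ia-pd")
    t1, t2 = int(m["t1"]), int(m["t2"])
    pref = int(m["pref"])
    # T1/T2 of 0 leave the choice to the client; 50% / 80% of the preferred
    # lifetime is the usual choice (RFC 8415 section 21.21 recommendation).
    t1 = t1 or pref // 2
    t2 = t2 or pref * 8 // 10
    return PdLease(iface.group(1), m["prefix"], int(m["ia_start"]), t1, t2,
                   int(m["p_start"]), pref, int(m["valid"]))


def client_state(lease: PdLease, now: int) -> str:
    """Which phase the client should be in at epoch time `now`."""
    if now >= lease.prefix_start + lease.valid:
        return "expired"          # valid lifetime gone: Solicit is now correct
    if now >= lease.ia_start + lease.t2:
        return "rebinding"        # multicast Rebind, keep retrying
    if now >= lease.ia_start + lease.t1:
        return "renewing"         # unicast Renew to the original server
    return "bound"


def rebind_window_left(lease: PdLease, now: int) -> int:
    """Seconds the client may still keep rebinding before the prefix is invalid."""
    return max(0, lease.prefix_start + lease.valid - now)


def next_action(lease: PdLease, now: int, unanswered_rebinds: int) -> str:
    """The failure mode from the post: unanswered Rebinds alone are never a
    reason to Solicit while the prefix is still valid."""
    if client_state(lease, now) == "expired":
        return "solicit"
    return "keep rebinding"       # regardless of unanswered_rebinds


if __name__ == "__main__":
    lease = parse_lease6(SAMPLE_LEASE)
    for offset in (100, 2000, 3000, 5000, 7300):
        t = lease.ia_start + offset
        print(f"+{offset:5d}s {client_state(lease, t):10s} "
              f"rebind window left {rebind_window_left(lease, t):5d}s "
              f"-> {next_action(lease, t, unanswered_rebinds=5)}")
```

With the sample timers the client enters the rebinding phase 2880 s after the lease was obtained and still has 4320 s of valid lifetime in which unanswered Rebinds are the expected situation, which is the window the post says the UTM does not wait out. Diffing `parse_lease6` output for the current and a saved copy of the ppp0 lease file also shows directly whether the prefix actually changed.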

  • Thanks Ben and Le for the script :)
    Ran the script and tcpdump and mailed the output to Le.