Open IPv6 Issues / questions

- will the fix for issue NUTM-7187 be included with 9.5?

- is there a fix in the works for IPv6 connections where the WAN port is supposed to use an address out of the delegated prefix? Currently users of such ISPs do not get any IPv6 address. (for example KPN Netherlands)

- what about the ability to change/edit the UID for IPv6 Delegation Requests?

- what about long standing feature requests such as 6tunnel integration, Let's Encrypt - is that on the roadmap? Users, myself included, had high hopes for 9.5 but this seems to be more than a maintenance release.

thank you in advance.

Parents
  • Hi Ben, SanderRutten and Rene,

       I just merged the fix for the PPPoE issue from the 9.4 release into the 9.5 release. The testing on 9.4 is going fine.

       I just wonder if you fellows would allow me to test the fix for 9.5 on your 9.5 UTM. If yes, please let me know the login parameters.

       Thanks Fellows!

  • Hi Le!

    I will update the production machine to 9.5 in that case, the one that you had access to before. Will send you a PM as soon as that is done. If you leave the patch in /home/login after installing, I will also install it on another machine I have running.

    ---

    Sophos UTM 9.3 Certified Engineer

  • Hi Ben,

       Thanks for the heads up on the HA scenario. There is no such thing as minor. Please bring them up as you see them. Thanks!

       I am not sure about the requirement for the HA scenario as yet. Let me dig up and see what UTM is supposed to do vs what UTM is currently doing. Will update ASAP.


    Note: Sorry I have not been able to use your system since I am stuck with few critical items.

    Can you give me a time slot that I can try the new patch on your system? Thanks Ben!

  • Hi Le,

    Thanks for the update and info again! I will play around with HA again, but it seemed it didn't take over the prefix from master to slave. I will test with the production Sophos as soon as possible.

    Time slot: all weekends, non-school hours during the week (7.30am to 5pm GMT+1 is school times). So from now 10 hours later you can do what you have to do :) 


    Ben

    ---

    Sophos UTM 9.3 Certified Engineer

  • Le,

    from now and the next 13 hours would be no problem. Same goes for the next few days.

    ---

    Sophos UTM 9.3 Certified Engineer

  • Since I am now on holiday and have a little more time on my hands:

    - the IPv6 patch from Le is working great, 12 days of connectivity here on my test box via IPv6 and PPPoE

    Completely unrelated to IPv6 via PPPoE: I have been trying to get IPv6 working on a friend's "Deutsche Glasfaser" connection. They are using 6rd, which is kind of evil I think, but we managed to get it working on this WAN interface, also with additional addresses and WAF/VPN working! What is not working is his clients getting "out". We tried various things (including using masquerading, which normally works); a traceroute would always end at the IPv6 address of his internal interface. I suspect an additional route is probably missing. Can anybody point me in the right direction here, please?

    ---

    Sophos UTM 9.3 Certified Engineer

  • In the 9.502 changelog I don't see any IPv6 related changes, so I assume that the patch didn't make it in time?

  • Hi SanderRutten,

       No it is not yet in the release since currently it is in QA cycle. Will let you know ASAP. Thanks for helping us out!

  • I noticed in 9.503-4 there is a fix:

    [Network] Prefix Delegation does not work correctly during a PPPoE reconnect

    is this the implementation of this patch?

    ---

    Sophos UTM 9.3 Certified Engineer

  • Yes, it is.

    Thanks for your help and patience!

  • Hello Le (And maybe

    I just figured something out, but not sure if it is related to the original problem here.
    I think I can sum it up as: Network definition "Internet IPv6" is unresolved. Therefore I'm unable to create a (working) firewall rule to "Internet IPv6".

    Probably because it is not bound to an interface, but I can't assign an interface. In my WAN interface definition it is set as "IPv6 Default GW".
    I found this out while trying to tighten my home security; it was quite open from the internal network to the outside world.

    First I had rule #1 and #3 combined, as well rule #2 and #4. But while trying to understand what happened I split them both in an IPv4 and an IPv6 rule. So now I have:

    As you can (hopefully :)) see: the small '6' is not displayed in the Internet IPv6 icon, but it is for "Any IPv6". And for IPv4 it also shows the little '4' in the icon.
    What I expect to happen while surfing via IPv6 is that rule #3 is used. Instead it always used #4.
    For IPv4 it works as I was expecting.

    When I don't enable the Any IPv6 rule, all traffic is dropped by the default rule.

    Any ideas if I can fix this myself?

  • Hi SR,

       Good to hear from you.

       OK, I am not sure what the problem is. Here is what is needed:

       1) I have a script "get-data.sh" which will collect UTM system data. I need, somehow, to give this to you; Please let me know how I can send it to you. Thanks

       2) Do a tcpdump on the interface

       3) ./get-data.sh  ipv6

       4) Collect the data from step 3 and step 2 above

       5) Send me the collected data


       Question: Do you know how to turn on tracing in iptables? If yes, please turn it on and capture the iptables trace as well.

        Good luck!


Children
  • Hi,

    You can send it to me via PM or mail: sander [some @ sign ] rutten [a dot here] me ;-)
    I'm not sure how to do iptables traces, but I can run some commands if you have them available for me.

    For the rest, IPv6 is working great. Since your patches it has been running smoothly for me.

  • I have one standing issue with Prefix Delegation over PPPoE on the current Sophos UTM version. Every few weeks, when my ISP is updating their stuff or doing maintenance, the following happens, where the Sophos UTM will change the delegated IPv6 prefix:

    - ISP reboots their Edgerouters

    - Reboot completes, PPPoE Authentication works again

    - IPv4 comes back up

    - Sophos UTM reconnects, IPv4 works and tries to rebind IPv6 Prefix

    (ISP Router not done rebooting, IPv6 not back up yet)

    - Sophos fails to rebind to IPv6 Prefix a few times

    - Sophos gives up and asks ISP Router for a new IPv6 Prefix

    (ISP Router is fully back up again including IPv6)

    - Sophos gets a new IPv6 Prefix and everything works again, old prefix lost

    Remarks: the old IPv6 prefix will work again if the files in /var/chroot-dhcpc/var/db/ppp0* are replaced with the old files and the UTM is rebooted. So the old prefix is -not- invalid; the Sophos UTM just "gave up" on it due to getting no ISP router reply on the rebind to it.

    Possible solutions (that I can think of): give the IPv6 script more time to rebind the IPv6 prefix, let the user "lock" the IPv6 prefix via the GUI so it will not change, don't let the Sophos UTM request a new IPv6 prefix "just" because the ISP router is not replying to the rebind. There should be an error on an unsuccessful rebind from the ISP router, I assume.

    ---

    Sophos UTM 9.3 Certified Engineer
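The sequence Ben describes above (REBIND unanswered while the ISP's IPv6 side is still rebooting, client gives up and solicits a fresh prefix) can be reproduced with a small timer simulation. This is an added example written for this thread, not Sophos or ISC dhclient code; the prefixes, T2 and valid-lifetime values are constructed samples, and `give_up_after` is a hypothetical knob standing in for whatever limit the UTM's script applies. It contrasts that behaviour with the RFC 8415 rule of keeping the binding until the valid lifetime expires.

```python
from dataclasses import dataclass

NEW_PREFIX = "2001:db8:ffff::/48"  # constructed: what the ISP hands out on a fresh SOLICIT


@dataclass
class PdLease:
    prefix: str   # delegated prefix (constructed sample)
    t2: int       # seconds after binding at which REBIND starts
    valid: int    # valid lifetime in seconds; the prefix is unusable after this


SAMPLE = PdLease(prefix="2001:db8:1::/48", t2=1200, valid=7200)


def run_client(lease, isp_v6_back_at, give_up_after=None, retry=60):
    """Simulate REBIND attempts every `retry` seconds from T2 onward.

    The ISP side answers only once t >= isp_v6_back_at (IPv6 is down until then,
    even though PPPoE and IPv4 are already back).  With give_up_after=None the
    client keeps the binding until `valid` expires (RFC 8415 behaviour); otherwise
    it abandons the prefix after that many unanswered REBINDs and solicits a new
    one.  Returns (prefix_in_use, event_log).
    """
    log = []
    t = lease.t2
    unanswered = 0
    while t < lease.valid:
        if t >= isp_v6_back_at:
            log.append((t, "REBIND answered: prefix %s kept" % lease.prefix))
            return lease.prefix, log
        unanswered += 1
        log.append((t, "REBIND unanswered (%d)" % unanswered))
        if give_up_after is not None and unanswered >= give_up_after:
            # The old prefix is still valid at the ISP, but the client discards it.
            # The SOLICIT itself is only answered once the ISP's IPv6 side is back.
            t = max(t, isp_v6_back_at)
            log.append((t, "gave up; SOLICIT answered with new prefix"))
            return NEW_PREFIX, log
        t += retry
    # Valid lifetime expired without any reply: now the prefix really is gone.
    log.append((t, "valid lifetime expired; SOLICIT for a new prefix"))
    return NEW_PREFIX, log


if __name__ == "__main__":
    # ISP IPv6 side returns 30 minutes after the binding (10 minutes into REBIND).
    for name, limit in (("gives up after 3", 3), ("RFC 8415, wait for valid", None)):
        prefix, log = run_client(SAMPLE, isp_v6_back_at=1800, give_up_after=limit)
        print("%-25s -> %s (%d events)" % (name, prefix, len(log)))
```

With the same 30-minute outage the impatient client ends up on a new prefix while the RFC-conformant one keeps the old one; only when the outage outlasts the valid lifetime does the conformant client lose it too.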

  • Thanks Ben and Le for the script :)
    Ran the script and tcpdump and mailed the output to Le.