Open IPv6 Issues / questions

- will the fix for issue NUTM-7187 be included with 9.5?

- is there a fix in the works for IPv6 connections where the WAN port is supposed to use an address out of the delegated prefix? Currently users of such ISPs do not get any IPv6 address. (for example KPN Netherlands)

- what about the ability to change/edit the UID for IPv6 Delegation Requests?

- what about long-standing feature requests such as 6tunnel integration, Let's Encrypt - is that on the roadmap? Users, myself included, had high hopes for 9.5 but this seems to be more than a maintenance release.


thank you in advance.

  • Hi Ben, please see my answers inline below:

    Ben said:

    - will the fix for issue NUTM-7187 be included with 9.5?

    [BL]: The fix for NUTM-7187 is not included in this current UTM 9.5 beta version. We are actively working on the fix right now though, so as soon as we have a confirmed fix it will be included in a subsequent release.

    - is there a fix in the works for IPv6 connections where the WAN port is supposed to use an address out of the delegated prefix? Currently users of such ISPs do not get any IPv6 address. (for example KPN Netherlands)

    [BL]: This should be supported today, unless the ISP is doing both stateless & stateful. Is that the case for you? If so, we are fixing that as part of NUTM-7187 as well.

    - what about the ability to change/edit the UID for IPv6 Delegation Requests?

    [BL]: Unfortunately this isn't part of this 9.5 release.

    - what about long-standing feature requests such as 6tunnel integration, Let's Encrypt - is that on the roadmap? Users, myself included, had high hopes for 9.5 but this seems to be more than a maintenance release.

    [BL]: Let's Encrypt is on our current roadmap, but it's mainly planned as a WAF feature. As for 6tunnel integration, it's currently not planned for any specific release.


    thank you in advance.


  • Hi Bobby,

    Normally the ISP's router will then request a /48 prefix and use a /64 from that prefix for the WAN interface and a /64 for the LAN interface. So there are no other global IPv6 addresses than the ones from that /48.

    On the Sophos UTM, in my case I will only receive a link-local IPv6 address via PPPoE. Using tcpdump, I have verified that the UTM is not sending out a prefix request after the PPPoE session has been established. Is it waiting for an advertised IPv6 address for the WAN interface first before it will do this? Because in this case it will never get one... and thus an IPv6 prefix will never be requested.

    If you want to have a look at my Sophos VM, or need some tcpdumps of the PPPoE setup let me know!

    Rene
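The check described in the post above (watching the PPP interface for a prefix request) comes down to looking for two things in the capture: a DHCPv6 SOLICIT carrying an IA_PD option leaving the firewall, and Router Advertisements arriving from the ISP side. The following is an added example, not code from this thread or from Sophos UTM: a small decoder that classifies raw IPv6 frames (as you would pull them out of a tcpdump/pcap of the PPP interface) and reports both. The addresses, DUID and option contents of the sample frames are constructed; the layouts follow RFC 4861 (RS/RA) and RFC 8415 (DHCPv6), and checksums are not verified.

```python
"""Added example: decode the IPv6 control traffic that matters for DHCPv6 prefix
delegation over PPPoE (Router Solicitation/Advertisement, DHCPv6 SOLICIT with IA_PD).

The frames below are constructed for illustration; in practice feed the functions
the raw IPv6 packets from a tcpdump/pcap of the PPP interface. Checksums are not
verified (the samples carry zero checksums).
"""
import ipaddress
import struct
from typing import Optional

ICMPV6, UDP = 58, 17
ND_RS, ND_RA = 133, 134                     # ICMPv6 Router Solicitation / Advertisement
DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT = 546, 547
DHCPV6_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 7: "REPLY"}
OPT_CLIENTID, OPT_IA_PD = 1, 25             # DHCPv6 option codes (RFC 8415)


def parse_dhcpv6_options(data: bytes) -> dict:
    """Return {option_code: option_data} from a DHCPv6 option list."""
    opts = {}
    while len(data) >= 4:
        code, length = struct.unpack("!HH", data[:4])
        opts[code] = data[4:4 + length]
        data = data[4 + length:]
    return opts


def classify(frame: bytes) -> Optional[dict]:
    """Summarise an RS, RA or DHCPv6 packet; return None for anything else."""
    if len(frame) < 40 or frame[0] >> 4 != 6:
        return None
    payload_len, next_hdr = struct.unpack("!HB", frame[4:7])
    src = str(ipaddress.IPv6Address(frame[8:24]))
    dst = str(ipaddress.IPv6Address(frame[24:40]))
    body = frame[40:40 + payload_len]
    if next_hdr == ICMPV6 and len(body) >= 8:
        if body[0] == ND_RS:
            return {"kind": "RS", "src": src, "dst": dst}
        if body[0] == ND_RA and len(body) >= 16:
            flags = body[5]                 # M (0x80) and O (0x40) bits of the RA
            return {"kind": "RA", "src": src, "dst": dst,
                    "managed": bool(flags & 0x80), "other": bool(flags & 0x40)}
        return None
    if next_hdr == UDP and len(body) >= 12:
        dport = struct.unpack("!H", body[2:4])[0]
        if dport in (DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT):
            msg_type = body[8]              # first byte after the 8-byte UDP header
            opts = parse_dhcpv6_options(body[12:])   # after msg-type + 3-byte txid
            return {"kind": "DHCPv6 " + DHCPV6_TYPES.get(msg_type, str(msg_type)),
                    "src": src, "dst": dst, "requests_prefix": OPT_IA_PD in opts}
    return None


def pd_check(frames) -> dict:
    """Did the client ever send a SOLICIT carrying IA_PD, and did any RA arrive?"""
    seen = [c for c in map(classify, frames) if c]
    return {
        "solicit_with_pd": any(c["kind"] == "DHCPv6 SOLICIT" and c["requests_prefix"]
                               for c in seen),
        "ra_received": any(c["kind"] == "RA" for c in seen),
        "summary": [c["kind"] for c in seen],
    }


# --- constructed sample frames (hypothetical addresses and DUID) -------------
def ipv6(src, dst, next_hdr, payload):
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # checksum 0


def dhcp_option(code, data):
    return struct.pack("!HH", code, len(data)) + data


CLIENT_LL = "fe80::a00:27ff:fe12:3456"   # hypothetical link-local of the PPP client

# DHCPv6 SOLICIT to All_DHCP_Relay_Agents_and_Servers with Client-ID (DUID-LL) and IA_PD
SOLICIT_PD = ipv6(CLIENT_LL, "ff02::1:2", UDP, udp(DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT,
    bytes([1]) + b"\x00\x00\x01"
    + dhcp_option(OPT_CLIENTID, struct.pack("!HH", 3, 1) + bytes.fromhex("080027123456"))
    + dhcp_option(OPT_IA_PD, struct.pack("!III", 1, 0, 0))))   # IAID=1, T1=T2=0, no hint
ROUTER_SOL = ipv6(CLIENT_LL, "ff02::2", ICMPV6, struct.pack("!BBHI", ND_RS, 0, 0, 0))
# RA from the ISP side with the O flag set (SLAAC addresses, DHCPv6 for other config)
ROUTER_ADV = ipv6("fe80::1", "ff02::1", ICMPV6,
                  struct.pack("!BBHBBHII", ND_RA, 0, 0, 64, 0x40, 1800, 0, 0))

if __name__ == "__main__":
    # A capture holding only RS frames and no SOLICIT matches the symptom of a client
    # that never asks for a prefix.
    print(pd_check([ROUTER_SOL, ROUTER_SOL]))
    print(pd_check([ROUTER_SOL, ROUTER_ADV, SOLICIT_PD]))
```

On a real capture, pass the IPv6 payloads of the PPP frames to `pd_check`: a result with no SOLICIT carrying IA_PD is the "prefix never requested" symptom, while the M and O flags of any RA show whether the ISP expects stateful DHCPv6, SLAAC, or both (the stateless-plus-stateful combination mentioned in the Sophos reply above).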

  • Hi Le,

    Sorry for the late reply. I was on holiday for the last two weeks.

    There is indeed no router that responds to RS messages. Also, in the capture I made from the ISP-provided CPE I do not see any RS/RA messages, and still it is working correctly on this device. I guess the provided CPE is using the remote LL address received via PPP as the default gateway. I think it would be nice if the UTM would use that address as well when no RAs are received.

    You have XS4all, right? I thought the implementations of those providers were the same, but apparently you are receiving an RA?

    -René

  • Yeah, I got it fully working thanks to Le (and others?) with XS4ALL.

    Could it be that I'm using a managed switch between my fiber NTU and the firewall?
    In my setup, my NTU is connected to LAN1, tagged with VLAN 6. LAN2 is untagged, and going to the WAN port of my Sophos UTM.
    So my Sophos UTM is only setting up a PPPoE connection, and not PPPoE with VLAN. Not sure if this matters for the IPv6/RA part though.

  • I have the same setup. A managed switch tagged to the fiber NTU with VLAN 6 and tagged towards my VMware machine. The virtual machine itself is untagged in VLAN 6, so UTM sets up PPPoE without VLAN.

    Do you see RS/RA messages when doing a packet capture?

  • Hi Rene,

    Good to hear from you. Hope that you had a great holiday.

    I will pass on your request to the team regarding using the remote LL as default gateway.

    Thanks for your help and suggestion.

  • Hello Le,

    I noticed the 9501055 update contains an "ep-ipv6-watchdog-9.50-3.g64d8245.rb3.i686.rpm".

    Does it include the fixes for the IPv6 PPPoE prefix delegation, or do I still need to apply this private patch?

    I would like to update our work machines and my own machine sometime soon, but didn't because of the fix.

    thank you!

    ---

    Sophos UTM 9.3 Certified Engineer

  • Hi Ben,

    No, I don't believe 9501055 contains the fix, since QA is currently going through the fix. So you still need the emergency patch. I will announce it here once the fix becomes GA. Sorry, and thanks for your patience!

  • Hi,


    is there any progress on this issue? I'm affected too, as a Deutsche Glasfaser customer.


    Ben said:

    Hello Le,

    thank you for taking care of leftover issues with IPv6. Just the other day I was talking to someone who has "Deutsche Glasfaser" (one of the larger direct fiber providers in north-west Germany). Apparently they are using 6rd for IPv6 dual stack. Would supporting 6rd be more of a feature request, or do you want to address this as well within this bugfix? (I don't know much about 6rd as I did not run into this issue before.)

    thank you again for your work on this.


  • Deutsche Glasfaser is using "6rd" for IPv6; Sophos UTM does not support it. You can fiddle around with it over the shell, but the most we got was having one single IPv6 address for VPN and WAF.

    I would highly advise putting a MikroTik router in front of the Sophos (a 50 € device like the hEX gen3) that will do 6rd and delegate a prefix to the UTM properly. I can provide a GitHub link to the scripts if my friend who made them puts them up.

    ---

    Sophos UTM 9.3 Certified Engineer

  • Hi,


    thanks for the reply. As 6rd is not so uncommon, I would like to see direct support in UTM (if they haven't abandoned it yet in favour of this, sorry, insane XG).

    Such a workaround is possible but not really feasible.

    But thanks, yes, the scripts would be helpful.

  • 6rd is uncommon, and super uncommon for any business use, so I understand why Sophos is not supporting it.

    6rd is a lazy (easy) method for ISPs to get customers IPv6; it's not native (it's based on 6in4).

    ---

    Sophos UTM 9.3 Certified Engineer
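To make concrete what "not native, based on 6in4" means: under 6rd (RFC 5969) the customer edge derives its IPv6 prefix from its own public IPv4 address and the ISP's 6rd domain parameters, then carries IPv6 inside IPv4 protocol 41 to the border relay, or directly to another 6rd customer whose IPv4 address is embedded in the destination. The following is an added example, not code from this thread, from Sophos UTM or from the MikroTik scripts mentioned above; the 6rd prefix, IPv4MaskLen, border relay and customer addresses are hypothetical documentation values (a real ISP hands them out via DHCPv4 option 212 or publishes them).

```python
"""Added example: what a 6rd customer edge (CE) computes and sends (RFC 5969), to show
that 6rd is "6in4 with a prefix derived from the IPv4 address", not native IPv6 and
not DHCPv6 prefix delegation.

All domain parameters and addresses below are hypothetical documentation values.
"""
import ipaddress
import struct

SIXRD_PREFIX = "2001:db8::/32"   # hypothetical ISP 6rd prefix
IPV4_MASK_LEN = 0                 # 0 = embed all 32 bits of the customer's IPv4 address
BR_IPV4 = "198.51.100.1"          # hypothetical border relay
CE_IPV4 = "192.0.2.77"            # hypothetical public IPv4 address of the customer CE


def delegated_prefix(sixrd_prefix: str, ipv4_mask_len: int, ce_ipv4: str) -> str:
    """6rd delegated prefix = 6rd prefix || (CE IPv4 address minus its first IPv4MaskLen bits).

    With a /32 6rd prefix and IPv4MaskLen 0 the customer ends up with exactly one /64.
    """
    net = ipaddress.IPv6Network(sixrd_prefix)
    embedded_bits = 32 - ipv4_mask_len
    embedded = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << embedded_bits) - 1)
    plen = net.prefixlen + embedded_bits
    addr = int(net.network_address) | (embedded << (128 - plen))
    return str(ipaddress.IPv6Network((addr, plen)))


def tunnel_destination(sixrd_prefix: str, ipv4_mask_len: int, ce_ipv4: str,
                       dst_ipv6: str, br_ipv4: str) -> str:
    """Outer IPv4 destination for an IPv6 packet: the IPv4 address extracted from the
    destination if it lies inside the 6rd domain, otherwise the border relay."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    dst = ipaddress.IPv6Address(dst_ipv6)
    if dst not in net:
        return br_ipv4
    embedded_bits = 32 - ipv4_mask_len
    shift = 128 - net.prefixlen - embedded_bits
    low = (int(dst) >> shift) & ((1 << embedded_bits) - 1)
    # The first IPv4MaskLen bits are common to the whole domain: take them from our own address.
    high = int(ipaddress.IPv4Address(ce_ipv4)) & ~((1 << embedded_bits) - 1) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(high | low))


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 ones-complement checksum over an IPv4 header (0 for a valid header)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate_6in4(ipv6_packet: bytes, src4: str, dst4: str) -> bytes:
    """Wrap an IPv6 packet in an IPv4 header with protocol 41 (6in4), DF set, TTL 64."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), 0, 0x4000, 64, 41, 0,
                      ipaddress.IPv4Address(src4).packed, ipaddress.IPv4Address(dst4).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_packet


if __name__ == "__main__":
    print("delegated prefix:", delegated_prefix(SIXRD_PREFIX, IPV4_MASK_LEN, CE_IPV4))
    # 3fff::/20 is an IPv6 documentation range; it lies outside the 6rd domain, so the
    # packet goes to the border relay.
    print("to the Internet via:", tunnel_destination(SIXRD_PREFIX, IPV4_MASK_LEN, CE_IPV4,
                                                      "3fff::1", BR_IPV4))
    # Another customer's prefix inside the domain: decapsulated directly by that CE.
    print("to another 6rd CE via:", tunnel_destination(SIXRD_PREFIX, IPV4_MASK_LEN, CE_IPV4,
                                                        "2001:db8:c000:264::1", BR_IPV4))
    outer = encapsulate_6in4(b"\x60" + b"\x00" * 39, CE_IPV4, BR_IPV4)
    print("outer IPv4 protocol:", outer[9], "total length:", len(outer))
```

Two consequences follow from the code: the prefix a 6rd customer gets is fixed by the ISP's IPv4MaskLen (a /64 when all 32 bits are embedded, a /56 when the domain shares an 8-bit IPv4 prefix), so there is no prefix to "request"; and every IPv6 packet leaves the CE as IPv4 protocol 41, which is why a firewall that does not speak 6rd sees only IPv4 on its WAN interface.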
