Open IPv6 Issues / questions

- will the fix for issue NUTM-7187 be included with 9.5?

- is there a fix in the works for IPv6 connections where the WAN port is supposed to use an address out of the delegated prefix? Currently users of such ISPs do not get any IPv6 address (for example KPN Netherlands).

- what about the ability to change/edit the UID for IPv6 Delegation Requests?

- what about long-standing feature requests such as 6tunnel integration and Let's Encrypt? Is that on the roadmap? Users, myself included, had high hopes for 9.5 but this seems to be more than a maintenance release.


thank you in advance.

  • Hi,

    You can send it to me via PM or mail: sander [some @ sign ] rutten [a dot here] me ;-)
    I'm not sure how to do iptables traces, but I can run some commands if you have them available for me.

    For the rest, IPv6 is working great. Since your patches it has been running smoothly for me.

  • I have one standing issue with Prefix Delegation over PPPoE on the current Sophos UTM version. Every few weeks, when my ISP is updating their stuff or doing maintenance, the following happens, where the Sophos UTM will change the delegated IPv6 prefix:

    - ISP reboots their Edgerouters

    - Reboot completes, PPPoE Authentication works again

    - IPv4 comes back up

    - Sophos UTM reconnects, IPv4 works and tries to rebind IPv6 Prefix

    (ISP Router not done rebooting, IPv6 not back up yet)

    - Sophos fails to rebind to IPv6 Prefix a few times

    - Sophos gives up and asks ISP Router for a new IPv6 Prefix

    (ISP Router is fully back up again including IPv6)

    - Sophos gets a new IPv6 Prefix and everything works again, old prefix lost


    remarks: the old IPv6 prefix will work again if the files in /var/chroot-dhcpc/var/db/ppp0* are replaced with the old files and the UTM rebooted. So the old prefix is -not- invalid; the Sophos UTM just "gave up" on it due to getting no ISP router reply on the rebind to it.

    possible solutions (that I can think of): give the IPv6 script more time to rebind the IPv6 prefix, let the user "lock" the IPv6 prefix via the GUI so it will not change, don't let the Sophos UTM request a new IPv6 prefix "just" because the ISP router is not replying to the rebind. There should be an error on an unsuccessful rebind from the ISP router, I assume.

    ---

    Sophos UTM 9.3 Certified Engineer
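The sequence in the post above is essentially a DHCPv6 client abandoning a lease that is still valid because Rebind went unanswered. The following toy model is an added illustration, not Sophos UTM code or the UTM's actual DHCPv6 client: it walks a prefix-delegation lease through the RFC 8415 Renew (T1) and Rebind (T2) timers during a constructed ISP outage, and contrasts a client that keeps rebinding until the valid lifetime expires with one that gives up after a few missed Rebind replies and solicits a fresh prefix. The lease values, prefixes and outage window are constructed sample data.

```python
"""Toy model of a DHCPv6 prefix-delegation client (RFC 8415 renew/rebind timers).

Constructed illustration, not Sophos UTM code: it contrasts a client that keeps
rebinding until the valid lifetime expires with one that gives up after a few
unanswered Rebinds and solicits a fresh prefix, as described in the post above.
"""
from dataclasses import dataclass


@dataclass
class DelegatedPrefix:
    prefix: str
    t1: int      # seconds after acquisition at which the client starts Renew
    t2: int      # seconds after acquisition at which the client starts Rebind
    valid: int   # valid lifetime in seconds; the prefix stays usable until then


# Constructed sample lease, not from any real ISP.
LEASE = DelegatedPrefix(prefix="2001:db8:aaaa::/48", t1=300, t2=480, valid=900)
NEW_PREFIX = "2001:db8:bbbb::/48"   # placeholder for whatever a fresh Solicit returns


def run_client(lease, server_up, horizon, give_up_after=None, step=10):
    """Advance the client in `step`-second ticks until `horizon` seconds.

    server_up(t) -> bool says whether the ISP's DHCPv6 server answers at time t.
    give_up_after=None models RFC behaviour: Rebind is retried until the valid
    lifetime runs out. An integer models a client that abandons the lease after
    that many unanswered Rebinds and immediately solicits a new prefix.
    Returns (prefix held at the end, event log).
    """
    prefix = lease.prefix
    acquired = 0          # time the current lease was obtained or last extended
    failed = 0            # consecutive Rebind attempts without a reply
    log = []
    for t in range(0, horizon, step):
        age = t - acquired
        impatient = give_up_after is not None and failed >= give_up_after
        if age >= lease.valid or impatient:
            # Lease expired (or the client gave up): start over with Solicit.
            if server_up(t):
                prefix, acquired, failed = NEW_PREFIX, t, 0
                log.append((t, "solicit-ok", prefix))
            else:
                log.append((t, "solicit-timeout", prefix))
        elif age >= lease.t2:
            # Rebind: any server may answer; the old prefix stays valid meanwhile.
            if server_up(t):
                acquired, failed = t, 0
                log.append((t, "rebind-ok", prefix))
            else:
                failed += 1
                log.append((t, "rebind-timeout", prefix))
        elif age >= lease.t1:
            # Renew: directed at the original server; silence just leads on to T2.
            if server_up(t):
                acquired = t
                log.append((t, "renew-ok", prefix))
    return prefix, log


def isp_outage(t):
    """Constructed outage: the ISP edge router answers nothing from t=280 s to t=700 s."""
    return not (280 <= t < 700)


if __name__ == "__main__":
    for label, give_up in (("RFC-style", None), ("impatient", 3)):
        final, events = run_client(LEASE, isp_outage, horizon=1200, give_up_after=give_up)
        print(f"{label:10s} ends with {final}; first events: {events[:4]}")
```

With the constructed outage ending well inside the 900 s valid lifetime, the RFC-style client rebinds successfully at t=700 and keeps its prefix, while the impatient client has already solicited a new one; only when the outage outlasts the valid lifetime does the RFC-style client also lose it.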

  • Thanks Ben and Le for the script :)
    Ran the script and tcpdump and mailed the output to Le.

  • Hi,


    is there any progress on this issue, as I'm affected too as Deutsche Glasfaser's customer?


    Ben said:

    Hello Le,

    thank you for taking care of leftover issues with IPv6. Just the other day I was talking to someone who has "Deutsche Glasfaser" (one of the larger direct fiber providers in north-west Germany). Apparently they are using 6rd for IPv6 dual stack. Would supporting 6rd be more of a feature request, or do you want to address this as well within this bugfix? (I don't know much about 6rd as I did not run into this issue before.)

    thank you again for your work on this.


  • Deutsche Glasfaser is using "6rd" for IPv6, Sophos UTM does not support it. You can fiddle around with it over shell but the most we got was having one single IPv6 for VPN and WAF.

    I would highly advise putting a MikroTik router in front of the Sophos (a 50 € device like the hEX gen3) that will do 6rd and delegate a prefix to the UTM properly. I can provide a GitHub link for the scripts if my friend who made them puts them up.

    ---

    Sophos UTM 9.3 Certified Engineer

  • Hi,


    thanks for the reply. As 6rd is not so uncommon I would like to see direct support in UTM (if they haven't abandoned it yet in favour of this - sorry insane - XG).

    Such a workaround is possible but not really feasible.

    But thanks, yes, the scripts would be helpful.

  • 6rd is uncommon and super uncommon for any business use, so I understand why Sophos is not supporting it.

    6rd is a lazy (easy) method for ISPs to get customers IPv6; it's not native (it's based on 6in4).

    ---

    Sophos UTM 9.3 Certified Engineer

  • Hi everyone,

    My ISP hands out prefix delegations using /64 by default. Is it possible at all to send a hint to request a /60 or to make multiple prefix delegation requests? Apparently they are there and available, I just need to request them. It seems Sophos is only requesting the first. Is there a potential workaround for this IA_PD?

    Thanks,

    Dave
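For readers wondering what the "hint" Dave asks about actually is: in DHCPv6 the client expresses a wanted prefix length by putting an IA_PREFIX sub-option with zero lifetimes, the :: prefix and the desired length inside its IA_PD, and it can ask for more than one delegation by sending several IA_PD options with distinct IAIDs. The encoder and decoder below are an added illustration of that wire format per RFC 8415, not Sophos UTM code and not a statement that the UTM's client can be configured to send this. Whether an ISP honours the hint or hands out a second delegation is server policy; the transaction id and IAIDs are constructed values, and the Solicit is deliberately minimal (a real one also carries Client ID, Elapsed Time and ORO options).

```python
"""Build and decode a DHCPv6 IA_PD option carrying a prefix-length hint (RFC 8415).

Added illustration, not Sophos UTM code: shows what a /60 hint looks like on the
wire and how two IA_PD options with distinct IAIDs sit in one Solicit message.
"""
import ipaddress
import struct

OPTION_IA_PD = 25      # RFC 8415 section 21.21
OPTION_IAPREFIX = 26   # RFC 8415 section 21.22
MSG_SOLICIT = 1


def encode_option(code, body):
    """Generic DHCPv6 option: 2-byte option code, 2-byte length, body."""
    return struct.pack("!HH", code, len(body)) + body


def encode_ia_pd_hint(iaid, prefix_len, t1=0, t2=0):
    """IA_PD whose only IA_PREFIX is a hint: zero lifetimes, :: prefix, wanted length.
    T1/T2 of 0 leave the timer choice to the server."""
    iaprefix = struct.pack("!IIB", 0, 0, prefix_len) + ipaddress.IPv6Address("::").packed
    body = struct.pack("!III", iaid, t1, t2) + encode_option(OPTION_IAPREFIX, iaprefix)
    return encode_option(OPTION_IA_PD, body)


def decode_ia_pd(data):
    """Parse one IA_PD option at the start of `data`.
    Returns iaid, t1, t2 and the list of IA_PREFIX entries it carries."""
    if len(data) < 4:
        raise ValueError("truncated option header")
    code, length = struct.unpack("!HH", data[:4])
    if code != OPTION_IA_PD or len(data) < 4 + length or length < 12:
        raise ValueError("not a complete IA_PD option")
    body = data[4:4 + length]
    iaid, t1, t2 = struct.unpack("!III", body[:12])
    prefixes, pos = [], 12
    while pos + 4 <= len(body):
        sub, sublen = struct.unpack("!HH", body[pos:pos + 4])
        sub_body = body[pos + 4:pos + 4 + sublen]
        if sub == OPTION_IAPREFIX and len(sub_body) >= 25:
            pref, valid, plen = struct.unpack("!IIB", sub_body[:9])
            addr = ipaddress.IPv6Address(sub_body[9:25])
            prefixes.append({"prefix": f"{addr}/{plen}", "preferred": pref, "valid": valid})
        pos += 4 + sublen
    return {"iaid": iaid, "t1": t1, "t2": t2, "prefixes": prefixes}


def solicit_with_hints(xid, iaids, prefix_len):
    """Minimal Solicit: 1-byte msg-type, 3-byte transaction id, one IA_PD hint per IAID.
    Several IA_PDs with different IAIDs is how a client asks for several delegations."""
    msg = struct.pack("!B", MSG_SOLICIT) + xid.to_bytes(3, "big")
    for iaid in iaids:
        msg += encode_ia_pd_hint(iaid, prefix_len)
    return msg


if __name__ == "__main__":
    hint = encode_ia_pd_hint(iaid=1, prefix_len=60)
    print(hint.hex())
    print(decode_ia_pd(hint))
    msg = solicit_with_hints(0xABCDEF, [1, 2], 60)   # constructed transaction id and IAIDs
    print(len(msg), "bytes;", "second IA_PD:", decode_ia_pd(msg[4 + len(hint):]))
```

A hint IA_PD for a single prefix is 45 bytes on the wire (4-byte header, 12 bytes of IAID/T1/T2, and a 29-byte IA_PREFIX sub-option); on a capture of the WAN side you can confirm whether a client is sending the hint at all by looking for option 25 containing option 26 with prefix-length 60 and lifetimes 0.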