Open IPv6 Issues / questions

- will the fix for issue NUTM-7187 be included with 9.5?

- is there a fix in the works for IPv6 connections where the WAN port is supposed to use an address out of the delegated prefix? Currently users of such ISPs do not get any IPv6 address. (for example KPN Netherlands)

- what about the ability to change/edit the UID for IPv6 Delegation Requests?

- what about long standing feature requests such as 6tunnel integration, Let's Encrypt - is that on the roadmap? Users, myself included, had high hopes for 9.5 but this seems to be more than a maintenance release.


thank you in advance.

  • Hi Rene,

    From the debug logs you have pasted, it looks like the ppp0 interface hasn’t received any RA from the ISP end.

    Unless an RA is received with the appropriate flags (M, O or A) set, dhclient6 will not be started for this interface on the UTM.

    Please check if disabling and re-enabling the DSL interface on the UTM helps.

    -Prakash

  • Hi Prakash,

    That is correct. The ISP does not do RA in my case. If you want I can share the capture of the regular setup with the box provided by the ISP instead of the Sophos.
    After setting up the PPPoE connection it should do a DHCPv6 request for the prefix immediately. No RA is received.

    Regards,

    René

  • Hi Rene,

    I looked into the capture file you provided and found that the box provided by your ISP directly sends out DHCPv6 solicit messages with the IA_PD option, immediately after PPP IPv6CP is successful. The box provided by your ISP is probably configured to always use DHCPv6 IA_PD when connecting to the server.

    On the other hand, the Sophos UTM has a need to first do IPv6 Neighbor Discovery to understand if the server (ISP end) supports SLAAC or stateless/stateful DHCPv6. Based on the RA and prefix flags it receives from the server during IPv6 ND, it would then set up dhclient6 appropriately to use SLAAC or DHCPv6 or both.

    In the absence of ICMPv6 RAs, the current code doesn’t initiate stateful autoconfiguration by default. We will look into addressing this issue asap as a bug fix in a future release.

    -Prakash

  • Thanks Prakash. Really appreciate the response on the forum!

    In this case no Neighbor Discovery is possible. I tried it, but no response from the ISP network. So best would be a stateful autoconfig as fallback when no RAs are received.


    Thanks again! Can you keep me updated on the bug report?


    Regards,

    René
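Prakash's explanation above (the RA flags M, O and A deciding between SLAAC and stateless/stateful DHCPv6) and René's request for a stateful fallback when no RA ever arrives, worked through as an added example that is not part of this thread or of the UTM's own code: a small RFC 4861 Router Advertisement parser plus the flag-to-mechanism decision, with "no RA received" modelled as its own outcome. The packet builder, the 2001:db8 documentation prefix and the mechanism names are my own assumptions; the builder's default lifetimes follow the 1 hour valid / 15 minute preferred values suggested later in the thread.

```python
import struct
import ipaddress
from typing import Optional

ND_ROUTER_ADVERT, OPT_PREFIX_INFO = 134, 3

def parse_ra(pkt: bytes) -> dict:
    """Extract the M/O flags and Prefix Information options (RFC 4861) from a raw ICMPv6 RA."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    ra = {"M": bool(pkt[5] & 0x80), "O": bool(pkt[5] & 0x40), "prefixes": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        end = off + olen * 8
        if olen == 0 or end > len(pkt):   # zero-length or truncated option: reject the RA
            raise ValueError("malformed ND option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, pref = struct.unpack("!BBII", pkt[off + 2:off + 12])
            ra["prefixes"].append({"prefix": f"{ipaddress.IPv6Address(pkt[off + 16:off + 32])}/{plen}",
                                   "A": bool(pflags & 0x40), "valid": valid, "preferred": pref})
        off = end
    return ra

def choose_autoconf(ra: Optional[dict]) -> str:
    """Map RA flags to the mechanism the thread describes; None models 'no RA ever arrived'."""
    if ra is None:
        return "dhcpv6-pd-no-ra"   # fallback René asks for: solicit IA_PD without waiting for an RA
    slaac = any(p["A"] for p in ra["prefixes"])
    if ra["M"]:
        return "slaac+stateful-dhcpv6" if slaac else "stateful-dhcpv6"
    if ra["O"]:
        return "slaac+stateless-dhcpv6" if slaac else "stateless-dhcpv6"
    return "slaac" if slaac else "none"

def build_ra(m: bool, o: bool, prefix: str, a: bool, valid=3600, preferred=900) -> bytes:
    """Construct a test RA (checksum left zero, never sent); assumed sample for this example only."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, (0x80 if m else 0) | (0x40 if o else 0), 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0x80 | (0x40 if a else 0), valid, preferred, 0)
    return hdr + pio + net.network_address.packed

if __name__ == "__main__":
    ra = parse_ra(build_ra(m=False, o=True, prefix="2001:db8:1::/64", a=True))   # constructed sample
    print(ra, choose_autoconf(ra), choose_autoconf(None))
```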

  • Three things I forgot to ask:

    - RED (sophos to sophos, red device to sophos) over IPv6 only?  - pleaassseee! :-) 

    - Ability/Option to disable IPv6 for the SMTP Proxy -> When enabling IPv6, e-mails being sent out will go over IPv6 if the target MX entry has an AAAA entry. We only want to use IPv6 for web surfing, VPN etc., not for SMTP yet until it is properly assigned and managed

    - On our main business UTM we received a static IPv6 and prefix from our provider. The UTM does not have the ability/option to manually enter a prefix that is statically assigned; if addresses out of the static prefix pool are "just" used, they won't have a route. Is this feature possible or non-standard?

    ---

    Sophos UTM 9.3 Certified Engineer

  • Hi Ben,

    Your last statement is correct for this version, something in 9.5 IPv6 is broken. DHCP does not work because it wants a setting which worked in 9.4. In 9.5 using advertisement my wifi card is assigned two IPv6 addresses from my /64 range.

    Maybe I should start a bug report on DHCP and IPv6?

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 EAP

    If a post solves your question please use the 'Verify Answer' button.

  • Hi rfcat_vk:


    Are you saying something was working in 9.4 (e.g. 9.411), but is now broken in 9.5? That's definitely not our intention, so I would like to better understand what's not working.


    You mentioned there's a setting which worked in 9.4, which setting is that exactly? Were you not getting 2 IPv6 addresses using the same setup in 9.4?


    Any additional info you can provide will really help us track down if something indeed changed in 9.5 or not.


    Thanks!

  • Most recent test: (testbox)

    Reconnected Monday, April 10th at 11:58 am.

    IPv6 prefix "died" about 7 pm, April 12th, so it worked for 61 hours. ;P

    Triggered reconnect, working again. UTM did one "rebind" after reconnecting; it is not doing renews or more rebinds after I trigger reconnect.

    I suspect I'd have to disable/re-enable the interface or something else to start the renew/rebind cycle again.

    Your programmer probably has enough info already, but I always try to be as complete as possible with infos ;)

    ---

    Sophos UTM 9.3 Certified Engineer

  • Let me try to explain.

    Under 9.4 you needed advertisement as well as DHCP to have control over your IPv6 address allocations.

    Under 9.5 you can have DHCP which does not assign an address but gives you a warning that a flag needs to be set, but there is no option to set the flag.

    Or you use advertisement which does not allow you control over your address assignments. I have a /48, of which I have used a /64 for one interface. Instead of getting one address (real IPv6) per interface I get two within the /64 range. I am using a home licence with a limit of 50 IP addresses so I am quite concerned if suddenly all my devices get two additional addresses instead of 1. While I am not near my limit it is disturbing that each device is assigned 3 IP addresses, so 16 devices take you to your licence limit.

    Is that plain enough or do you need more details?


    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 EAP

    If a post solves your question please use the 'Verify Answer' button.

  • On IPv6 prefix advertisement set the preferred lifetime to 15 min, valid lifetime to 1 hour (or the other way around)

    That way the leases won't count for too long.

    Also +1 on removing the user limit on IPv6 connections for the home user licence; it's not practicable, neither for business use (1x IPv4, 2-4x IPv6)

    I use stateless only and deactivate privacy extensions on the endpoints; Ubuntu Linux for example always pulls the same IPv6 via SLAAC.

    ---

    Sophos UTM 9.3 Certified Engineer