Open IPv6 Issues / questions

- Will the fix for issue NUTM-7187 be included with 9.5?

- Is there a fix in the works for IPv6 connections where the WAN port is supposed to use an address out of the delegated prefix? Currently users of such ISPs do not get any IPv6 address (for example KPN Netherlands).

- What about the ability to change/edit the UID for IPv6 delegation requests?

- What about long-standing feature requests such as 6tunnel integration, Let's Encrypt - is that on the roadmap? Users, myself included, had high hopes for 9.5, but this seems to be more than a maintenance release.

Thank you in advance.

  • Hi Prakash,

    Does this new version also solve my issue?

    Regards,
    René

  • OK good news; the patch seems to fix the rebind/renew and the IPv6 prefix is responding again

    bad news: the prefix changes on every reconnect, it seems to ignore DUID or generates a new one (speculation at this point) each time it connects.

    Before this version the prefix always stayed the same (and also does with other routes connected) so this must be some side effect of the fix.

     

    Edit: OK, I made 2 Wireshark dumps, with the old patch and the new patch; here are the differences:

    Old patch on PPPoE reconnect:

    Solicit, advertise going on for the WAN interface (solicit is without prefix delegation!), then a REBIND happens for the OLD prefix; the Cisco ISP router replies and confirms the old prefix!

    New patch on PPPoE reconnect:

    Solicit, advertise happened (with prefix delegation!); it seems the Cisco ISP router then proposes a NEW prefix, and Sophos sends a REQUEST with the new proposed prefix. Sophos never tries to rebind on the old prefix.

    Remarks: this only happens on interface reconnect; when just applying the patch and restarting the ipv6 watchguard, the old prefix is being used. The new patch seems to just request a new prefix through the solicit without trying to "get" the old one. When applying back the old patch and restarting the ipv6 watchguard, the prefix won't change.

    I have put these two pcaps (one with the old patch 1.x, one with the current patch 2.1) on the Sophos with the ticket in /home/login/pcap-testmachine1/ .. these are pcaps from my test machine since I don't want to bring the connection on the other machine up and down as much.

    ---

    Sophos UTM 9.3 Certified Engineer
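
Added example (not part of the thread and not Sophos code): a small DHCPv6 parser that extracts the message type, client DUID and delegated prefix (IA_PD / IAPREFIX options, RFC 8415) from client messages, so the two reconnect behaviours described in the post above can be told apart in a capture. The sample messages, the DUID and the 2001:db8:: prefixes are constructed, and the helper names are assumptions.

```python
import ipaddress
import struct

MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 5: "RENEW", 6: "REBIND", 7: "REPLY"}
OPT_CLIENTID, OPT_IA_PD, OPT_IAPREFIX = 1, 25, 26  # option codes from RFC 8415
DUID = bytes.fromhex("00030001020000000001")       # constructed DUID-LL for the samples

def options(buf):
    """Yield (code, value) per option TLV: 2-byte code, 2-byte length, value."""
    while len(buf) >= 4:
        code, length = struct.unpack_from("!HH", buf)
        if len(buf) < 4 + length:
            raise ValueError("truncated option %d" % code)
        yield code, buf[4:4 + length]
        buf = buf[4 + length:]

def summarize(payload):
    """Message type, client DUID (hex) and IA_PD prefixes of one DHCPv6 UDP payload."""
    if len(payload) < 4:  # 1-byte msg-type + 3-byte transaction id
        raise ValueError("short DHCPv6 message")
    info = {"type": MSG_TYPES.get(payload[0], str(payload[0])), "duid": None, "prefixes": []}
    for code, value in options(payload[4:]):
        if code == OPT_CLIENTID:
            info["duid"] = value.hex()
        elif code == OPT_IA_PD:  # IAID(4) T1(4) T2(4), then nested options
            for sub, sval in options(value[12:]):
                if sub == OPT_IAPREFIX and len(sval) >= 25:  # lifetimes(8) len(1) prefix(16)
                    net = ipaddress.IPv6Network((sval[9:25], sval[8]), strict=False)
                    info["prefixes"].append(str(net))
    return info

def reconnect_behaviour(payloads, old_prefix):
    """Did the client keep one DUID and try to REBIND/RENEW old_prefix?"""
    msgs = [summarize(p) for p in payloads]
    old = any(m["type"] in ("REBIND", "RENEW") and old_prefix in m["prefixes"] for m in msgs)
    return {"duid_stable": len({m["duid"] for m in msgs}) == 1, "tried_old_prefix": old,
            "requested": [p for m in msgs if m["type"] == "REQUEST" for p in m["prefixes"]]}

def _opt(code, value):
    return struct.pack("!HH", code, len(value)) + value

def _msg(msg_type, prefix=None, plen=48, pd=True, duid=DUID):  # constructed client message
    pfx = b""
    if prefix:  # IAPREFIX with zeroed lifetimes
        pfx = _opt(OPT_IAPREFIX, bytes(8) + bytes([plen]) + ipaddress.IPv6Address(prefix).packed)
    ia_pd = _opt(OPT_IA_PD, bytes(12) + pfx) if pd else b""
    return bytes([msg_type]) + b"\xab\xcd\xef" + _opt(OPT_CLIENTID, duid) + ia_pd

OLD_PATCH = [_msg(1, pd=False), _msg(6, "2001:db8:aa00::")]  # solicit without PD, then REBIND
NEW_PATCH = [_msg(1), _msg(3, "2001:db8:bb00::")]            # solicit with PD, then REQUEST
```

To run it on real traffic, feed `summarize()` the UDP payload of each client packet sent to port 547 in the capture.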

  • Hi Ben,

    I guess I know what could be causing the prefix to change on every reconnect.

    I have copied another fix to your UTM (/root/fix-2.2/ep-ipv6-watchdog-9.40-4.gce64053.i686.rpm) which might solve this problem. Please install it and let me know how it goes.

    Thanks,

    Prakash

  • Hi René,

    Please get the latest fix (/root/fix-2.2/ep-ipv6-watchdog-9.40-4.gce64053.i686.rpm) from Ben.

    It has the fix for your issue too. Let me know if it works for you.

     

    In any case, please collect the ipv6.log and system.log files from /var/log and also provide packet captures if possible.

     

    Thanks,

    Prakash

  • Hello Prakash,

    thanks again for the swift reply, this fix indeed seems to fix all the issues! It did a rebind on reconnect instead of getting a new prefix. 

    I will now let this run for 2-3 days and then report back :)

    THANK YOU! :-) and big thanks to any other developer involved in this fix! 

    ---

    Sophos UTM 9.3 Certified Engineer

  • Hi Prakash, Ben, etc :)

    Is it possible to receive this hotfix as well? I'd like to test if it now works with XS4ALL. Would love to have my SG125w fully up and running again :)
    Since this is in the UTM 9.5 beta board, I can use the beta as base? Or did you install it on the latest 9.4?

  • Hi,

    As long as Prakash is OK with that, I'll provide you with the patch. I am running on 9.4; I think Rene is running on 9.5 beta. Since the patch only patches the ipv6 watchdog files (I think), you should be OK with 9.5 beta.

    ---

    Sophos UTM 9.3 Certified Engineer

  • Hi SanderRutten,

    You are free to get the rpm from Ben.

    However, please note that this fix was only verified for 9.411-3.1. But, as Ben said, it should (I am 'pretty' sure it would) work if installed over 9.5 Beta too.

    -Prakash

  • Hi Prakash,

    Good and bad news...

    The good news is, I am now getting an IPv6 prefix! YAAY

    The bad news. IPv6 traffic is not working yet :( 
    In the interfaces overview I am not seeing my link local address anymore on the pppoe wan interface. This was shown before.

    Log still shows I get it, but ifconfig does not show this local LL address.  
    2017:04:19-19:41:55 gateway pppd-pppoe[27608]: local LL address fe80::3567:15be:c320:d03e
    2017:04:19-19:41:55 gateway pppd-pppoe[27608]: remote LL address fe80::2a31:52ff:fe59:9fa6

    I am also missing an IPv6 default route.

    -- UPDATE
    After reverting to the previous version I see the ipv6 LL address again in the interfaces overview, but it does not show up in ifconfig.

    Using both versions I am able to ping the remote LL
    # ping6 -I ppp0 fe80::2a31:52ff:fe59:9fa6
    PING fe80::2a31:52ff:fe59:9fa6(fe80::2a31:52ff:fe59:9fa6) from fe80::8445:1d69:66c2:b895 ppp0: 56 data bytes
    64 bytes from fe80::2a31:52ff:fe59:9fa6: icmp_seq=1 ttl=64 time=1.14 ms
    64 bytes from fe80::2a31:52ff:fe59:9fa6: icmp_seq=2 ttl=64 time=1.08 ms

     

    -- UPDATE2

    After setting a default route connectivity works! :D
    # route add -A inet6 default gw fe80::2a31:52ff:fe59:9fa6 dev ppp0

    I also noticed the "Internet IPv6" network object is not bound to any interface.


    René