BUG: IPv6 Prefix Delegation over PPPoE broken

Reported this in 9.3 as well.

When setting up a WAN connection over PPPoE, the Sophos is unable to get a prefix delegated to use for IPv6.

Other routers I tested are able to get a /48 IPv6 prefix with the same connection.

  • Will bugs like this get any "dev love", or are you only looking into 9.4-specific bugs? The reason for the question is: does it make more sense to post this bug elsewhere?

    ---

    Sophos UTM 9.3 Certified Engineer

  • +1, same problem here, even with the latest beta version.
  • I reported this issue a year ago for the first time. I am not sure if it's a bug or a missing feature of the way that the prefix is assigned by the ISP. The only issue I have is that even a cheap consumer AVM Fritzbox or an OpenWRT is able to do this properly and this industry-grade firewall is not.

    ---

    Sophos UTM 9.3 Certified Engineer

  • I get a /56 prefix by delegation over a PPPoE connection and have been since I installed an ADSL service with native IPv6. I haven't tried it on this version due to phone line stability and a broken power supply. I will be moving the VM where the 9.4 UTM is installed into another case to try and improve power stability and then try the native IPv6 connection again.

    Ian,

    home UTM 9.x running in ESXi 6 e3-1275v2

    AP55c and AP10 (courtesy Astaro)

    Three other UTMs, SUM and SFM in hibernation

    XG 15.x MR3 in hibernation

  • If I search the logs, I cannot find any indication it is requesting a prefix. But it is receiving an IPv6 link-local address.

    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: Connect: ppp0 <--> eth0
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: sent [LCP ConfReq id=0x1 <mru 1492> <magic 0x5b010044>]
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: rcvd [LCP ConfReq id=0x2 <mru 1500> <auth pap> <magic 0x9ffdb81a>]
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: sent [LCP ConfAck id=0x2 <mru 1500> <auth pap> <magic 0x9ffdb81a>]
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: rcvd [LCP ConfAck id=0x1 <mru 1492> <magic 0x5b010044>]
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: sent [LCP EchoReq id=0x0 magic=0x5b010044]
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: sent [PAP AuthReq id=0x1 user="kpn" password=<hidden>]
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: rcvd [LCP EchoRep id=0x0 magic=0x9ffdb81a]
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: rcvd [PAP AuthAck id=0x1 "Authentication success,Welcome!"]
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: Remote message: Authentication success,Welcome!
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: PAP authentication succeeded
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: peer from calling number 28:31:52:59:9F:A6 authorized
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: sent [IPV6CP ConfReq id=0x1 <addr fe80::19a1:3d21:d79e:23b1>]
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: rcvd [IPCP ConfReq id=0x1 <addr 195.190.228.3>]
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: sent [IPCP ConfAck id=0x1 <addr 195.190.228.3>]
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: rcvd [IPV6CP ConfReq id=0x1 <addr fe80::2a31:52ff:fe59:9fa6>]
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: sent [IPV6CP ConfAck id=0x1 <addr fe80::2a31:52ff:fe59:9fa6>]
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: rcvd [IPCP ConfNak id=0x1 <addr 77.165.167.135> <ms-dns1 195.121.1.34> <ms-dns2 195.121.1.66>]
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: sent [IPCP ConfReq id=0x2 <addr 77.165.167.135> <ms-dns1 195.121.1.34> <ms-dns2 195.121.1.66>]
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: rcvd [IPV6CP ConfAck id=0x1 <addr fe80::19a1:3d21:d79e:23b1>]
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: local LL address fe80::19a1:3d21:d79e:23b1
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: remote LL address fe80::2a31:52ff:fe59:9fa6
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: Script /etc/ppp/ipv6-up started (pid 17453)
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: rcvd [IPCP ConfAck id=0x2 <addr 77.165.167.135> <ms-dns1 195.121.1.34> <ms-dns2 195.121.1.66>]
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: local IP address 77.165.167.135
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: remote IP address 195.190.228.3
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: primary DNS address 195.121.1.34
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: secondary DNS address 195.121.1.66
    2016:02:20-12:34:41 gateway pppd-pppoe[17446]: Script /etc/ppp/ip-up started (pid 17454)
    2016:02:20-12:34:42 gateway pppd-pppoe[17446]: Script /etc/ppp/ip-up finished (pid 17454), status = 0x0
    2016:02:20-12:34:43 gateway pppd-pppoe[17446]: Script /etc/ppp/ipv6-up finished (pid 17453), status = 0x0

    ifconfig also shows this:
    ppp0 Link encap:Point-to-Point Protocol
    inet addr:77.165.167.135 P-t-P:195.190.228.3 Mask:255.255.255.255
    inet6 addr: fe80::19a1:3d21:d79e:23b1/10 Scope:Link
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
    RX packets:1955 errors:0 dropped:0 overruns:0 frame:0
    TX packets:2447 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:3
    RX bytes:811985 (792.9 Kb) TX bytes:601254 (587.1 Kb)

    Did you have to configure anything extra to get the prefix delegation working? Do you see the PD in your log?
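Added example (not part of any post in this thread): IPV6CP negotiates only the link-local interface identifier, while prefix delegation is a DHCPv6 exchange that runs over the PPP link once it is up, so a pppd log in this format can confirm the link-local addresses but would not itself carry a delegated prefix. The Python below parses pppd debug lines of that shape and reports what was actually agreed; the sample lines, host name and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the format of the pppd debug log quoted above
# (host name, PID and addresses are made up; 192.0.2.0/24 is documentation space).
SAMPLE_LOG = """\
2016:02:20-12:34:41 gw pppd-pppoe[100]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
2016:02:20-12:34:41 gw pppd-pppoe[100]: sent [IPV6CP ConfReq id=0x1 <addr fe80::1>]
2016:02:20-12:34:41 gw pppd-pppoe[100]: rcvd [IPV6CP ConfReq id=0x1 <addr fe80::2>]
2016:02:20-12:34:41 gw pppd-pppoe[100]: sent [IPV6CP ConfAck id=0x1 <addr fe80::2>]
2016:02:20-12:34:41 gw pppd-pppoe[100]: rcvd [IPCP ConfNak id=0x1 <addr 192.0.2.10>]
2016:02:20-12:34:41 gw pppd-pppoe[100]: sent [IPCP ConfReq id=0x2 <addr 192.0.2.10>]
2016:02:20-12:34:41 gw pppd-pppoe[100]: rcvd [IPV6CP ConfAck id=0x1 <addr fe80::1>]
2016:02:20-12:34:41 gw pppd-pppoe[100]: rcvd [IPCP ConfAck id=0x2 <addr 192.0.2.10>]
"""

# Matches "sent|rcvd [PROTO CODE id=0x.. <option value> ...]"
FRAME = re.compile(r"pppd[^:]*\[\d+\]: (sent|rcvd) \[(\w+) (\w+) id=0x[0-9a-f]+(.*)\]$")
OPTION = re.compile(r"<([\w-]+)(?: ([^>]*))?>")

def negotiated(log):
    """Return {protocol: {"local"|"peer": {option: value}}} from ConfAck frames."""
    acked = {}
    for line in log.splitlines():
        m = FRAME.search(line)
        if not m or m.group(3) != "ConfAck":
            continue
        direction, proto, _, rest = m.groups()
        # A ConfAck we received confirms our own options; one we sent confirms the peer's.
        side = "local" if direction == "rcvd" else "peer"
        acked.setdefault(proto, {}).setdefault(side, {}).update(OPTION.findall(rest))
    return acked

def ipv6_findings(log):
    """Summarise what the PPP log can and cannot say about IPv6 on the link."""
    v6 = negotiated(log).get("IPV6CP", {})
    addrs = [side["addr"] for side in v6.values() if "addr" in side]
    return {
        "ipv6cp_up": {"local", "peer"} <= set(v6),
        "link_local_only": bool(addrs) and all(
            ipaddress.ip_address(a).is_link_local for a in addrs),
        # Any DHCPv6 client output would come from a separate daemon, not pppd.
        "dhcpv6_lines": [l for l in log.splitlines() if re.search(r"dhcpv?6", l, re.I)],
    }

if __name__ == "__main__":
    print(negotiated(SAMPLE_LOG))
    print(ipv6_findings(SAMPLE_LOG))
```

An `ipv6cp_up` result with `link_local_only` true and no `dhcpv6_lines` means the PPP layer is healthy and the next place to look is the DHCPv6 client's own log or a capture of UDP 546/547 on the PPP interface.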

  • I finally have IPv6 working again, but that is a long story.
    I reviewed the logs this morning and can only see a couple of LL addresses being supplied. I have set up the IPv6 access on my ISP's user account. Other than that, I did nothing extra beyond enabling IPv6 in the UTM.
    The following two lines are part of the PPPoE log.

    m pppd-pppoe[20586]: sent [IPV6CP ConfReq id=0x1 <addr fe80::ecd1:1e64:d42d:8dbb>]

    Script /etc/ppp/ipv6-up started (pid 20658)

    Ian,

    home UTM 9.x running in ESXi 6 e3-1275v2

    AP55c and AP10 (courtesy Astaro)

    Three other UTMs, SUM and SFM in hibernation

    XG 15.x MR3 in hibernation

  • @Sophos: would appreciate any comment on this. Have been waiting for over a year for this issue to be addressed.

    ---

    Sophos UTM 9.3 Certified Engineer

  • I haven't tested 9.4 yet, but I assume Ben has done some testing already. His ISP seems to have a similar setup as mine.
    My native /48 IPv6 isn't working either on 9.3, and allegedly also on 9.4. (Need to verify that, soon.)

    My ISP is XS4ALL, fiber connection. They are using PPPoE and VLANs.
    For some reason VLAN isn't working over PPPoE, so I strip my VLAN via a managed switch first. Apparently you can only have Ethernet with VLAN, or vDSL PPPoE with VLANs (in which case you won't get a connection because it isn't vDSL), according to Sophos's web interface anyway.

    Opened a support case at Sophos, but nothing useful or working from that.
    So +1 to get this fixed.
  • Sander Rutten: the best fix right now without Sophos is to put a Mikrotik router in front of the Sophos to do the PPPoE and handle the IPv6 delegation. You can then offer the Sophos a part of that /48. This setup works, but this double NAT and having extra hardware is bananas. Sophos has been ignoring this problem. I opened a case through our partner for this almost a year ago, and the last I heard back is that they (Sophos) haven't provided any update on it.

    ---

    Sophos UTM 9.3 Certified Engineer

  • I have the same setup using KPN. They are using exactly the same setup.
    My VMware server strips the vlan tag. But I guess this should not make any difference. Tagged or untagged, the prefix delegation request should be the same.