
How to set firewall rule precedence when using IPv4 and IPv6?

Hi folks,

I think this might be the reason why my IPv6 implementation did not work correctly?

For devices that have dual stack, what determines the firewall rule that will be applied? In my case the traffic flow seemed to work correctly for every web site except Google. The various web browsers would report an interrupted connection, which was further reported as an insecure connection.

Your thoughts please?

Ian



  • Hi Ian,

    AFAIK, the priority of a firewall rule is determined by its order: top to bottom. I think your query is more related to choosing the right DNS servers for the DNS queries. Go to Network | DNS | DNS query configuration. This section is used to choose the DNS server to be used for resolving the domain name on the basis of the incoming request's record type. An incoming request can be of A or AAAA type.

    Any help?

  • Hi Sachin,

    No help, thank you. My question applies to firewall rules. I have IPv4 and IPv6 rules because the XG treats the two protocols as basically two firewalls which part when the packets hit the XG, then rejoin when they leave the XG.

    How do you determine which firewall rule will be checked, because the DNS will respond with both IPv4 and IPv6 addresses? I would like to have the IPv6 rule as a higher priority to see if that fixes an issue I have with Google connections failing.

    Ian

    I have changed the DNS setting to use IPv6 if the requesting address is IPv6. I will do further testing by recreating all the IPv6 configuration in the XG.

  • Hi Ian,

    Exactly, as you said, IPv4 and IPv6 are two separate stacks in the XG firewall, hence the precedence of one over the other is not relevant. After reading some forums and posts, IPv6 is prioritized over IPv4 but this is decided by the operating system. However, the precedence between the two protocols is also configured in the DNS server. Here, if XG is the DNS server then configure it to choose the IPv6 DNS server over IPv4 and it will do the job.

    Thanks

  • Hi Sachin,

    I tried all of these things today with the same result, Google indicating an insecure connection.

    To get IPv6 to work I had to disable match users. Further, I found I could select IPv4 devices in my source networks.

    I will try again after the theoretical NBN is deployed and I have a more stable and quicker network.

    Ian
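
A simplified model of the behaviour described in this thread, added here as an illustration and not taken from the posts or from Sophos: each address family has its own rule table evaluated top to bottom, and the table consulted depends only on the family of the packet the client's operating system chose to send. The rule names, the addresses (documentation ranges) and the default-drop fallback are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    source: str           # CIDR the client must be in
    dest: str             # CIDR the destination must be in
    port: Optional[int]   # None means any port
    action: str           # "accept" or "drop"

# Constructed rule tables, one per address family, listed top to bottom.
RULES = {
    4: [Rule("v4-block-telnet", "192.168.1.0/24", "0.0.0.0/0", 23, "drop"),
        Rule("v4-lan-to-wan", "192.168.1.0/24", "0.0.0.0/0", None, "accept")],
    6: [Rule("v6-lan-https", "2001:db8:1::/64", "::/0", 443, "accept")],
}

def evaluate(src, dst, port):
    """Return (rule name, action) of the first matching rule in the
    table for the packet's address family; assumed default is drop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination must share a family")
    for rule in RULES[s.version]:
        if (s in ipaddress.ip_network(rule.source)
                and d in ipaddress.ip_network(rule.dest)
                and rule.port in (None, port)):
            return rule.name, rule.action
    return "default", "drop"

def verdicts_for_host(client_addrs, dns_answers, port):
    """For a dual-stack client and the A/AAAA answers for one name,
    show the verdict each family would get. The two never compete:
    the family the client picks selects the table."""
    out = {}
    for dst in dns_answers:
        ver = ipaddress.ip_address(dst).version
        src = next(a for a in client_addrs
                   if ipaddress.ip_address(a).version == ver)
        out[f"IPv{ver}"] = evaluate(src, dst, port)
    return out

if __name__ == "__main__":
    client = ["192.168.1.10", "2001:db8:1::10"]      # constructed
    answers = ["203.0.113.5", "2001:db8:ffff::5"]    # constructed A + AAAA
    for port in (443, 80):
        print(port, verdicts_for_host(client, answers, port))
```

With these tables the same hostname is reachable on port 80 over IPv4 but dropped over IPv6, so a site can fail only for clients whose operating system prefers the AAAA answer even though no rule ordering between the families exists.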