Web filter policy engine breaks website on ipv6 SFOS 17.5 MR9&10

Further info, that site only returns an IP4 address.

Ian

For me it resolves ipv6 to:

mijn.triathlonbond.nl.

TTL=299

AAAA    2a01:7c8:aaae:18::1

(not authoritative)

Hi,

I can trace route to the site, but cannot connect to it. Fails safari and FF as invalid address. The following is part of the trace route and seems to have some invalid addresses as well as very long responses which could explain your failures.

19  e1-a8.r2.ams0.transip.net  308.888 ms  310.665 ms  312.896 ms

20  r2.f2.ams4.transip.net  311.594 ms  317.441 ms  313.973 ms

21  f2.l1.ams4.transip.net  312.796 ms  319.728 ms  316.361 ms

22  * *

    f2.l1.ams4.transip.net  3337.408 ms !A

23  * * *

24  *

    f2.l1.ams4.transip.net  3601.819 ms !A *

25  f2.l1.ams4.transip.net  3646.906 ms !A * *

26  *

    f2.l1.ams4.transip.net  3357.424 ms !A  3954.573 ms !A

Ian

Hi,

I can trace route to the site, but cannot connect to it. Fails safari and FF as invalid address. The following is part of the trace route and seems to have some invalid addresses as well as very long responses which could explain your failures.

19  e1-a8.r2.ams0.transip.net  308.888 ms  310.665 ms  312.896 ms

20  r2.f2.ams4.transip.net  311.594 ms  317.441 ms  313.973 ms

21  f2.l1.ams4.transip.net  312.796 ms  319.728 ms  316.361 ms

22  * *

    f2.l1.ams4.transip.net  3337.408 ms !A

23  * * *

24  *

    f2.l1.ams4.transip.net  3601.819 ms !A *

25  f2.l1.ams4.transip.net  3646.906 ms !A * *

26  *

    f2.l1.ams4.transip.net  3357.424 ms !A  3954.573 ms !A

Ian

But why does it the work when I disable the Web filter policy in the firewall rule?

Hi

do you have decrypt and scanning enabled? Have you installed the CA on you PC. Please post the firewall rule.

Ian

Nope...

details:

Hi Dion-Ben,

a very simple answer you have not enabled MASQ (NAT) on your firewall rule. NAT is mandatory on XG IPv6 firewall rules.   

Ian

But why does all other traffic then work?

and to circumvent the problem I had created another rule were the web policy is not include, still no MASQ and that worked....? 

Here the Firewall Log showing traffic flowing thru first rule 7 (the default traffic rule) and later rule 16 (the specific traffic rule create for this site, see above).

Here the Web policy log (only showing rule 7, as expected)

Hi,

If you examinee those logviewer results there is no traffic passed, just allowed by the firewall rule but never leave the XG due to no NAT.

Ian

Ian, 

that is the WEB log (the bottom image) you are referring to, which only shows rule 7 traffic, which is not working, 0 byte is the only indication that its not working.

In the Firewall log ( the before last  image) it also shows traffic flowing thru rule 16, in that case it worked....  Note that rule 16 also has no NAT configured.

In the top image is WEB log for other IPv6 traffic passing thru rule 7, bytes sent >0. 

So my conclusion is that IPv6 without NAT in working in Bridge mode.....

Dion

Hi,

I agree with you, which is at odds with others experience. I do not have a bridge setup at the moment, i would need to put my test box online and see what happens.

In the meantime lets hope another member who has IPv6 can test bridge mode?

Ian