
Web filter policy engine breaks website on ipv6 SFOS 17.5 MR9&10

Hi,


I have a problem with the web filter policy engine when trying to connect to https://mijn.triathlonbond.nl/login over IPv6. My default firewall rule includes a web filter policy which allows all.


  for logging purposes.


But when I try to connect to the above-mentioned site over IPv6 the connection times out. In the logging of the Sophos there is no indication of an error, nothing is being blocked, not in any of the log categories... (when is a unified logging view coming...?)

But when I change the firewall rule not to include the web filter, the website behaves normally... How to fix this, or is it a bug or limitation of XG? I have this in both MR9 and MR10.

BTW: the XG is running in bridge mode, without NAT. I would have liked to be running in routed mode but the XG is apparently not able to request an IPv6 subnet delegation from my router. (OpenSense does!)


Dion



  • Hi Dion-Ben,

    a very simple answer: you have not enabled MASQ (NAT) on your firewall rule. NAT is mandatory on XG IPv6 firewall rules.

    Ian

  • But why does all other traffic work then?

    And to circumvent the problem I had created another rule where the web policy is not included, still no MASQ, and that worked...?

    Here is the Firewall Log showing traffic flowing through first rule 7 (the default traffic rule) and later rule 16 (the specific traffic rule created for this site, see above).

    Here is the Web policy log (only showing rule 7, as expected).

  • Hi,

    If you examine those log viewer results there is no traffic passed, just allowed by the firewall rule but never leaving the XG due to no NAT.

    Ian

  • Ian, 

    that is the WEB log (the bottom image) you are referring to, which only shows rule 7 traffic, which is not working; 0 bytes is the only indication that it's not working.

    In the Firewall log (the second-to-last image) it also shows traffic flowing through rule 16; in that case it worked.... Note that rule 16 also has no NAT configured.

    In the top image is the WEB log for other IPv6 traffic passing through rule 7, bytes sent > 0.

    So my conclusion is that IPv6 without NAT is working in Bridge mode.....


    Dion

  • Hi,

    I agree with you, which is at odds with others' experience. I do not have a bridge setup at the moment; I would need to put my test box online and see what happens.

    In the meantime, let's hope another member who has IPv6 can test bridge mode?

    Ian