Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 16 replies
  • Subscribers 28 subscribers
  • Views 2562 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web filter policy engine breaks website on ipv6 SFOS 17.5 MR9&10

Dion-Ben Hendriks

Hi,

 

I have a problem with the web filter policy engine when trying to connect to https://mijn.triathlonbond.nl/login over ipv6. My default firewall rule includes a web filter policy which allows all. 

 

 for logging purposes.

 

But when I try to connect to the above mentioned site over IPv6 the connection times-out. In the logging of the Sophos there is no indication of an error, nothing is being blocked, not on any of the log categories...(when is a unified logging view comming...?)

But when I change the firewall rule not the include the web filter, the website behaves normal...How to fix this, or is it, bug or limitation of XG? I Have this in both MR9 and MR10

BTW: the XG is running in bridge mode, without NAT. I Would have liked to be running in routed mode but the XG is apparently not able to request a IPv6 subnet delegation from my router. (OpenSense does!)

 

Dion



This thread was automatically locked due to age.
  • 0 in reply to rfcat_vk

    But why does all other traffic then work?

    and to circumvent the problem I had created another rule were the web policy is not include, still no MASQ and that worked....? 

    Here the Firewall Log showing traffic flowing thru first rule 7 (the default traffic rule) and later rule 16 (the specific traffic rule create for this site, see above).

    Here the Web policy log (only showing rule 7, as expected)

  • 0 in reply to Dion-Ben Hendriks

    Hi,

    If you examinee those logviewer results there is no traffic passed, just allowed by the firewall rule but never leave the XG due to no NAT.

    Ian

  • 0 in reply to rfcat_vk

    Ian, 

    that is the WEB log (the bottom image) you are referring to, which only shows rule 7 traffic, which is not working, 0 byte is the only indication that its not working.

    In the Firewall log ( the before last  image) it also shows traffic flowing thru rule 16, in that case it worked....  Note that rule 16 also has no NAT configured.

    In the top image is WEB log for other IPv6 traffic passing thru rule 7, bytes sent >0. 

    So my conclusion is that IPv6 without NAT in working in Bridge mode.....

     

    Dion

  • 0 in reply to Dion-Ben Hendriks

    Hi,

    I agree with you, which is at odds with others experience. I do not have a bridge setup at the moment, i would need to put my test box online and see what happens.

    In the meantime lets hope another member who has IPv6 can test bridge mode?

    Ian

  • 0

    Google and youtube and several other sites are IPv6.  www.example.com is IPv6 and supports both HTTP and HTTPS.  If those sites work then I do not think he has a generic IPv6 problem such as NAT,.  Remembering of course that all the sites are dual-stack and fall back to IPv6 so you need to look at logs to confirm you are connecting with IPv6.

    If it is only this one website that is the problem I would focus my debugging on that site.  Basically if IPv6 works in general and this site fails in particular, I would blame the site and not the config.  It may not be an IPv6 problem at all.

     

    Just in case it is a silly error...  Are you sure that your IPv4 and your IPv6 firewall rules are in sync with each other.

  • 0 in reply to Michael Dunn

    For IPv4 i have no special firewall rule to allow this site without the webfilter, all IPv4 traffic passes the same webfilter as IPv6

     

    The site is accessable via IPv6 for it works when I pass it thru a rule without Webfilter, it break if it passes the webfilter. but only the IPv6 traffic, if I access the site through IPv4 with the same webfilter it works....so I really think it's the webfilter in IPv6 that breaks this site.....