
IPv6 questions re: NDP link-local entries for WAN port, ISP delegation methods, etc.

My ISP doesn't yet support IPv6. Using XGS87, v18.5. I have not enabled anything IPv6 yet, but obviously almost all devices are using it internally.

1. In poking through IPv6-related pages in the GUI I can see in Network > Neighbor > IPv6 Cache, I see 60+ link-local entries of which about half show the WAN port (Port 2 in my case) as their Interface. These devices have MAC addresses that I don't recognize as my devices, but I guess it's possible they're devices I'm not aware of on my network and for whatever reason they are associated with the WAN rather than their internal zone. Should I be seeing apparently external IPv6 (and associated MAC) addresses as neighbors? (I realize this has to do with what my ISP is doing upstream of me, though again I'd mention that they don't currently support IPv6 for customers, so I'm suspicious of them having a lot of IPv6-using devices of their own that are directly visible to my XGS.)

2. It seems like there are at least 4 methods my ISP could use to roll out IPv6 to the XGS87. The current SFOS 18.5 allows for a manual entry, and also for DHCPv6. There is apparently a different DHCP-based mechanism (DHCP-PD) that SFOS doesn't currently support. And it seems like there is another option as well. Have you found any concise, clear descriptions of these mechanisms, and can you say which ones Sophos currently supports or is expected to support soon?

3. It seems like internally, regardless of the option the ISP chooses (from question #2), I just have to turn on the IPv6 RA on the XGS and that will let all the local devices know what to do. Is it pretty much that simple? (It seems like DHCPv6 is also available for the internal networks, but that seems like overkill for a home office network.)

4. DDNS currently supports either IPv4 or IPv6. Is this a Sophos limitation or do places like Google not support it?

5. How might one create rules that apply to individual devices? The mechanisms I see would be either clientless users or MAC-address-based host names? Not sure if a clientless user supports multiple IP (v6) addresses though. I believe that since most of my rules are zone-based they should work regardless of IPv6 addresses changing. Right? So it's just the couple of device-specific rules that need to be considered?

Thanks!

  • Hi,

    Some devices provide an alternative MAC address for IPv6, which makes diagnosing what the device is very difficult.

    Clientless users only support one IP address. The current version of XG requires IPv6 to use a NAT and does not fully support IPv6 addressing mechanisms, very frustrating. Also, the current version of XG does not support IPv6 FQDN in network firewall rules.

    XG DNS does support a client device with two types of addresses, IPv4 and IPv6.

    If you use the internal RA, you can create your own IPv6 addresses, but be careful, because most devices will get at least two if not more IPv6 addresses, which makes managing access very difficult.

    Ian

  • OK, bad news. Or not-so-bad in the sense that my ISP doesn't offer IPv6 anyhow. So I'll be a doubly-late adopter of IPv6 I guess.

    I am still puzzled by over 30 IPv6 addresses associated with the WAN port. But I was able to confirm all but one MAC address for devices associated with my LAN zone. That one puzzles me a lot, but per your suggestion it could be a device with multiple MAC addresses. So I do think that there are 30 devices out there that are in direct contact with my XGS: the question is whether they're ISP-housed devices or perhaps ISP-provided modems/firewalls that are in other apartments in our building.
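
As an added example (not code from the thread, from Sophos, or from the poster), here is a small Python triage script for a neighbor-cache dump like the one in question 1. It assumes the cache is exported in Linux `ip -6 neigh show` format (an assumption; the GUI table would have to be pasted into that shape) and uses constructed sample entries. For each neighbor it reports the interface, whether the address is link-local or global, whether the interface identifier is derived from the advertised MAC (EUI-64) or is a privacy/random identifier, whether the MAC is a locally administered (randomized) one as Ian's reply describes, and which MACs appear behind more than one port, which is the cross-check the follow-up did by hand.

```python
"""Triage an IPv6 neighbor (NDP) cache dump.

Added example. Assumes the dump is in Linux `ip -6 neigh show` format:
  <addr> dev <iface> [lladdr <mac>] [router] <STATE>
"""
import ipaddress

# Constructed sample dump; these addresses and MACs are not real observations.
SAMPLE_NEIGH = """\
fe80::1e3b:f3ff:fe4a:9c01 dev Port2 lladdr 1c:3b:f3:4a:9c:01 router STALE
fe80::a8d2:19c4:77be:2f10 dev Port2 lladdr 00:11:22:33:44:55 STALE
fe80::211:22ff:fe33:4455 dev Port1 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1::5 dev Port1 lladdr 00:11:22:33:44:55 REACHABLE
fe80::c0de:beef:1234:5678 dev Port1 lladdr 02:ab:cd:ef:01:23 STALE
fe80::9f3a:1 dev Port2 FAILED
"""


def parse_neigh(text):
    """Parse `ip -6 neigh show` lines into dicts; skips lines it cannot read."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[1] != "dev":
            continue
        mac = tok[tok.index("lladdr") + 1] if "lladdr" in tok else None
        entries.append({
            "addr": ipaddress.IPv6Address(tok[0]),
            "dev": tok[2],
            "mac": mac,
            "router": "router" in tok,   # neighbor advertised itself as a router
            "state": tok[-1],
        })
    return entries


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def is_locally_administered(mac):
    """Bit 1 of the first octet set means a locally administered MAC; OS-level
    MAC randomization (phones, Windows/Android random hardware address) sets it."""
    return bool(mac_bytes(mac)[0] & 0x02)


def eui64_iid(mac):
    """RFC 4291 modified EUI-64: flip the U/L bit and insert ff:fe in the middle."""
    b = bytearray(mac_bytes(mac))
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def classify(entry):
    """Return (scope, kind): is the IID derived from the MAC or opaque?"""
    scope = "link-local" if entry["addr"].is_link_local else "global"
    if entry["mac"] is None:
        kind = "no-lladdr"   # unresolved / FAILED entry, nothing to attribute
    elif entry["addr"].packed[8:] == eui64_iid(entry["mac"]):
        kind = "eui64"       # IID embeds the MAC: easy to attribute to a NIC
    else:
        kind = "opaque"      # privacy or stable-random IID (RFC 4941 / RFC 7217)
    return scope, kind


def interface_report(entries, dev):
    """MAC -> list of (address, scope, kind) for neighbors seen on one port."""
    report = {}
    for e in entries:
        if e["dev"] == dev:
            report.setdefault(e["mac"], []).append((str(e["addr"]),) + classify(e))
    return report


def macs_on_multiple_interfaces(entries):
    """MACs seen behind more than one port: a LAN host also showing up on WAN."""
    seen = {}
    for e in entries:
        if e["mac"]:
            seen.setdefault(e["mac"], set()).add(e["dev"])
    return {m: d for m, d in seen.items() if len(d) > 1}


if __name__ == "__main__":
    entries = parse_neigh(SAMPLE_NEIGH)
    for mac, addrs in interface_report(entries, "Port2").items():
        flag = "randomized-mac" if mac and is_locally_administered(mac) else ""
        print(mac, flag, addrs)
    print("seen on several ports:", macs_on_multiple_interfaces(entries))
```

Entries classified as `eui64` can be tied straight to a NIC; `opaque` ones are the "alternative address" case and need the MAC (or a DHCPv6 lease) to attribute, and a MAC in the multi-port set is worth a closer look at the cabling or bridging.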