XG750 Dual Stack Captive Portal. How To?

We have 2 XG 750s (Passive HA) facing the WAN (IPv4) and a large 10.0.0.0/8 network on the LAN side. The LAN side consists of L3 core switches and several hierarchies of L3 and L2 switches.

As of today, the captive portal authenticates all users against IPv4.

We are now in the process of getting an IPv6 /32 block and want to transition to IPv6 using a dual-stack mode.

When it comes to the captive portal, will the users need to log in using captive portals (one IPv4 and one IPv6) to access both IPv4 and IPv6 sites?

If yes, is there a workaround for it?

If not, how does it authenticate both IPs?



  • Hi,

    A /32 IPv6 is a very large range of addresses.

    The current version of XG does not support IPv6 very well; all IPv6 rules need a NAT.

    As of today, I have not found a way of using IPv6 addressing FQDNs in XG. A FQDN will be resolved and connected when a device makes a request.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ian, Thanks for the reply.

    /32 is pretty large for a university, but we only had choices from RIR between /48 and /32, and as we have a multi-site setup, /32 was the better choice.

    I am not clear on "all IPv6 rules need a NAT". We have an IPv6 network coming into the WAN interface for the XG750, and I am not sure if NAT applies to IPv6 (both LAN and WAN are on IPv6).

    We have a dual-stack setup, so clients have both IPv4 and IPv6 addresses allocated to them via a set of DHCP servers. We have not yet enabled IPv6 over the switches in our network.

    The concern we have is, say a user accesses ipv4.google.com, they (browser) will naturally connect to the Sophos on the IPv4 interface IP, the captive portal will capture this IP and allow login and pass the request.

    Then say the user accesses ipv6.google.com, which exclusively has an AAAA record, the browser will initiate an IPv6 packet towards the Sophos firewall on its IPv6 interface, the captive portal might show up again as the previous login was against the IPv4 IP.

    We haven't tested it yet but this seems like what is most likely going to happen. If this is true, how can the first login page capture both IPv4 and IPv6 IPs of the client?

  • Hi,

    I am not a captive portal user, so I cannot help you with the question. I have a dual stack system and you need a NAT for all IPv6 traffic between LAN and WAN.

    I need to make a correction: you can create networks with IPv6 addresses, but you can't use FQDNs in IPv6 firewall rules.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.
