
IPv6 through 6rd for internet WAN

I've read an article about setting up SSL-tunnels with 6rd but what about setting up IPv6 internet connectivity through 6rd?

My ISP currently only supports IPv6 through 6rd. I am really confused as to how I can set this up on the XG.

I have the following info from my ISP:


IPv4 BR address: 213.167.115.92
IPv4 Prefix: 0
IPv6 Prefix: 2a01:79c::
IPv6 Prefix Length: 30
IPv6 DNS: 2a01:798:0:8012::4

Please advise!

  • @Kenneth AndréKrøgenes - here's the link to the youtube video that I made that answers your question :) - www.youtube.com/watch

  • @DavidOkeyode Thank you for a very informative walkthrough for 6RD.

    I have calculated my ISP's IPv6 network to be 2a01:79c:d5a7:735c::/60 and I am working on getting my ISP's default IPv6 gateway address.

    I do however notice you have cut out a very crucial part of your video. In your test environment you demonstrate setting up your ipv6 interface on the border router and simply comment that you set it up in the same way on the Customer Edge router.

    My question is then: Have I understood you correctly that the delegated prefix for the internal network is supposed to be set up on the LAN interface on the CE router? To complicate the matter even further, I have 4 VLANs on the CE router and, because the Sophos XG forces you to configure IPv6 on the LAN interface associated with the VLAN interface, I've added the original calculated prefix on LAN and then added some more for the VLAN I'd like IPv6 traffic to flow on. Does this make sense?

    Looking forward to more advanced movies on the XG. If you'd like to make a short tutorial to setup IPv6 locally and on multiple VLANs I'd love to see them :)

  •  No problems. Basically, your LAN network will come from the delegated prefix. This can then be broken down to form multiple subnets. I'll make a clearer video on this once I get the chance :)

  • After some further testing I've come to the conclusion that the Sophos XG really does not support 6RD for WAN the way the ISP delivers it. The details in my first post are everything I need according to the ISP. The way you've demonstrated the tunneling option would work if this was the way the ISP's border router was set up, but this is not the case, and I think it's mainly a matter of getting the developers of the XG to add this option in the IPv6 WAN settings.

    A quick google search on '6rd wan' and you'll see how other routers handle these connections.

  • The XG does support 6RD from my testing (and I have done a lot of testing). You might have misunderstood my explanation in the video. Again, this comes back to the issue not being with the XG but with people's understanding of IPv6 and its operations. I'd advise going through the RFC here (I have gone through it; it is very informative) and also investing in training on IPv6 (Pluralsight has a good one) - tools.ietf.org/.../rfc5969

    To help you with this though. You do indeed have the information that you need from your ISP. You don't need your ISP's default gateway. Their border router is your IPv6 default gateway.

    BUT as your ISP's IPv6 prefix is /30, your calculation of your own delegated prefix and the BR's delegated prefix won't be as straightforward as converting the IPv4 to hex (remember that every IPv6 address character = 4 bits).

    Therefore your ISP's prefix is interpreted as follows

    [2a01]:79c[00XX]::

    [2a01] = 16bits

    79c[00] = 79c is 12 bits; then the next 2 bits.

    The remaining XX bits in the 2nd 'hextet' are not part of your ISP's prefix. Does this make sense?

    # So to calculate your ISP's delegated prefix

    Your ISP's IPv4 BR address: 213.167.115.92
    Your ISP's IPv6 Prefix: 2a01:79c::
    Your ISP's IPv6 Prefix Length: 30

    Because your ISP unfortunately has the 30 prefix rather than the 32 prefix, you'll have more work to do :)

    1. Convert your ISP's IPv4 address to binary (not hex this time. Again, remember that there are 2 vacant bits in the 2nd hextet that you have to fill, and computers deal in binary)

    213.167.115.92

    213 = 11010101
    167 = 10100111
    115 = 01110011
    92 = 01011100

    2. Fill in the binary values in the IPv6 prefix starting from the last two bits 

    2a01:79c[0011]:[0101 0110 1001 1101]:[1100 1101 0111 00XX]:

    Blue = ISP's IPv6 prefix

    Red = ISP's IPv4 address in binary

    Green = 2 bits left in the 4th hextet

    3. Convert back to hex in 4-bit blocks

    2a01:79c[0011]:[0101 0110 1001 1101]:[1100 1101 0111 00XX]: /62

    2a01:79c3:569d:cd7::/62

    62 is the prefix as there are 2 bits left unfilled in the last 

    4. So then your XG configuration

    Network --> IP Tunnels --> Add

    Tunnel Name: Whatever

    Tunnel Type: 6RD

    6RD Prefix: 2a01:79c::/30

    Zone: WAN

    Local Endpoint: Your External IPv4 address that connects to the ISP's BR

    5. Then when you're prompted to "Add Static Unicast Route for IP Tunnel"

    Destination IP = :: 

    Prefix = 0

    Gateway = 2a01:79c3:569d:cd7::/62 (Your ISP BR's delegated prefix that you calculated earlier)

    Interface: Your 6RD tunnel name

    6. Using the method above, calculate your internal IPv6 delegated prefix (instead of your ISP's public IP, it will be using your public IP).

    Or you can use the route -A inet6 command in the backend to see it (the XG calculates it automatically)

    That is what you will use for your internal network, with some subnetting of course. For example, the last 2 vacant bits in the last hextet can be used by you for different subnets (this makes it a /64), or you can even extend the bits further to the right.
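
The calculation in steps 1 to 3 above, done bit-exactly from RFC 5969 section 4 rather than by hand, as an added example that is not part of this thread or of the Sophos XG: the 6rd delegated prefix is the 6rdPrefix followed by the low-order (32 - IPv4MaskLen) bits of an IPv4 address, so with the ISP's /30 and IPv4 prefix 0 the BR address yields a /62, and the same function applied to your own public IPv4 address yields the CE prefix from step 6. It also handles a non-zero IPv4MaskLen (not the case on this page) and carves the result into the /64s mentioned above; the CE address is a constructed placeholder.

```python
import ipaddress
from typing import List


def sixrd_delegated_prefix(sixrd_prefix: str, ipv4_mask_len: int,
                           ipv4_addr: str) -> ipaddress.IPv6Network:
    """RFC 5969 section 4: 6rd delegated prefix = 6rdPrefix followed by the
    low-order (32 - IPv4MaskLen) bits of the IPv4 address.  The high-order
    IPv4MaskLen bits are common to every CE in the domain and are dropped."""
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("IPv4MaskLen must be between 0 and 32")
    prefix = ipaddress.IPv6Network(sixrd_prefix, strict=False)
    v4_bits = 32 - ipv4_mask_len
    delegated_len = prefix.prefixlen + v4_bits
    if delegated_len > 64:
        # Longer than /64 leaves no room for a SLAAC-capable LAN subnet.
        raise ValueError("6rdPrefixLen + 32 - IPv4MaskLen exceeds 64")
    suffix = int(ipaddress.IPv4Address(ipv4_addr)) & ((1 << v4_bits) - 1)
    # Place the IPv4 bits immediately after the 6rd prefix bits.
    value = int(prefix.network_address) | (suffix << (128 - delegated_len))
    return ipaddress.IPv6Network((value, delegated_len))


def lan_subnets(delegated: ipaddress.IPv6Network) -> List[ipaddress.IPv6Network]:
    """Every /64 that can be carved out of the delegated prefix (one per VLAN)."""
    return list(delegated.subnets(new_prefix=64))


def address_in_delegated(addr: str, delegated: ipaddress.IPv6Network) -> bool:
    """Sanity check for an interface or gateway address: is it inside the prefix?"""
    return ipaddress.IPv6Address(addr) in delegated


# Parameters quoted from the ISP in this thread.
ISP_6RD_PREFIX = "2a01:79c::/30"
ISP_IPV4_MASK_LEN = 0
ISP_BR_IPV4 = "213.167.115.92"
# Constructed placeholder for the CE's public IPv4 address (RFC 5737 range).
CE_IPV4 = "198.51.100.7"

if __name__ == "__main__":
    br_prefix = sixrd_delegated_prefix(ISP_6RD_PREFIX, ISP_IPV4_MASK_LEN, ISP_BR_IPV4)
    ce_prefix = sixrd_delegated_prefix(ISP_6RD_PREFIX, ISP_IPV4_MASK_LEN, CE_IPV4)
    print("BR-derived delegated prefix:", br_prefix)
    print("CE delegated prefix:        ", ce_prefix)
    for net in lan_subnets(ce_prefix):
        print("  LAN /64:", net)
```

With a /32 6rd prefix and IPv4MaskLen 0 the function reduces to the "convert the IPv4 address to hex" shortcut; the /30 case shifts every IPv4 bit two positions left, which is why hand conversion goes wrong.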

  • After many attempts, I finally am able to get IPv6 working.  :)  I tried to create a 6RD tunnel many times and it just never connected.  :(  This last attempt, I used 6in4, for the heck of it, instead of 6RD.  To my surprise, it worked.  :)  I was reading that 6RD is a feature of 6in4 so I tried it.  6in4 will not automatically assign your local IPv6 subnet but that can be calculated (as mentioned) or obtain that information from your ISP.


    I created the steps below (for my own sanity) but hopefully it will help someone else.  It's a very easy step-by-step walk through.


    Items required:
    Public IPv4 address provided by ISP
    Internal IPv6 subnet provided by ISP. Calculated or provided by ISP.
    ISP Border Relay or Border router IPv4 address.


    ---
    Step #0: !!! SAVE YOUR CURRENT CONFIGURATION !!!


    System → Administration → Backup & Restore
    Save your backup in a safe and easy access location


    ---
    Step #1: Add 6in4 tunnel (not 6RD)


    System → Network → IP Tunnel
    Click Add
    Tunnel name: “free form”
    Tunnel Type: 6in4
    Zone: WAN
    Local Endpoint: Public IPv4 address provided by ISP
    Remote Endpoint: ISP Border Relay or Border router IPv4 address.
    Click Save.


    A pop-up window will be displayed asking for a static route
    Destination IP: :: (colon 2x)
    Prefix: 0 (zero)
    Leave distance at 1
    Click Save


    ---
    Step #2: Enable IPv6 on LAN interface


    System → Network → Interfaces
    Click to choose your internal LAN port
    Click IPv6 Configuration box
    IP Assignment: Static
    Insert internal IPv6 subnet provided by ISP with a 1 added to the end
    Example: 2000:abcd:abcd:4321::1 /62
    Click Save
    Click OK at warning window


    ---
    Step #3: Add IPv6 policy to allow traffic.


    Policies → Click IPv6 tab → Add firewall rule → User/Network Rule
    Create rule with any-in any-out FOR NOW. Lock down in step #6
    Rule name: “free form”
    Identity: off
    Source: Zone, Any
    Destination: Zone, Any
    Action: accept
    Routing: all off
    Everything else: off


    ---
    Step #4: Test your IPv6 from the firewall.


    SSH into the firewall. (or direct console)
    Click 5. Device management
    Click 3. Advanced Shell
    From the prompt ping “ipv6.google.com”
    Example: # ping6 ipv6.google.com
    At this point, ping should reach the internet. If not, troubleshoot or back out.


    ---
    Step #5: Enable IPv6 router advertisements on LAN. (or use DHCPv6)


    System → Network → IPv6 Router Advertisement
    Click add
    Interface: click your LAN port
    Prefix Advertisement Configuration: Insert a /64 subnet portion of your overall /62
    Example: 2000:abcd:abcd:4323::
    Click Save


    ---
    Step #6: Lock down your IPv6 policy from step #3.


    Policies → Click IPv6 tab
    Click on the policy created in step #3
    Do not do extra work.
    Just copy your favorite IPv4 firewall policy to IPv6


    ---
    Step #7: Success!!! Conduct final IPv6 tests from the LAN workstations.

  • Hi David, thank you for your thorough response, but the way you've calculated the BR delegated prefix is incorrect. 2a01:79c3:569d:cd7::/62 is not a valid IPv6 address and will only give an error message if I were to enter this as the gateway; the same goes for 2a01:79c3:569d:cd7::1/62. Instead of doing this manually I've had success in using this calculator when creating my IPv6 gateway and delegated prefix: silmor.de/ipaddrcalc.html I have however been able to successfully use the calculated IPv6 delegated prefix and set up the tunnel as a 6in4 as described in the post below.

  • Nice work Trony!

    I've got this running as far as doing a ping6 from the firewall! I still have to wrap my head around it:

    I am running 3 VLANs on the XG (the LAN is not used) and, the way the XG has constructed its interfaces, the VLANs are dependent on the LAN they are attached to.

    So - I have to define the IPv6 subnet on the LAN before I can enable an IPv6 subnet on a VLAN. So far so good. (I am not sure why Sophos has built it like this, but maybe you or David have an explanation for this).

    Anyways, the firewall can ping6 now and I've successfully distributed IPv6 subnets to the VLANs, adding some unique bits for each VLAN.

    -But: the VLANs are still not able to ping6... Is there some additional masquerading or defining of gateways I've missed? Have I misunderstood something regarding the Prefix Advertisement Configuration?

    In your example you've used 2000:abcd:4321::1 /62 as the calculated IPv6 subnet, and in your description for inserting a /64 subnet portion of your overall /62 -- I reckon that you are referring to abbreviating this /64 subnet from the /62 example. How does this end up as 2000:abcd:4323::   ?

    Is this 3 just a random number you made up, or could you elaborate? I myself used 2000:abcd:4321:1234::1 /64 for my VLAN subnet... but maybe I've ended up with a subnet that is not able to reach the gateway...?

    Any thoughts from you or David would be much appreciated :)

    Almost there!

  • It looks like you got the most difficult part out of the way, which is getting your device connected to the internet using IPv6. :)


    You are correct regarding the subnetting and I stand corrected; I missed it by using the next octet over. Here is the breakdown using the website: http://www.gestioip.net/cgi-bin/subnet_calculator.cgi

    IP address: 2000:abcd:abcd:4321::/62
    Type: GLOBAL-UNICAST
    Network: 2000:abcd:abcd:4320::
    Prefix length: 62
    Network range: 2000:abcd:abcd:4320:0000:0000:0000:0000 - 2000:abcd:abcd:4323:ffff:ffff:ffff:ffff
    Total IP addresses: 73786976294838206464

    Breaking down your /62 network into individual /64s, you will have the following sub-networks to use for each separate VLAN:

    2000:abcd:abcd:4320::/64
    2000:abcd:abcd:4321::/64
    2000:abcd:abcd:4322::/64
    2000:abcd:abcd:4323::/64

    If you have a /60, you have a bunch more subnets to use.

    Do not forget to match your IPv6 Router Advertisements with your respective VLANs.


    It seems those are the only pieces missing.


    Anyway, I hope I answered your question. Please advise when you do get it working. I'm very curious. :)


    Thanks.

  • I forgot to mention, you do have to create a separate IPv6 Router Advertisement policy for each interface and also match the subnet. This way, each workstation receives the correct information.


    Thanks.