I've tried this with both SFOS 16.01.2 and SFOS 16.05.0 without success.
I'm trying to use an he.net tunnel over a PPPoE session due to the lack of DHCPv6 Prefix Delegation support.
The tunnel appears to be working partially. I've lowered the he.net side of the tunnel's MTU to 1472 to cater for the PPPoE header and verified via an Advanced Shell session that the 6in4 tunnel is also using an MTU of 1472. I've also lowered the IPv6 MTU on my test Windows 10 VM to 1472.
I have a default route (::/0) pointing to the 6in4 tunnel.
I also have a single IPv6 rule that allows all traffic from the LAN zone to the WAN zone. No scanning, policies or NAT are being applied. Simple vanilla allow rule.
I've taken the routed /64 prefix and assigned an address to the LAN interface (e.g. 2001:470:x:x::1).
I've also assigned the Windows 10 VM an address from the same prefix (2001:470:x:x::2) and am using the XG Firewall's assigned address as the default gateway. I'm also using the he.net provided DNS Forwarder as the DNS server.
Both the XG Firewall and the Windows 10 VM are happy to ping and traceroute the remote end of the tunnel, the he.net supplied DNS forwarder and any number of IPv6 addresses.
However, any attempt made to connect to TCP services such as SMTP, IMAP, POP3, HTTP and FTP over IPv6 results in timeouts.
I suspect that SFOS is being too smart for its own good, intercepting the traffic even though the single IPv6 rule says don't do this, and then failing to establish the upstream connection due to a lack of a Global IPv6 address assigned to a WAN interface. The reason I suspect this is because running ifconfig via an Advanced Shell session only shows a single Global IPv6 address and that's the one I manually assigned to the LAN interface. The 6in4 tunnel has no Global IPv6 address and I can't see any way of assigning one.
Is there anyone who is able to confirm my suspicions? Or failing that, help me come up with a way of getting this to work?
Every time I try anything related to IPv6 on SFOS it just seems unnecessarily difficult, and it appears that the IPv6 implementation is half-baked.