
WAN IPV6 in XG v17. Is there a trick to it?

Hello, 

I've been running XG firewall with IPV4 LAN and WAN for the past year.  I am currently running XG 17 MR3.  I decided to experiment with IPV6.  Under Interfaces I set the WAN port to use IPV6 DHCP Auto.  It appeared to connect via IPV6 since it found the IPV6 Gateway and it gave me a "green light" in the WAN Link Manager.  But I had no internet access through the firewall.  I tried pinging IPV6 sites and accessing IPV6 sites to no avail.  For comparison, I disconnected the XG firewall from the modem and connected my laptop directly to the modem.  My Windows 10 laptop quickly connected to the modem using IPV6 and found the same IPV6 gateway.  I was able to surf the internet with my laptop accessing IPV6 sites.  I had no special settings in Windows 10, just set it to automatically connect with DHCP.

So if the laptop could connect without issue, why can't the XG firewall connect?



  • Hi,

    The XG does not fully support IPv6. The external interface will pick up IPv6 using the DHCP setting and will provide you with IPv6 DNS. The XG will not display or even show you your assigned /56 for your local network use. I was never able to find the assigned /56 so I gave in the hope that a new XG release will at least bring the XG up to the same standard as the IPv6 on the UTM. You will need to set up separate rules.

    Ian

  • Yep.  Each and every rule will have to be duplicated.  But wait!!!  The bad joke does not end there!!!  You will have to duplicate all objects as well!!!

    So ...  If you have 70 rules on your firewalls, and 150 objects ...  Well multiply by two.

    Same problems with NAT.  Instead of being a component of an object or network, it is a component of a rule.  So if you change your ISP, you will have to hunt all of these details.  Takes forever.

    Absolutely nothing is easy with Sophos.

  • Hi Big_Buck,

    In theory you should not have to duplicate your rules because 'any' should pick up the IPv6 interfaces, but you're suggesting it doesn't, and the firewall rules having two tabs would also imply it doesn't. So that then leads to the next question: what is the difference between IP4 'any' and IPv6 'any', and where is it displayed in the GUI?

    The other theory is that NAT was not required with IPv6, you could go direct, but the NAT mob prevailed and masq/NAT was added.

    "Then there is another issue with static addresses, because you cannot assign the same MAC address to two different IP addresses." I will rephrase this: you can't associate the same device name with an IPv6 and an IP4 address.

    Ian

  • With Sophos, objects for IPv6 are not the same as objects for IPv4.  Checkpoint objects, like those of many other firewalls, have both IPv4 AND IPv6 addresses ...

    So ...  Yes, you will have to re-write all of your rules and objects.  IPv4 rules have no effect on IPv6 in Sophos.

  • Thanks Ian,

    I have set up a very simple IPV6 firewall rule to allow LAN to WAN.  Still not connecting via IPV6.  I have configured IPV4 and IPV6 for the WAN port in Configure->Network->Interfaces (for the same interface).  When I check the WAN Link Manager, both have green lights.  When I check my firewall rules, the IPV4 rules show traffic but the IPV6 rules do not.  I cannot ping IPV6 addresses through the XG firewall diagnostics tool.  I am not sure what I've missed.  I have tried setting the DNS IPV6 servers to obtain through DHCP and manually, and neither makes a difference.  I have deleted the IPV4 interface, leaving the IPV6, and that completely kills my internet access from the XG.  I had hoped that it might force it to connect via IPV6.

    One odd thing, on the control centre home page, the interfaces symbol is yellow/orange which to me indicates that there is an issue.  When I click on that symbol it shows green lights for the IPV4 and IPV6 interfaces and their respective IPV4 and IPV6 gateways.  Not sure how one is intended to troubleshoot from there.

    Best regards

  • SG has single rules and definitions. Once you globally enable IPV6, the ipv6 IP field shows up and your firewall rules become ipv4/ipv6. XG is running two parallel systems, which is a shame.

    @casual_user in your diagnostics, ping ipv6.google.com from your WAN port and it will ping correctly if your interface is receiving a valid ipv6 address and you are not looking at link-local addresses (fe80::). The orange sign indicates that your IPV6 gateway is not pingable and won't stop you from using the ipv6 internet. The problem is coming because XG won't work with ipv6 without the correct NAT, and your LAN has absolutely no idea what router to use for ipv6.

    Try assigning a bogus IP (2001:10:1:1::1) to your LAN interface on XG and then use (2001:10:1:1::2) for your client with your XG LAN as your gateway. Now set up a firewall rule that allows your client through the firewall. It should work fine. Once you get the hang of it, set up router advertisements and use the correct prefix assigned by your ISP.

    Hope this helps.

  • Thanks for the info BillyBob.  This certainly helps me troubleshoot the issue.  

    After some playing, it appears to me that my ISP is binding to the MAC address of my device.  It seems that if I change the MAC of the XG, it will not be permitted to connect at all.  I'm guessing that the Win10 laptop is bound via IPV6 and the XG is bound via IPV4, thereby using up both slots and not permitting any more devices.  I've submitted a support request to my ISP asking/demanding that they disable MAC binding for my connection.

    Thanks again.

  • Hi,

    Today I braved the IPv6 world on the XG for the nth time. I used the documentation from the UTM and set up the internal /56 using the previously provided details. I expected the internal /56 address to be changed when I reconnected the external interface, but the same address range is displayed. Maybe that is still my assigned IPv6 address range, no way to tell?

    The IPv6 test site advises all is well with my setup except using the http proxy. I put in place one simple rule to allow everything put on the IPv6 network for the moment with IPS and no ads, porn etc. Same rules as on the IP4 rules.

    Ian

    Did find an interesting error: I had added the OpenDNS DNS addresses, then tried to put the fe80 gateway address in as the 3rd DNS, which produces an error about it not being allowed, yet it is allowed as the primary IPv6 DNS entry.

  • In your firewall rule, are you masquerading to external interface? I am only allowing http/s in ipv6 firewall rules. I have not found a way to use ipv6 on guest wifi network. My regular clients that are bridged to LAN get an ipv6 address assigned no problem but I don't know how to use dhcp6 for my guest wifi clients using sophos AP.

    Finally got dhcp working with DUID for static IP addresses while using ipv6 router advertisements, but what a pain ipv6 is. IPV4 is so much more organized, whereas ipv6 has so many little things that need to be tweaked. Also ipv6 addressing with (:) is just a pain. The IETF needs to rewrite the ipv6 rules again and make them more firewall friendly, because I thought the main reason for using ipv6 was to get away from NAT. If we are still masquerading ipv6 with our firewalls, what is the point, other than the geek factor of running ipv6?

  • Hi Billybob,

    I was surprised most of my wifi devices have picked up IPv6 addresses since I set up the DHCP server; some have 3 addresses, 2 of which I suspect come from the RA function. With the 3 addresses, how do you determine which one is going to be used for accessing the internet? At the moment I have an any rule while I play with the configuration. Shortly I will start trying out the static address assignments. As you advised, the XG runs IP4 and IPv6 in parallel; the DHCP list shows the MAC addresses as well as the DUID.

    I agree on the NAT thing, I suspect that was put in place for the people with the idea that NAT provides additional security behind the $100 router.

    I am running all the tests from my Mac, which is wifi connected. I am using NAT at the moment and will turn it off shortly to see what happens.

    Ian

    Update: Removed NAT, no IPv6 traffic. Turning off web testing had no effect on IPv6 testing. What is the logic behind a web proxy and a NAT (MASQ), especially using IPv6 native dual stack?

    NAT was introduced while the whiz kids developed IPv6. All my network training in the early 90s used real addresses with no mention of NAT, and as a network admin I was assigned real class C and class B ranges.

    And there is more. IPv6 device management is not very easy. I had to manually tell the mbp that I wanted it to use a specific gateway, not the fe80 one, which I think was the external gateway. Turned off, well sort of, RA: just removed the /56 address (/64) and saved it, strange? Then the Mac stopped picking up an extra two IPv6 addresses. The extra addresses take precedence over the statically assigned one. The IPv6 DHCP listings need a format change so you can see the name of the device. Interestingly, when you copy the DUID, even though it shows .. at the end you get the full DUID.

    Conclusion is you can choose any IPv6 range for your internal networks using the XG whereas the UTM will auto renumber them on change of assigned IPv6 address range. So when the XG is eventually updated to NOT use NAT but the correct IPv6 assigned to you, hopefully auto renumbering will be in place?

    Another little gotcha, I had to enable RA without an address to get the DHCP addresses assigned otherwise no IPv6 addresses.
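The two checks that come up repeatedly above, BillyBob's advice to confirm the WAN port holds something other than a link-local (fe80::) address before trusting the green light, and Ian's question about which of a client's three IPv6 addresses ends up being used for the internet, can both be reasoned about from the addresses alone. The following script is an added example, not code from this thread or from Sophos: it classifies IPv6 addresses by their IANA top-level allocation (the ranges and labels are the author's own simplification, not XG terminology), parses a constructed `ip -6 addr show` listing as a stand-in for whatever the XG diagnostics or a client shows you, and applies the scope-ordering rule of RFC 6724 to say which address a host would pick for an internet-bound packet and what that implies for the firewall.

```python
"""Classify IPv6 addresses and work out which one a host would use for
Internet traffic.  Added example, not from the forum thread or from Sophos;
the interface listing below is constructed."""
import ipaddress
from typing import Optional

# Top-level IANA allocations, checked explicitly so the answer does not depend
# on a given Python version's notion of is_private / is_global.  Order matters:
# the first match wins.
SCOPES = [
    ("loopback", ipaddress.IPv6Network("::1/128")),
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
    ("link-local", ipaddress.IPv6Network("fe80::/10")),     # never routed off the segment
    ("unique-local", ipaddress.IPv6Network("fc00::/7")),    # site-internal, like RFC 1918
    ("global-unicast", ipaddress.IPv6Network("2000::/3")),  # the Internet-routable block
]

# Simplified RFC 6724 source selection: for an Internet destination prefer the
# widest scope available.  Link-local is deliberately absent: it can never be a
# source for Internet traffic, which is why a WAN port showing only fe80:: is
# "up" yet useless.
PREFERENCE = {"global-unicast": 0, "unique-local": 1}

# Constructed sample, shaped like `ip -6 addr show` on a Linux host with one
# temporary (dynamic) global address, one static global address and link-local.
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:1:4ad7:ce3b:9f2a:1234/64 scope global dynamic
       valid_lft 86390sec preferred_lft 14390sec
    inet6 2001:db8:1:1::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::2a1:b2ff:fec3:d4e5/64 scope link
       valid_lft forever preferred_lft forever
"""


def classify(addr: str) -> str:
    """Return a coarse scope label; accepts a bare address, addr/prefix or addr%zone."""
    ip = ipaddress.IPv6Address(addr.split("%")[0].split("/")[0])
    for label, net in SCOPES:
        if ip in net:
            return label
    return "other"


def parse_inet6(text: str) -> list:
    """Pull the inet6 addresses (without prefix length) out of `ip -6 addr` output."""
    addrs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "inet6":
            addrs.append(parts[1].split("/")[0])
    return addrs


def diagnose(addrs: list) -> dict:
    """Pick the address a host would use for Internet traffic and what that implies.

    Among addresses of equal scope the first-listed one wins here; a real host
    also weighs temporary versus stable addresses (RFC 6724 rule 7), which a
    bare address string does not reveal.
    """
    ranked = []
    for index, addr in enumerate(addrs):
        scope = classify(addr)
        if scope in PREFERENCE:
            ranked.append((PREFERENCE[scope], index, addr))
    if not ranked:
        # Only link-local / loopback present: interface is up but cannot reach
        # the IPv6 Internet at all.
        return {"source": None, "scope": None, "verdict": "no-routable-address"}
    ranked.sort()
    source = ranked[0][2]
    scope = classify(source)
    # A unique-local (or otherwise non-global) source only reaches the Internet
    # if the firewall masquerades it, the workaround discussed in the thread.
    verdict = "ok" if scope == "global-unicast" else "needs-nat"
    return {"source": source, "scope": scope, "verdict": verdict}


if __name__ == "__main__":
    found = parse_inet6(SAMPLE_IP_ADDR)
    for a in found:
        print(f"{a:45} {classify(a)}")
    print(diagnose(found))
```

Running it on the constructed listing reports the dynamic global address as the source and the verdict `ok`; feed it a listing with only an fe80:: entry and the verdict becomes `no-routable-address`, which is the state the original poster describes: the link manager is green, but nothing can actually be sourced from that interface.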

  • Yes, dhcp6 doesn't work exactly like dhcp4. Router advertisements are very important, and since you don't have default gateways but routers, it gets more confusing. Then, as you noticed, if you don't use static IP addresses via DUID, the client may end up with multiple IP addresses. IPv6 improves the connectivity tremendously if you allow your ISP to control everything. As soon as you put a firewall in the middle, it's hard to configure even for people like us that have been doing this for years. Some of it is related to us not RTFM and relying on ipv4 concepts and applying them to ipv6, but some of it is in the logic of ipv6.

    You can't rely on your devices to be smart and trust the services that they connect to. IPv6 allows easier connectivity but makes firewalling a lot harder in my opinion and unless you have specific need to run ipv6, stick with ipv4.

  • Also, as I mentioned earlier, if you create a guest wifi network using a Sophos AP (with a separate zone), there is no option to run ipv6 on that network. So you can't use your guests as guinea pigs for your dual stack ipv6 ;)

    I don't use macs at home but I have been using my iphones as test beds for ipv6 connectivity and they generally work fine. On my windows machines that I use for work, ipv6 is disabled!