
WAN IPV6 in XG v17. Is there a trick to it?

Hello, 

I've been running XG firewall with IPV4 LAN and WAN for the past year.  I am currently running XG 17 MR3.  I decided to experiment with IPV6.  Under Interfaces I set the WAN port to use IPV6 DHCP Auto.  It appeared to connect via IPV6 since it found the IPV6 Gateway and it gave me a "green light" in the WAN Link Manager.  But I had no internet access through the firewall.  I tried pinging IPV6 sites and accessing IPV6 sites to no avail.  For comparison, I disconnected the XG firewall from the modem and connected my laptop directly to the modem.  My Windows 10 laptop quickly connected to the modem using IPV6 and found the same IPV6 gateway.  I was able to surf the internet with my laptop accessing IPV6 sites.  I had no special settings in Windows 10, just set it to automatically connect with DHCP.

So if the laptop could connect without issue, why can't the XG firewall connect?



  • Hi,

    the XG does not fully support IPv6. The external interface will pick up IPv6 using the DHCP setting and will provide you with IPv6 DNS. The XG will not display or even show you your assigned /56 for your local network use. I was never able to find the assigned /56 so I gave in the hope that a new XG release will at least bring the XG up to the same standard as the IPv6 on the UTM. You will need to setup separate rules.

    Ian

  • Thanks Ian,

    I have setup a very simple IPV6 firewall rule to allow LAN to WAN.  Still not connecting via IPV6.  I have configured IPV4 and IPV6 for the WAN port in Configure->Network->Interfaces (for the same interface).  When I check the WAN Link Manager, both have green lights.  When I check my firewall rules, the IPV4 rules show traffic but the IPV6 do not.  I cannot ping IPV6 addresses through the XG firewall diagnostics tool.  I am not sure what I've missed.  I have tried setting the DNS IPV6 servers to obtain through DHCP and manual, and neither makes a difference.  I have deleted the IPV4 interface leaving the IPV6 and that completely kills my internet access from the XG.  I had hoped that it might force it to connect via IPV6.

    One odd thing, on the control centre home page, the interfaces symbol is yellow/orange which to me indicates that there is an issue.  When I click on that symbol it shows green lights for the IPV4 and IPV6 interfaces and their respective IPV4 and IPV6 gateways.  Not sure how one is intended to troubleshoot from there.

    Best regards

  • Thanks for the info BillyBob.  This certainly helps me troubleshoot the issue.  

    After some playing, it appears to me that my ISP is binding to the MAC address of my device.  It seems that if I change the MAC of the XG, it will not be permitted to connect at all.  I'm guessing that the Win10 laptop is bound via IPV6 and the XG is bound via IPV4 thereby using up both slots and not permitting any more devices.  I've submitted a support request to my ISP asking/demanding that they disable MAC binding for my connection.

    Thanks again.

  • Hi,

    today braved the IPv6 world on the XG for the nth time. Used the documentation from the UTM and setup the internal /56 using the previously provided details. I expected the internal /56 address to be changed when I reconnected the external interface but the same address range is displayed. Maybe that is still my assigned IPv6 address range, no way to tell?

    The IPv6 test site advises all is well with my setup except using the http proxy. I put in place one simple rule to allow everything put on the IPv6 network for the moment with IPS and no ads, porn etc. Same rules as on the IP4 rules.

    Ian

    Did find an interesting error, I had added the OPENDNS DNS addresses then tried to put the fe80 gateway address in as the 3rd DNS which produces an error about not being allowed, yet it is allowed as the primary IPv6 DNS entry.

  • In your firewall rule, are you masquerading to external interface? I am only allowing http/s in ipv6 firewall rules. I have not found a way to use ipv6 on guest wifi network. My regular clients that are bridged to LAN get an ipv6 address assigned no problem but I don't know how to use dhcp6 for my guest wifi clients using sophos AP.

    Finally got dhcp working with duid for static IP addresses while using ipv6 router advertisements but what a pain ipv6 is. IPV4 is so much more organized whereas ipv6 has so many little things that need to be tweaked. Also ipv6 addressing with (:) is just pain. IETF needs to rewrite ipv6 rules again and make it more firewall friendly because I thought the main reason for using ipv6 was to get away from NAT. If we are still masquerading ipv6 with our firewalls, what is the point other than geek factor of running ipv6. 
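The post above relies on DUIDs to pin static DHCPv6 leases to clients, and a later post notes that the XG lease list shows both the MAC and the DUID. The following Python is an added example, not Sophos code: it builds and decodes the common DUID types from RFC 8415 (DUID-LLT, DUID-EN, DUID-LL, DUID-UUID) so an admin can check whether a DUID copied from a lease table actually corresponds to a given MAC before creating a reservation. The MAC addresses and timestamps in it are constructed sample values.

```python
"""Build and decode DHCPv6 DUIDs (RFC 8415 section 11).

Added example for this thread, not part of Sophos XG.  Useful when
matching a DUID shown in a DHCPv6 lease table against a client's MAC
address before pinning a static lease to it.
"""
import struct

DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4
HW_ETHERNET = 1  # IANA hardware type for Ethernet


def mac_to_bytes(mac: str) -> bytes:
    """Accept 00:11:22:33:aa:bb or 00-11-22-33-aa-bb."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def make_duid_ll(mac: str) -> bytes:
    """DUID-LL: type 3, hardware type, link-layer address."""
    return struct.pack("!HH", DUID_LL, HW_ETHERNET) + mac_to_bytes(mac)


def make_duid_llt(mac: str, seconds_since_2000: int) -> bytes:
    """DUID-LLT: type 1, hardware type, 32-bit time (seconds since
    2000-01-01 UTC, modulo 2^32), link-layer address.  Windows clients
    typically generate this type."""
    return (struct.pack("!HHI", DUID_LLT, HW_ETHERNET,
                        seconds_since_2000 & 0xFFFFFFFF)
            + mac_to_bytes(mac))


def parse_duid(duid_hex: str) -> dict:
    """Decode a DUID given as hex (colons/dashes tolerated).

    A truncated DUID (e.g. copied from a table that shortened it with
    '..') raises ValueError instead of returning a misleading result.
    """
    cleaned = duid_hex.replace(":", "").replace("-", "").replace(".", "")
    raw = bytes.fromhex(cleaned)
    if len(raw) < 2:
        raise ValueError("DUID too short")
    (dtype,) = struct.unpack("!H", raw[:2])
    if dtype == DUID_LL:
        if len(raw) < 4:
            raise ValueError("DUID-LL truncated")
        (hwtype,) = struct.unpack("!H", raw[2:4])
        if hwtype == HW_ETHERNET and len(raw) != 10:
            raise ValueError("DUID-LL with Ethernet hwtype must carry 6 MAC bytes")
        return {"type": "DUID-LL", "hwtype": hwtype, "mac": bytes_to_mac(raw[4:])}
    if dtype == DUID_LLT:
        if len(raw) < 8:
            raise ValueError("DUID-LLT truncated")
        hwtype, t = struct.unpack("!HI", raw[2:8])
        if hwtype == HW_ETHERNET and len(raw) != 14:
            raise ValueError("DUID-LLT with Ethernet hwtype must carry 6 MAC bytes")
        return {"type": "DUID-LLT", "hwtype": hwtype, "time": t,
                "mac": bytes_to_mac(raw[8:])}
    if dtype == DUID_EN:
        if len(raw) < 6:
            raise ValueError("DUID-EN truncated")
        (enterprise,) = struct.unpack("!I", raw[2:6])
        return {"type": "DUID-EN", "enterprise": enterprise,
                "identifier": raw[6:].hex()}
    if dtype == DUID_UUID:
        if len(raw) != 18:
            raise ValueError("DUID-UUID must be 2 + 16 bytes")
        return {"type": "DUID-UUID", "uuid": raw[2:].hex()}
    return {"type": f"unknown({dtype})", "raw": raw.hex()}


def duid_matches_mac(duid_hex: str, mac: str) -> bool:
    """True when the DUID embeds the given MAC (only LL and LLT types can)."""
    try:
        info = parse_duid(duid_hex)
    except ValueError:
        return False
    return info.get("mac") == bytes_to_mac(mac_to_bytes(mac))


if __name__ == "__main__":
    # Constructed sample MAC and time, not values from the thread.
    sample_mac = "00:11:22:33:aa:bb"
    llt = make_duid_llt(sample_mac, 0x12345678).hex()
    print(llt, parse_duid(llt), duid_matches_mac(llt, "00-11-22-33-AA-BB"))
```

A DUID-EN or DUID-UUID carries no MAC at all, so `duid_matches_mac` returns False for those; in that case the lease table's MAC column, not the DUID, is the only link back to the hardware.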

  • Hi Billybob,

    I was surprised most of my wifi devices have picked up IPv6 addresses since I setup the DHCP server, some have 3 addresses which I suspect 2 come from the RA function. With the 3 addresses how do you determine which one is going to be used for accessing the internet? At the moment I have an any rule while I play with the configuration. Shortly will start trying out the static address assignments. As you advised the XG runs IP4 and IPv6 in parallel, the DHCP list shows the MAC addresses as well as the duid.

    I agree on the NAT thing, I suspect that was put in place for the people with the idea that NAT provides additional security behind the $100 router.

    I am running all the tests from my Mac which is wifi connected. I am using NAT at the moment and will turn it off shortly to see what happens.

    Ian

    Update: Removed NAT, no IPv6 traffic. Turned off web testing had no effect on IPv6 testing. What is the logic behind a web proxy and a NAT (MASQ) especially using IPv6 native dual stack?

    NAT was introduced while the wizkids developed IPv6. All my network training in early 90s used real addresses with no mention of NAT and as a network admin I was assigned real C and B class ranges.

    And there is more. IPv6 device management is not very easy. I had to manually tell the mbp that I wanted it to use a specific gateway not the fe80 which I think was the external gateway. Turned off, well sort of, RA: just removed the /56 address (/64) and saved it, strange? Then the Mac stopped picking up an extra two IPv6 addresses. The extra addresses take precedence over the statically assigned one. The IPv6 DHCP listings need a format change so you can see the name of the device. Interestingly when you copy the DUID even though it shows .. at the end you get the full DUID.

    Conclusion is you can choose any IPv6 range for your internal networks using the XG whereas the UTM will auto renumber them on change of assigned IPv6 address range. So when the XG is eventually updated to NOT use NAT but the correct IPv6 assigned to you, hopefully auto renumbering will be in place?

    Another little gotcha, I had to enable RA without an address to get the DHCP addresses assigned otherwise no IPv6 addresses.

  • Yes, dhcp6 doesn't work exactly like dhcp4. Router advertisements are very important and since you don't have default gateways but routers, it gets more confusing. Then, as you noticed, if you don't use static IP addresses via duid, the client may end up with multiple ip addresses. IPv6 improves the connectivity tremendously if you allow your ISP to control everything. As soon as you put a firewall in the middle, it's hard to configure even for people like us that have been doing this for years. Some of it is related to us not RTFM and relying on ipv4 concepts and applying them to ipv6 but some of it is in the logic of ipv6. 

    You can't rely on your devices to be smart and trust the services that they connect to. IPv6 allows easier connectivity but makes firewalling a lot harder in my opinion and unless you have specific need to run ipv6, stick with ipv4.

    Also, as I mentioned earlier, if you create a guest wifi network using sophos AP (with separate zone), there is no option to run ipv6 on that network. So you can't use your guests as guinea pigs for your dual stack ipv6 [;)]

    I don't use macs at home but I have been using my iphones as test beds for ipv6 connectivity and they generally work fine. On my windows machines that I use for work, ipv6 is disabled!

  • Hi Billybob,

    I tried applying what I learned on the UTM to the XG and that doesn't work. As far as I can tell you do not need RA on the UTM to get DHCP to work. RA on the XG does not follow the configuration, e.g. you tick allow DHCP to manage addresses, allow DHCP to provide other functions, so if this was working correctly there shouldn't be any assignments by RA. The iphones, the ipad and the windows 10 machines received 3 IPv6 addresses. Then when the multiple addresses are assigned they are not displayed anywhere.

    Ian

    More testing results. Turned off the two flags in the RA address entry and now the DHCP controls the address assignments, so only 1 address per device with a default fe80 gateway.

    I know rtfm. Being a fiddler doesn't mean I understand the manual.
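Three posts in this thread circle the same two questions: why a client ends up with three IPv6 addresses when both RA and DHCPv6 are on, and which of them it actually sends from (the observation that the "extra" addresses win over the statically assigned one). The Python below is an added example, not Sophos code or documentation for the XG's RA settings: it models the RA flags a router sends (M and O on the advertisement, A on each prefix option) to predict the address set a typical host configures, then applies a simplified RFC 6724 source address selection (rules 2, 3, 7 and 8) to show which address is chosen for a given destination. The prefixes, interface identifiers and DHCPv6 lease in it are constructed values.

```python
"""Model of RA flags -> host addresses -> source address selection.

Added example for this thread, not Sophos code.  The host behaviour
modelled here is the common default (SLAAC plus temporary/privacy
addresses when the prefix's A flag is set, a DHCPv6 address when the
RA's M flag is set); RFC 6724 source selection is reduced to rules
2 (scope), 3 (avoid deprecated), 7 (prefer temporary) and 8 (longest
matching prefix).
"""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network


@dataclass
class Candidate:
    address: IPv6Address
    source: str                 # link-local | slaac | slaac-temporary | dhcpv6
    temporary: bool = False     # RFC 4941 privacy address
    deprecated: bool = False    # preferred lifetime expired


@dataclass
class PrefixInfo:
    network: IPv6Network
    autonomous: bool            # PIO "A" flag: host may self-configure (SLAAC)


@dataclass
class RouterAdvertisement:
    managed: bool               # "M" flag: get addresses from DHCPv6
    other: bool                 # "O" flag: get DNS etc. (not addresses) from DHCPv6
    prefixes: list = field(default_factory=list)


def host_addresses(ra, dhcpv6_address=None, privacy_extensions=True):
    """Addresses a typical host configures after processing `ra`.

    Interface identifiers are constructed placeholders: a fixed
    EUI-64-style value for the SLAAC address and a fixed random-looking
    one for the temporary address.
    """
    cands = [Candidate(IPv6Address("fe80::1"), "link-local")]  # always present
    for p in ra.prefixes:
        if p.autonomous and p.network.prefixlen == 64:
            base = int(p.network.network_address)
            cands.append(Candidate(IPv6Address(base | 0x021122FFFE334455), "slaac"))
            if privacy_extensions:
                cands.append(Candidate(IPv6Address(base | 0xA1B2C3D4E5F60708),
                                       "slaac-temporary", temporary=True))
    if ra.managed and dhcpv6_address is not None:
        cands.append(Candidate(IPv6Address(dhcpv6_address), "dhcpv6"))
    return cands


def scope(addr: IPv6Address) -> str:
    # ULA (fc00::/7) counts as global scope in RFC 6724, so only
    # link-local is treated separately here.
    return "link" if addr.is_link_local else "global"


def common_prefix_len(a: IPv6Address, b: IPv6Address) -> int:
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(cands, destination) -> Candidate:
    """Pick the source address a host would use for `destination`."""
    dst = IPv6Address(destination)

    def rank(c):
        return (
            scope(c.address) == scope(dst),      # rule 2: appropriate scope
            not c.deprecated,                    # rule 3: avoid deprecated
            c.temporary,                         # rule 7: prefer temporary
            common_prefix_len(c.address, dst),   # rule 8: longest match
        )
    # On a complete tie the first candidate wins (implementation-defined).
    return max(cands, key=rank)


if __name__ == "__main__":
    lan = PrefixInfo(IPv6Network("2001:db8:1:2::/64"), autonomous=True)
    both = RouterAdvertisement(managed=True, other=True, prefixes=[lan])
    dhcp_only = RouterAdvertisement(managed=True, other=True,
                                    prefixes=[PrefixInfo(lan.network, autonomous=False)])
    for name, ra in (("A+M flags", both), ("M only", dhcp_only)):
        cands = host_addresses(ra, dhcpv6_address="2001:db8:1:2::10")
        chosen = select_source(cands, "2001:db8:ffff::1")
        print(name, [c.source for c in cands], "-> sends from", chosen.source)
```

With the A flag set alongside M the host holds a SLAAC address, a temporary address and the DHCPv6 lease (the "3 addresses" seen in the thread), and rule 7 makes the temporary one the outgoing source, which is why a firewall rule keyed on the static DHCPv6 address never sees the traffic. With A cleared and only M set, the host configures just the link-local and DHCPv6 addresses and the static one is the only choice.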

  • Well, it’s 2019 now, anyone running IPv6 on a home network? Are there any benefits over IPv4 for a pretty typical home network with no servers? I’m debating if I want to transition to a dual stack setup to start getting familiar with IPv6 mostly for my own learning since my ISP supports it.

  • Hi Shred,

    IPv6 on the XG is a pain, so many features that are in the IP4 are not in the IPv6 implementation. No FQDNs, mail does not seem to work well last time I tried. No indication as to what /56 or /48 you have been assigned. I could go on and repeat my previous posts. You can n to make identical firewall rules in IP4 and IPv6 to block access. The IPv6 does not resolve URLs in the exceptions. Get off high horse.

    We have been promised (from comments passed by those that know in the forums) that all will be fixed in XG V18 which is due later this year...


    Ian

  • Hi Shred,

    I've been running IPv6 for over a year now.  Part of the issue I had was not realizing that I had to reset the interface when I made a change.  At the time, I was experimenting with the IPv6 configuration settings and then days later IPv6 stopped working.  More tweaking didn't get it working until I realized that I had to reset the interface...

    With that said, setting up IPv6 is not as intuitive as IPv4.

  • There is more than that, you cannot apply the same exceptions or even some of the policies.

    Ian
