
WAN IPV6 in XG v17. Is there a trick to it?

Hello, 

I've been running XG firewall with IPV4 LAN and WAN for the past year.  I am currently running XG 17 MR3.  I decided to experiment with IPV6.  Under Interfaces I set the WAN port to use IPV6 DHCP Auto.  It appeared to connect via IPV6 since it found the IPV6 Gateway and it gave me a "green light" in the WAN Link Manager.  But I had no internet access through the firewall.  I tried pinging IPV6 sites and accessing IPV6 sites to no avail.  For comparison, I disconnected the XG firewall from the modem and connected my laptop directly to the modem.  My Windows 10 laptop quickly connected to the modem using IPV6 and found the same IPV6 gateway.  I was able to surf the internet with my laptop accessing IPV6 sites.  I had no special settings in Windows 10, just set it to automatically connect with DHCP.

So if the laptop could connect without issue, why can't the XG firewall connect?

  • Hi,

    the XG does not fully support IPv6. The external interface will pick up IPv6 using the DHCP setting and will provide you with IPv6 DNS. The XG will not display or even show you your assigned /56 for your local network use. I was never able to find the assigned /56, so I gave up in the hope that a new XG release will at least bring the XG up to the same standard as the IPv6 on the UTM. You will need to set up separate rules.

    Ian

  • Thanks Ian,

    I have set up a very simple IPV6 firewall rule to allow LAN to WAN.  Still not connecting via IPV6.  I have configured IPV4 and IPV6 for the WAN port in Configure->Network->Interfaces (for the same interface).  When I check the WAN Link Manager, both have green lights.  When I check my firewall rules, the IPV4 rules show traffic but the IPV6 rules do not.  I cannot ping IPV6 addresses through the XG firewall diagnostics tool.  I am not sure what I've missed.  I have tried setting the DNS IPV6 servers to obtain through DHCP and manually, and neither makes a difference.  I have deleted the IPV4 interface leaving the IPV6 one and that completely kills my internet access from the XG.  I had hoped that it might force it to connect via IPV6.

    One odd thing, on the control centre home page, the interfaces symbol is yellow/orange which to me indicates that there is an issue.  When I click on that symbol it shows green lights for the IPV4 and IPV6 interfaces and their respective IPV4 and IPV6 gateways.  Not sure how one is intended to troubleshoot from there.

    Best regards

  • Yes, dhcp6 doesn't work exactly like dhcp4. Router advertisements are very important and since you don't have default gateways but routers, it gets more confusing. Then, as you noticed, if you don't use static IP addresses via DUID, the client may end up with multiple IP addresses. IPv6 improves the connectivity tremendously if you allow your ISP to control everything. As soon as you put a firewall in the middle, it's hard to configure even for people like us that have been doing this for years. Some of it is related to us not RTFM and relying on ipv4 concepts and applying them to ipv6, but some of it is in the logic of ipv6.

    You can't rely on your devices to be smart and trust the services that they connect to. IPv6 allows easier connectivity but makes firewalling a lot harder in my opinion and unless you have specific need to run ipv6, stick with ipv4.

    Also, as I mentioned earlier, if you create a guest wifi network using Sophos AP (with separate zone), there is no option to run ipv6 on that network. So you can't use your guests as guinea pigs for your dual stack ipv6 ;)

    I don't use macs at home but I have been using my iphones as test beds for ipv6 connectivity and they generally work fine. On my windows machines that I use for work, ipv6 is disabled!

  • Hi Billybob,

    I tried applying what I learned on the UTM to the XG and that doesn't work. As far as I can tell you do not need RA on the UTM to get DHCP to work. RA on the XG does not follow the configuration, e.g. you tick "allow DHCP to manage addresses" and "allow DHCP to provide other functions", so if this was working correctly there shouldn't be any assignments by RA. The iPhones, the iPad and the Windows 10 machines received 3 IPv6 addresses. Then when the multiple addresses are assigned they are not displayed anywhere.

    Ian

    More testing results. Turned off the two flags in the RA address entry and now the DHCP controls the address assignments, so only 1 address per device with a default fe80 gateway.

    I know rtfm. Being a fiddler doesn't mean I understand the manual.

  • Well, it’s 2019 now, anyone running IPv6 on a home network? Are there any benefits over IPv4 for a pretty typical home network with no servers? I’m debating if I want to transition to a dual stack setup to start getting familiar with IPv6 mostly for my own learning since my ISP supports it.

  • Hi Shred,

    IPv6 on the XG is a pain, so many features that are in the IP4 are not in the IPv6 implementation. No FQDNs, mail does not seem to work well last time I tried. No indication as to what /56 or /48 you have been assigned. I could go on and repeat my previous posts. You can n to make identical firewall rules in IP4 and IPv6 to block access. The IPv6 does not resolve URLs in the exceptions. Get off high horse.

    We have been promised (from comments passed by those that know in the forums) that all will be fixed in XG V18 which is due later this year...

    Ian

  • Hi Shred,

    I've been running IPv6 for over a year now.  Part of the issue I had was not realizing that I had to reset the interface when I made a change.  At the time, I was experimenting with the IPv6 configuration settings and then days later IPv6 stopped working.  More tweaking didn't get it working until I realized that I had to reset the interface...

    With that said, setting up IPv6 is not as intuitive as IPv4.

  • There is more than that, you cannot apply the same exceptions or even some of the policies.

    Ian

  • Edit: Figured it out! rfkat_vk explains it below.

  • Hi Shred,

    IPv6 on VLANs assumes you have IPv6 enabled on the physical interface. Your VLANs will require a static IPv6 assignment as well as a Static IP4.

    Why would you want to change an interface for a LAN port to DHCP? It should be static because it is your gateway.

    I just changed my LAN interface which has 4 VLANs working on it to be IPv6 enabled, but using a static address. No issues.

    Ian

  • So I'm seeing my WAN interface being assigned an IPv6 address. I'm not sure what to set in my LAN interface IPv6 settings. I'd imagine I'd want a manual address similar to how I have IPv4 setup for the interface... need to do more research.

  • Depends on what your ISP provides you with. Mine provides a /56 and the WAN link is one of the /64s within the /56; that is the beauty of the UTM (SG): it shows you your assigned /56 or /48, the XG doesn't.

    For your internal networks choose one of the /64s for each LAN and VLAN. Be careful with your /56 and /64 boundaries. Also internally with this version of XG what you use is not important because you have to use MASQ with IPv6.

    Ian

  • My ISP is assigning an address of XXXX:XXXX:XXXX:XXX:: /64

    I configured my LAN interface with a static IPv6 address of XXXX:XXXX:XXXX:XXX::1/64 (using the same first 64 bits that were assigned by my ISP).

    I then setup an IPv6 Router Advertisement using the default settings but set the Prefix /64 value of XXXX:XXXX:XXXX:XXX:: (as assigned by the ISP).

    All of my devices on the network are assigning themselves an IPv6 address.

    Created a firewall rule for the device I'm testing. However, when I try to run ipv6-test.com on that device, it's failing. I've tried both enabling and disabling "Rewrite source address (masquerading)" on my firewall rule.

    However, if I set up an IPv6 DHCP server and select "Managed flag" on my IPv6 router advertisement with masquerading, the ipv6-test.com test passes just fine. I'd prefer to not run an IPv6 DHCP server and utilize IPv6 SLAAC for auto-assigning addresses.

    Any ideas? I'm sure I'm messing something up. :) 

  • Hi Shred,

    running SLAAC will give you many IPv6 addresses per device, which is very hard to manage because you never know which address is going to the internet. I run DHCP with RA enabled but untick the options. Surprised you were not supplied with a /56, which is the usual practice and recommended by the IPv6 RFC (don't know which one).

    You can use the /64 internally because the XG NATs it. So you could use XXXX:XXXX:XXXX:XXXX::1 for your external interface and XXXX:XXXX:XXXX:XXXX::1 for your internal interface and all will work well.

    Ian
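
As an added example (not code from this thread or from Sophos), here is a small Python parser for the ICMPv6 Router Advertisement bits that Ian's "two flags in the RA address entry" and Shred's "Managed flag" refer to. It decodes the RA's M and O flags and the A (autonomous) flag of each Prefix Information option, then reports which of the three outcomes the RA produces: SLAAC only, DHCPv6 only, or both, which is the multiple-addresses-per-device case described above. The sample RA bytes are constructed with the 2001:db8 documentation prefix, not a real assignment.

```python
import ipaddress
import struct

ICMPV6_RA = 134        # ICMPv6 type: Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3    # ND option type: Prefix Information

# Constructed sample prefix (documentation range), not a real assignment.
SAMPLE_PREFIX = "2001:db8:1234:5600::/64"

def build_ra(managed: bool, other: bool, prefix: str, autonomous: bool) -> bytes:
    """Build a minimal RA with one Prefix Information option (test input)."""
    net = ipaddress.IPv6Network(prefix)
    flags = (0x80 if managed else 0) | (0x40 if other else 0)   # M and O bits
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, 1800, 0, 0)
    pflags = 0x80 | (0x40 if autonomous else 0)   # L (on-link) and A bits
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                      2592000, 604800, 0) + net.network_address.packed
    return hdr + opt

def parse_ra(payload: bytes) -> dict:
    """Decode the M/O flags and every Prefix Information option of an RA."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    flags = payload[5]                      # byte after type, code, csum, hop limit
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "prefixes": []}
    off = 16                                # fixed RA header is 16 bytes
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")
        opt = payload[off:off + opt_len * 8]
        if opt_type == OPT_PREFIX_INFO and len(opt) == 32:
            plen, pflags = opt[2], opt[3]
            net = ipaddress.IPv6Network((opt[16:32], plen), strict=False)
            ra["prefixes"].append({"prefix": str(net),
                                   "autonomous": bool(pflags & 0x40)})
        off += opt_len * 8
    return ra

def assignment_mode(ra: dict) -> str:
    """How hosts will get addresses from this RA (the thread's three cases)."""
    slaac = any(p["autonomous"] for p in ra["prefixes"])
    if ra["managed"] and slaac:
        return "dhcpv6+slaac"   # hosts end up with several addresses each
    if ra["managed"]:
        return "dhcpv6"         # M set, A clear: DHCPv6 controls assignment
    return "slaac" if slaac else "none"
```

Capturing a real RA (for example with a packet sniffer filtered on ICMPv6 type 134) and feeding its ICMPv6 payload to parse_ra shows what the XG is actually advertising, independent of what the GUI tick boxes claim.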