WAN IPV6 in XG v17. Is there a trick to it?

Yes, dhcp6 doesn't work exactly like dhcp4. Router advertisements are very important and since you don't have default gateways but routers, it gets more confusing. Then, as you noticed, if you don't use static IP addresses via duid, the client may end up with multiple ip addresses. IPv6  improves the connectivity tremendously if you allow your ISP to control everything. As soon as you put a firewall in the middle, its hard to configure even for people like us that have been doing this for years. Some of it is related to us not RTFM and relying on ipv4 concepts and applying them to ipv6 but some of it is in the logic of ipv6. 

You can't rely on your devices to be smart and trust the services that they connect to. IPv6 allows easier connectivity but makes firewalling a lot harder in my opinion and unless you have specific need to run ipv6, stick with ipv4.

Also, as I mentioned earlier, if you create a guest wifi network using sophos AP (with separate zone), there is no option to run ipv6 on that network. So you can't use your guests as guinea pigs for your dual stack ipv6 [;)]

I don't use macs at home but I have been using my iphones as test beds for ipv6 connectivity and they generally work fine. On my windows machines that I use for work, ipv6 is disabled!

Quick update,

I've got IPV4/IPV6 dual stack working.  Once the binding issue was resolved with the ISP and having them turn on dual stack at their end, I got it up and running.  I managed to get the router advertisement working too.  The most difficult part at my end was getting the connection with the ISP.  My connection does not work if I have it on "Auto".  The only way it works is if I have it set to "DHCP" + "Manual" + "DHCP Only".

Documentation is quite inadequate.  While there seems no end of information that explains the intricacies of IPV6 addressing and the history of the IP protocols, there is definitely a lack of simple information as to what IP to assign your internal LAN and the prefix that should be used by the router advertisement.

I definitely have no immediate plans on using IPV6 for my LAN setup.  Too many bits to worry about when assigning IP addresses to the couple of servers that I have.  IPV4 is far easier for me to track mentally.

My guest WiFi network cannot use IPV6 but the home WiFi that is bridged to LAN has no issues using IPV6.  I'm not sure why there would be a difference.  Perhaps an oversight on behalf of Sophos?

Thanks.

Hi Billybob,

I tried applying what I learned on the UTM to the XG and that doesn't work. As far as I can tell you do not need RA on the UTM to get DHCP to work. RA on the XG does not follow the configuration eg you tick allow DHCP to manage addresses, allow DHCP to provide other functions, so if this was working correctly there shouldn't be any assignments by RA. The iphones, the ipad and the windows 10 machines received 3 IPv6 address. Then when the multiple addresses are assigned they are not displayed anywhere.

Ian

More testing results. Turned off the two flags in the RA address entry and now the DHCP controls the address assignments, so only 1 address per device with a default fe80 gateway.

I know rtfm. Being a fiddler doesn't mean I understand the manual.

Well, it’s 2019 now, anyone running IPv6 on a home network? Are there any benefits over IPv4 for a pretty typical home network with no servers? I’m debating if I want to transition to a dual stack setup to start getting familiar with IPv6 mostly for my own learning since my ISP supports it.

Hi Shred,

IPv6 on the XG is a pain, so many features that are in the IP4 are not in the IPv6 implementation. No FQDNs, mail does not seem to work well last time I tried. No indication as to what /56 or /48 you have been assigned I could go on and repeat my previous posts. You can n to make identical firewall rules in IP4 and IPv6 to block access. The IPv6 does not resolve URLs in the exceptions. Get off high horse.

We have been promised (from comments passed by those that know in the forums) that all will be fixed in XG V18 which is due later this year...

Ian

Hi Shred,

I've been running IPv6 for over a year now.  Part of the issue I had was not realizing that I had to reset the interface when I made a change.  At the time, I was experimenting with the IPv6 configuration settings and then days later IPv6 stopped working.  More tweaking didn't get it working until I realized that I had to reset the interface...

With that said, setting up IPv6 is not as intuitive as IPv4.

There is more than that, you cannot apply the same exceptions or even some of the policies.

Ian

Edit: Figured it out! rfkat_vk explains it below.

Hi Shred,

IPv6 on VLANs assumes you have IPv6 enabled on the physical interface. Your VLANs will require a static IPv6 assignment as well as a Static IP4.

Why would you want to change an interface for a LAN port to DHCP, it should be static because it is your gateway?

I just changed my LAN interface which has 4 VLANs working on it to be IPv6 enabled, but using a static address. No issues.

Ian

So I'm seeing my WAN interface being assigned an IPv6 address. I'm not sure what to set in my LAN interface IPv6 settings. I'd imagine I'd want a manual address similar to how I have IPv4 setup for the interface... need to do more research.