
My Sophos UTM 9 IPv6 epic fail

Hello all.  This is a quick and dirty post after spending most of the day with a Sophos UTM 9 attempting to get IPv6 working.  I am beginning to think my approach may be misinformed.  My goal is to have two different IPv6 networks, one private that never changes and routes through my internal environment.  I would use these internal addresses for printers, NAS, servers, etc... FD00:192:168:99::/64 for example.

The other subnet would be publicly routable and provided by the ISP or tunnel broker.  The idea here is that if I had multiple ISPs at any point and wanted to flip between them without using BGP, when it readdresses all my systems the internal subnet will still route throughout my infrastructure reliably.

I attempted to configure the publicly routable connection using stateless autoconfig and using DHCPv6 "M" to address my internal subnets.  Unfortunately, I can only ever get one or the other to work.  I can't for the life of me get a client machine to receive both IPs from each subnet simultaneously.  Although the RFC reads you should be able to run each addressing mechanism (stateless and DHCPv6) at the same time, I'm not sure if that was meant for a single subnet for client compatibility or if it is actually supposed to be able to service two different address schemes on the same network.

Anyone else been down this road that can shed some light?  Have I run into a limitation of the Sophos UTM or is this just not how it is done?

Regards,

Adam Tyler
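For reference on what the Router Advertisement wire format itself permits (an added example, not code from this thread or from Sophos): in RFC 4861 the M (managed) flag is set once in the RA header for the whole link, while the A (autonomous, i.e. SLAAC) flag is carried per Prefix Information Option, so one RA can announce a SLAAC public prefix alongside an on-link ULA prefix whose addresses are left to DHCPv6. The builder/parser below uses constructed sample prefixes; whether a given UTM release emits such an RA is not shown here.

```python
import ipaddress
import struct

# Minimal ICMPv6 Router Advertisement (RFC 4861 section 4.2) builder/parser.
# Checksum is left at zero; a real sender lets the kernel fill it in.
ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3


def build_ra(prefixes, managed=False, other=False, router_lifetime=1800):
    """prefixes: list of (prefix_str, autonomous_flag). Returns ICMPv6 payload bytes."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    # type, code, checksum, cur hop limit, M/O flags, router lifetime,
    # reachable time, retrans timer
    msg = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags,
                      router_lifetime, 0, 0)
    for prefix_str, autonomous in prefixes:
        net = ipaddress.IPv6Network(prefix_str)
        pflags = 0x80 | (0x40 if autonomous else 0)  # L = on-link, A = SLAAC
        # type, length (in 8-byte units), prefix length, L/A flags,
        # valid lifetime, preferred lifetime, reserved, then the 16-byte prefix
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                           pflags, 86400, 14400, 0) + net.network_address.packed
    return msg


def parse_ra(msg):
    """Return the RA's M/O flags and a list of (prefix, autonomous_flag)."""
    typ, code, _csum, _hl, flags, _lt, _rt, _rtr = struct.unpack_from(
        "!BBHBBHII", msg, 0)
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    result = {"managed": bool(flags & 0x80),
              "other": bool(flags & 0x40), "prefixes": []}
    off = 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:  # RFC 4861 6.1.2: zero-length options must be discarded
            raise ValueError("zero-length ND option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags = msg[off + 2], msg[off + 3]
            net = ipaddress.IPv6Network((msg[off + 16:off + 32], plen),
                                        strict=False)
            result["prefixes"].append((str(net), bool(pflags & 0x40)))
        off += olen * 8  # unknown options are skipped by their length
    return result
```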

  • Hi,

    have you tried the auto renumbering function?  I haven't tried any of what you want to do.  But if both ISPs have IPv6 you shouldn't need to renumber your network.

    You will have a link local address on all your IPv6 devices if they are IPv6 enabled.

  • rfcat_vk,

    Thanks for your reply!  Sadly I do not have two ISPs in my test / lab deployment.  In fact my single ISP doesn't even provide native support for IPv6.  So I was just trying to prep for ISP failover by deploying a private and public addressing scheme.  That said, in theory it sounds like renumbering is easy enough to understand, but have you actually used it?  As far as I can tell there is no problem with your IPv6 network adapters having multiple IPv6 addresses on different subnets (/64), so why would you use this renumbering mechanism rather than just relying on the router advertisement?

    Is the "renumbering" happening only on the firewall?  Meaning that all the clients still maintain the same IPv6 address, but when they hit the router it is doing some kind of NAT to make it look like requests are using the new prefix you've configured in the renumbering tab?

    Regards,

    Adam Tyler

  • From my experience IPv6 will not work without an external IPv6 connection; otherwise you have to NAT all traffic that is not proxied.

  • Right, in my lab I am using the IPv6 tunnel broker to get IPv6 connectivity.  My questions surrounding the renumbering mechanism were geared toward a scenario where you did actually have two different ISPs serving IPv6 connectivity with different subnets.

    Regards,

    Adam Tyler

  • I can set up two links, but only one is native IPv6, the other uses a SixXS tunnel and I can't have both running at the same time, so I am not able to test any of this.