I have the UTM Home Edition licensed for 50 users. Ever since I obtained native IPv6 connectivity and started using IPv6 on my internal network, I am getting notification messages such as the one included below indicating I have exceeded my user count. However, in looking at the text file associated with the email, I show:
- 10 IPv4 addresses
- 57 IPv6 addresses
I know that I only have *10* devices on my home network because I can go around and count them. However, almost all of them are dual-stack with both IPv4 and IPv6 addresses.
In looking at a couple of the devices (a MacBook Pro and an iPhone) they all have multiple IPv6 addresses assigned per network interface. One is the autoconfigured IPv6 address (using the /64 prefix and the device MAC address) and the second is an autoconfigured temporary IPv6 address that I am assuming uses the /64 prefix with RFC 4941 Privacy Extensions (RFC 4941, Privacy Extensions for Stateless Address Autoconfiguration in IPv6). I believe most operating systems these days are generating privacy addresses automatically for IPv6 interfaces.
I don't know how closely the operating systems I use adhere to RFC 4941, but in that document the "preferred lifetime" of a temporary IPv6 address is suggested to default to "1 day". What this means is that each day the operating system will generate a new temporary IPv6 address for the network interface.
I suspect that what is going on here is that the licensing mechanism within Sophos UTM is counting the IPv4 and IPv6 addresses - and then not accounting for the fact that new IPv6 addresses are being generated each day and also that each device is typically going to have 2 IPv6 addresses.
I am guessing that for IP addresses the licensing mechanism keeps track of the IP addresses for a certain period of time - one week? More? Less? This probably works fine for IPv4 addresses and also prevents people from spoofing too many additional addresses to try to get around the 50-user license restriction.
However, with IPv6 that week-long (or whatever time period) retention period is too long given the temporary addresses that are being created daily.
Additionally, the presence of dual-stacked devices means that each device is going to count for 2 "users" just by the fact it is turned on. So the 50-user limit is immediately a 25-user limit, even before temporary addresses become a factor.
It would seem the license counting algorithm needs to be refactored for IPv6.
P.S. If you need someone to test a potential solution, I'd be glad to help.
----
This email was sent by your Sophos UTM software to notify
you that you have exceeded 110% of the user count for your license!
Licensed Users/IPs: 50
Counted Users/IPs: 69
All additional users/ips except the ones listed below will be blocked.
A 10% tolerance has already been deducted.
Please contact your Sophos Partner or Sophos to upgrade your license.
----
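A constructed model of the overcount described above, added here as an illustration and not Sophos UTM's own licence code: it assumes a counter keyed on source address with a retention window, ten dual-stack devices, and one RFC 4941 temporary address rotated per device per day, and compares that count with one keyed on the device itself.

```python
"""Constructed model of an address-keyed user counter on a dual-stack LAN.

Added illustration, not Sophos UTM's real licence code. It assumes the counter
keeps every source address seen within a retention window and bills each one as
a "user"; each device has one IPv4, one stable IPv6 and one RFC 4941 temporary
IPv6 address that is rotated daily.
"""
from __future__ import annotations

import ipaddress
import random
from dataclasses import dataclass

DOC_PREFIX = 0x20010DB8_0000_0000 << 64  # 2001:db8::/64, RFC 3849 documentation range

@dataclass
class Device:
    mac: str
    ipv4: str
    ipv6_stable: str
    ipv6_temp: str = ""

def make_devices(n: int) -> list[Device]:
    """Build n dual-stack devices with synthetic addresses (constructed sample data)."""
    # Locally administered MAC, RFC 5737 TEST-NET-1 IPv4, stand-in for the EUI-64 IPv6.
    return [Device(f"02:00:00:00:00:{i:02x}", f"192.0.2.{i}", f"2001:db8::{i:x}")
            for i in range(1, n + 1)]

def rotate_temporary(dev: Device, day: int) -> None:
    """Give the device a fresh temporary address: same /64, new random 64-bit IID."""
    iid = random.Random(f"{dev.mac}/{day}").getrandbits(64)  # seeded so runs repeat
    dev.ipv6_temp = str(ipaddress.IPv6Address(DOC_PREFIX | iid))

def count_users(devices: list[Device], days: int, retention_days: int) -> dict[str, int]:
    """Simulate `days` days, then count 'addresses' (address-keyed, with retention)
    against 'devices' (keyed on the MAC, i.e. what the licence is meant to count)."""
    last_seen: dict[str, int] = {}
    for day in range(days):
        for dev in devices:
            rotate_temporary(dev, day)
            for addr in (dev.ipv4, dev.ipv6_stable, dev.ipv6_temp):
                last_seen[addr] = day
    # An address stays counted while its last sighting is inside the retention window.
    live = [a for a, d in last_seen.items() if (days - 1) - d < retention_days]
    ipv4 = sum(1 for a in live if ipaddress.ip_address(a).version == 4)
    return {"ipv4": ipv4, "ipv6": len(live) - ipv4,
            "addresses": len(live), "devices": len({d.mac for d in devices})}
```

With a one-week retention the ten devices show up as 90 addresses (10 IPv4 plus 80 IPv6); shrinking retention to a single day still leaves 30, because every dual-stack device always carries at least one IPv4 and two IPv6 addresses.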