What adds to my confusion is that lots of folks write about IPv6 in no coherent manner. So when you start with a purely IPv4 network, with functional IPv4 internet access protected by a Sophos UTM device, it isn't exactly clear how to enable IPv6 for internal networks, let alone when you have multiple VLANs.
At the risk of going insane due to an overdose of coffee and too little sleep, I'm hoping someone can guide me through this process. Keep in mind that I'm a software architect, not a network engineer. While I have a grasp of the basics, it's the implementation that stumps me from time to time.
My Understanding
My understanding of IPv6 is that a device registers a unique identifier (often derived from the MAC address) with the DHCPv6 server. When combined with a prefix, the result is an IPv6 address. In many cases, "private" networks are /64 based. When your ISP supports IPv6, they may provide you with a prefix that is internet addressable. So each device has its own internet address and there is no need for NAT. But here lies the security risk. If the MAC address is part of the IPv6 address, malicious users are able to infer the hardware of the server. So as a result, the gateway may modify the number so that such information is not leaked. In the case where there is no IPv6 internet access, on Sophos UTM you can use 4to6 to NAT IPv6 traffic to IPv4.
Objectives:
- Enable hosts to use IPv6 for communication within a VLAN.
- Enable hosts to use IPv6 for communication across VLANs, where permitted.
- Enable hosts with IPv6 to connect to the internet over IPv4.
- Be ready when my ISP enables IPv6.
- Maintain the same security posture with IPv6 as I do with IPv4.
Environment:
- Sophos UTM 9.310-11
- 6 Public IP Addresses
- eth0, eth2 and eth3 are bridged (br0). The network for the bridge is 172.16.0.1/24.
- Several VLANs on br0. 172.16.x.1/24 where x is the VLAN number. Assume for this purpose I have 3 VLANs.
- All communication between VLANs goes through the UTM for security reasons.
- Sophos UTM acts as the DHCP, DNS and NTP server for the environments.
- Most traffic to and from the internet is blocked, with some exceptions.
- Country blocking is enabled. HTTP, HTTPS and SMTP are exceptions.
- DHCP is configured with additional options (e.g. TFTP and NTP).
- Remote Access (SSL VPN etc) is working and fully functional.
- IPS is operational
- WAF is operational
- SMTP Proxy is operational for all public domains
- Where possible, all services are protected with a proper certificate.
- Where possible, all hosts have a DNS entry
- Hosts running Windows Server 2012 R2, OS X 10.10, Ubuntu Server 14.04 and FreeBSD 9.3.
What I have done:
1. Enabled IPv6 on all Windows Server 2012 R2, OS X and Linux hosts.
2. Enabled IPv6 on the Sophos UTM.
3. Visited a private IPv6 address range generator and generated an IPv6 range. For example: fde9:515d:db3a:bc00::/64
4. Configured an IPv6 address for each VLAN interface. The scheme I used was to replace XX with the hex value of the VLAN and assign fde9:515d:db3a:bcXX::1/64 as the IP address. If I'm on VLAN 1, the IPv4 DNS server and router would be 172.16.1.1. I assigned this to the interface myself. I assume the same applies to IPv6.
5. Created prefix advertisements for each VLAN, where DNS Server 1 is fde9:515d:db3a:bcXX::1/64.
6. I left "Stateless integrated server" checked, which prevented me from creating a DHCPv6 server.
7. Configured 4to6 using an external interface. I left the relay server with the default value.
8. Rebooted the Sophos UTM.
9. Rebooted the hosts (Windows, OS X and Linux).
None of the hosts were addressable by IPv6.
What I Tried Next
1. For one VLAN, I unchecked the "Stateless integrated server" in the prefix advertisement.
2. Created a new DHCP server for IPv6, which created an IPv6 range of fde9:515d:db3a:bcXX::f000 to fde9:515d:db3a:bcXX::ffff, where XX is the VLAN number.
3. Rebooted the hosts.
For that VLAN, the hosts (e.g. OS X) did not have an IPv6 address and couldn't ping fde9:515d:db3a:bcXX::1. Since IPv6 doesn't work, I have not tested whether different VLANs can connect to each other, or whether an IPv6 host is able to connect to the internet.
So what am I doing wrong?
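The per-VLAN addressing scheme described in the post (ULA /48, fourth hextet bcXX with XX the VLAN number, gateway ::1, DHCPv6 pool ::f000 to ::ffff), worked through in Python as an added example; this is not code from the post or from Sophos. The ULA generator follows the RFC 4193 layout (fd00::/8 plus a random 40-bit Global ID); the 0xbc high byte and the sample host addresses are taken from or constructed to match the post. The last helper sorts a host's addresses so that a host showing only a link-local (fe80::/10) address, as in the symptom described, is easy to tell apart from one that actually received the advertised prefix.

```python
import ipaddress
import secrets

ULA_SPACE = ipaddress.IPv6Network("fd00::/8")


def generate_ula_prefix() -> ipaddress.IPv6Network:
    """Build an RFC 4193 style ULA /48: 'fd' followed by a random 40-bit Global ID."""
    global_id = secrets.randbits(40)
    top48 = (0xFD << 40) | global_id          # the /48 occupies the top 48 bits
    return ipaddress.IPv6Network((top48 << 80, 48))


def vlan_prefix(site: ipaddress.IPv6Network, vlan: int,
                subnet_hi: int = 0xBC) -> ipaddress.IPv6Network:
    """Carve the VLAN's /64: fourth hextet = subnet_hi byte followed by the VLAN as a hex byte (bcXX)."""
    if site.prefixlen != 48:
        raise ValueError("scheme assumes a /48 site prefix")
    if not 0 <= vlan <= 0xFF:
        raise ValueError("VLAN number must fit in one hex byte for this scheme")
    subnet_id = (subnet_hi << 8) | vlan              # e.g. 0xbc01 for VLAN 1
    base = int(site.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def gateway(prefix: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Router / DNS address used in the post: the ::1 host of the VLAN prefix."""
    return prefix[1]


def dhcpv6_pool(prefix: ipaddress.IPv6Network) -> tuple:
    """The stateful DHCPv6 range the UTM created: ::f000 to ::ffff inside the prefix."""
    return prefix[0xF000], prefix[0xFFFF]


def classify_host_addresses(addrs, prefix: ipaddress.IPv6Network) -> dict:
    """Bucket a host's IPv6 addresses: in the advertised VLAN prefix, link-local only, or other.

    A host whose only entry lands in 'link_local' never received the RA prefix or a
    DHCPv6 lease, which is the situation the post describes.
    """
    result = {"in_prefix": [], "link_local": [], "other": []}
    for text in addrs:
        addr = ipaddress.IPv6Address(text)
        if addr in prefix:
            result["in_prefix"].append(str(addr))
        elif addr.is_link_local:
            result["link_local"].append(str(addr))
        else:
            result["other"].append(str(addr))
    return result
```

Feeding the function the addresses reported by `ifconfig` or `ip -6 addr` on one of the hosts immediately shows whether the host has only its link-local address or an address from the VLAN's /64 or DHCPv6 pool.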