
SolarPup
Office365 Rockstar
Premium Member
join:2002-03-07
Windsor, CO

1 recommendation

SolarPup

Premium Member

[ipv6] [IPv6] ipv6 - Sophos/Astaro configuration

Hey there,

I've noticed that I'm getting the IPv6 addresses from Comcast (they're showing up on the modem config page), however, I can't figure out how to get them into the Sophos UTM.. I'm using a SiXXs tunnel right now.. I've tried turning that off and it doesn't appear to autoconfigure. Am I doing something wrong? Any ideas? If someone's used Comcast Business with ipv6 and Sophos, and have the ipv6 configured and could let me know, that would be awesome..

NetDog
Premium Member
join:2002-03-04
Hollywood, FL

1 recommendation

NetDog

Premium Member

Re: [ipv6] [IPv6] ipv6 - Sophos/Astaro configuration

You need DHCPv6 w/PD support to get a v6 address. Does "Sophos UTM" support DHCPv6?
mikev
Premium Member
join:2002-05-04
Leesburg, VA
·Verizon FiOS
(Software) pfSense
Panasonic KX-TGP600

1 recommendation

mikev to SolarPup

Premium Member

to SolarPup
I did a quick Google search and there were a couple of posts in the Astaro forums about using it with Comcast IPv6. I'm not sure that Sophos supports requesting a smaller prefix (giving you multiple IPv6 subnets to work with), but at a minimum it should support DHCPv6 on the WAN with a /64 prefix for your LAN.

Enabling IPv6
IPv6 PD and DHCP

Don't read too far into that second one... they get into things like using NAT and other things in order to use IPv6 for multiple subnets. If Sophos supports requesting a smaller prefix (like a /60), then that would be the best way to go, giving you 16 /64 subnets to use as you see fit. Such a setting would likely be on your WAN connection settings.

Don't forget to disable your SIXXS tunnel and remove its IPv6 info from your LAN.

ropeguru
Premium Member
join:2001-01-25
Mechanicsville, VA

1 recommendation

ropeguru to SolarPup

Premium Member

to SolarPup
I am currently using Sophos UTM 9 and it is working well.

On the interface that you are using for your WAN side IPv6, it MUST be set for DHCP. That means you must use DHCP for IPv4 and IPv6. I have found no way around the DHCP option.

All I had to do beyond that is turn on IPv6 in the "Interfaces & Routing" section and add a prefix advertisement to the internal LAN. Make sure you also put in a firewall rule to allow outbound IPv6 traffic.

You should see something like below on the main IPv6 tab:

Native over IPv6: 2601:xxxx:xxxx:800:250:56ff:febd:366d
Subnet: 2601:xxxx:xxxx:800::/64
Delegated Prefix: 2601:xxxx:xxxx:8f0::/60
 

Now, this is the Netgear device from Comcast that I am using with the Sophos.
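Added example, not part of any post in this thread: a Python sketch of the prefix arithmetic discussed above (a delegated /60 yielding 16 /64 LAN subnets) plus a consistency check for the values shown on the IPv6 status tab. The function names and finding labels are hypothetical, and the addresses are constructed from the 2001:db8::/32 documentation range, shaped like the masked values in the post.

```python
import ipaddress

def plan_lan_subnets(delegated, new_prefix=64):
    """Split a DHCPv6-PD delegated prefix into LAN-sized subnets."""
    pd = ipaddress.ip_network(delegated, strict=True)
    if pd.version != 6 or pd.prefixlen > new_prefix:
        raise ValueError(f"{delegated} cannot be split into /{new_prefix} subnets")
    return list(pd.subnets(new_prefix=new_prefix))

def check_ipv6_state(wan_address, delegated, lan_prefixes):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings = []
    # A WAN interface showing only fe80::/10 never obtained a routable address.
    if ipaddress.ip_address(wan_address).is_link_local:
        findings.append("wan-link-local-only")
    pd = ipaddress.ip_network(delegated, strict=True)
    for prefix in lan_prefixes:
        lan = ipaddress.ip_network(prefix, strict=True)
        if lan.prefixlen != 64:
            # SLAAC prefix advertisements expect a /64 on the LAN.
            findings.append(f"lan-not-/64:{lan}")
        if not lan.subnet_of(pd):
            # The upstream only routes the delegated prefix back to this router.
            findings.append(f"lan-outside-delegation:{lan}")
    return findings

# Constructed sample values (documentation prefix, not real Comcast space).
DELEGATED = "2001:db8:0:8f0::/60"
WAN_GLOBAL = "2001:db8:0:800:250:56ff:febd:366d"
WAN_LINK_LOCAL = "fe80::250:56ff:febd:366d"

if __name__ == "__main__":
    subnets = plan_lan_subnets(DELEGATED)
    print(len(subnets), "subnets:", subnets[0], "...", subnets[-1])
    # Healthy case: global WAN address, LAN prefix taken from the delegation.
    print(check_ipv6_state(WAN_GLOBAL, DELEGATED, [str(subnets[0])]))
    # Broken case: link-local WAN only, LAN advertising the WAN /64.
    print(check_ipv6_state(WAN_LINK_LOCAL, DELEGATED, ["2001:db8:0:800::/64"]))
```

The WAN /64 sitting outside the delegated /60 is expected; only the LAN prefixes need to fall inside the delegation.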

SolarPup
Office365 Rockstar
Premium Member
join:2002-03-07
Windsor, CO

1 recommendation

SolarPup

Premium Member

Can I use another interface for just IPV6 traffic? I can't use dhcp for the wan side as I have statics that are assigned to the WAN interface.. but I do have an extra interface on the appliance that I could connect a new cable to the modem and get dhcp off of that for IPV6...would that work?

ropeguru
Premium Member
join:2001-01-25
Mechanicsville, VA

2 recommendations

ropeguru

Premium Member

Hmmm...

I have two devices from Comcast so I have two interfaces. However, there are two ways I can think of for you to try. They have not been thought completely through as I have not yet had my coffee this morning.

First option:

1. If you have an additional NIC available add it in and tie it to your Comcast device.
2. Set it for DHCP and make sure that IPv6 default GW is set and IPv4 default gateway is not set. You should get a local 10.xxx.xxx.xxx for IPv4 (which will not be used) and an IPv6 DHCP address.
3. Setup your IPv6 as explained above.

All your firewall rules should be tied to addresses or interfaces anyway so it should not pose a problem with your current setup.

Second option:

1. Set your current WAN interface for DHCP. It will pull an IPv4 10.xxx.xxx.xxx address from the Comcast device. It will also pull the needed IPv6 info and setup.
2. Add each of your static IPs as additional addresses and tie them to the WAN NIC.
3. Setup your IPv6 as explained above.

I currently have this setup now with my Sophos even though I am using a different interface for the IPv6 currently. My WAN interface is DHCP, has IPv4 default GW checked, IPv6 default gateway unchecked, and have added my statics as additional IP's. I am having no issues running this way.

The only thing I have not checked is to see how my IP traffic is flowing. From the outside in, it should come through the IP that is set as the default GW for my statics, in my case a .190 address. I have not verified how the out packets are behaving on the return. Do not know if they are using the .190 or the IP assigned to the SMC itself. This is something I still need to investigate.

Remember that with the Sophos when you are initiating the connection from the inside and using NAT, you choose which external IP your source address is being translated to.

NetDog
Premium Member
join:2002-03-04
Hollywood, FL

1 recommendation

NetDog to SolarPup

Premium Member

to SolarPup
said by SolarPup:

I can't use dhcp for the wan side as I have statics that are assigned to the WAN interface..

I use static for my v4 and DHCPv6 for v6..

ropeguru
Premium Member
join:2001-01-25
Mechanicsville, VA

1 recommendation

ropeguru

Premium Member

said by NetDog:

I use static for my v4 and DHCPv6 for v6..

You cannot do that with the Sophos UTM's on the same interface.
ropeguru

1 recommendation

ropeguru to SolarPup

Premium Member

to SolarPup
Just wanted to add an update to this. From some of the things I have read, and I have not had time to try this, apparently just by setting up the ipv6 tab, turn on ipv6 and setup a prefix assignment, and setting the ipv6 default gw box, that is all you need to do even when you have static IP's on the same interface.

I will probably not get any time to look at this until the weekend. So if anyone tries this, please let us know the results.

SolarPup
Office365 Rockstar
Premium Member
join:2002-03-07
Windsor, CO

SolarPup to ropeguru

Premium Member

to ropeguru
Ok, so I tried this - and I'm getting a link local address instead of the native over ipv6 address. However, when I go to 10.1.10.1, it shows that it should be handing out ipv6 over dhcpv6 with a 2601::/64 block.. I even tried it with dhcp assigning my wan ip's and that didn't do any different... any ideas? Also, being semi familiar with IPV6, do I need to do a different ip block internally (nat)? or should this provide the IP's and the route?
SolarPup

1 edit

1 recommendation

SolarPup

Premium Member

It's almost like my modem isn't handing out ipv6 by dhcp.. yet it's setup for it.

NetDog, is there anything about the Cisco wireless gateways that can't hand out ipv6 addresses?
quesix
join:2005-12-19
Cary, IL
ARRIS SB6141
Cisco 2851
Asus RT-AC66

2 edits

1 recommendation

quesix to SolarPup

Member

to SolarPup
Sounds like gateway gets a ::/64 ::/60 or ::/56 block, it doesn't turn around and assign a ::/64 to router behind it. The router with 2001:558::/31 IPv6 WAN address needs to be same one with LAN interfaces that use the DHCP-PD assignment. At current time there is no IPv6 equivalent of Cascading NAT setup with non-static DHCP-PD assignments. The 2nd ::/64 would have to be manually added along with routes based on a static DHCP-PD prefix, or Gateway will need to be in BRIDGE mode.

#IPv4
PUBLIC IPv4 address 10.1.10.1 Cisco-Linksys Router 10.1.10.X -> 192.168.1.1 -> LAN

#IPv6
::/128 WAN addresses from 2001:558::/31 block ::/64 assigned from 2601::/28 DHCP-PD pool -> ::/128 from that ::/64 WAN address -> Cisco-Linksys Router -> NO ROUTE/IPv6 address

#in bridge mode
Gateway Bridge mode -> ::/128 WAN addresses from 2001:558::/31 block -> Cisco-Linksys -> ::/64 assigned from 2601::/28 DHCP-PD pool -> LAN

#linksys in AP mode with Sophos Firewall
Gateway Bridge mode -> ::/128 WAN addresses from 2001:558::/31 block -> Firewall w/ DHCP-PD -> ::/64 assigned from 2601::/28 DHCP-PD pool -> LAN -> Cisco-Linksys in AP mode

NetDog
Premium Member
join:2002-03-04
Hollywood, FL

1 recommendation

NetDog to SolarPup

Premium Member

to SolarPup
said by SolarPup:

It's almost like my modem isn't handing out ipv6 by dhcp.. yet it's setup for it.

Send me the CM-MAC and I will take a quick look..
said by SolarPup:

NetDog, is there anything about the Cisco wireless gateways that can't hand out ipv6 addresses?

The Cisco devices should work with v6..
NetDog

1 recommendation

NetDog to quesix

Premium Member

to quesix
said by quesix:

Sounds like gateway gets a ::/64 ::/60 or ::/56 block, it doesn't turn around and assign a ::/64 to router behind it.

This is very true.. The only CCR that will assign a sub-prefix is the NetGear and as of today no residential gateway models will either.. We are working with the vendors to correct this for the CCR's..