Message 1 of 10

Sophos UTM over FTTP

Hi all,

Having trouble getting my Sophos UTM Home (9.700-5) to support IPv6 over my BT-supplied FTTP service. Everything works fine with the SmartHub 2, but the UTM will not get an IPv6 address from the BRAS. The UTM will show me a prefix, but it will not assign an address to its WAN interface, so I have no route back to the BRAS. I think this is an issue with the UTM, but I need to compare with someone else before I take the drastic step that is rebuilding the UTM.

Does anyone have a Sophos UTM Home working over IPv6? If so, does your external interface look like this?

[screenshot of the UTM external interface]

I am expecting (I think) to see an IPv6 address alongside the 86.x.x.x address on the WAN interface.

The Sophos community is silent on this, and that's not like them at all. Way back in the past, DHCPv6-PD was definitely not supported, but nobody is making this information available to me.

TIA

Message 2 of 10

Re: Sophos UTM over FTTP

Message 3 of 10

Re: Sophos UTM over FTTP

I'd not seen that one, but I think that's the same thing, and quite likely the same cause. The reason for the post, though, is that it only takes a single person to have made it work, and I'd dearly love to find that person!
Message 4 of 10

Re: Sophos UTM over FTTP

Oh. "BT does not allocate IA_NA addresses for the WAN port on the CPE interface, BT expects the link local addresses to be used for this communication. Any request for an IA_NA will always result in a response of no addresses available for IA_NA. This has always been the case from day one of the IPv6 implementation on the platform." So I'm not going to see an IPv6 address there. Funny that BT routers have one...
Message 5 of 10

Re: Sophos UTM over FTTP

<cough> Oops. Smart Hub 2 was still advertising itself as a default gateway, not much good when it's just a wireless access point. I have kind-of made it work, but only until I am assigned a different IPv4 address. This is because on the Sophos UTM, the WAN interface has IPv4 and IPv6 as either DHCP or static; you can't have one DHCP and the other static. As I have to assign an IPv6 address to the WAN interface to allow it to pass the traffic, the IPv4 interface must also be static. That's a bit risky, as I have rebooted 5 times today and had 3 different internet-facing IPs.
Message 6 of 10

Re: Sophos UTM over FTTP

Keep rebooting and DLM will most likely kick in thinking there's a fault.

Message 7 of 10

Re: Sophos UTM over FTTP

Still struggling with this. In light of the earlier post about IA_NA addressing being absent, it became clear that the SH2 makes up its address, just by adding a 1 at the end of the prefix. I can do that too on my LAN interface, set up prefix advertisement, and all my clients get an IPv6 address. ip route shows a correct default route for both IPv4 and IPv6, and I can see the IPv6 traffic leaving via the PPPoE connection to BT, but nothing ever comes back. 

I spent 12 hours yesterday messing with this. The *first* time I did it, with a fresh install of the UTM, I made a specific set of changes:

1. Add <prefix>00::1 as the IP address on the WAN interface (64-bit mask). The WAN interface connects to the ONT.
2. Add <prefix>01::1 as the IP on my LAN interface, i.e. the interface that is realistically the clients' default gateway (64-bit mask again).
3. Advertise the prefix on the LAN interface.
4. Set static PPPoE addresses for IPv4 and IPv6 on the WAN interface (bad form, and I know it isn't a long-term answer, but this is just testing).
5. Force the UTM to request a prefix, and watch all the clients correctly obtain an IPv6 address.

and it worked. This was at 8am on Sunday morning. I backed up the config, made the setup look like it should for me (the firewall has 4 ports, 3 of which I have in a bridge, and that is what I changed up at this point), and it broke. 

Backed up that 'bad' config, reloaded the good one and... it broke.

Wiped the UTM again, fresh install from USB, identical config to the first try (apart from a different prefix) and it did not work.

I reloaded configs, wiped the UTM several times and generally messed for 12 hours yesterday, and the only time it worked was the very first time.

At each stage, I always tested IPv4 first (the WAN IP changed almost every time), and had to change the static IP on the WAN interface. The UTM automatically renumbers the IPv6 settings.

The only conclusion I can draw is that there is something odd going on beyond the PPPoE connection. I can see my IPv6 traffic leave over it, but nothing comes back. No idea what to do next, as BT tell me that's Openreach magic at that point.

Message 8 of 10

Re: Sophos UTM over FTTP

Couple of things. The first you are probably aware of, but just in case: BT use /56 PD rather than /64 PD.

Secondly, I could never get a TP-Link 9980 to work with IPv6. The weird thing is that it would work for about 2 minutes after configuring and then stop working, which sounds similar to your experience of intermittent working. I assume the initial setup somehow connected but subsequent RA/RS messages weren't working correctly.

If you have a managed switch you could mirror your WAN port and see what's happening with Wireshark.

Message 9 of 10

Re: Sophos UTM over FTTP

I do have a managed hub, and I did try that, but only to look at the PPPoE setup traffic, which it didn't forward to the spanned port for some reason. I'm going to buy a cheap tap from eBay, most likely something like the Ixia Net Optics TP-CU3-ZD 10/100/1G Copper Ethernet Tap (Gig Zero Lag), as you'll see error traffic with it, and maybe get a better handle on what's happening. I'd really like to get to the bottom of this, as I see no reason why it shouldn't work.

Message 10 of 10

Re: Sophos UTM over FTTP

I just do not understand. I had TCP v6 disabled on my desktop since the weekend, and I just re-enabled it. 10/10 on test-ipv6.com. For the record, this is what I did:

1. Enable IPv6.
2. Force the UTM to request a prefix (not sure why I needed to do it).
3. Add <prefix>00::1 as the IP address on the LAN interface (64-bit mask).
4. Advertise the prefix on the LAN interface using the stateless integrated server.
5. Enable automatic renumbering.

That's it. I have no clue why a 3-day gap makes any difference, but clearly it did. 

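The subnet arithmetic behind the numbered steps in messages 7 and 10, and the /56 point in message 8, as an added example that is not from the thread or from Sophos: it carves the <prefix>00 and <prefix>01 /64s out of a /56 delegation and carries a static address over when the delegation changes. The prefix values are constructed from the RFC 3849 documentation range, and the ::1 router-address convention is taken from the poster's observation of the Smart Hub 2.

```python
import ipaddress

# Constructed sample delegations from the RFC 3849 documentation range,
# standing in for the /56 BT hands out via DHCPv6-PD (not real allocations).
OLD_DELEGATION = "2001:db8:1234:5600::/56"
NEW_DELEGATION = "2001:db8:abcd:ef00::/56"

def carve_subnets(delegated, subnet_ids, new_prefixlen=64):
    """Split a delegated prefix into /64s; return {id: (subnet, ::1 address)}.

    A /56 holds 256 /64s: id 0x00 is <prefix>00::/64 and id 0x01 is
    <prefix>01::/64, the two used in the thread. The ::1 router address
    follows what the poster observed the Smart Hub 2 doing.
    """
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > new_prefixlen:
        raise ValueError(f"{net} is smaller than a /{new_prefixlen}")
    span = 2 ** (new_prefixlen - net.prefixlen)
    plan = {}
    for sid in subnet_ids:
        if not 0 <= sid < span:
            raise ValueError(f"subnet id {sid:#04x} does not fit in {net}")
        # The subnet id occupies the bits between the delegated length and /64.
        base = int(net.network_address) | (sid << (128 - new_prefixlen))
        subnet = ipaddress.IPv6Network((base, new_prefixlen))
        plan[sid] = (str(subnet), str(subnet.network_address + 1))
    return plan

def renumber(address, old_delegated, new_delegated):
    """Move a static address to a new delegation, keeping subnet and host bits.

    This is the renumbering the UTM does when the delegated prefix changes
    after a PPPoE reconnect. A changed delegation length would invalidate
    the subnet plan, so it is rejected rather than guessed at.
    """
    addr = ipaddress.IPv6Address(address)
    old = ipaddress.IPv6Network(old_delegated)
    new = ipaddress.IPv6Network(new_delegated)
    if addr not in old:
        raise ValueError(f"{addr} is not inside {old}")
    if old.prefixlen != new.prefixlen:
        raise ValueError("delegation length changed; redo the subnet plan")
    host_bits = int(addr) & int(old.hostmask)
    return str(ipaddress.IPv6Address(int(new.network_address) | host_bits))

if __name__ == "__main__":
    plan = carve_subnets(OLD_DELEGATION, [0x00, 0x01])
    print(plan)
    print(renumber(plan[0x01][1], OLD_DELEGATION, NEW_DELEGATION))
```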