Sophos XG home user

I'm Here A Lot
Posts: 7

Sophos XG home user

I have (ahem) gigabit service, but speed issues aside, I am a bit lost on how to configure IPv6 on it. I have the Hitron in bridge mode going to a Unifi USG, then a Sophos fanless PC, which then connects to a Unifi switch.
Things are running fine and perhaps need a bit more tweaking to improve them (any tips on that would be welcome too!). I was getting IPv6 addresses when running just the Unifi equipment, but once the Sophos was put in, I can't seem to get them anymore. I know it will need another set of firewall rules, but I cannot seem to even enable RA or see any prefix delegation options to replicate into it. I tried all sorts of settings and now am truly lost. I am no expert per se, but I am keen to learn by tinkering, so any advice would be appreciated.
Thanks
Resident Expert
Posts: 6,229

Re: Sophos XG home user

@AlphaB not sure if this will help, but have a look at the following post, specifically the pfSense settings:

https://communityforums.rogers.com/t5/Internet/Rogers-IPv6-Status/m-p/373238#M36710

And this thread as well, which was started by @JKnott :

https://forum.netgate.com/topic/106885/rogers-pfsense-configuration

Perhaps @JKnott can offer some advice.


I'm Here A Lot
Posts: 7

Re: Sophos XG home user

Thanks, and yes, I had seen those links a while ago and they helped in the setup of the Unifi USG. The Sophos seems to be speaking a different language: it seems to be hit or miss, and I even tried forcing the address but it refuses stubbornly!
I do wish to persist and will keep my eyes peeled for any users who have had luck on this one.
Thanks @Datalink for the links; they will help to perhaps finally have one resource for future reference as well.
I Plan to Stick Around
Posts: 271

Re: Sophos XG home user

I don't have any experience with the Unifi USG, but it should have some settings comparable to the other devices mentioned in the link from Datalink. Start with the basics and see what's happening without that Sophos device. Does the USG have a WAN IPv6 address? LAN? Do other devices on the network get an IPv6 address? Once things are working properly you can then worry about that Sophos device.

Incidentally, that WAN address is not used for routing. It's just a /128 address that's used to provide a WAN address for the router and nothing more. IPv6 generally uses the link-local address for routing.

I Plan to Stick Around
Posts: 271

Re: Sophos XG home user


@AlphaB wrote:
Thanks, and yes, I had seen those links a while ago and they helped in the setup of the Unifi USG. The Sophos seems to be speaking a different language: it seems to be hit or miss, and I even tried forcing the address but it refuses stubbornly!
I do wish to persist and will keep my eyes peeled for any users who have had luck on this one.
Thanks @Datalink for the links; they will help to perhaps finally have one resource for future reference as well.

I just looked up that Sophos and it's also a firewall. Are you using both the USG and Sophos firewalls? If so, that's the problem. Rogers uses IPv6-PD to provide the LAN prefix. If you have another firewall/router after the USG, you have to manually configure everything, including one or more /64 prefixes from the /56 Rogers provides.

Perhaps you could better describe what it is you're trying to do.

I'm Here A Lot
Posts: 7

Re: Sophos XG home user

Following this as one reference point:
https://community.sophos.com/kb/en-us/123098

Using Ubiquiti Unifi creates an almost OCD infatuation with seeing all the data points lit up on the admin dashboard: the USG, switch and APs. Some users have succeeded in putting the Sophos as the bump in the middle to manage the firewall aspect.

The rationale is simple: the IPS/IDS on USG slows it down to a crawl or at best a tenth of a gigabit connection. Hence, offload that task to another device, in this case the Sophos XG.

To specifically answer the questions:
1. Yes, it seems you flag an important issue: the firewall is not disabled on the USG, and actually I confess I don't know how to do that yet, and I have not added any rules to it, so whatever is there is probably some default values. Anyone with Unifi experience can advise please? I haven't had issues, but perhaps this is the stumbling block?

2. I had used the settings from your article in setting up the USG and that worked fine and addresses were being handed out (used 56 instead of 64). However, the Sophos seems to get an IPv6 address for the gateway but does not do anything with it. As a result there is no "interface" to select for RA.

I hope the above clarifies adequately

Edit: I have firewall rules set up on the Sophos XG and they work fine. However, I never touched the USG firewall, assuming that any default values won't be anything significant, and I had not added any either.
Resident Expert
Posts: 6,229

Re: Sophos XG home user

@AlphaB here's some food for thought. The Hitron modems, in Bridge mode, provide 4 active, independent ports. Two of those ports will provide connected devices with independent IPv4 and IPv6 addresses. Beyond those two ports, the other ports are supposed to provide IPv6 addresses only. So, in theory, with the Sophos and USG connected to their own ports on the modem, you can run two independent networks.

You should be able to connect both devices, then restart/reboot the modem so that each device is assigned an IPv4 and IPv6 address.


I'm Here A Lot
Posts: 7

Re: Sophos XG home user

That's quite an interesting insight, thank you for sharing. Just to clarify: that means the top 2 ports are for both and the subsequent ones are IPv6 only (ports 3 and 4)?

I will certainly try that, as I had initially envisioned the Sophos running fine in a house with kids on PS4 and Nintendo, but they have been giving me "the look" due to lag, issues with some games etc. As a novice I have become the on-call IT guy getting a hard time from everyone!

Out of intellectual curiosity I would like it to work as one, but your alternative is certainly an interesting idea in order to segregate the network. It won't degrade performance or anything else, right?

Additionally, and pardon me if this is a stupid question: will I be able to route both through the same managed switch and isolate them?
I'm Here A Lot
Posts: 7

Re: Sophos XG home user

As an update: I managed to get IPv6 working on the setup as originally planned (Sophos between the USG and switch) and ran a test on IPv6-test.com.

The results are disconcerting: using SLAAC, the MAC address and hostname of the Sophos device are visible!

I used the same firewall rules etc., although I could not enable Router Advertisement since for some reason it did not show an interface to pick (although the online guide says even bridged options will show up).

Needless to say, I disabled IPv6 as it seems it will be a bad idea unless/until some knowledgeable person can guide me on what I missed.

Any advice please?
I Plan to Stick Around
Posts: 271

Re: Sophos XG home user

First off, IPv6 is not making your MAC or host name available. That is being done by your browser reading that info and providing it to the site. There is absolutely no other way for your MAC address to be revealed, unless it edits the MAC-based IPv6 address to work out the MAC, and the only other possibility for the host name would be if it's registered on a publicly available DNS server and the site does a reverse lookup. Normally, something called a "privacy address" is used for outgoing connections, which would have no connection to the MAC address or host name. There's no reason not to enable IPv6. As I am not familiar with your hardware, I can't comment on enabling RAs. However, if you get an IPv6 address and are able to reach the Internet, it's working.

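As an added worked example (this is not code from anyone in the thread, nor from Sophos, Ubiquiti or Rogers), the Python script below puts numbers to two points made in the replies above: the earlier note that a second firewall behind the USG has to be handed /64 LAN prefixes carved by hand out of the /56 that DHCPv6-PD delivered, and the explanation that an EUI-64 SLAAC address embeds the interface MAC while a privacy (temporary) address does not. The delegated prefix 2001:db8:0:100::/56 and the MAC 00:11:22:33:44:55 are constructed inputs from the documentation range, not a real Rogers delegation.

```python
import ipaddress
import secrets

# Constructed sample inputs (documentation prefix, not a real Rogers delegation).
DELEGATED_PREFIX = "2001:db8:0:100::/56"
SAMPLE_MAC = "00:11:22:33:44:55"


def lan_prefixes(delegated, count):
    """Carve `count` /64 LAN prefixes out of a delegated prefix.

    When the upstream router (the USG here) has already consumed the
    DHCPv6-PD lease, a downstream firewall has to be told these by hand.
    """
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("delegation is smaller than a single /64")
    gen = net.subnets(new_prefix=64)
    return [next(gen) for _ in range(count)]


def eui64_interface_id(mac):
    """Modified EUI-64 interface ID (RFC 4291 App. A): flip the U/L bit of
    the first octet, then splice ff:fe between the OUI and device halves."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC")
    b = bytearray(raw)
    b[0] ^= 0x02
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return int.from_bytes(iid, "big")


def slaac_address(prefix, mac):
    """Address a host forms by SLAAC with EUI-64 IIDs: prefix + EUI-64(mac).
    The MAC is therefore visible to any peer that sees this source address."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) + eui64_interface_id(mac))


def privacy_address(prefix):
    """RFC 4941 style temporary address: a random 64-bit IID with the U/L
    bit cleared, regenerated if it happens to imitate the EUI-64 layout."""
    net = ipaddress.IPv6Network(prefix)
    while True:
        iid = secrets.randbits(64) & ~(1 << 57)  # bit 57 is the U/L bit of octet 0
        if iid.to_bytes(8, "big")[3:5] != b"\xff\xfe":
            return ipaddress.IPv6Address(int(net.network_address) + iid)


def mac_from_address(addr):
    """Recover the MAC from an EUI-64 derived address, or None when the IID
    lacks the ff:fe marker (privacy, random or manually assigned IIDs)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(b[:3] + b[5:])
    mac[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{x:02x}" for x in mac)


def address_in_prefix(addr, prefix):
    """True if `addr` falls inside `prefix`."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(prefix)


if __name__ == "__main__":
    lans = [str(p) for p in lan_prefixes(DELEGATED_PREFIX, 3)]
    print("LAN /64s to configure on the downstream firewall:", lans)
    eui = slaac_address(lans[0], SAMPLE_MAC)
    print("EUI-64 SLAAC address:", eui, "-> MAC recovered:", mac_from_address(eui))
    tmp = privacy_address(lans[0])
    print("privacy address:     ", tmp, "-> MAC recovered:", mac_from_address(tmp))
```

Run it and compare the two "MAC recovered" lines: the EUI-64 address gives the MAC straight back, the privacy address gives nothing. On a firewall that forms its own WAN address by SLAAC, that is the difference between the earlier poster's observation and the reply's point about privacy addresses; the hostname, as the reply says, does not travel in the address at all.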