Sophos XG home user

I'm Here A Lot
Posts: 7

Re: Sophos XG home user

Thank you for the advice and I agree it’s a challenge to advise when not fully aware of the configuration. If I may provide some additional information and perhaps you may recognize any configuration issue:
1. Under interface, network: the bridged IPv6 is DHCP, auto, stateless and that gives the gateway ip below as fe80. When I close it the IP addresses show as 192.168... and 2607:fea8...
2. Although Sophos guides say RA can be enabled in bridge, no interface option shows in the drop-down menu, so I skip that.
3. In system/hosts and services I set the DHCP IPv6 as the fe80.. which matches the above. I use that to set up the firewall
4. In firewall I set the LAN to WAN as per the DHCP setting above and it seems to connect.
The only reason I was puzzled was how it’s picking up the firewall vendor and MAC address. Perhaps this link had me worried:
https://www.reddit.com/r/toronto/comments/5nvqib/rogers_rollout_of_ipv6_is_flawed_your_personal/?utm...

My rationale was if the device is getting easy to trace on the web then it can potentially be exposed to malicious attacks.

Again this is all the perspective of a person who is learning so my fears may be unfounded. Intuitively it just didn’t seem right that a MAC address should show; after all, when one posts any files even for troubleshooting then care is taken to avoid revealing IP and MAC addresses, right?

Sorry I could not post the actual snapshot as I am on mobile but please let me know if you have any advice on this. I can provide more details later if you like.
Thanks

EDIT: yes as per your comment, the MAC address is coming from the IPv6 as it is part of the one that gets recognised in the IPv6 test website. I understood your point by reading:
https://www.ictshore.com/free-ccna-course/dhcpv6-basics/
I Plan to Stick Around
Posts: 297

Re: Sophos XG home user

As I mentioned, I can't help you with the specifics of your hardware but, IIRC, you had 2 routers in your network and the first router cannot pass the config info onto the other, unless you buy something like Cisco and pay for the appropriate software.  Regardless, if devices on the LAN, that is those connected directly to the first router are getting valid IPv6 addresses, then everything is working properly.  If you want another router behind it, you're on your own, as I am not familiar with your equipment.

 

As for that Reddit post, that person obviously doesn't know what he's talking about. What is happening is that computers on your LAN are being assigned a public address. This is the way that the Internet was always intended to work. It's only because we're forced to use NAT, to get around the IPv4 address shortage, that it's not happening for most users. There is absolutely no mechanism for IPv6 to transmit the MAC address or host name, unless the MAC based address is used and then it takes a bit of effort to do that. The MAC based address is created by taking the MAC address and inserting FFFE in the middle and then inverting the 7th bit. Then the prefix is prepended to create the 128 bit address.

When you use SLAAC on your local network, you will have a fixed address, based on the MAC address or a random number. You will also have up to 7 privacy addresses, with a new one created every day. These privacy addresses are normally used when you have an outgoing connection. The fixed address is normally used only for incoming connections, such as when you have a server. So, when you go to a website, a real address is "revealed", as was always intended. However, with a privacy address, a different one will be used every day, leaving only your prefix exposed. That prefix contains 2^64 addresses, which is the entire IPv4 address space squared! So, even with the prefix, an attacker would have a heck of a lot of work to do, just to find a working address within that prefix and that address would be valid for at most 7 days.

Also, knowing the MAC address is worthless, as it's not reachable from anywhere beyond your router. The MAC is used only on the local LAN and nowhere else. Take a look at an Ethernet frame. In it you'll see the MAC addresses and IP packet, which includes the IP addresses. When a packet is forwarded by a router, the Ethernet frame is stripped off, leaving only the IP packet. The packet is then placed in another Ethernet frame, with new MAC addresses, for the next hop. This happens at every hop along the path. You can install Wireshark on your computer to look at the frames and packets.

 

As for that site determining the MAC from the IP address, it's more likely the browser is providing that info along with the host name.  For that site to get the MAC from the IPv6 address, you'd have to contact the site using the MAC based address, not the privacy address.  Also, if the fixed address is based on a random number, then that site will not be able to determine the MAC from that IPv6 address.  If you're running Windows, you're likely using the random number address.  However, you can use Wireshark to verify that.

 

Bottom line, that site gets your host name and MAC address because your browser told it what they are.
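The MAC-based address construction described in the reply above (insert FFFE in the middle, invert the 7th bit, prepend the prefix), as an added example that is not part of the original posts. It also runs the check in reverse so you can see whether an address on one of your interfaces embeds the MAC; the function names, the sample MAC and the `2001:db8::/32` documentation prefix are constructed for illustration.

```python
import ipaddress

def mac_to_slaac(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Build the MAC-based (modified EUI-64) address inside a /64 prefix."""
    octets = bytearray(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have 6 octets")
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    octets[0] ^= 0x02  # invert the 7th bit of the first octet
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])  # FFFE in the middle
    return ipaddress.IPv6Address(int(net.network_address) + int.from_bytes(iid, "big"))

def mac_from_address(addr: str):
    """Return the embedded MAC if the lower 64 bits look MAC-based, else None.

    A random identifier can contain ff:fe in this position by chance
    (about 1 in 65536), so a match is a strong hint rather than proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the bit inversion
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Map each address to the MAC it exposes (None for random/privacy IDs)."""
    return {a: mac_from_address(a) for a in addresses}

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(mac_to_slaac("2001:db8:1:2::/64", "00:11:22:33:44:55"))
    for address, mac in audit([
        "2001:db8:1:2:211:22ff:fe33:4455",   # MAC-based global address
        "fe80::211:22ff:fe33:4455",          # MAC-based link-local address
        "2001:db8:1:2:5c3a:91d2:7be4:a1f0",  # random / privacy-style identifier
    ]).items():
        print(address, "->", mac or "no MAC embedded")
```

Feed `audit()` the addresses your operating system lists for an interface to see which of them, if any, carry the MAC.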

 

I'm Here A Lot
Posts: 7

Re: Sophos XG home user

Thank you for such a detailed reply. I appreciate the clarification. Also I think your reply will be tremendously useful for others like myself who will likely see the post as they troubleshoot their setup.
I think I can confidently proceed then as I am getting the IPv6 and this advice has allayed my fears. Indeed a little bit of knowledge is a dangerous thing and that’s where I stand!
Thank you
I Plan to Stick Around
Posts: 297

Re: Sophos XG home user


@Datalink wrote:

@AlphaB here's some food for thought.  The Hitron modems, in Bridge mode provide 4 active, independent ports.  Two of those ports will provide connected devices with independent IPV4 and IPV6 addresses.  Beyond those two ports, the other ports are only supposed to provide IPV6 addresses only.  So, in theory, with the Sophos and USG connected to their own ports on the modem, you can run two independent networks.  

 

You should be able to connect both devices, then restart/reboot the modem so that each device is assigned an IPV4 and IPV6 address.  


I just tried an experiment.  In addition to my pfSense firewall, I connected 2 notebook computers to the modem in bridge mode.  I found that only the first computer connected got public addresses and the 2nd only got link local addresses.  It didn't matter which was plugged in first. The modem was rebooted between attempts.  So, only 2 devices get any public addresses, either IPv4 or IPv6.

Resident Expert
Posts: 6,986

Re: Sophos XG home user

So much for theory......

 

 

@JKnott when you rebooted the modem did you have three devices plugged into the modem and if so, which ones ended up with both IPV4 and IPV6 addresses.  Did that go by port number or port location, top to bottom first for example?



I Plan to Stick Around
Posts: 297

Re: Sophos XG home user


@Datalink wrote:

So much for theory......

 

 

@JKnott when you rebooted the modem did you have three devices plugged into the modem and if so, which ones ended up with both IPV4 and IPV6 addresses.  Did that go by port number or port location, top to bottom first for example?


I left my firewall connected then powered up the modem. I then plugged the computers in one at a time. The first one got the addresses, the 2nd didn't.

 

Resident Expert
Posts: 6,986

Re: Sophos XG home user

Ok, that makes sense.  Just wondering if you had the pfsense firewall and two other computers all connected at the same time and if so, after the reboot which devices ended up with both IP addresses?  I'm wondering what the modem's port logic is, when more than two devices are connected, not that it matters much as only two of them end up with real world IP addresses.  

 

I usually use the bottom two ports simultaneously and I've never had much of an issue to see both routers receive their respective IPV4 and IPV6 addresses. 



I Plan to Stick Around
Posts: 297

Re: Sophos XG home user

 It doesn't appear to make any difference which ports are used.  It's just a matter of the connection order.  I would say those 4 ports are behaving just like a regular Ethernet switch.