10-19-2019 12:50 AM
10-19-2019 12:58 AM - edited 10-19-2019 12:59 AM
@AlphaB not sure if this will help, but, have a look at the following post, specifically the pfsense settings:
https://communityforums.rogers.com/t5/Internet/Rogers-IPv6-Status/m-p/373238#M36710
And this thread as well, which was started by @JKnott :
https://forum.netgate.com/topic/106885/rogers-pfsense-configuration
Perhaps @JKnott can offer some advice.
10-19-2019 02:24 AM
10-19-2019 08:48 AM
I don't have any experience with Unifi USG, but it should have some settings comparable to other devices mentioned in the link from Datalink. Start with the basics and see what's happening without that Sophos device. Does the USG have a WAN IPv6? LAN? Do other devices on the network get an IPv6 address? Once things are working properly you can then worry about that Sophos device.
Incidentally, that WAN address is not used for routing. It's just a /128 address that's used to provide a WAN address for the router and nothing more. IPv6 generally uses the link local address for routing.
10-19-2019 08:54 AM
@AlphaB wrote:
Thanks and yes I had seen those links a while ago and they helped in the setup of the Unifi USG. The Sophos seems to be speaking a different language: it seems to be hit or miss and I even tried forcing the address but it refuses stubbornly!
I do wish to persist and will keep my eyes peeled for any users who have had luck on this one.
Thanks @Datalink for the links; they will perhaps help to finally have one resource for future reference as well.
I just looked up that Sophos and it's also a firewall. Are you using both the USG and Sophos firewalls? If so, that's the problem. Rogers uses IPv6-PD to provide the LAN prefix. If you have another firewall/router after the USG, you have to manually configure everything, including one or more /64 prefixes from the /56 Rogers provides.
Perhaps you could better describe what it is you're trying to do.
10-19-2019 02:55 PM - edited 10-19-2019 03:01 PM
10-19-2019 03:47 PM
@AlphaB here's some food for thought. The Hitron modems, in Bridge mode, provide 4 active, independent ports. Two of those ports will provide connected devices with independent IPV4 and IPV6 addresses. Beyond those two ports, the other ports are supposed to provide IPV6 addresses only. So, in theory, with the Sophos and USG connected to their own ports on the modem, you can run two independent networks.
You should be able to connect both devices, then restart/reboot the modem so that each device is assigned an IPV4 and IPV6 address.
10-19-2019 05:12 PM
10-22-2019 12:42 AM
10-22-2019 08:02 AM - edited 10-22-2019 08:38 AM
First off, IPv6 is not making your MAC or host name available. That is being done by your browser reading that info and providing it to the site. There is absolutely no other way for your MAC address to be revealed, unless it edits the MAC based IPv6 address to work out the MAC, and the only other possibility for the host name would be if it's registered on a publicly available DNS server and the site does a reverse lookup. Normally, something called a "privacy address" is used for outgoing connections, which would have no connection to the MAC address or host name. There's no reason to not enable IPv6. As I am not familiar with your hardware, I can't comment on enabling RAs. However, if you get an IPv6 address and are able to reach the Internet, it's working.
10-22-2019 10:34 AM - edited 10-22-2019 10:39 AM
10-22-2019 11:08 AM
As I mentioned, I can't help you with the specifics of your hardware but, IIRC, you had 2 routers in your network and the first router cannot pass the config info onto the other, unless you buy something like Cisco and pay for the appropriate software. Regardless, if devices on the LAN, that is those connected directly to the first router are getting valid IPv6 addresses, then everything is working properly. If you want another router behind it, you're on your own, as I am not familiar with your equipment.
As for that Reddit post, that person obviously doesn't know what he's talking about. What is happening is that computers on your LAN are being assigned a public address. This is the way that the Internet was always intended to work. It's only because we're forced to use NAT, to get around the IPv4 address shortage, that it's not happening for most users.
There is absolutely no mechanism for IPv6 to transmit the MAC address or host name, unless the MAC based address is used, and then it takes a bit of effort to do that. The MAC based address is created by taking the MAC address and inserting FFFE in the middle and then inverting the 7th bit. Then the prefix is prepended to create the 128 bit address. When you use SLAAC on your local network, you will have a fixed address, based on the MAC address or a random number. You will also have up to 7 privacy addresses, with a new one created every day. These privacy addresses are normally used when you have an outgoing connection. The fixed address is normally used only for incoming connections, such as when you have a server. So, when you go to a website, a real address is "revealed", as was always intended. However, with a privacy address, a different one will be used every day, leaving only your prefix exposed. That prefix contains 2^64 addresses, which is the entire IPv4 address space squared! So, even with the prefix, an attacker would have a heck of a lot of work to do, just to find a working address within that prefix, and that address would be valid for at most 7 days.
Also, knowing the MAC address is worthless, as it's not reachable from anywhere beyond your router. The MAC is used only on the local LAN and nowhere else. Take a look at an Ethernet frame. In it you'll see the MAC addresses and IP packet, which includes the IP addresses. When a packet is forwarded by a router, the Ethernet frame is stripped off, leaving only the IP packet. The packet is then placed in another Ethernet frame, with new MAC addresses, for the next hop. This happens at every hop along the path. You can install Wireshark on your computer to look at the frames and packets.
As for that site determining the MAC from the IP address, it's more likely the browser is providing that info along with the host name. For that site to get the MAC from the IPv6 address, you'd have to contact the site using the MAC based address, not the privacy address. Also, if the fixed address is based on a random number, then that site will not be able to determine the MAC from that IPv6 address. If you're running Windows, you're likely using the random number address. However, you can use Wireshark to verify that.
Bottom line, that site gets your host name and MAC address because your browser told it what they are.
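To make the address construction described in this post concrete, here is an added Python example (not from the thread or from any poster): it builds the SLAAC address from a MAC and a /64 prefix exactly as described (insert FFFE, flip the 7th bit, prepend the prefix), and runs the reverse check a user can apply to their own address to tell a MAC-based identifier from a random or privacy one. The MAC and the documentation prefix used are constructed sample values.

```python
import ipaddress
import re


def eui64_interface_id(mac: str) -> int:
    """Return the 64-bit EUI-64 interface identifier derived from a MAC.

    Split the 48-bit MAC in half, insert 0xFFFE between the halves, then
    invert the universal/local bit (the 7th bit from the left, 0x02 in
    the first octet).
    """
    octets = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", mac))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Prepend a /64 prefix to the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_address(addr: str):
    """Reverse the construction.

    If the low 64 bits carry the 0xFFFE marker in the EUI-64 position,
    undo the bit flip and return the embedded MAC; otherwise return None,
    meaning the identifier is random or a privacy address and reveals
    nothing about the hardware.
    """
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    # Constructed sample values: documentation prefix and a made-up MAC.
    addr = slaac_address("2001:db8:abcd:12::/64", "00:1a:2b:3c:4d:5e")
    print(addr, "->", mac_from_address(str(addr)))
    print(mac_from_address("2001:db8:abcd:12:8d3e:1f2a:7c4b:9e10"))
```

The FFFE marker test is a heuristic: a randomly generated identifier lands on that 16-bit pattern with probability 1 in 65536, so a hit is a strong but not certain indication that the address is MAC-based.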
10-22-2019 11:34 AM
10-25-2019 03:32 PM
@Datalink wrote: @AlphaB here's some food for thought. The Hitron modems, in Bridge mode, provide 4 active, independent ports. Two of those ports will provide connected devices with independent IPV4 and IPV6 addresses. Beyond those two ports, the other ports are supposed to provide IPV6 addresses only. So, in theory, with the Sophos and USG connected to their own ports on the modem, you can run two independent networks.
You should be able to connect both devices, then restart/reboot the modem so that each device is assigned an IPV4 and IPV6 address.
I just tried an experiment. In addition to my pfSense firewall, I connected 2 notebook computers to the modem in bridge mode. I found that only the first computer connected got public addresses and the 2nd only got link local addresses. It didn't matter which was plugged in first. The modem was rebooted between attempts. So, only 2 devices get any public addresses, either IPv4 or IPv6.
10-25-2019 05:43 PM
So much for theory......
@JKnott when you rebooted the modem, did you have three devices plugged into the modem, and if so, which ones ended up with both IPV4 and IPV6 addresses? Did that go by port number or port location, top to bottom first for example?
10-25-2019 06:23 PM
@Datalink wrote: So much for theory......
@JKnott when you rebooted the modem, did you have three devices plugged into the modem, and if so, which ones ended up with both IPV4 and IPV6 addresses? Did that go by port number or port location, top to bottom first for example?
I left my firewall connected then powered up the modem. I then plugged the computers in one at a time. The first one got the addresses, the 2nd didn't.
10-25-2019 06:38 PM
Ok, that makes sense. Just wondering if you had the pfsense firewall and two other computers all connected at the same time and if so, after the reboot which devices ended up with both IP addresses? I'm wondering what the modem's port logic is, when more than two devices are connected, not that it matters much as only two of them end up with real world IP addresses.
I usually use the bottom two ports simultaneously and I've never had much of an issue to see both routers receive their respective IPV4 and IPV6 addresses.
10-25-2019 07:05 PM