Sophos XG home user

AlphaB
I'm here a lot
I have (ahem) gigabit service but speed issues aside I am a bit lost on how to configure the IPV6 on it. I have the Hitron in bridge going to Unifi USG then Sophos fanless pc which then connects to a Unifi switch.
Things are running fine and perhaps need a bit more tweaking to improve things (any tips on that would be welcome too!). I was getting IPv6 addresses when running just the Unifi equipment but once sophos was put in then I can’t seem to get it anymore. I know it will need another set of firewall rules but I cannot seem to even enable RA or see any prefix delegation options to replicate into it. I tried all sorts of settings and now am truly lost. I am no expert per se but I am keen to learn by tinkering so any advice would be appreciated.
Thanks

Re: Sophos XG home user

Datalink
Resident Expert
Resident Expert

@AlphaB not sure if this will help, but, have a look at the following post, specifically the pfsense settings:

https://communityforums.rogers.com/t5/Internet/Rogers-IPv6-Status/m-p/373238#M36710

And this thread as well, which was started by @JKnott :

https://forum.netgate.com/topic/106885/rogers-pfsense-configuration

Perhaps @JKnott can offer some advice.

Re: Sophos XG home user

Thanks and yes I had seen those links a while ago and they helped in the setup of the Unifi USG. The Sophos seems to be speaking a different language: it seems to be hit or miss and I even tried forcing the address but it refuses stubbornly!
I do wish to persist and will keep my eyes peeled for any users who have had luck on this one.
Thanks @Datalink for the links; they will help to perhaps finally have one resource for future reference as well.

Re: Sophos XG home user

JKnott
I'm a reliable contributor

I don't have any experience with Unifi USG, but it should have some settings comparable to other devices mentioned in the link from Datalink.  Start with the basics and see what's happening without that Sophos device.  Does the USG have a WAN IPv6?  LAN?  Do other devices on the network get an IPv6 address?  Once things are working properly you can then worry about that Sophos device.

Incidentally, that WAN address is not used for routing.  It's just a /128 address that's used to provide a WAN address for the router and nothing more.  IPv6 generally uses the link local address for routing.

Re: Sophos XG home user

JKnott
I'm a reliable contributor

@AlphaB wrote:
Thanks and yes I had seen those links a while ago and they helped in the setup of the Unifi USG. The Sophos seems to be speaking a different language: it seems to be hit or miss and I even tried forcing the address but it refuses stubbornly!
I do wish to persist and will keep my eyes peeled for any users who have had luck on this one.
Thanks @Datalink for the links; they will help to perhaps finally have one resource for future reference as well.

I just looked up that Sophos and it's also a firewall. Are you using both the USG and Sophos firewalls? If so, that's the problem. Rogers uses IPv6-PD to provide the LAN prefix. If you have another firewall/router after the USG, you have to manually configure everything, including one or more /64 prefixes from the /56 Rogers provides.

Perhaps you could better describe what it is you're trying to do.

Re: Sophos XG home user

AlphaB
I'm here a lot
Following this as one reference point:
https://community.sophos.com/kb/en-us/123098

Using Ubiquiti Unifi creates an almost OCD infatuation with seeing all the data points lit up on the admin dashboard: the USG, switch and APs. Some users have succeeded in putting the Sophos as the bump in the middle to manage the firewall aspect.

The rationale is simple: the IPS/IDS on USG slows it down to a crawl or at best a tenth of a gigabit connection. Hence, offload that task to another device, in this case the Sophos XG.

To specifically answer the questions:
1. Yes it seems you flag an important issue, the firewall is not disabled on the USG and actually I confess I don’t know how to do that yet and I have not added any rules to it so whatever is there is probably some default values. Anyone with Unifi experience can advise please? — I haven’t had issues but perhaps this is the stumbling block?

2. I had used the settings from your article in setting up the USG and that worked fine and addresses were being handed out (used 56 instead of 64). However the Sophos seems to get an IPv6 for gateway but does not do anything with it. As a result there is no “interface” to select for RA.

I hope the above clarifies adequately

Edit: I have firewall rules set up on the Sophos XG and they work fine. However, I never touched the USG firewall assuming that any default values won’t be anything significant and I had not added any either.

Re: Sophos XG home user

@AlphaB here's some food for thought. The Hitron modems, in Bridge mode, provide 4 active, independent ports. Two of those ports will provide connected devices with independent IPV4 and IPV6 addresses. Beyond those two ports, the other ports are supposed to provide IPV6 addresses only. So, in theory, with the Sophos and USG connected to their own ports on the modem, you can run two independent networks.

You should be able to connect both devices, then restart/reboot the modem so that each device is assigned an IPV4 and IPV6 address.  

Re: Sophos XG home user

That’s quite an interesting insight thank you for sharing. Just to clarify: that means the top 2 are for both and subsequent ones are IPv6 (3 and 4 ports)?

I will certainly try that as I had initially envisioned the Sophos running fine in a house with kids on PS4 and Nintendo but they have been giving me “the look” due to lags, issues with some games etc. As a novice I have become the on-call IT guy getting a hard time from everyone!

Out of intellectual curiosity I would like it to work as one but your alternative is certainly an interesting idea in order to segregate the network. It won’t degrade performance or anything else right?

Additionally, and pardon me if this is a stupid question: will I be able to route both through the same managed switch and isolate them?

Re: Sophos XG home user

As an update: I managed to get IPv6 working on the setup as originally planned (sophos between the USG and switch) and ran a test on IPv6-test.com

The results are disconcerting: using SLAAC the MAC address and hostname of the sophos device is visible!

I used the same firewall rules etc although I could not enable Router Advertisement since for some reason it did not show an interface to pick (although the online guide says even bridged options will show up)

Needless to say, I disabled IPv6 as it seems it will be a bad idea unless/until some knowledgeable person can guide me on what I missed.

Any advice please?

Re: Sophos XG home user

JKnott
I'm a reliable contributor

First off, IPv6 is not making your MAC or host name available.  That is being done by your browser reading that info and providing it to the site.  There is absolutely no other way for your MAC address to be revealed, unless it edits the MAC based IPv6 address to work out the MAC, and the only other possibility for the host name would be if it's registered on a publicly available DNS server and the site does a reverse lookup.  Normally, something called a "privacy address" is used for outgoing connections, which would have no connection to the MAC address or host name.  There's no reason to not enable IPv6.  As I am not familiar with your hardware, I can't comment on enabling RAs.  However, if you get an IPv6 address and are able to reach the Internet, it's working.

Re: Sophos XG home user

AlphaB
I'm here a lot
Thank you for the advice and I agree it’s a challenge to advise when not fully aware of the configuration. If I may provide some additional information and perhaps you may recognize any configuration issue:
1. Under interface, network: the bridged IPv6 is DHCP, auto, stateless and that gives the gateway ip below as fe80. When I close it the IP addresses show as 192.168... and 2607:fea8...
2. Although Sophos guides say RA can be enabled in bridge, no interface option shows from the drop down menu. So I skip that
3. In system/hosts and services I set the DHCP IPv6 as the fe80.. which matches the above. I use that to set up the firewall
4. In firewall I set the LAN to WAN as per the DHCP setting above and it seems to connect.
The only reason I was puzzled was how it’s picking up the firewall vendor and MAC address. Perhaps this link had me worried:
https://www.reddit.com/r/toronto/comments/5nvqib/rogers_rollout_of_ipv6_is_flawed_your_personal/?utm...

My rationale was if the device is getting easy to trace on the web then it can potentially be exposed to malicious attacks.

Again this is all the perspective of a person who is learning so my fears may be unfounded. Intuitively it just didn’t seem right that a MAC address should show, after all when one posts any files even for troubleshooting then care is taken to avoid revealing IP and MAC addresses right?

Sorry I could not post the actual snapshot as I am on mobile but please let me know if you have any advice on this. I can provide more details later if you like.
Thanks

EDIT: yes as per your comment, the MAC address is coming from the IPv6 as it is part of the one that gets recognised in the IPv6 test website. I understood your point by reading:
https://www.ictshore.com/free-ccna-course/dhcpv6-basics/

Re: Sophos XG home user

JKnott
I'm a reliable contributor

As I mentioned, I can't help you with the specifics of your hardware but, IIRC, you had 2 routers in your network and the first router cannot pass the config info onto the other, unless you buy something like Cisco and pay for the appropriate software.  Regardless, if devices on the LAN, that is those connected directly to the first router are getting valid IPv6 addresses, then everything is working properly.  If you want another router behind it, you're on your own, as I am not familiar with your equipment.

As for that Reddit post, that person obviously doesn't know what he's talking about. What is happening is that computers on your LAN are being assigned a public address. This is the way that the Internet was always intended to work. It's only because we're forced to use NAT, to get around the IPv4 address shortage, that it's not happening for most users. There is absolutely no mechanism for IPv6 to transmit the MAC address or host name, unless the MAC based address is used and then it takes a bit of effort to do that. The MAC based address is created by taking the MAC address and inserting FFFE in the middle and then inverting the 7th bit. Then the prefix is prepended to create the 128 bit address. When you use SLAAC on your local network, you will have a fixed address, based on the MAC address or a random number. You will also have up to 7 privacy addresses, with a new one created every day. These privacy addresses are normally used when you have an outgoing connection. The fixed address is normally used only for incoming connections, such as when you have a server. So, when you go to a website, a real address is "revealed", as was always intended. However, with a privacy address, a different one will be used every day, leaving only your prefix exposed. That prefix contains 2^64 addresses, which is the entire IPv4 address space squared! So, even with the prefix, an attacker would have a heck of a lot of work to do, just to find a working address within that prefix and that address would be valid for at most 7 days. Also, knowing the MAC address is worthless, as it's not reachable from anywhere beyond your router. The MAC is used only on the local LAN and nowhere else. Take a look at an Ethernet frame. In it you'll see the MAC addresses and IP packet, which includes the IP addresses. When a packet is forwarded by a router, the Ethernet frame is stripped off, leaving only the IP packet. The packet is then placed in another Ethernet frame, with new MAC addresses, for the next hop. This happens at every hop along the path. You can install Wireshark on your computer to look at the frames and packets.

As for that site determining the MAC from the IP address, it's more likely the browser is providing that info along with the host name.  For that site to get the MAC from the IPv6 address, you'd have to contact the site using the MAC based address, not the privacy address.  Also, if the fixed address is based on a random number, then that site will not be able to determine the MAC from that IPv6 address.  If you're running Windows, you're likely using the random number address.  However, you can use Wireshark to verify that.

Bottom line, that site gets your host name and MAC address because your browser told it what they are.
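As an added illustration of the derivation JKnott describes above and of the worry raised earlier in the thread about the IPv6-test.com result (this is example code added here, not from any poster, from Sophos or from Rogers): a small Python script that builds the modified EUI-64 SLAAC address from a MAC and a /64 prefix, then performs the reverse check a home user would actually want, namely whether a given address on their machine embeds a MAC at all or is a privacy-style identifier. The MAC and prefix are constructed sample values (the 2001:db8::/32 documentation range).

```python
import ipaddress
from typing import Dict, Iterable, Optional


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the 48-bit MAC in half, insert ff:fe between
    the halves, then flip the universal/local bit (the 7th bit from the left
    of the first byte), exactly as described in the post above."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # invert the 7th bit
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> str:
    """Prepend a /64 prefix to the EUI-64 interface identifier, giving the
    fixed (non-privacy) SLAAC address a host forms for that prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    packed = net.network_address.packed[:8] + eui64_interface_id(mac)
    return str(ipaddress.IPv6Address(packed))


def embedded_mac(addr: str) -> Optional[str]:
    """Reverse the derivation. Returns the MAC if the interface identifier
    carries the ff:fe marker in the middle (so it is almost certainly EUI-64
    based), or None for a privacy/random identifier. A random identifier hits
    the marker only with probability 1/65536, so a match is a strong signal,
    not proof."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def audit(addresses: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each of a host's global addresses to the MAC it would reveal to a
    remote site, or None. In practice feed it the addresses listed by
    `ip -6 addr` or `ipconfig`; the sample list below is constructed."""
    return {a: embedded_mac(a) for a in addresses}


if __name__ == "__main__":
    # Constructed sample values: documentation prefix, made-up MAC.
    mac = "00:11:22:33:44:55"
    fixed = slaac_address("2001:db8:1234:5678::/64", mac)
    print("EUI-64 SLAAC address:", fixed)
    # A privacy-style identifier (random bits, no ff:fe marker) for contrast.
    temporary = "2001:db8:1234:5678:1a2b:3c4d:5e6f:7081"
    for addr, leaked in audit([fixed, temporary]).items():
        print(addr, "->", leaked if leaked else "no embedded MAC (privacy-style identifier)")
```

Run it against your own `ip -6 addr` / `ipconfig` output: if the only address that embeds a MAC is the fixed one and a separate temporary address exists, outgoing connections use the latter and a remote site sees only the prefix, which is the point the post makes.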

Re: Sophos XG home user

AlphaB
I'm here a lot
Thank you for such a detailed reply. I appreciate the clarification. Also I think your reply will be tremendously useful for others like myself who will likely see the post as they troubleshoot their setup.
I think I can confidently proceed then as I am getting the IPv6 and this advice has allayed my fears. Indeed a little bit of knowledge is a dangerous thing and that’s where I stand!
Thank you

Re: Sophos XG home user

JKnott
I'm a reliable contributor

@Datalink wrote:

@AlphaB here's some food for thought. The Hitron modems, in Bridge mode, provide 4 active, independent ports. Two of those ports will provide connected devices with independent IPV4 and IPV6 addresses. Beyond those two ports, the other ports are supposed to provide IPV6 addresses only. So, in theory, with the Sophos and USG connected to their own ports on the modem, you can run two independent networks.

You should be able to connect both devices, then restart/reboot the modem so that each device is assigned an IPV4 and IPV6 address.  


I just tried an experiment.  In addition to my pfSense firewall, I connected 2 notebook computers to the modem in bridge mode.  I found that only the first computer connected got public addresses and the 2nd only got link local addresses.  It didn't matter which was plugged in first. The modem was rebooted between attempts.  So, only 2 devices get any public addresses, either IPv4 or IPv6.

Re: Sophos XG home user

So much for theory......

@JKnott when you rebooted the modem did you have three devices plugged into the modem and if so, which ones ended up with both IPV4 and IPV6 addresses? Did that go by port number or port location, top to bottom first for example?

Re: Sophos XG home user

JKnott
I'm a reliable contributor

@Datalink wrote:

So much for theory......

@JKnott when you rebooted the modem did you have three devices plugged into the modem and if so, which ones ended up with both IPV4 and IPV6 addresses? Did that go by port number or port location, top to bottom first for example?


I left my firewall connected then powered up the modem. I then plugged the computers in one at a time. The first one got the addresses, the 2nd didn't.

Re: Sophos XG home user

Ok, that makes sense.  Just wondering if you had the pfsense firewall and two other computers all connected at the same time and if so, after the reboot which devices ended up with both IP addresses?  I'm wondering what the modem's port logic is, when more than two devices are connected, not that it matters much as only two of them end up with real world IP addresses.  

I usually use the bottom two ports simultaneously and I've never had much of an issue to see both routers receive their respective IPV4 and IPV6 addresses. 

Re: Sophos XG home user

JKnott
I'm a reliable contributor

 It doesn't appear to make any difference which ports are used.  It's just a matter of the connection order.  I would say those 4 ports are behaving just like a regular Ethernet switch.