Rob's Ramblings

Wednesday 12 June 2024

IPv6 on a Sophos UTM

This has been bugging me for a while... I accidentally clicked on a long-forgotten tab in my browser that was set to which was failing, so I decided I might as well look into it again.

I am currently with BT Internet as an ISP.  Their router admits that it has an IPv6 address.  I don't really use the router, though - WiFi is OFF, and all incoming connections are forwarded to the single device connected to it (set as DMZ host in Advanced > Firewall > Configuration), a box running Sophos UTM as my main firewall/router.  This is IPv6 capable, but it's been a bit confusing as to how to set it up.  I could never find a simple "set these things and it should work" guide... so having managed to get it working, here's the simple guide I wish I'd been able to find in the first place.

Ok. Obviously, under Interfaces & Routing > IPv6 > General, make sure IPv6 is actually enabled. 

On the Interfaces & Routing > Interfaces tab, for your upstream connection, make sure you've got Dynamic IPv6 and IPv6 Default Gateway on:

Now, for the interface for your LAN, make sure Dynamic IPv6 is OFF, and set yourself a fixed IPv6 address.  Unless you need to make all the machines on your LAN visible to the world, you should pick a private range for this.  This post details how you can pick this, but TL;DR, use fdxx:xxxx:xxxx:yyyy:zzzz:zzzz:zzzz:zzzz, where xxx... is ten random hexadecimal digits, yyyy is a network (subnet) number and will usually be 0001, and zzz... is the number that identifies the individual device on the network.  I used 0000:0000:0000:0001 for the UTM, which compresses down to ::1.

Under IPv6 > Prefix Advertisement, create a record for the LAN interface, and enable Stateless Integrated Server. The DNS Entry here was picked up from that advertised by the BT router, and will be their server, but you can put any valid addresses in here.
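As an added example (my own code, not anything from the post or from Sophos), here is the address arithmetic behind the two steps above: building the fdxx:xxxx:xxxx:yyyy::/64 private (ULA) range from ten random hex digits, deriving the UTM's own ::1 address and the /64 you then advertise, and sanity-checking an address before typing it into the LAN interface. The `slaac_address` helper shows what a client would derive from the advertised prefix using the classic EUI-64 method; most current operating systems use random identifiers instead, so it is illustrative only. The sample global ID `0123456789` and MAC address are constructed values, and all function names are mine.

```python
import secrets
import string
import ipaddress


def make_ula_prefix(global_id_hex=None):
    """Build an fd00::/8 Unique Local Address /48 prefix (RFC 4193).

    global_id_hex: exactly ten hex digits (40 bits). When None, ten random
    digits are generated, which is what the post recommends.
    """
    if global_id_hex is None:
        global_id_hex = secrets.token_hex(5)  # 5 bytes -> 10 hex digits
    if len(global_id_hex) != 10 or any(c not in string.hexdigits for c in global_id_hex):
        raise ValueError("global ID must be exactly ten hexadecimal digits")
    g = global_id_hex.lower()
    # "fd" + 40-bit global ID -> fdxx:xxxx:xxxx::/48
    return ipaddress.IPv6Network(f"fd{g[0:2]}:{g[2:6]}:{g[6:10]}::/48")


def lan_subnet(prefix48, subnet_id=1):
    """The yyyy part: pick one /64 out of the /48 (the post uses 0001)."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit in 16 bits")
    # The 16-bit subnet ID sits just above the 64-bit interface identifier.
    base = int(prefix48.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def host_address(subnet64, interface_id=1):
    """The zzzz part: a fixed host inside the /64; 1 gives the '::1' the UTM uses."""
    if not 0 < interface_id < (1 << 64):
        raise ValueError("interface ID must be a non-zero 64-bit value")
    return ipaddress.IPv6Address(int(subnet64.network_address) + interface_id)


def slaac_address(subnet64, mac):
    """Address a client would form from the advertised /64 with modified EUI-64
    (RFC 4291): flip the U/L bit of the MAC and insert ff:fe in the middle."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui64 = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return ipaddress.IPv6Address(int(subnet64.network_address) + int.from_bytes(eui64, "big"))


def check_lan_address(addr_str, advertised_prefix):
    """Sanity checks before entering the address on the LAN interface.
    Returns a list of problems; an empty list means it looks right."""
    addr = ipaddress.IPv6Address(addr_str)
    problems = []
    if addr not in ipaddress.IPv6Network("fd00::/8"):
        problems.append("not a locally assigned ULA (fd00::/8)")
    if advertised_prefix.prefixlen != 64:
        problems.append("stateless autoconfiguration needs a /64 prefix")
    if addr not in advertised_prefix:
        problems.append("address is outside the prefix being advertised")
    return problems


if __name__ == "__main__":
    # Constructed example values; a real setup would use make_ula_prefix() with no argument.
    prefix = make_ula_prefix("0123456789")
    lan = lan_subnet(prefix, 1)
    utm = host_address(lan, 1)
    print("ULA /48:           ", prefix)          # fd01:2345:6789::/48
    print("LAN /64 to advertise", lan)            # fd01:2345:6789:1::/64
    print("UTM LAN address:   ", utm)             # fd01:2345:6789:1::1
    print("EUI-64 client:     ", slaac_address(lan, "00:11:22:33:44:55"))
    print("problems:          ", check_lan_address(str(utm), lan))
```

Run it with no arguments to `make_ula_prefix()` to get a fresh random prefix; the checks in `check_lan_address` catch the two mistakes that are easiest to make in the UTM UI, a globally routable address on the LAN when you wanted a private one, and a LAN address that does not fall inside the prefix you advertise.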

Under IPv6 > Interfaces > Multipath Rules, create a new entry to route everything out via the uplink interfaces.  This seems to be the equivalent of setting a default gateway. Until I did this, I could ping the UTM, but not get any further:

You can obviously customise this as you see fit!  But after doing this, it all seems to work!!