• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Sophos XG Firewall setup, anyone?

Started by BlackChart, September 24, 2017, 08:08:47 AM

Previous topic - Next topic


Have anyone of you sucessfully gotten connection to HE.net from a Sophos XG Firewall?

I've tried different configs, but everytime I only get a fe80 address, and not the one I'm supposed to.

My current config:
Tunnel Name: Hurricane
Tunne type: 6in4
Zone: WAN
Local Endpoint: {my-WAN-IP}
Remote Endpoint: (from the HE.net infos)



Yes, I know I'm replying to a really old post but since I couldn't find anything when searching this topic myself I wanted to share my findings:

Server IPv4 Address:
Server IPv6 Address: 2001:x:27:y::1/64
Client IPv4 Address: 65.x.y.z
Client IPv6 Address: 2001:x:27:y::2/64
Routed IPv6 Prefixes
Routed /64: 2001:x:28:y::/64

Sophos XG 18.0.4

Network -> IP Tunnels -> Add
- Name: HE Tunnel
- Tunnel type: 6to4
- Zone: WAN
- Remote Endpoint: (HE Server IPv4 Address)
- Local Endpoint: 65.x.y.z (Client IPv4 Address)

Network -> Interfaces
On your Internal interface add an IPv6 address from one of the routed subnets (i.e 2001:x:28:y::1/64)

Routing -> Static Routing
IPv6 unicast routes -> Add
- Destination ::/0
- Interface: HE Tunnel

Routing -> Gateways
IPv6 gateways -> Add
- Name: HE
- Gateway IP: 2001:x:27:y::1
- Interface: None
Health Check
- Monitoring Condition: Ping 2001:x:27:y::1

To test you can assign a static IPv6 address to a computer on your internal network with the address: 2001:x:28:y::2, gateway: 2001:x:28:y::1, DNS: 2001:x:28:y::1
You should now be able to access IPv6 hosts. (You might need to verify that your firewall policy allows outbound IPv6 traffic first)

Next step would be to enable IPv6 Router Advertisments (Under the Network menu)
I haven't done this part myself yet but it should be enough to select your internal interface and enter your prefix ( 2001:x:28:y:: )


One thing to add: it works for me (v19) without the Routing > Gateways step. Just having the tunnel and static routing ::/0 to that works for me.

You'll also need to add IPv6 Firewall rules for outbound traffic. And it's useful to have an ICMPv6 incoming firewall rule since ICMPv6 is so integral to IPv6 properly functioning.

Also, I created a Local ACL Exception in Administration > Device Access to allow Ping/Pingv6 from the HE IPv4 server. They mention they need to be able to ping your firewall to keep the tunnel up or something.

(When I did try setting up the Gateway, things did not work. But I don't have an IPv6 Gateway now and things work fine.


First sorry for my bad english.

With your Setup was my ipv6 tunnel not work.

I take anythink and only 30 seconds was the gateway up and after this 30 seconds down.

I have a Sophos XG with v19

Can you add a step by step tutorial to add a ipv6 Tunnel in Sophos XG v19

Example: at 6to4 i can only add the local ipv4 address not remote
And then come a popup where i can only add the destination IP/Prefix.
If you can post an example ipv6 infos from HE.NET and the Sophos XG v19 pictures step by step??
Please add the Rules(ipv4, ipv6 and nat) pictures too.
Thank you