Hurricane Electric's IPv6 Tunnel Broker Forums

Advanced search  

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Author Topic: Sophos XG Firewall setup, anyone?  (Read 7898 times)

BlackChart

  • Newbie
  • *
  • Posts: 4
Sophos XG Firewall setup, anyone?
« on: September 24, 2017, 08:08:47 AM »

Have anyone of you sucessfully gotten connection to HE.net from a Sophos XG Firewall?

I've tried different configs, but everytime I only get a fe80 address, and not the one I'm supposed to.

My current config:
Tunnel Name: Hurricane
Tunne type: 6in4
Zone: WAN
Local Endpoint: {my-WAN-IP}
Remote Endpoint: 216.66.80.90 (from the HE.net infos)
Logged

bbecker79

  • Newbie
  • *
  • Posts: 3
Re: Sophos XG Firewall setup, anyone?
« Reply #1 on: August 22, 2018, 05:16:21 AM »

have you ever gotten this to work?
Logged

Taurus42

  • Newbie
  • *
  • Posts: 1
Re: Sophos XG Firewall setup, anyone?
« Reply #2 on: March 15, 2021, 09:38:27 AM »

Yes, I know I'm replying to a really old post but since I couldn't find anything when searching this topic myself I wanted to share my findings:

Server IPv4 Address: 216.66.80.90
Server IPv6 Address: 2001:x:27:y::1/64
Client IPv4 Address: 65.x.y.z
Client IPv6 Address: 2001:x:27:y::2/64
Routed IPv6 Prefixes
Routed /64: 2001:x:28:y::/64

Sophos XG 18.0.4

Network -> IP Tunnels -> Add
 - Name: HE Tunnel
 - Tunnel type: 6to4
 - Zone: WAN
 - Remote Endpoint: 216.66.80.90 (HE Server IPv4 Address)
 - Local Endpoint: 65.x.y.z (Client IPv4 Address)

Network -> Interfaces
On your Internal interface add an IPv6 address from one of the routed subnets (i.e 2001:x:28:y::1/64)

Routing -> Static Routing
IPv6 unicast routes -> Add
 - Destination ::/0
 - Interface: HE Tunnel

Routing -> Gateways
IPv6 gateways -> Add
 - Name: HE
 - Gateway IP: 2001:x:27:y::1
 - Interface: None
Health Check
 - Monitoring Condition: Ping 2001:x:27:y::1

To test you can assign a static IPv6 address to a computer on your internal network with the address: 2001:x:28:y::2, gateway: 2001:x:28:y::1, DNS: 2001:x:28:y::1
You should now be able to access IPv6 hosts. (You might need to verify that your firewall policy allows outbound IPv6 traffic first)

Next step would be to enable IPv6 Router Advertisments (Under the Network menu)
I haven't done this part myself yet but it should be enough to select your internal interface and enter your prefix ( 2001:x:28:y:: )
Logged

wfolta

  • Newbie
  • *
  • Posts: 2
Re: Sophos XG Firewall setup, anyone?
« Reply #3 on: May 13, 2022, 05:12:35 PM »

One thing to add: it works for me (v19) without the Routing > Gateways step. Just having the tunnel and static routing ::/0 to that works for me.

You'll also need to add IPv6 Firewall rules for outbound traffic. And it's useful to have an ICMPv6 incoming firewall rule since ICMPv6 is so integral to IPv6 properly functioning.

Also, I created a Local ACL Exception in Administration > Device Access to allow Ping/Pingv6 from the HE IPv4 server. They mention they need to be able to ping your firewall to keep the tunnel up or something.

(When I did try setting up the Gateway, things did not work. But I don't have an IPv6 Gateway now and things work fine.
Logged