
Sophos XG Firewall setup, anyone?

Started by BlackChart, September 24, 2017, 08:08:47 AM



Has anyone of you successfully gotten a connection to HE.net from a Sophos XG Firewall?

I've tried different configs, but every time I only get an fe80 address, and not the one I'm supposed to.

My current config:
Tunnel Name: Hurricane
Tunnel type: 6in4
Zone: WAN
Local Endpoint: {my-WAN-IP}
Remote Endpoint: (from the HE.net infos)



Yes, I know I'm replying to a really old post, but since I couldn't find anything when searching this topic myself, I wanted to share my findings:

Server IPv4 Address:
Server IPv6 Address: 2001:x:27:y::1/64
Client IPv4 Address: 65.x.y.z
Client IPv6 Address: 2001:x:27:y::2/64
Routed IPv6 Prefixes
Routed /64: 2001:x:28:y::/64
(I highly recommend getting a routed /48 and using that instead of the default /64)

Sophos XG 20.0.1 (before my edit: 18.0.4)

Network -> IP Tunnels -> Add
 - Name: HE Tunnel
 - Tunnel type: 6in4
 - Zone: WAN
 - Remote Endpoint: (HE Server IPv4 Address)
 - Local Endpoint: 65.x.y.z (Client IPv4 Address)

Network -> Interfaces
On your internal interface add an IPv6 address from one of the routed subnets (e.g. 2001:x:28:y::1/64)

Routing -> Static Routing
IPv6 unicast routes -> Add
 - Destination ::/0
 - Interface: HE Tunnel

Network -> IPv6 Router Advertisement -> Add
 - Select your internal interface
 - Enter your network prefix: (e.g. 2001:x:28:y) (*)
 - Expand Advanced and enter a lower MTU to match your HE tunnel (e.g. 1480)

* Be aware that if you assign a prefix to the RA, your computers will pick it up and try to use IPv6. Leave the prefix blank and instead assign a static IPv6 address on a computer for testing.

Under Rules and policies -> IPv6
 - create a rule to allow traffic from LAN to WAN
 - create a rule to allow ICMPv6 from WAN to LAN

You should now be able to access IPv6 hosts.

(finally edited post to correct a few things)


One thing to add: it works for me (v19) without the Routing > Gateways step. Just having the tunnel and a static route for ::/0 to it works for me.

You'll also need to add IPv6 Firewall rules for outbound traffic. And it's useful to have an ICMPv6 incoming firewall rule since ICMPv6 is so integral to IPv6 properly functioning.

Also, I created a Local ACL Exception in Administration > Device Access to allow Ping/Pingv6 from the HE IPv4 server. They mention they need to be able to ping your firewall to keep the tunnel up or something.

(When I did try setting up the Gateway, things did not work. But I don't have an IPv6 Gateway now and things work fine.)
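The walkthrough above and the follow-up about allowing ICMP from the HE server both come down to two things the firewall has to get right: what a 6in4 packet looks like on the WAN (IPv4 protocol 41 from the HE server's IPv4 address to your client IPv4 address, carrying a plain IPv6 packet) and which addresses, prefix and MTU go into the Sophos screens. The script below is an added example, not code from the forum post or from Sophos or Hurricane Electric. It derives the values the post enters by hand from a tunnel-details record, then builds and decapsulates a 6in4-encapsulated ICMPv6 echo request the way the HE server would send one to the tunnel's client address, refusing the packet if the outer IPv4 source is not the configured remote endpoint. The addresses are documentation ranges (RFC 5737, RFC 3849) standing in for the masked values in the post; the `HE_DETAILS` dict, the subnet index and the 1500-byte WAN MTU are assumptions.

```python
"""6in4 tunnel planning and packet walk-through (added example, not from the post)."""
import ipaddress
import struct

IPPROTO_IPV6 = 41     # 6in4: IPv6 carried directly inside IPv4, no extra header
NEXTHDR_ICMPV6 = 58

# Constructed stand-in for the HE "Tunnel Details" page, using documentation addresses.
HE_DETAILS = {
    "server_ipv4": "192.0.2.1",
    "client_ipv4": "198.51.100.7",
    "server_ipv6": "2001:db8:27:1::1/64",
    "client_ipv6": "2001:db8:27:1::2/64",
    "routed_48": "2001:db8:2800::/48",    # the /48 the post recommends requesting
}


def plan_tunnel(details, wan_mtu=1500, lan_subnet_index=1):
    """Derive the values the Sophos XG screens ask for from the HE tunnel details."""
    routed = ipaddress.IPv6Network(details["routed_48"])
    # Pick one /64 out of the routed /48 for the internal interface (index is an assumption).
    lan_net = ipaddress.IPv6Network((int(routed.network_address) + (lan_subnet_index << 64), 64))
    lan_gw = ipaddress.IPv6Interface(f"{lan_net.network_address + 1}/64")
    return {
        "tunnel_remote": details["server_ipv4"],       # Network -> IP Tunnels: Remote Endpoint
        "tunnel_local": details["client_ipv4"],        # Network -> IP Tunnels: Local Endpoint
        "tunnel_ipv6": details["client_ipv6"],         # address HE expects on your tunnel side
        "lan_interface_ipv6": str(lan_gw),             # Network -> Interfaces (e.g. ...:1::1/64)
        "ra_prefix": str(lan_net),                     # Router Advertisement prefix
        "tunnel_mtu": wan_mtu - 20,                    # 20-byte IPv4 outer header: 1500 -> 1480
        "allow_proto41_from": details["server_ipv4"],  # the only source that may send 6in4
        "allow_icmp_echo_from": details["server_ipv4"],  # HE pings the client endpoint
    }


def _checksum(data):
    """Ones-complement sum used by both IPv4 and ICMPv6."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmpv6_echo_request(src6, dst6, ident=0x1234, seq=1, payload=b"he-tunnel"):
    """ICMPv6 echo request; the checksum covers the IPv6 pseudo-header plus the message."""
    body = struct.pack("!BBHHH", 128, 0, 0, ident, seq) + payload
    pseudo = (ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed
              + struct.pack("!IxxxB", len(body), NEXTHDR_ICMPV6))
    return body[:2] + struct.pack("!H", _checksum(pseudo + body)) + body[4:]


def ipv6_packet(src6, dst6, payload, next_header=NEXTHDR_ICMPV6, hop_limit=64):
    """Fixed 40-byte IPv6 header in front of the payload."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    return hdr + ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed + payload


def encapsulate_6in4(outer_src4, outer_dst4, inner_ipv6):
    """Wrap an IPv6 packet in an IPv4 header with protocol 41 (DF set, no options)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner_ipv6), 0, 0x4000, 64,
                      IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(outer_src4).packed,
                      ipaddress.IPv4Address(outer_dst4).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + inner_ipv6


def decapsulate_6in4(packet, expected_remote4):
    """The checks a tunnel endpoint (or the WAN firewall rule) applies before accepting 6in4."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src4 = str(ipaddress.IPv4Address(packet[12:16]))
    if proto != IPPROTO_IPV6:
        raise ValueError(f"not 6in4: IPv4 protocol {proto}")
    if src4 != expected_remote4:
        # Only the configured HE server may inject IPv6 into the tunnel interface.
        raise ValueError(f"6in4 from unexpected endpoint {src4}")
    inner = packet[ihl:]
    if inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return {
        "outer_src": src4,
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "next_header": inner[6],
    }


def demo():
    """HE's server side sends an ICMPv6 echo to the client tunnel address, through 6in4."""
    plan = plan_tunnel(HE_DETAILS)
    server6 = HE_DETAILS["server_ipv6"].split("/")[0]
    client6 = HE_DETAILS["client_ipv6"].split("/")[0]
    inner = ipv6_packet(server6, client6, icmpv6_echo_request(server6, client6))
    wire = encapsulate_6in4(HE_DETAILS["server_ipv4"], HE_DETAILS["client_ipv4"], inner)
    return plan, decapsulate_6in4(wire, plan["allow_proto41_from"])


if __name__ == "__main__":
    for k, v in demo()[0].items():
        print(f"{k:22} {v}")
    print(demo()[1])
```

The `tunnel_mtu` of 1480 is where the RA "Advanced" MTU in the post comes from: whatever the WAN link carries, the IPv6 packet inside loses 20 bytes to the IPv4 header. The `decapsulate_6in4` source check is the reason the WAN rule for protocol 41 should name the HE server address rather than "any"; the same address is what the ICMP echo exception in Device Access should be scoped to.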


First, sorry for my bad English.

With your setup my IPv6 tunnel did not work.

I tried everything, and the gateway was only up for 30 seconds and then went down after those 30 seconds.

I have a Sophos XG with v19.

Can you add a step-by-step tutorial for adding an IPv6 tunnel in Sophos XG v19?

Example: at 6to4 I can only add the local IPv4 address, not the remote one.
And then a popup comes where I can only add the destination IP/prefix.
Could you post example IPv6 info from HE.NET and Sophos XG v19 pictures step by step?
Please add pictures of the rules (IPv4, IPv6 and NAT) too.
Thank you



I have been away from Sophos for about three years but now I am back. I did a detour to pfSense.
Thanks for the input. I have now updated my old post with this new information. Perhaps it may be of use to someone in the future.

I am switching ISP in about a month and with a little luck they will support native IPv6 in my area. My current ISP's helpdesk doesn't even understand what it is...