Sophos Utm Ipv6

Posted on  by admin

I've tried both with the latest copy of the Sophos client and with a straight OpenVPN install and get the same results, I cannot even ping via IP through the tunnel with IPv6 enabled. I did 2 tests tonight with IPv6 on and IPv6 off and the route statements are different, even the IPv4 side: With IPv6 enabled on the UTM. IPv6 Address: Change the IP address to an address outside the DHCP pool range. Comment (optional): Add a description or other information. Create DNS Mapping (optional): Select the checkbox to automatically create a static DNS mapping for the host (see Network Services DNS Static Entries). If you provide a Hostname, this mapping will use it. As use of IPv6 increases, security requirements evolve. Sophos has invested in capabilities in our endpoint products to restrict the use of IPv6 until you’re ready to use it. The switch to IPv6 may seem overwhelming, but take it step by step and make sure all your bases are covered. This is because on the Sophos UTM, the WAN interface has IPv4 and IPv6 as either DHCP or static - can't have one DHCP and the other static.

I found an issue with Sophos where I was unable to ping from my local network to a public IPv6 address even with the firewall rules in place to allow ICMPv6. The issue is when you enable NAT it enables for both IPv4 and IPv6. You need to create a NAT rule that ensures NAT will not apply to IPv6 and the issue will be resolved.

You really shouldn’t have to use NAT with IPv6 given the amount of IP Addresses available. Comcast for instance was giving me my own /64 block. Which is 2^64 = 18,446,744,073,709,551,616 total addresses but that isn’t counting the network ID and subnet mask so really it’s 18,446,744,073,709,551,614 addresses for my own use. Why use NAT at that point?


You can view my post on the Sophos Community Forums HERE

The ‘issue’ with HA configuration

When you set up High Availability (HA) on a Sophos UTM, you simply select the interface your UTMs are connected with as your ‘Sync NIC’, name your device (e.g. Node1), press apply then change the operation mode to Hot Standby (active-passive), like the below.

This is quick and easy to set up, but it’s also easy to forget future diagnostic information e.g. what if I need to get shell access to the SLAVE node? What is the IP address? How on earth are they communicating?

Behind the scenes both actually do get an IP address, more specifically an RFC 2544 address, which is an address space for special IPV4 benchmark testing, reserved by IANA ranging from to

In order to truly understand what we are doing we need to first SSH to our MASTER node.

First gain access to the master node

Assuming you have shell access enabled on the MASTER, settings found below, this settings and credentials will replicate to the SLAVE node.

Continue to use your favourite utility for shell access, I’m going to use PuTTy in this example.

NOTE: If this is your first time SSHing into a UTM you need to keep in mind that you first need to log into the ‘loginuser’ before you can elevate your privileges to root (via the SU command).

Sophos utm ipv6 einrichten

Now SSH into the MASTER node, you don’t need to gain access to the root account, but if you want to then run the su command when you’re logged in as loginuser.

Now you’re logged into the shell of the MASTER node, we can finally get into the SLAVE node.

Gaining access to the slave node from the master node

There are two powerful commands at our arsenal that help us fully understand what is going on here.

ha_daemon –c status

This will show us the basic status of the HA setup, including the IP address of the MASTER and the IP address of the SLAVE which is assigned across the backup link.

Here we can see that the current mode is HA MASTER, because we are currently logged into the MASTER node.

Sophos Utm Ipv6 Pppoe

ha_utils ssh

This is the most useful of commands as this will automatically find the SLAVE’s IP address and will attempt to login as the loginuser via SSH, which will prompt you for credentials.

Once you’re logged in, that’s it! You can now check it over.


Sophos Utm Ipv6 Dhcp

Sophos Utm Ipv6

It’s not often you’re going to need to gain sole access to the slave, being that all changes on the MASTER are replicated to the SLAVE, but on the off chance that you need to you know can have peace of mind that there is a way.

Stay in the loop

Our how-to guides, cyber security advice and productivity tips help businesses stay on track.

Sophos Utm Ipv6 Prefix Delegation