Configuring LAN / DMZ IPv6 Interfaces

03/26/2020 139 14325

DESCRIPTION:

IPv6 interfaces are configured on the Network | Interfaces page by clicking the IPv6 radio button under the View IP Version option at the top right corner of the page.

The following points must be borne in mind when configuring IPv6 interfaces:

• The zone assignment for an interface must be configured through the IPv4 interface page before switching to IPv6 mode.
• Wire mode and Tap mode for IPv6 need to be configured through the IPv4 interface page.
• HA interface cannot be configured for IPv6.
• Only the parent interface of a Switch Port group can be configured as an IPv6 interface, hence all children of a switch port group must be excluded from this list.
• Zone and Layer 2 Bridge groups are shared configurations between by IPv4 and IPv6 on an interface. Once they are configured on the IPv4 side, the IPv6 side of the interface will use the same configuration.
• Default Gateway and DNS Servers can only be configured for WAN zone interfaces.
• VLAN interfaces are supported.
• IPv6 wizard is not supported currently.

RESOLUTION:

NOTE: In this article we use the default LAN Interface X0 for configuration. However, any interface in a zone other than WLAN or WAN can be configured using the method described here.

Configuring an IPv6 Interface in Static Mode

• Login to the SonicWall management GUI.
• Navigate to the Network | Interfaces page.
• Select the radio button IPv6 under View IP Version.
• Click on the Configure icon for the interface you want to configure an IPv6 address for and the Edit Interface window will be displayed.

Options in the General Tab in the Edit Interface window

• In the IP Assignment pulldown menu, select Static.
• IPv6 Address: A unique IPv6 unicast address. EXAMPLE: 2002:c0a8:a8a8:1::1.
• Prefix Length: The network bit. EXAMPLE: a prefix of 64 for the above IPv6 address would mean a network with addresses from 2002:c0a8:a8a8:0001:0000:0000:0000:0000 to 2002:c0a8:a8a8:0001:ffff:ffff:ffff:ffff.
• Enable Router Advertisement: Enable this option to make this an advertising interface that distributes network. Routers Advertisements are sent in ICMPv6 Type 134 packet to the multicast group ff02::1.
• Advertise Subnet Prefix of IPv6 Primary Static Address:  When this option is selected, the SonicWall will add a default prefix into the interface advertising prefix list when sending Router Advertisements. This prefix is the subnet prefix of the interface IPv6 primary static address. This option will help all hosts in the network to auto-configure an IPv6 address based on the subnet prefix. The address is a combination of a subnet prefix and an interface identifier generated by the host. It is not necessary to keep this option enabled or disabled mandatorily even when a DHCPv6 infrastructure is available in the network. If this option is enabled and a DHCPv6 server is deployed, IPv6 hosts will get at least two IPv6 addresses - from DHCPv6 and RA prefix advertising. In other words, we do not advise it but it is not an illegal configuration.
  

Options in the Advanced Tab in the Edit Interface window

• Add Addresses: Click Add Address button to configure multiple static IPv6 addresses for the interface. Note: Multiple IPv6 addresses can only be added for an interface that is configured for Static IPv6 address mode. Multiple IPv6 addresses cannot be configured for DHCPv6 mode.
• Disable all IPv6 Traffic on the Interface: Improves firewall performance for non-IPv6 traffic if the firewall is deployed in a pure IPv4 environment.
• Enable Listening to Router Advertisement: Checking this option would force SonicWall to receive router advertisement. To leave unchecked, if the interface is configured in static mode, as is the case here, and Enable Router Advertisement is checked in the General tab.
• Enable Stateless Address Autoconfiguration: Select this option to allow autonomous IPv6 addresses to be assigned to this interface. To leave unchecked if the interface is configured in static mode. This option would be greyed-out if Enable Listening to Router Advertisement is unchecked.
• Duplicate Address Detection Transmits: Set a numerical value here to specify the number of consecutive Neighbor Solicitation messages sent while performing Duplicate Address Detection (DAD) before assigning a tentative address to interface. A value of 0 indicates that DAD is not performed on the interface. Similar to IPv4 gratuitous ARP, IPv6 node uses Neighbor Solicitation message to detect duplicate IPv6 address on the same link. DAD must be performed on any Unicast address (except Anycast address) before assigning a tentative to an IPv6 interface.
  
  
  

• Neighbor Discovery BaseReachableTime (seconds): The appliance sets the neighbor reachability status to Reachable, when the IPv6 interface receives a Neighbor Advertisement message within BaseReachableTime. A value of 0 indicates the parameter is not specified and the global setting in Network | Neighbor Discovery page will be used.  (For 5.9 and 6.2 above).
   

Options in the Router Advertisement Tab in the Edit Interface window

• Enable Router Advertisement: This would be automatically checked if Enable Router Advertisement in the General tab is checked.

Optionally, you can modify the following Router Advertisement settings

• Router Adv Interval Range - The time interval allowed between sending unsolicited multicast Router Advertisements from the interface, in seconds.
• Link MTU - The recommended MTU for the interface link. A value of 0 means firewall will not advertise link MTU for the link.
• Reachable Time - The time that a node assumes a neighbor is reachable after having received a reachability confirmation. A value of 0 means this parameter is unspecified by this firewall.
• Retrans Time - The time between retransmitted Neighbor Solicitation messages. A value of 0 means this parameter is unspecified by this firewall.
• Current Hop Limit - The default value that should be placed in the Hop Count field of the IP header for outgoing IP packets. A value of 0 means this parameter is unspecified by this firewall.
• Router Lifetime - The lifetime when firewall is accepted as a default router. A value of 0 means that the router is not a default router.
• Router Preference  The parameter indicates the preference level (primary or secondary) for the firewall, when a host receives the RA from the firewall IPv6 interface and other IPv6 default routers as well.
• Managed checkbox:  Enabling this option will make the SonicWall send Managed Address Configuration Flag, also known as the M flag, set to 1 in their Router Advertisements. When an IPv6 host receives a Router Advertisement with this flag set, and if SonicWall DHCPv6 server is enabled with an IPv6 address range, IPv6 hosts can obtain IPv6 addresses from within the range. This need not be checked if the SonicWall DHCPv6 Server is not enabled. If this option is checked and the SonicWall DHCPv6 server is not enabled, IPv6 hosts configure their own IPv6 addresses based on the subnet prefix in Router Advertisements.
• Other Configuration checkbox: Enabling this option will make the SonicWall send the Other Stateful Configuration Flag, also known as the O flag, set to 1 in its Router Advertisements. When an IPv6 host receives a Router Advertisement with this flag set, and if a DHCPv6 server is available, IPv6 hosts can obtain configuration settings other than their IPv6 address, such as the DNS server address. This need not be checked if the SonicWall DHCPv6 Server is not enabled.
• Prefix List Settings: Click the Add Prefix button to configure an advertising prefix. Advertising prefixes are used for providing hosts with prefixes for on-link determination and Address Autoconfiguration.
  
  

Configuring an IPv6 Interface in DHCPv6 Mode

DHCPv6 (DHCP for IPv6) is a client/server protocol that provides Stateful address configuration or stateless configuration setting for IPv6 hosts. DHCPv6 client is enabled to learn IPv6 address and network parameters when interface is configured to DHCPv6 mode. When an interface in the SonicWall is configured in the DHCPv6 mode, it obtains IPv6 address and other network parameters from a DHCPv6 Server in the network.

DHCPv6 defines two different configuration modes

• DHCPv6 Stateful mode: DHCPv6 clients require IPv6 address together with other network parameters (e.g. DNS Server, Domain Name, etc.).
• DHCPv6 stateless mode: DHCPv6 client only obtains network parameters other than IPv6 address.

Choosing which kind of those modes depends on Managed (M) Address Configuration and Other (O) Configuration flag in the advertised Router Advertisement message:

• M = 0, O = 0: No DHCPv6 infrastructure. Hosts configure IPv6 addresses based on Router Advertisements (RA). If the RA has the prefix information, hosts combine the prefix and a unique Interface Identifier address to derive an IPv6 address.
• M = 1, O = 1: IPv6 hosts use DHCPv6 for both IPv6 address and other network parameter settings.
• M = 0, O = 1: IPv6 hosts use DHCPv6 only for other network parameter settings and not for address configuration. Hosts derive stateless addresses using address prefixes in Router Advertisements. If the RA has the prefix information, hosts combine the prefix and a unique Interface Identifier address to derive an IPv6 address. This is known as DHCPv6 stateless because the server is not assigning Stateful addresses.
• M = 1, O = 0: IPv6 hosts use DHCPv6 only for address configuration. However, as per RFC 2462, It is not a valid configuration for a host to use Stateful address autoconfiguration to request addresses only, without also accepting other configuration information.
  

As required by the relevant RFC, DHCPv6 clients depend on Router Advertisement message to decide which mode (Stateful or stateless) it should choose. This definition will limit user's choice if they want to determine DHCPv6 mode by itself. SonicWall's implementation of DHCPv6 defines two different modes to balance the conformance and flexibility:

DHCPv6 in Automatic mode

 In this mode, IPv6 interface configures IPv6 addresses using stateless/ Stateful autoconfiguration in accord with the M and O settings in the most recently received router advertisement message.

To configure an interface in IPv6 DHCPv6 Automatic mode, perform the following steps

1. Navigate to  Network | Interfaces page.
2. Click  IPv6 radio button at the top right corner of the page. IPv6 addresses for the appliance are displayed.
3. Click  Configure icon for the interface you want to configure an IPv6 address for. The Edit Interface window displays.The following options can be set when configuring the interface in DHCPv6 in Automatic mode.

• IP Assignment: DHCPv6.
• DHCPv6 Mode: Automatic.
• Use Rapid Commit Option - If enabled, DHCPv6 clients use Rapid Commit Option to use the two message exchange for address assignment.
• Send hints for renewing previous IP on startup - If enabled, DHCPv6 clients will try to renew the address assigned before when SonicWall starts up.
  
  
  
  
  
  

  NOTE: Following options are available in the version of 5.9.0.X and 6.2.0.X.

• Enable DHCPv6 prefix delegation: If enabled, the complete IPv6 subnet addresses and other parameters will be applied to the DHCPv6 interface (If not enabled, the whole IPv6 addresses will be applied to the DHCPv6 interface). Usually, this option will be configured on the upstream interfaces attached to WAN zone. When the upstream interface learns the prefix delegation, firewall will applies the prefixes to all the downstream interfaces.
• Send preferred delegated prefix: This option requires DHCPv6 client to send the preferred delegated prefix. This option would be greyed-out if Enable DHCPv6 prefix delegation is not ticked.
• Send hints for renewing previous delegated prefix on startup: This option requires DHCPv6 client to renew the delegated prefix after firewall startup. The option would be greyed-out if Enable DHCPv6 prefix delegation is not ticked.
  
  
  
  

• Click  Advanced tab and check the box under Enable Listening to Router Advertisement.
• Click OK.
  
  
  
• Click  Protocol tab to view DHCPv6 Stateful and stateless configuration information. 
   

DHCPv6 in Manual Mode

In Manual mode, DHCPv6 mode is manually configured regardless of any received Router Advertisement. The Only Request Stateless Information option will determine which DHCPv6 mode is used. If this option is unchecked, DHCPv6 client is under Stateful mode; if it is checked, DHCPv6 client is under stateless mode and only obtains network parameters.

To configure an interface in IPv6 DHCPv6 Manual mode, perform the following steps:

1. Navigate to  Network | Interfaces page.
2. Click IPv6 radio button at the top right corner of the page.
3. Click  Configure icon for the interface you want to configure an IPv6 address for. The Edit Interface window displays.The following options can be set when configuring the interface in DHCPv6 in Manual mode

• IP Assignment: DHCPv6
• Use Rapid Commit Option - Not selected.
• Send hints for renewing previous IP on startup - Not selected.
• DHCPv6 Mode: Manual
• Only Request Stateless Information: Enable this check box. When selected, the interface will be in stateless mode and will request only network parameters like recursive DNS servers, DNS search domains, NTP servers, etc. If this check box is not enabled the interface will be in Stateful mode.
  

• Click Advanced tab and check the box under Enable Listening to Router Advertisement.
• Select check box Enable Stateless Address Autoconfiguration.
• Click OK.
• Click Protocol tab to view DHCPv6 stateless configuration information.