IPv6 binding Mobile users

With more and more mobile data providers moving to IPv6 as default, how do we bind our firebox SSL to an IPv6 address to allow these IPv6 only clients to connect?

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Adam_Witwicki
    At this current point in time the SSLVPN doesn't support IPv6 connections. There is an open feature request (FBX-8767) to support this in the future.

    Please create a support case and mention FBX-8767 somewhere in the case if you'd like to follow that feature request.

    -James Carson
    WatchGuard Customer Support

  • @Adam_Witwicki said:
    With more and more mobile data providers moving to IPv6 as default, how do we bind our firebox SSL to an IPv6 address to allow these IPv6 only clients to connect?

    I believe one specific mobile provider setup here is IPv6 only in that they only provide an IPv6 address to the endpoint, however those networks do have an IPv6 to v4 gateway to allow for access to IPv4 only resources, of which there are still quite a few in the world.
    If that's not the case for the network/s you describe that is quite strange.

    Good to know there is an open feature request to support IPv6 connections for SSLVPN in any case.

  • With IPv6 as old as it is, I am surprised it's not fully supported by WG.

  • We are running into issues with users connecting to the SSL VPN because of this. Our corporate office has a T-Mobile (USA) cell plan with hot spot and T-Mobile passes IPv4 AND IPv6 addresses to the laptop which has joined the hotspot. This causes the SSL VPN connections to fail 50% of the time unless we disable IPv6 on the wireless network adapter in Windows. Also have a user in Denmark whose ISP hands out IPv6 alongside IPv4 and we had to do the same for them.

    WatchGuard needs to work on supporting this (Yes, I saw there is already a feature request) as this is going to be more problematic in the future. Even though all the ISPs have not moved us to the great IPv6 that was going to solve all our IP addressing issues years ago.

  • edited May 2023

    It worries me that if WatchGuard's implementation is so far behind the OpenVPN main branch (which does support IPv6), is WG at risk of any vulnerabilities by using old code?

    The response I have been getting in relation to this from WatchGuard is a firm "we know about it but are not fixing it", which is very disappointing.

  • james.carson Moderator, WatchGuard Representative

    Hi @Adam_Witwicki
    WatchGuard is currently working with an older version of OpenVPN due to multiple issues the newer versions introduce. Supporting these services is simply not a matter of slapping the latest code onto the firewall. The latest OpenVPN versions drop support for bridge mode (which many of our customers use) as well as introduce performance issues (which many of our customers would be sensitive to.) We maintain and patch the version we run as needed.

    -James Carson
    WatchGuard Customer Support
