Configure IPv6 Prefix Delegation on Sophos Firewall
With IPv6 Prefix Delegation, a Sophos Firewall can obtain an IPv6 prefix from the provider and use it to supply internal networks. This is particularly relevant when the internet connection does not provide a fixed static IPv6 network, but the provider delegates the prefix via DHCPv6.
In IPv4 environments, one often thinks in terms of NAT, private networks, and port forwarding. With IPv6, it’s different: clients can receive public IPv6 addresses, and the firewall controls access through routing, Router Advertisement, DHCPv6 parameters, and firewall rules. Therefore, Prefix Delegation should be planned consciously and not just activated as an additional interface option.
For the basics of interfaces, zones, and VLANs, first refer to Configure Sophos Firewall Zones and Interfaces. If it’s only about classic DHCP options for IPv4 special cases, Sophos Firewall DHCP Options (SFOS) is the better article.
When Prefix Delegation is Useful
Prefix Delegation is useful when the provider dynamically provides an IPv6 prefix over the WAN connection and the Sophos Firewall is to distribute this prefix to internal networks.
Typical scenarios:
- Dual-stack internet connection with IPv4 and IPv6.
- The provider delivers an IPv6 prefix via DHCPv6 Prefix Delegation.
- Internal clients should use IPv6 natively.
- Multiple internal networks, such as LAN, servers, guests, or DMZ, should receive IPv6.
- DNS, logging, and firewall rules should consciously consider IPv6.
Not every network immediately needs IPv6. However, if IPv6 is active on clients, it should be cleanly controlled via firewall, rules, and logs. Otherwise a half-configured IPv6 setup can lead to clients preferring IPv6 while troubleshooting still looks for the fault in IPv4.
Prerequisites
Before configuration, these points should be clarified:
- The provider supports IPv6 Prefix Delegation on the connection.
- The WAN connection does not use a PPPoE-over-IPv6 scenario for Prefix Delegation.
- The desired internal target interface is not a VLAN interface, on which Sophos does not support Prefix Delegation.
- Internal zones and firewall rules are planned.
- It is clear whether clients should only use SLAAC or also need DHCPv6 parameters.
- DNS concept and log evaluation consider IPv6.
⚠️ Two important limitations are documented: Prefix Delegation is not supported over PPPoE over IPv6 and cannot be used on interfaces with VLAN configuration. If internal networks are built as VLANs, the design must be carefully reviewed before implementation.
Understanding the Target Picture
With Prefix Delegation, several things happen in sequence:
- The firewall requests an IPv6 address and a delegated prefix from the provider at the WAN interface.
- The provider assigns an IPv6 address to the WAN interface and a prefix to the firewall.
- The firewall delegates an IPv6 network from this prefix to an internal interface, such as LAN or DMZ.
- The internal interface distributes IPv6 information to clients via Router Advertisement.
- Optionally, a DHCPv6 server provides additional parameters, such as DNS servers.
The role distribution is important: Router Advertisement ensures that clients learn their IPv6 prefix and the default gateway. DHCPv6 can provide supplementary information. Firewall rules still decide which traffic is allowed.
Preparing the WAN Interface
The first step is the WAN interface. Here, the Sophos Firewall requests the IPv6 prefix from the provider.
Menu path:
Network > Interfaces
Procedure:
- Edit the affected WAN interface.
- Open IPv6 configuration.
- Select DHCP.
- Select Manual.
- Activate DHCP only.
- Turn on DHCP prefix delegation.
- Optionally configure Preferred delegated prefix if the provider and your network design allow it.
- Set gateway name and gateway IP according to the provider connection.
- Save and update the interface.
Be cautious with Preferred delegated prefix. The provider can deliver the desired prefix, but it doesn’t have to. If the prefix or prefix length is changed later, it may be necessary to remove the DHCP lease or rebind the WAN interface so that the firewall updates the prefix.
In practice, you should first clarify with the provider:
- What prefix length is delegated, for example /56, /60, or /64?
- Is the prefix stable or can it change?
- Does a specific value need to be requested?
- Are there restrictions with bridge, PPPoE, or router modem setups?
Configuring the Internal Interface
After the WAN interface, an internal interface is supplied with the delegated prefix.
Menu path:
Network > Interfaces
Procedure:
- Edit the internal interface, such as LAN or DMZ.
- Open IPv6 configuration.
- Select Delegated.
- Under Upstream interface, select the WAN interface that uses Prefix Delegation.
- Check which IPv6 prefix appears in the IPv6/prefix field.
- Activate Router advertisement.
- Optionally activate DHCPv6 server if clients should receive additional parameters.
- Save and update the interface.
According to documentation, Sophos allows adjusting the IPv6 address in the IPv6/prefix field, but not the prefix length. This is important when planning multiple internal networks. The provider prefix must be large enough to sensibly supply multiple internal segments.
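As an added illustration that is not part of this article or of the Sophos documentation, the following Python snippet shows how a delegated prefix divides into one /64 per internal interface, and why a provider that delegates only a /64 leaves no room for further segments. The prefix, segment names and the helper function names are constructed for the example.

```python
import ipaddress

# Constructed example values: an IPv6 documentation prefix, not a real provider assignment.
DELEGATED_PREFIX = "2001:db8:abcd:100::/56"
# Internal segments that should each get one /64. Sophos only lets you change the address
# part of the IPv6/prefix field, not the prefix length, so plan one /64 per interface.
SEGMENTS = ["lan", "servers", "dmz", "guest"]


def plan_internal_networks(delegated_prefix, segments, interface_prefixlen=64):
    """Carve one /64 per internal segment out of the provider-delegated prefix.

    Returns {segment: IPv6Network}. Raises ValueError when the delegated prefix is
    too small, which is exactly what happens if the provider hands out a single /64.
    """
    pd = ipaddress.IPv6Network(delegated_prefix, strict=True)
    if pd.prefixlen > interface_prefixlen:
        raise ValueError(f"{pd} is longer than /{interface_prefixlen}; cannot subnet it")
    available = 2 ** (interface_prefixlen - pd.prefixlen)
    if len(segments) > available:
        raise ValueError(f"{pd} yields only {available} /{interface_prefixlen} network(s), "
                         f"but {len(segments)} segments were requested")
    subnets = pd.subnets(new_prefix=interface_prefixlen)
    return {name: next(subnets) for name in segments}


def interface_address(network):
    """First host address of the /64, usable as the address part in the IPv6/prefix field."""
    return next(network.hosts())


if __name__ == "__main__":
    for name, net in plan_internal_networks(DELEGATED_PREFIX, SEGMENTS).items():
        print(f"{name:8} {net}  interface address {interface_address(net)}")
```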
Realistically Checking VLAN Design
Many productive networks use VLANs for clients, servers, guests, and management. This is where Prefix Delegation quickly becomes complicated because Sophos does not support the function on interfaces with VLAN configuration.
If the internal target network is a VLAN, you should not simply try to bypass the existing VLAN structure. A brief design review is better:
- Should IPv6 really be activated in this VLAN?
- Is there an alternative interface or provider design?
- Is static IPv6 offered by the provider?
- Are multiple internal IPv6 networks planned?
- Do firewall rules, DNS, monitoring, and documentation already fit IPv6?
For VLAN basics, Configure VLAN on Sophos Firewall and UniFi Switch helps. The article primarily explains IPv4, but zone, trunk, and rule planning is also relevant for IPv6.
Checking Router Advertisement
When Prefix Delegation is activated on the internal interface, the Sophos Firewall automatically creates a Router Advertisement for this interface.
Menu path:
Network > IPv6 router advertisement
There you should check:
- Is there an automatically created RA server for the internal interface?
- Is the expected prefix announced?
- Do the RA flags match the planned client behaviour?
- Should the Other flag be set so that DHCPv6 provides additional parameters?
The Prefix Advertisement Configuration of the automatically generated RA server cannot be changed. If an additional prefix is to be announced, a separate RA server must be created.
For most environments the rule is: first check whether clients receive IPv6 addresses cleanly with the automatically generated RA before adding additional RA servers or special configurations.
Using DHCPv6 Only for the Right Purpose
DHCPv6 is not the same as DHCPv4. In many IPv6 designs, clients receive their address via SLAAC and additional information via DHCPv6. Therefore, before activation, clarify what DHCPv6 should achieve.
Typical DHCPv6 parameters are:
- DNS servers.
- DNS search domain.
- Further DHCPv6 options, if a client really needs them.
If clients receive an IPv6 address but cannot resolve names, Prefix Delegation is not automatically wrong. Often the appropriate DNS server is missing, the RA/DHCPv6 combination is unclear, or the client uses a different DNS path than expected.
For internal domains and split-DNS scenarios, Configure DNS Request Routes on Sophos Firewall remains relevant. IPv6 does not change the fundamental question of which DNS server is responsible for which domain.
Checking Firewall Rules and Device Access
IPv6 traffic needs appropriate firewall rules. An existing IPv4 rule set is not automatically a complete IPv6 security concept.
Before approval, check:
- Are there rules for the affected source zone and destination zone?
- Is IPv6 traffic logged where it is necessary for troubleshooting or compliance?
- Are DNS, NTP, web, and required applications allowed?
- Are incoming connections from the internet still consciously blocked or specifically allowed?
- Are there separate rules for client, server, guest, and management zones?
With IPv6, you should particularly avoid making internal clients directly reachable from the internet without control. Public IPv6 addresses do not mean that incoming connections must be allowed. Firewall rules remain the central boundary.
Device Access must also be considered. If internal clients are to use the firewall as a DNS server, DNS must be allowed for the appropriate zone. Management services like WebAdmin or SSH should not become more broadly accessible through a new IPv6 configuration. Hardening local firewall services is described in Device Access and Local Service ACL on Sophos Firewall.
Tests After Configuration
After implementation, you should not only check whether a client has received any IPv6 address. What matters is whether the entire path works in a controlled manner.
Meaningful tests:
- WAN interface shows an IPv6 address and a delegated prefix.
- Internal interface shows a delegated IPv6 prefix.
- Under Network > IPv6 router advertisement, the automatic RA server is visible.
- Test client receives an IPv6 address from the expected prefix.
- Test client has an IPv6 default gateway.
- DNS resolution works for internal and external names.
- IPv6 ping or HTTPS to a known external target works.
- Log Viewer shows the appropriate firewall rule for the test traffic.
- An incoming IPv6 test from the internet is only allowed if there is a specific rule for it.
For individual connections, Test Firewall Rule with Log Viewer, Policy Test, and Packet Capture helps. If there are fundamental interface or DNS issues, you should first check interface status, Router Advertisement, and DNS configuration.
Common Errors
Clients Do Not Receive an IPv6 Address
First, check if the WAN interface has actually received a prefix. If no prefix is visible there, the problem is usually with the provider, the WAN interface, PPPoE/bridge designs, or the prefix delegation request.
If a prefix is present on the WAN but clients do not receive an address, you should check the internal interface, Router Advertisement, and client network.
Clients Have IPv6, But No Internet
Then Prefix Delegation is not necessarily the problem. Common causes are:
- No appropriate firewall rule,
- DNS does not work,
- Client prefers IPv6, but the target site or path is disrupted,
- Incorrect internal interface,
- RA or DHCPv6 provides incomplete parameters,
- Return path or provider routing does not fit.
DNS Only Works Partially
With IPv6, DNS problems are often noticed late because some applications silently switch between IPv4 and IPv6. You should test separately:
- External DNS resolution,
- Internal domains,
- Reverse lookups, if logs or reports should display names,
- DNS server that the client actually uses.
Prefix Changes After Provider Change or Restart
If the provider assigns a dynamic prefix, the prefix can change. Then static IPv6 addresses, manual DNS entries, external releases, or monitoring rules can break.
For productive servers, published services, or complex site networks, you should therefore check whether a stable provider prefix or another IPv6 design is necessary.
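As an added example that is not part of the article or of Sophos, the following Python audit lists hand-maintained entries that still point into the previous delegated prefix after the provider changed it, and suggests the corresponding address in the new prefix. The prefixes, the inventory and the function name are constructed values.

```python
import ipaddress

# Constructed example: the prefix the WAN interface held before, and the one it shows now.
OLD_PREFIX = "2001:db8:abcd:100::/56"
NEW_PREFIX = "2001:db8:ffee:200::/56"

# Constructed inventory of places where addresses from the delegated prefix tend to be
# written down by hand: DNS AAAA records, firewall host objects, monitoring targets.
STATIC_ENTRIES = [
    ("dns AAAA", "www.example.internal", "2001:db8:abcd:101::10"),
    ("firewall host", "srv-mail-v6", "2001:db8:abcd:101::25"),
    ("monitoring", "dmz-gateway", "2001:db8:abcd:102::1"),
    ("dns AAAA", "printer.example.internal", "fd12:3456:789a:1::20"),  # ULA, unaffected
    ("firewall host", "extdns-v6", "2001:4860:4860::8888"),            # external, unaffected
]


def audit_after_prefix_change(old_prefix, new_prefix, entries):
    """Return the entries that still point into the old delegated prefix.

    Each result carries the address rewritten into the new prefix (same /64 offset,
    same interface identifier) as a suggestion only; nothing is changed anywhere.
    """
    old = ipaddress.IPv6Network(old_prefix, strict=True)
    new = ipaddress.IPv6Network(new_prefix, strict=True)
    if old.prefixlen != new.prefixlen:
        raise ValueError("prefix length changed; re-plan the internal networks instead")
    stale = []
    for kind, name, addr in entries:
        ip = ipaddress.IPv6Address(addr)
        if ip in old:
            offset = int(ip) - int(old.network_address)   # /64 index plus interface id
            suggested = ipaddress.IPv6Address(int(new.network_address) + offset)
            stale.append((kind, name, addr, str(suggested)))
    return stale


if __name__ == "__main__":
    for kind, name, addr, suggested in audit_after_prefix_change(OLD_PREFIX, NEW_PREFIX, STATIC_ENTRIES):
        print(f"{kind:14} {name:26} {addr:24} -> {suggested}")
```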
VLAN Network Should Receive IPv6
Here you must take the Sophos limitation seriously. If Prefix Delegation is not possible on the desired VLAN interface, you should not resort to improvised workarounds. A clean design decision is better: static IPv6, a different interface design, clarification with the provider, or deliberately leaving IPv6 out of this segment.
Operational Checklist
- Provider prefix length and stability documented.
- WAN interface receives IPv6 address and delegated prefix.
- Internal interface uses Delegated with the correct upstream interface.
- Router Advertisement is active and visible.
- DHCPv6 is only activated if additional parameters are needed.
- DNS concept for internal and external names checked.
- Firewall rules for IPv6 consciously created or confirmed.
- Device Access not unnecessarily expanded by IPv6.
- Log Viewer shows test traffic traceably.
- Changes to prefix or provider are documented.