Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=e1fdc679-3d39-47e6-8b73-a605cb57b30e

DHCP prefix delegation

You can use DHCP prefix delegation to simplify IPv6 provisioning in your environment. The firewall can assign IPv6 addresses to the internal interfaces using this prefix.

DHCP prefix delegation lets the firewall request an IPv6 address and prefix from an ISP. The firewall can delegate IPv6 addresses to the internal interfaces using this prefix. The internal interfaces assign IPv6 addresses to endpoint computers using the delegated prefix.

Restrictions

  • Sophos Firewall doesn't support PPPoE over IPv6. You can't use prefix delegation over PPPoE.
  • You can't use prefix delegation on any interface with VLAN configured.

Overview

Here's an example of DHCP prefix delegation:

DHCP prefix delegation network diagram.

  1. The firewall requests a delegated prefix from the ISP.
  2. The ISP responds with an IPv6 address for the WAN interface and an IPv6 prefix.
  3. The firewall delegates the prefix to an internal interface and assigns the interface an IPv6 address.
  4. The internal interface assigns IPv6 addresses to endpoint devices using router advertisement and additional parameters, such as DNS, using an optional DHCPv6 server.

To configure DHCP prefix delegation, you must do the following:

  1. Configure the WAN interface to request an IPv6 address and prefix.
  2. Configure the internal interfaces, such as LAN and DMZ, to distribute IPv6 addresses to endpoint devices.
  3. Confirm the IPv6 router advertisement for the internal interfaces.

Configure the WAN interface

You must configure the WAN interface to request an IPv6 address and prefix from an ISP. Do as follows:

  1. Go to Network > Interfaces.
  2. Click the WAN interface on which you want to configure prefix delegation.
  3. Select IPv6 configuration.
  4. Click DHCP.
  5. Click Manual.
  6. Click DHCP only.
  7. Turn on DHCP prefix delegation.

  8. (Optional) Turn on Preferred delegated prefix. You must enter a prefix length of 48, 52, 56, or 60. The prefix address is optional.

    Note

    The ISP may delegate the preferred prefix or a different one. We recommend configuring the preferred prefix after consulting your ISP based on your network requirements. It prevents the need for subsequent changes to the configuration.

    If you want to change the preferred prefix or prefix length later, you must do one of the following for the firewall to update the IPv6 prefix:

    • Remove the DHCP lease.
    • Unbind the WAN interface.

    See Sophos Firewall: DHCP prefix delegation does not send a request when the preferred prefix and length are updated later.

  9. Enter the Gateway name.

  10. Enter the Gateway IP.

    Here's an example:

    DHCP prefix delegation WAN settings.

  11. Click Save.

  12. Click Update interface.

Configure the LAN interface

Once you've configured the WAN interface to receive an IPv6 address and prefix from the ISP, you must delegate the prefix to an internal interface, for example, LAN or DMZ, so the firewall can assign IPv6 addresses to endpoint devices. Do as follows:

  1. Go to Network > Interfaces.
  2. Click the internal interface you want to delegate an IPv6 prefix to.
  3. Select IPv6 configuration.
  4. Click Delegated.

  5. For Upstream interface, select the WAN interface you've configured with prefix delegation. The firewall automatically delegates an IPv6 address and prefix to this interface. It appears in the IPv6 address field.

    Note

    You can change the Subnet ID and Interface ID. You can't change the prefix length.

  6. Turn on Router advertisement to advertise the prefix to devices on this network.

    Here's an example:

    DHCP prefix delegation LAN settings.

  7. (Optional) Turn on DHCPv6 server if you want to assign other parameters to your endpoint devices, for example, DNS.

  8. Click Save.
  9. Click Update interface.

Confirm the IPv6 router advertisement

The firewall automatically creates a router advertisement (RA) for the internal interface. Do as follows:

  1. Go to Network > IPv6 router advertisement.
  2. Click on the automatically created RA server for the delegated interface.

  3. Confirm the Prefix advertisement configuration details.

    Note

    You can't edit the Prefix advertisement configuration for the automatically created RA server. If you want to advertise another prefix, you must manually create an RA server and configure it to advertise that prefix. See Add an IPv6 router advertisement.

  4. (Optional) Select Other flag if you want the DHCPv6 server to assign other DHCP parameters.

  5. Click Save.

More resources