Fix UTM Licensing To Expire IPv6 Temporary Addresses Faster
Fix UTM licensing to "age out" faster the many IPv6 "temporary addresses" that are created by most devices (running Windows, Mac OS X, iOS, Android, Linux). As an example, I have 12 devices connected to my network, but because I run in an IPv4/IPv6 environment, UTM is currently counting 113 IP addresses and sending me daily warnings that I have exceeded my license count and no new devices can be added to the network.
In the forum post linked below I have gone into greater detail, but the issue essentially is that in 2014 almost every IPv6-capable device is generating a new RFC 4941 "temporary address" each day. Given that UTM seems to track IP addresses for 7 days, the licensing system rapidly fills up with temporary addresses that are no longer being used.
I think the fix may be to change the licensing system to deal with IPv6 addresses differently from IPv4. For IPv6 you may want to expire the IPv6 addresses after 24 hours because odds are probably 99% that you won't see those addresses again.
To be more precise, a "permanent" IPv6 address that is built using the MAC address of the device will have "ff:fe" in the middle of the last 4 blocks of the IPv6 address. If the licensing system saw that in an IPv6 address, it could count it as it would for an IPv4 address and could probably assume it could expire in 7 days as an IPv4 address would. However, any IPv6 addresses lacking "ff:fe" between the 6th and 7th address block (or less depending upon IPv6 address compression) could be treated as "temporary addresses" and aged out after 24 hours.
More information and an example can be found here:
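The "ff:fe" heuristic described above, worked through as an added example (not code from the original post or from Sophos): it expands any compressed IPv6 address, checks the modified EUI-64 filler bytes in the interface identifier, recovers the MAC address when present, and ages entries out with the 7-day and 24-hour windows the post proposes. The retention windows, the `seen` table and the sample addresses are constructed for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Retention windows from the post's proposal (assumed values for this example)
STABLE_TTL = timedelta(days=7)
TEMP_TTL = timedelta(hours=24)


def is_eui64(addr):
    """True if the interface identifier was built from a MAC (modified EUI-64).

    ipaddress expands compressed notation, so "::" does not shift the check.
    The IID is the low 64 bits (bytes 8..15); the 0xFFFE filler is bytes 11..12.
    """
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11:13] == b"\xff\xfe"


def mac_from_eui64(addr):
    """Recover the MAC from an EUI-64 IID (flip the universal/local bit, drop ff:fe)."""
    p = ipaddress.IPv6Address(addr).packed
    if p[11:13] != b"\xff\xfe":
        return None
    octets = bytes([p[8] ^ 0x02, p[9], p[10], p[13], p[14], p[15]])
    return ":".join(f"{b:02x}" for b in octets)


def classify(addr):
    """Return (kind, retention window) for an IPv4 or IPv6 address string."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4", STABLE_TTL
    if is_eui64(addr):
        return "ipv6-eui64", STABLE_TTL
    return "ipv6-temporary", TEMP_TTL       # likely RFC 4941 privacy address


def expire(seen, now):
    """seen: {address: last_seen datetime}. Returns {address: kind} still counted."""
    live = {}
    for addr, last in seen.items():
        kind, ttl = classify(addr)
        if now - last <= ttl:
            live[addr] = kind
    return live


if __name__ == "__main__":
    now = datetime(2014, 6, 2, 12, 0)
    seen = {  # constructed sample table
        "192.0.2.10": now - timedelta(days=3),
        "2001:db8::021a:2bff:fe3c:4d5e": now - timedelta(days=3),   # EUI-64, compressed
        "2001:db8::a1b2:c3d4:e5f6:7890": now - timedelta(days=3),   # temporary, stale
        "2001:db8::9f8e:7d6c:5b4a:3928": now - timedelta(hours=5),  # temporary, fresh
    }
    print(expire(seen, now))  # the stale temporary address is gone
```

Stable addresses with randomised interface identifiers (RFC 7217, or the Windows default) carry no ff:fe and would fall into the 24-hour bucket under this heuristic; a MAC-based count from the neighbour table, as later comments suggest, avoids that.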
This feature is completed as part of XG Firewall that has been released on November 9th 2015.
XG Firewall software licensing is counting CPU cores and RAM, rather than protected IPs
Bill Jones commented
Unfortunately, XG Firewall (Copernicus) does not support DHCP-PD so I cannot use native IPv6 on it, so I'm stuck in a catch-22 scenario
M.D. Klapwijk commented
Why look at IP addresses at all? Why not just use the MAC address instead?
Krisi Luttinen commented
If one goes over the license limit, does the UTM drop the connection for the extra IPs? Or just warn?
Andy Neillans commented
I tried contacting Sophos Sales to get a price to up the limit on mine - hoping it would be a modest cost. But never received a response.
Ronnie Cooper commented
I have a family size of 6 at home and am bumping up against the 50 IP limit. I think many would pay for a license increase at home. I'm trying to reach Sophos for an extended license maybe to 100 - not sure if many others have tried that route.
Andrew Kay commented
It used to be 10 IPs. And as this is an enterprise-level product being offered to home users for *free* (try getting a free ASA from Cisco), I for one am happy I even get 50 IPs.
Agree. I have actually looked at buying the UTM, I believe in giving back, but the jump from Free to paid is ridiculous
I agree: IPv6 changes the world somehow, also on this topic.
Jesse Stanford commented
An alternative, simple resolution could be to have separate limits, i.e. 50 IPv4 and 100 IPv6, or something like that. C'mon Sophos, this is an easy one :)
Support LL commented
I think it's not fair that IPv4 and IPv6 are counted double for a single device; with the temporary-address feature there are three counts for one device.
If the UTM recognizes the same MAC address there should be only a single license count.
One option would be to allow for an adjustable timeout limit, so you could throttle it down to whatever you would like. (or allow a range of options to elect)
Thomas Zimmermann commented
I second that! In a dual-stack environment of 9 devices I got over the 50 IP limit of the home license in less than two days... :-)
Dan York commented
I will note that this issue is still present in the very latest version of UTM 9.205-12 to which I upgraded today. (Not that I expected it to be fixed but more that I noticed that in my feature request I did not include a version number while reporting the issue.)