Raudi
New Member
April 2, 2018
Solved

Multiple IPv6 addresses on LAN interface


Hi,

 

I'm currently trying to get IPv6 configured. I have 2 WAN interfaces; each has its own prefix.

 

WAN1 I got working. Here I'm able to deploy addresses via SLAAC or use static IPs.

 

My LAN interface got an internal static fd24 address; all my servers have this static address and this is used in DNS. Then I enabled the secondary IP address option and added a static IP from each prefix to the LAN interface. Now my LAN interface has 3 static IPv6 addresses configured:

 

config ipv6
  set ip6-address fd24:7ed4:3bd5:99::250/64
  set ip6-allowaccess ping https ssh
  config ip6-extra-addr
    edit 2a02:xxxx:xxxx:5b00::250/64
    next
    edit 2a02:xxxx:xxxx:5500::250/64
    next
  end
  set ip6-send-adv enable
  config ip6-delegated-prefix-list
    edit 1
      set upstream-interface "wan1"
      set autonomous-flag enable
      set onlink-flag enable
      set subnet ::/64
    next
  end
end

 

Then I added 2 policy routes to route the source with 5b00 to WAN1 and 5500 to WAN2.

 

O.k., from LAN I can ping the 5b00::250 when I have an address in the 5b00 network. I can also access the internet.

 

But when I'm in the 5500 network, I can't ping the 5500::250 address of the LAN interface.

 

When I make a trace on the LAN interface I get a packet from the client with a "Neighbor Solicitation" but nothing else.

 

And in the routing table I can see only the 5b00 network via :: lan. The 5500 network isn't listed.

 

Is it possible that the secondary IP is limited to one additional IP address?

 

Or where else can I look to check why I can't ping the LAN interface with this specific secondary address?

 

(Next I think I'll try a reboot of the FortiGate, perhaps there is something hanging, and next I'll test discarding the fd24 address and making the 5b00 primary and the 5500 secondary.)

 

Regards

Stefan

    Best answer by Raudi

    Hi,

     

    Today I got the info from support that in 6.0.3 the DHCPv6 client will have a unique DUID for each interface.

     

    So problem solved in a few weeks when 6.0.3 is available...

     

    Regards

    Stefan

    1 reply

    emnoc
    New Member
    April 2, 2018

    Hi, yes you can do that. I don't know how you could deploy autoconf if you want a client to take one prefix over the other.

     

    In your case, you need to set the prefixes to be advertised.

     

     

    e.g.

     

     

        config ip6-prefix-list
            edit 2001:db8:1::/64
                set autonomous-flag enable
                set preferred-life-time 600
                set valid-life-time 600
            next
            edit 2001:db8:2::/64
                set autonomous-flag enable
                set preferred-life-time 600
                set valid-life-time 600
            next
            edit 2001:db8:3::/64
                set autonomous-flag enable
                set preferred-life-time 600
                set valid-life-time 600
            next
        end

     

    http://socpuppet.blogspot.com/2015/08/just-how-many-ipv6-prefixes-can-be.html

     

     

    Also for this:

     

      Or where else can I look to check why I can't ping the LAN interface with this specific secondary address

     

     

    Try any or all of the below:

     

    cli-cmd

     

    diag debug flow filter6

    diag sniffer packet <interfacename> icmp6
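
The prefix list in the reply above ends up on the wire as Prefix Information options inside ICMPv6 Router Advertisements, which is what an icmp6 capture on the LAN shows. As an added example (not part of the original posts and not Fortinet code), this Python sketch decodes those options from a captured RA payload and lists prefixes offered for SLAAC that are not on an allow-list. The helper names, the constructed sample packet and the on-link flag value are assumptions.

```python
import ipaddress
import struct

RA_TYPE = 134          # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3    # Prefix Information option

def build_pio(prefix, valid, preferred, onlink=True, autonomous=True):
    """Encode one 32-byte Prefix Information option (used for the sample)."""
    net = ipaddress.IPv6Network(prefix)
    flags = (0x80 if onlink else 0) | (0x40 if autonomous else 0)
    return struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen,
                       flags, valid, preferred, 0, net.network_address.packed)

def parse_ra_prefixes(icmp6):
    """Return the prefixes carried in an ICMPv6 RA payload."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    found, off = [], 16                 # options follow the 16-byte RA header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option length")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, flags, valid, pref, _, raw = struct.unpack(
                "!BBIII16s", icmp6[off + 2:off + 32])
            net = ipaddress.IPv6Network((raw, plen), strict=False)
            found.append({"prefix": str(net),
                          "onlink": bool(flags & 0x80),      # L flag
                          "autonomous": bool(flags & 0x40),  # A flag (SLAAC)
                          "valid": valid, "preferred": pref})
        off += opt_len
    return found

def unexpected_slaac_prefixes(icmp6, allowed):
    """Prefixes advertised with the A flag that are not in the allowed set."""
    return [p["prefix"] for p in parse_ra_prefixes(icmp6)
            if p["autonomous"] and p["prefix"] not in allowed]

# Constructed sample: RA header plus the three prefixes from the reply,
# lifetimes 600 s; the on-link flag is set here as an assumption.
SAMPLE_RA = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0) + b"".join(
    build_pio(p, 600, 600) for p in
    ("2001:db8:1::/64", "2001:db8:2::/64", "2001:db8:3::/64"))

if __name__ == "__main__":
    for p in parse_ra_prefixes(SAMPLE_RA):
        print(p)
    print(unexpected_slaac_prefixes(SAMPLE_RA, {"2001:db8:1::/64"}))
```

Feed it the ICMPv6 payload (starting at the type byte) of an RA captured on the LAN; an empty result from `unexpected_slaac_prefixes` means only the intended prefix is being offered for autoconfiguration.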

     

    Raudi (Author)
    New Member
    April 2, 2018

    Thanks for the quick answer. Only the prefix of WAN1 should be deployed automatically; the IPv6 network of WAN2 should only be used statically.

     

    After a reboot I was able to ping both IPs; both addresses were listed in the routing table.

     

    But I got another problem. On WAN1 I got the delegated prefix for WAN2 automatically configured?!?

     

    How is this possible? O.k. will take some research...

    Raudi (Author)
    New Member
    April 2, 2018

    I don't get it... For a moment all was fine: WAN1 has the delegated prefix from the provider and I was able to access the internet. WAN2 has its delegated prefix too and I was also able to access the internet with a client in this network.

     

    But now the delegated prefix from WAN1 changed to the prefix which is for WAN2.

     

    How can this be?

     

    I have only 2 firewall policies for outgoing:

     

    In Interface: LAN

    Out Interface: WAN1

    Source: Prefix WAN1

    Destination: all

     

    In Interface: LAN

    Out Interface: WAN2

    Source: Prefix WAN2

    Destination: all

     

    Now I removed "ALL_ICMP6" from both. And I had ping enabled on the WAN interface; this I disabled too.

     

    After disabling WAN1 for a moment and enabling it again I got the correct prefix again.

     

    Let's see how long the config is now stable...

     

    Why does WAN1 get the delegated prefix info from WAN2? There is no connection between them...

     

    Can I disable the prefix delegation and configure the prefix statically?

     

    Kind regards

    Stefan