echo
Explorer II
April 19, 2016
Solved

Need IPv6 help


Hello!

After realising that SLAAC is not supposed to work when the ISP gives just a /64 which I would then have to subnet into smaller networks (because I have to define globally routable IPv6 addresses non-overlappingly on both the external and internal interfaces), I asked our ISP for a /48 and got it (unlike last time, over a year ago). But I still can't get IPv6 working (without NAT). I write down the configuration below. It is an FG200D with a single internet connection on the wan1 port, and vlan14 is our test internal VLAN for IPv6, which also has IPv4 addressing on it. I use the 2001:db8:1:: prefix for the example conf (replacing the original with it), but prefix lengths are not altered. My main goal at the moment is to get access to the IPv6 internet from the internal network. Allowing access from the internet to the internal network will be my next step.

If anybody has ideas, thank you in advance!

1. External interface wan1 (IPv6 part of it).

        config ipv6
            set ip6-allowaccess ping
            set ip6-address 2001:db8:1::2/64
        end

2. Routing.

config router static6
    edit 1
        set gateway 2001:db8:1::1
        set device "wan1"
    next
end

3. Test ping (excerpt) to the IPv6 internet.

exec ping6 -I wan1 ipv6.google.com
64 bytes from 2a00:1450:4010:c07::8b: icmp_seq=1 ttl=54 time=62.8 ms

4. Internal interface vlan14 (IPv6 part of it). Since I wanted just SLAAC to work first, I have "unset ip6-manage-flag" for the test, but it didn't make any difference. I understood from examples that manage-flag should be used when DHCPv6 is also defined on the router, so I have tried with and without it, but it didn't make any difference.

        config ipv6
            set ip6-allowaccess ping capwap
            set ip6-address 2001:db8:1:14::1/64
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-other-flag enable
            config ip6-prefix-list
                edit 2001:db8:1:14::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end

5. With this, autoconf-enabled devices in vlan14 really get the SLAAC addresses and they ping each other.

6. Policy6 between zones "cloud" (with vlan14) and "untrust" (without UUIDs), that is from the internal network to the internet. It gets hits and there is traffic counting up when I try to initiate even pings to the IPv6 internet.

config firewall address6
    edit "ipv6-vlan14"
        set ip6 2001:db8:1:14::/64
    next
end

config firewall policy6
    edit 1
        set name "20160419"
        set srcintf "cloud"
        set dstintf "untrust"
        set srcaddr "ipv6-vlan14"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

7. Diagnostics.

7.1 I pinged Google's nameserver from an HP switch and a Win2012 server.

diag sniffer packet vlan14 'icmp6' 4 10

interfaces=[vlan14]
filters=[icmp6]
12.385066 vlan14 -- fe80::a5b:eff:fea0:b849 -> ff02::1: icmp6: router advertisement
24.687527 vlan14 -- 2001:db8:1:14:7646:a0ff:fee1:ec00 -> 2001:db8:1::1: icmp6: echo request seq 41
29.700829 vlan14 -- fe80::7646:a0ff:fee1:ec00 -> fe80::a5b:eff:fea0:b849: icmp6: neighbor sol: who has fe80::a5b:eff:fea0:b849
29.700842 vlan14 -- fe80::a5b:eff:fea0:b849 -> fe80::7646:a0ff:fee1:ec00: icmp6: neighbor adv: tgt is fe80::a5b:eff:fea0:b849
60.114931 vlan14 -- 2001:db8:1:14::2 -> ff02::1:ff00:1: icmp6: neighbor sol: who has 2001:db8:1:14::1
60.114962 vlan14 -- 2001:db8:1:14::1 -> 2001:db8:1:14::2: icmp6: neighbor adv: tgt is 2001:db8:1:14::1
60.115274 vlan14 -- 2001:db8:1:14::2 -> 2001:4860:4860::8888: icmp6: echo request seq 204
64.784896 vlan14 -- 2001:db8:1:14::2 -> 2001:4860:4860::8888: icmp6: echo request seq 205
69.785059 vlan14 -- 2001:db8:1:14::2 -> 2001:4860:4860::8888: icmp6: echo request seq 206
213.764101 vlan14 -- 2001:db8:1:14:8587:8aff:85ab:3535 -> ff02::1:ffa0:b849: icmp6: neighbor sol: who has fe80::a5b:eff:fea0:b849

Here are the participants:

fe80::a5b:eff:fea0:b849 -- Fortigate's LL address. Somehow this gets advertised all the time.

2001:db8:1:14::1 -- Fortigate's manually set address in vlan14.

fe80::7646:a0ff:fee1:ec00 -- HP switch with LL address.

2001:db8:1:14:7646:a0ff:fee1:ec00 -- HP switch with SLAAC address in vlan14.

2001:db8:1:14::2 -- Win2012 that had a manually set IPv6 address for a test.

2001:db8:1:14:8587:8aff:85ab:3535 -- Win2012 with SLAAC address.

2001:db8:1::1 -- ISP's default gateway.

7.2 HP switch information.

show running-config (excerpt):

vlan 14
   name "DMZ14"
   tagged 1-2
   no ip address
   ipv6 enable
   ipv6 address autoconfig
   exit

HP-2530-48G-1# sho ipv6 vlan 14

 Internet (IPv6) Service

  IPv6 Routing    : Disabled
  Default Gateway : fe80::a5b:eff:fea0:b849%vlan14
  ND DAD          : Enabled
  DAD Attempts    : 3

  Interface Name  : DMZ14
  IPv6 Status     : Enabled
  Layer 3 Status  : Enabled

  IPv6 Address/Prefixlength                   Expiry
  ------------------------------------------- -------------------------
  2001:db8:1:14:7646:a0ff:fee1:ec00/64        Sat Jul 11 21:14:41 1992
  fe80::7646:a0ff:fee1:ec00/64                permanent

HP-2530-48G-1# sho ipv6 routers

 IPv6 Router Table Entries

  Router Address : fe80::a5b:eff:fea0:b849
  Interface      : DMZ14
  MTU            : 1500
  Hop Limit      : 64

                                              Valid       Preferred   On/Off
  Prefix Advertised                           Lifetime(s) Lifetime(s) Link
  ------------------------------------------- ----------- ----------- -------
  1::/64                                      2592000     604800      Onlink
  2001:db8:0:1::1:0/112                       2592000     86400       Onlink
  2001:db8:1:14::/64                          2592000     604800      Onlink
  dead:beef:cafe::/64                         86400       43200       Onlink

Here 2001:db8:0:1::1:0/112 is one of my earlier attempts to get the whole thing working with subnets smaller than /64 (it worked only with NAT enabled from internal IPv6 to external IPv6).

dead:beef:cafe::/64 is another earlier attempt, and I got this working with a /64 (without it being part of some /48) when I had 2001:db8:0:1::2/112 on the wan1 interface _with_ NAT enabled from cloud to untrust. I don't know how to delete these entries; maybe it is not necessary anyway.

HP-2530-48G-1# sho ipv6 route

 IPv6 Route Entries

 T (Type):   S: Static  C: Connected

  Destination/Gateway                              T   ST  Distance   Metric
  ------------------------------------------------ --- --- ---------- ----------
  ::/0
   fe80::a5b:eff:fea0:b849%vlan14                  S   NA  254        0
  ::1/128
   lo0                                             C   NA  0          1
  2001:db8:1:14::/64
   VLAN14 (DMZ14)                                  C   NA  0          1
  fe80::%vlan14
   VLAN14 (DMZ14)                                  C   NA  0          1

7.3 Win2012 server.

C:\Windows\system32>route print
===========================================================================
Interface List
 12...00 50 56 8a 61 59 ......vmxnet3 Ethernet Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
/// Omitted ///
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 12    261 ::/0                     fe80::a5b:eff:fea0:b849
  1    306 ::1/128                  On-link
 12    261 2001:db8:1:14::/64       On-link
 12    261 2001:db8:1:14:8587:8aff:85ab:3535/128
                                    On-link
 12    261 fe80::/64                On-link
 12    261 fe80::8587:8aff:85ab:3535/128
                                    On-link
  1    306 ff00::/8                 On-link
 12    261 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

From Win2012, I can ping for example the Fortigate's 2001:db8:1:14::1 address (vlan14) and the Fortigate's 2001:db8:1::2 address (wan1), but not the ISP's 2001:db8:1::1 address, although it pings from wan1 on the router. And I can't ping anything else on the IPv6 internet either.
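As an added example that is not part of the thread, the following Python script parses lines in the format of the "diag sniffer packet vlan14 'icmp6' 4" output shown in 7.1 (a constructed sample modelled on that capture is embedded) and reports which addresses sent router advertisements, which echo requests never saw a reply, and any vlan14 sources that fall outside the advertised /64 (as the old /112 prefix would). The function names and the "echo reply" line format are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of "diag sniffer packet vlan14 'icmp6' 4",
# modelled on the capture in the post (documentation prefix 2001:db8::/32).
SAMPLE_CAPTURE = """\
12.385066 vlan14 -- fe80::a5b:eff:fea0:b849 -> ff02::1: icmp6: router advertisement
24.687527 vlan14 -- 2001:db8:1:14:7646:a0ff:fee1:ec00 -> 2001:db8:1::1: icmp6: echo request seq 41
60.114931 vlan14 -- 2001:db8:1:14::2 -> ff02::1:ff00:1: icmp6: neighbor sol: who has 2001:db8:1:14::1
60.115274 vlan14 -- 2001:db8:1:14::2 -> 2001:4860:4860::8888: icmp6: echo request seq 204
64.784896 vlan14 -- 2001:db8:1:14::2 -> 2001:4860:4860::8888: icmp6: echo request seq 205
"""

# "<time> <iface> -- <src> -> <dst>: icmp6: <message>"
LINE_RE = re.compile(r"^[\d.]+\s+\S+\s+--\s+(?P<src>[0-9a-f:]+)\s+->\s+(?P<dst>[0-9a-f:]+):\s+icmp6:\s+(?P<msg>.+)$")


def parse_capture(text):
    """Return (src, dst, message) tuples; lines not in sniffer format are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append((ipaddress.ip_address(m["src"]),
                            ipaddress.ip_address(m["dst"]), m["msg"]))
    return packets


def analyse_capture(text, lan_prefix):
    """Summarise RA sources, unanswered echo requests and off-prefix LAN sources."""
    lan = ipaddress.ip_network(lan_prefix)
    requests, replies = defaultdict(int), defaultdict(int)
    ra_sources, off_prefix = set(), set()
    for src, dst, msg in parse_capture(text):
        if msg.startswith("router advertisement"):
            ra_sources.add(str(src))
        elif msg.startswith("echo request"):
            requests[(str(src), str(dst))] += 1
        elif msg.startswith("echo reply"):
            replies[(str(dst), str(src))] += 1  # keyed as (requester, target)
        # Non-link-local source outside the advertised /64: a stale prefix or hand-set
        # address that the ISP will not route back to this LAN.
        if not (src.is_link_local or src.is_multicast) and src not in lan:
            off_prefix.add(str(src))
    return {
        # RFC 4861 makes RA sources link-local, so hosts learning fe80::... as their
        # default gateway is the normal case, not a missing global router address.
        "ra_sources": sorted(ra_sources),
        "ra_sources_link_local": all(ipaddress.ip_address(a).is_link_local for a in ra_sources),
        "unanswered_requests": {k: n for k, n in requests.items() if replies[k] == 0},
        "off_prefix_sources": sorted(off_prefix),
    }
```

Requests that leave vlan14 and never get a reply while the RA side looks healthy point at the return path (ISP routing of the /48 to wan1) rather than at SLAAC on the LAN.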


emnoc
New Member
April 19, 2016

Wow

A very good collection of details for t-shooting. Others should catch your method of data collection; actually I wish my day-job staff would do like you with 90% of the stuff they give me ;)

1st, can you ping from the "FGT inside sourced ipv6" address to Google's ipv6 DNS servers or the ISP gateway?

2nd, in the rtr advt to the Windows and/or HP, are you 100% sure the default route is present? From your output it looks like no.

3rd, with the diag debug flow filter6, can you execute the diag debug flow using "6" to get an idea if you're matching any policy?

e.g.

diag debug reset
diag debug enable
diag debug flow filter6 addr <ipv6 address here>
diag debug flow show console enable
diag debug flow trace start6 100

If you're not matching any fwpolicy6, it's probably due to a lack of forward route lookup.

This might shed some light on FGT ipv6:

http://socpuppet.blogspot...6-fortigate-style.html

echo (Author)
Explorer II
April 19, 2016

Thanks for the quick response :) Answers to the questions:

1. No, it doesn't work.

$ exec ping6-options source 2001:db8:1:14::1
$ exec ping6 2001:4860:4860::8888
PING 2001:4860:4860::8888(2001:4860:4860::8888) from 2001:db8:1:14::1 : 56 data bytes

--- 2001:4860:4860::8888 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss, time 7996ms

I'm not sure if it is related, but it has never worked with IPv4 either when I set the source IP address to the internal IPv4 address of the router (behind the NAT) and ping something outside. Maybe it is different for IPv6 though (maybe it must work).

But setting the wan1 interface IPv6 address as the source, ping works.

2. True, that was my question too: why are there only the Fortigate's LL addresses visible as routers in both cases, and not the one in the advertised global network? This can be the reason why my stuff actually doesn't work. If SLAAC works already, then how come the router's address itself is not advertised?

3. Yes, the policy matches as I've seen before.

id=20085 trace_id=1 func=resolve_ip6_tuple_fast line=3251 msg="vd-root received a packet(proto=17, 2001:db8:1:14:8587:8aff:85ab:3535:58028->2001:4860:4860::8888:53) from vlan14."
id=20085 trace_id=1 func=resolve_ip6_tuple line=3352 msg="allocate a new session-006d0549"
id=20085 trace_id=1 func=vf_ip6_route_input line=535 msg="find a route: gw-2001:db8:1::1 via wan1 err 0 flags 00000003"
id=20085 trace_id=1 func=fw6_forward_handler line=311 msg="Check policy between vlan14 -> wan1"
id=20085 trace_id=1 func=fw6_forward_handler line=435 msg="Allowed by Policy-1:"

4. For the link to the blog post, you use 2001:11::1/64 for the internal part. But what address have you configured for the external interface, and what is the whole allocated (possibly /48) network from the ISP in that example case? Could it be e.g. 2001:11:0:1::2/64, assuming you are given 2001:11::/48, and the default route being 2001:11:0:1::1? Also, are there any additional parameters on the external interface? Mine has just the IP address and allowing ping.

emnoc (Best answer)
New Member
April 19, 2016

Okay, here's what I would do. I'm betting your /64s are not reachable & your ISP has issues.

Go to an ipv6 looking glass router (I like NTT btw) and traceroute to one of your /64 address hosts (do you see that traceroute inbound?).

2nd, if yes, then plumb a loop interface with a /64 network enabled and with a fwpolicy6 wan1 inbound to that /64 address; ensure set allowaccess ping has been enabled. Now can you ping that /64 address on the loopback? And from the ipv6 looking glass?

config system interface
    edit "loop6"
        set vdom "root"
        set type loopback
        config ipv6
            set ip6-allowaccess ping
            set ip6-address 2001:db8:11::1/64
        end
    next
end

3rd, do you see a session6 entry in the firewall session table (or diag debug flow if you like diag debug flow)?

These steps will ensure that 1> the /64s are reachable via your ISP and FGT, and allow you to focus on the internal-inside and narrow the area of the troubleshooting. If you can ping that /64 on the loopback then your problem(s) are local to your FGT. If not, they are external to the FGT.

I must have turned up at least 70 ipv6 networks in the last 2-3 years and always did the above when isolating with SRX or FGTs.
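Before plumbing the loopback /64 from step 2 it is worth confirming that the /64 really lies inside the prefix the ISP routes to you and does not collide with wan1 or vlan14, otherwise the looking-glass traceroute can never arrive. This added Python check (not from the thread) encodes those rules together with the /64 requirement for SLAAC that the original post ran into and the on-link requirement for the static6 gateway; the delegation, the interface addresses and the loop6 prefix 2001:db8:1:ffff::/64 are constructed from the documentation prefix, and the function name is an assumption.

```python
import ipaddress

# Constructed plan modelled on the thread: the ISP routes the /48 to wan1's address,
# and vlan14 plus the test loopback must each be a /64 carved from that /48.
DELEGATED = "2001:db8:1::/48"
ISP_GATEWAY = "2001:db8:1::1"
PLAN = {
    "wan1": "2001:db8:1::2/64",         # transit link towards the ISP gateway
    "vlan14": "2001:db8:1:14::1/64",    # SLAAC LAN from the post
    "loop6": "2001:db8:1:ffff::1/64",   # hypothetical loopback /64 for the reachability test
}


def check_plan(delegated, gateway, plan, transit="wan1"):
    """Return a list of problems; an empty list means the plan is consistent.

    Rules: the static6 gateway must be on-link on the transit interface (or link-local),
    every non-transit prefix must sit inside the delegation, every prefix must be a /64
    (SLAAC needs a 64-bit interface identifier), and no two prefixes may overlap.
    """
    block = ipaddress.ip_network(delegated)
    gw = ipaddress.ip_address(gateway)
    nets, problems = {}, []
    for ifname, cidr in plan.items():
        net = ipaddress.ip_interface(cidr).network
        nets[ifname] = net
        if ifname != transit and not net.subnet_of(block):
            problems.append(f"{ifname}: {net} is outside delegated {block}")
        if net.prefixlen != 64:
            problems.append(f"{ifname}: /{net.prefixlen} breaks SLAAC, use a /64")
    if transit in nets and not (gw.is_link_local or gw in nets[transit]):
        problems.append(f"gateway {gw} is not on-link on {transit} ({nets[transit]})")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap ({nets[a]} vs {nets[b]})")
    return problems


if __name__ == "__main__":
    for problem in check_plan(DELEGATED, ISP_GATEWAY, PLAN) or ["plan is consistent"]:
        print(problem)
```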