FortiGate
shahrukh_khan
Article Id 332264
Description This article describes how to give LAN users on an IPv4 subnet access to a server hosted on an IPv6 address, using a hairpin NAT46 configuration.
Scope FortiGate.
Solution

Below is a scenario explaining the configuration steps for hairpin NAT with NAT46:

[Figure: Hairpin NAT with NAT46 topology diagram]

  1. Enable IPv6 in the GUI from the CLI (required before the NAT46 objects can be configured):

config system global
    set gui-ipv6 enable
end

  2. Interface configuration (port4 carries both an IPv4 and an IPv6 address):


config system interface
    edit "port4"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set type physical
        set snmp-index 4
        config ipv6
            set ip6-address 2000:172:16:101::1/64
            set ip6-allowaccess ping
        end
    next
end

  3. VIP configuration (NAT46 VIP mapping the IPv4 external IP to the IPv6 server address):


config firewall vip
    edit "VIP-NAT_46"
        set uuid a08c9ff4-570a-51ef-0826-c8449bd795d2
        set extip 172.16.16.1
        set nat44 disable
        set nat46 enable
        set extintf "any"
        set ipv6-mappedip 2000:172:16:101::2
    next
end

  4. Configure the IPv6 IP pool (source address used towards the IPv6 server):


config firewall ippool6
    edit "IPv6_Pool"
        set startip 2000:172:16:200::
        set endip 2000:172:16:200::
        set nat46 enable
    next
end

  5. Configure the firewall policies:

Firewall Policy-1:

config firewall policy
    edit 1
        set name "Lan-to-Wan"
        set uuid ae8f1afc-570d-51ef-2a9f-cb2da02616e3
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "Lan_Subnet"
        set dstaddr "Wan_IP"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

Firewall Policy-2:


config firewall policy
    edit 2
        set name "Wan-to-Dmz"
        set uuid 1648871c-5715-51ef-9577-e12c06e66794
        set srcintf "port3"
        set dstintf "port4"
        set action accept
        set nat46 enable
        set srcaddr "Lan_Subnet"
        set dstaddr "VIP-NAT_46"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set ippool enable
        set poolname6 "IPv6_Pool"
    next
end

Verify the VIP46 traffic with a flow debug (the filter below selects the LAN host 192.168.1.2):

diagnose debug flow filter saddr 192.168.1.2
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow trace start 255
diagnose debug enable

FortiGate # id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.168.1.2:29572->172.16.16.1:2184) tun_id=0.0.0.0 from port2. type=8, code=0, id=8524, seq=1."
id=65308 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new session-000007fd, tun_id=0.0.0.0"
id=65308 trace_id=1 func=iprope_dnat_check line=5331 msg="in-[port2], out-[]"
id=65308 trace_id=1 func=iprope_dnat_tree_check line=823 msg="len=1"
id=65308 trace_id=1 func=get_new_addr line=1228 msg="find DNAT46: IP-2000:172:16:101::52, port-29572"
id=65308 trace_id=1 func=__iprope_check_one_dnat_policy line=5286 msg="matched policy-1, act=accept, vip=1, flag=104, sflag=2000000"
id=65308 trace_id=1 func=iprope_fwd_check line=789 msg="in-[port2], out-[port3], skb_flags-02000000, vid-1, app_id: 0, url_cat_id: 0"
id=65308 trace_id=1 func=get_new_addr line=1228 msg="find SNAT: IP-172.16.16.1(from IPPOOL), port-29572"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2262 msg="policy-1 is matched, act-accept"
id=65308 trace_id=1 func=fw_pre_route_handler line=178 msg="VIP-172.16.16.1:29572, outdev-unknown"
id=65308 trace_id=1 func=__ip_session_run_tuple line=3515 msg="DNAT 172.16.16.1->2000:172:16:101::2"
id=65308 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-2000:172:16:101::1 via port4"
id=65308 trace_id=1 func=iprope_fwd_check line=789 msg="in-[port4], out-[port2], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2044 msg="checked gnum-100004 policy-2, ret-matched, act-accept"
id=65308 trace_id=1 func=__iprope_user_identity_check line=1819 msg="ret-matched"
id=65308 trace_id=1 func=get_new_addr line=1228 msg="find SNAT46: IP-2000:172:16:200::1(from IPPOOL), port-29572"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2262 msg="policy-2 is matched, act-accept"
id=65308 trace_id=1 func=iprope_reverse_dnat_check line=1307 msg="in-[port4], out-[port2], skb_flags-020000c0, vid-1"
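As an added example (not part of the article and not Fortinet code), the Python below parses the `diagnose debug flow` output shown above and checks that the DNAT and SNAT46 decisions agree with the configured VIP and ippool6: the DNAT rewrite must go from the VIP external IP to its ipv6-mappedip, the SNAT46 source must fall inside the pool range, and every matched policy must accept. The sample trace is a constructed, trimmed copy of the lines above; the function names are hypothetical, and the pool range passed in the usage call is an assumed value, not the article's.

```python
import re
from ipaddress import ip_address

# Constructed sample input: a trimmed copy of the article's 'diagnose debug flow'
# output, one trace message per line (the first line keeps the CLI prompt).
SAMPLE_TRACE = """\
FortiGate # id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.168.1.2:29572->172.16.16.1:2184) tun_id=0.0.0.0 from port2. type=8, code=0, id=8524, seq=1."
id=65308 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new session-000007fd, tun_id=0.0.0.0"
id=65308 trace_id=1 func=get_new_addr line=1228 msg="find DNAT46: IP-2000:172:16:101::52, port-29572"
id=65308 trace_id=1 func=__iprope_check_one_dnat_policy line=5286 msg="matched policy-1, act=accept, vip=1, flag=104, sflag=2000000"
id=65308 trace_id=1 func=get_new_addr line=1228 msg="find SNAT: IP-172.16.16.1(from IPPOOL), port-29572"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2262 msg="policy-1 is matched, act-accept"
id=65308 trace_id=1 func=__ip_session_run_tuple line=3515 msg="DNAT 172.16.16.1->2000:172:16:101::2"
id=65308 trace_id=1 func=get_new_addr line=1228 msg="find SNAT46: IP-2000:172:16:200::1(from IPPOOL), port-29572"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2262 msg="policy-2 is matched, act-accept"
"""

# One trace message: "... trace_id=N func=NAME line=N msg="..."".
LINE_RE = re.compile(r'trace_id=(?P<trace_id>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"\s*$')
# The 5-tuple and ingress interface printed by print_pkt_detail.
PKT_RE = re.compile(r'proto=(?P<proto>\d+), (?P<src>[^:]+):(?P<sport>\d+)->(?P<dst>[^:]+):(?P<dport>\d+)\) .* from (?P<intf>\S+)\.')
DNAT_RE = re.compile(r'^DNAT (?P<orig>\S+?)->(?P<new>\S+)$')
SNAT46_RE = re.compile(r'^find SNAT46: IP-(?P<ip>[0-9a-fA-F:]+)\(from IPPOOL\)')
POLICY_RE = re.compile(r'^policy-(?P<id>\d+) is matched, act-(?P<act>\w+)$')


def parse_trace(text):
    """Turn raw debug-flow output into a list of trace records, skipping
    anything (prompt-only lines, blanks) that is not a trace message."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append({"trace_id": int(m["trace_id"]), "func": m["func"], "msg": m["msg"]})
    return records


def summarize_session(records):
    """Collect the facts needed to verify NAT46 from one trace: the original
    source/destination, the DNAT rewrite, the SNAT46 source taken from the
    pool, and the policies that matched with their action."""
    summary = {"src": None, "dst": None, "in_intf": None, "dnat": None, "snat46": None, "policies": []}
    for r in records:
        msg = r["msg"]
        if r["func"] == "print_pkt_detail":
            m = PKT_RE.search(msg)
            if m:
                summary["src"], summary["dst"], summary["in_intf"] = m["src"], m["dst"], m["intf"]
        elif (m := DNAT_RE.match(msg)):
            summary["dnat"] = (m["orig"], m["new"])
        elif (m := SNAT46_RE.match(msg)):
            summary["snat46"] = m["ip"]
        elif (m := POLICY_RE.match(msg)):
            summary["policies"].append((int(m["id"]), m["act"]))
    return summary


def check_nat46(summary, vip_extip, vip_mappedip, pool_start, pool_end):
    """Compare what the trace shows with the intended configuration and return
    a list of findings; an empty list means the hairpin NAT46 path behaved as
    configured."""
    findings = []
    if summary["dst"] != vip_extip:
        findings.append(f"packet was sent to {summary['dst']}, not the VIP external IP {vip_extip}")
    if summary["dnat"] is None:
        findings.append("no DNAT rewrite seen: the NAT46 VIP did not match")
    else:
        orig, new = summary["dnat"]
        if ip_address(orig) != ip_address(vip_extip) or ip_address(new) != ip_address(vip_mappedip):
            findings.append(f"DNAT {orig}->{new} does not match VIP {vip_extip}->{vip_mappedip}")
    if summary["snat46"] is None:
        findings.append("no SNAT46 source allocated: check 'set nat46 enable' and poolname6 on the policy")
    elif not (ip_address(pool_start) <= ip_address(summary["snat46"]) <= ip_address(pool_end)):
        findings.append(f"SNAT46 source {summary['snat46']} lies outside ippool6 {pool_start}-{pool_end}")
    if not summary["policies"]:
        findings.append("no firewall policy matched the session")
    denied = [pid for pid, act in summary["policies"] if act != "accept"]
    if denied:
        findings.append(f"policies {denied} did not accept the session")
    return findings


if __name__ == "__main__":
    session = summarize_session(parse_trace(SAMPLE_TRACE))
    # VIP values are the article's; the pool range is an assumed example range.
    problems = check_nat46(session, "172.16.16.1", "2000:172:16:101::2",
                           "2000:172:16:200::", "2000:172:16:200::ffff")
    print(session)
    print("OK: NAT46 hairpin verified" if not problems else "\n".join(problems))
```

Feed the script real output captured after `diagnose debug enable` (for example by piping the terminal log into `parse_trace`) and substitute the VIP and ippool6 values from your own configuration; a non-empty findings list points at the object (VIP, pool, or policy) whose setting does not match what the trace shows.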