The external IPv6 address (extip) of the VIP must be different from the public address on the external-facing interface, but in the same range.
In this example, the VIP extip is 2404:a800:2a00::b47 and the public IPv6 address on the interface is 2404:a800:2a00::b46.
Create an SNAT IP pool that uses an arbitrary address not used anywhere else on the network.
Step 4:
Create the firewall policy enabling NAT64 in the NAT section.
CLI:
config firewall policy
    edit 1
        set name "policy64-1"
        set uuid 0084683e-abf7-51ee-cd9c-fa9e15de6489
        set srcintf "port3"
        set dstintf "port2"
        set action accept
        set nat64 enable
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "test-vip64-1"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set auto-asic-offload disable
        set ippool enable
        set poolname "Test-ippool"
    next
end
Debug flow:
2024-12-30 17:31:02 id=20085 trace_id=21 func=resolve_ip6_tuple_fast line=4840 msg="vd-root:0 received a packet(proto=58, 2001:4860:4861::2:19017->2404:a800:2a00::b47:128) from port3."
2024-12-30 17:31:02 id=20085 trace_id=21 func=resolve_ip6_tuple line=4979 msg="allocate a new session-00000021"
2024-12-30 17:31:02 id=20085 trace_id=21 func=get_vip64_addr line=1178 msg="find DNAT64: IP-172.16.150.162, port-8(fixed port)"
2024-12-30 17:31:02 id=20085 trace_id=21 func=vf_ip6_route_input line=1212 msg="find a route: gw-2001:4860:4860::3 via naf.root err 0 flags 01000001"
2024-12-30 17:31:02 id=20085 trace_id=21 func=fw6_forward_handler line=457 msg="Check policy between port3 -> naf.root"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope6_fwd_check line=543 msg="in-[port3], out-[naf.root], skb_flags-00000040, vid-1, app_id: 0, url_cat_id: 0"
2024-12-30 17:31:02 id=20085 trace_id=21 func=__iprope6_check line=1539 msg="gnum-100004, check-ffffffffa010d512"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope6_check_one_policy line=1359 msg="checked gnum-100004 policy-1, ret-matched, act-accept"
2024-12-30 17:31:02 id=20085 trace_id=21 func=get_new_addr64 line=1114 msg="find SNAT64: IP-172.16.100.1(from IPPOOL), port-60802"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope6_check_one_policy line=1516 msg="policy-1 is matched, act-accept"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope6_policy_group_check line=3183 msg="after check: ret-matched, act-accept, flag-08050501, flag2-00204200"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope6_fwd_check line=562 msg="after iprope6_captive_check(): is_captive-0, ret-matched, act-accept, idx-1"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope6_reverse_dnat_check line=131 msg="in-[port3], out-[naf.root], skb_flags-00000040, vid-1"
2024-12-30 17:31:02 id=20085 trace_id=21 func=__iprope6_check line=1539 msg="gnum-100002, check-ffffffffa010d512"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope6_policy_group_check line=3183 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2024-12-30 17:31:02 id=20085 trace_id=21 func=fw6_forward_handler line=591 msg="Allowed by Policy-1: SNAT"
2024-12-30 17:31:02 id=20085 trace_id=21 func=ip6_nat_af_input line=297 msg="nat64 ipv6 received a packet proto=58"
2024-12-30 17:31:02 id=20085 trace_id=21 func=init_ip_session_common line=6046 msg="allocate a new session-0000007e, tun_id=0.0.0.0"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope_dnat_check line=5336 msg="in-[naf.root], out-[]"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope_dnat_tree_check line=827 msg="len=0"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-12-30 17:31:02 id=20085 trace_id=21 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-172.16.150.162 via port2"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope_fwd_check line=782 msg="in-[naf.root], out-[port2], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
2024-12-30 17:31:02 id=20085 trace_id=21 func=__iprope_check line=2272 msg="gnum-100004, check-ffffffffa002c077"
2024-12-30 17:31:02 id=20085 trace_id=21 func=__iprope_check_one_policy line=2025 msg="checked gnum-100004 policy-1, ret-matched, act-accept"
2024-12-30 17:31:02 id=20085 trace_id=21 func=__iprope_user_identity_check line=1814 msg="ret-matched"
2024-12-30 17:31:02 id=20085 trace_id=21 func=__iprope_check_one_policy line=2242 msg="policy-1 is matched, act-accept"
2024-12-30 17:31:02 id=20085 trace_id=21 func=__iprope_check line=2289 msg="gnum-100004 check result: ret-matched, act-accept, flag-08010001, flag2-00006200"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope_fwd_check line=819 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-1"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope_fwd_auth_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-1"
2024-12-30 17:31:02 id=20085 trace_id=21 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"
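Reading the trace above for the NAT64 result, as an added example (not Fortinet's code): the script groups debug flow lines by trace_id and extracts the DNAT64 target, the SNAT64 pool address, the interfaces, and the policy that allowed the packet at the IPv6 and IPv4 forwarding stages. The names summarize and nat64_complete are hypothetical, and the sample is six lines copied from the trace above.

```python
import re

# Sample input: six lines copied from the debug flow on this page.
TRACE = '''\
2024-12-30 17:31:02 id=20085 trace_id=21 func=resolve_ip6_tuple_fast line=4840 msg="vd-root:0 received a packet(proto=58, 2001:4860:4861::2:19017->2404:a800:2a00::b47:128) from port3."
2024-12-30 17:31:02 id=20085 trace_id=21 func=get_vip64_addr line=1178 msg="find DNAT64: IP-172.16.150.162, port-8(fixed port)"
2024-12-30 17:31:02 id=20085 trace_id=21 func=get_new_addr64 line=1114 msg="find SNAT64: IP-172.16.100.1(from IPPOOL), port-60802"
2024-12-30 17:31:02 id=20085 trace_id=21 func=fw6_forward_handler line=591 msg="Allowed by Policy-1: SNAT"
2024-12-30 17:31:02 id=20085 trace_id=21 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-172.16.150.162 via port2"
2024-12-30 17:31:02 id=20085 trace_id=21 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"
'''

LINE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"')
PATTERNS = {
    "packet": re.compile(r'received a packet\(proto=\d+, (\S+):\d+->(\S+):\d+\) from (\S+)\.'),
    "dnat64": re.compile(r'find DNAT64: IP-([\d.]+)'),
    "snat64": re.compile(r'find SNAT64: IP-([\d.]+)'),
    "route4": re.compile(r'find a route: flag=\S+ gw-([\d.]+) via (\S+)'),
    "allowed": re.compile(r'Allowed by Policy-(\d+)'),
}

def summarize(text):
    """Group debug flow lines by trace_id and pull out the NAT64 fields."""
    traces = {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        tid, func, msg = m.groups()
        t = traces.setdefault(tid, {"allowed_by": {}})
        for key, pat in PATTERNS.items():
            hit = pat.search(msg)
            if not hit:
                continue
            if key == "allowed":
                t["allowed_by"][func] = int(hit.group(1))  # stage -> policy id
            elif key == "packet":
                # Address and port are joined by ':'; the last ':' separates them.
                t["src6"], t["dst6"], t["in_if"] = hit.groups()
            elif key == "route4":
                t["gw4"], t["out_if"] = hit.groups()
            else:
                t[key] = hit.group(1)
    return traces

def nat64_complete(t):
    """True when both translations were found and both forwarding stages allowed the packet."""
    stages = {"fw6_forward_handler", "fw_forward_handler"}
    return "dnat64" in t and "snat64" in t and stages <= set(t["allowed_by"])
```

A trace where nat64_complete returns False shows which piece is missing: no dnat64 means the VIP64 was not matched, no snat64 means the IP pool was not applied, and a missing stage in allowed_by means that side of the policy check did not allow the packet.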