Author: RobBlenk (Staff)
Article Id 293888
Description: This article describes how to create a NAT64 firewall policy that allows IPv6 clients to reach an IPv4 server published through a virtual IP (VIP) on the internal network.
Scope: FortiOS
Solution:

Step 1:
Enable IPv6 in the GUI. The article 'Technical Tip: IPv6 support' describes how to do that in detail.

Step 2:
Create a NAT64 VIP object.

Note:

The external IPv6 address (extip) of the VIP must differ from the public address of the external-facing interface but lie in the same range.
In this example, the VIP extip is 2404:a800:2a00::b47 and the public IPv6 address on the interface is 2404:a800:2a00::b46.

 

[Image: VIP.png - the NAT64 VIP object as created in the GUI]

 

CLI:

 

config firewall vip6
    edit "test-vip64-1"
        set uuid bfd1d040-abe9-51ee-a64b-35170902c7b9
        set extip 2404:a800:2a00::b47 <----- Ensure that this is not the same as the IP of the WAN interface.
        set nat66 disable
        set nat64 enable
        set ipv4-mappedip 172.16.150.162
    next
end

 

Step 3:

Create an SNAT IP pool using an IP address that is neither the interface IP nor used anywhere else on the network. Enable 'arp-reply' on the pool so that the FortiGate answers ARP requests for this address.

 

[Image: IPpool.png - the NAT64 IP pool as created in the GUI]

 

CLI:

 

config firewall ippool
    edit "Test-ippool"
        set startip 172.16.100.1
        set endip 172.16.100.1
        set arp-reply enable
        set nat64 enable
    next
end

Step 4:

Create the firewall policy, enabling NAT64 in the NAT section. The policy references the VIP as its IPv6 destination and the IP pool as its source NAT address.

 

[Image: Policy.png - the NAT64 firewall policy as created in the GUI]

 

CLI:

 

config firewall policy
    edit 1
        set name "policy64-1"
        set uuid 0084683e-abf7-51ee-cd9c-fa9e15de6489
        set srcintf "port3"
        set dstintf "port2"
        set action accept
        set nat64 enable
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "test-vip64-1"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set auto-asic-offload disable
        set ippool enable
        set poolname "Test-ippool"
    next
end
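The three CLI snippets above share a few constraints that are easy to get wrong (extip not equal to the WAN address but inside its prefix, pool address unused elsewhere, arp-reply and nat64 enabled, policy referencing the right VIP and pool). The following Python script is an added example, not part of the article or of FortiOS: it parses the article's CLI snippets into dictionaries and checks those rules. The interface prefix length (/64) and the `used_ipv4` list are assumptions, since the article gives only the interface address.

```python
import ipaddress

# Constructed sample: the vip6, ippool and policy snippets from the article,
# concatenated (uuid lines dropped; they carry no configuration meaning here).
SAMPLE_CONFIG = """
config firewall vip6
    edit "test-vip64-1"
        set extip 2404:a800:2a00::b47
        set nat66 disable
        set nat64 enable
        set ipv4-mappedip 172.16.150.162
    next
end
config firewall ippool
    edit "Test-ippool"
        set startip 172.16.100.1
        set endip 172.16.100.1
        set arp-reply enable
        set nat64 enable
    next
end
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "port2"
        set action accept
        set nat64 enable
        set dstaddr6 "test-vip64-1"
        set ippool enable
        set poolname "Test-ippool"
    next
end
"""


def parse_fortios(text):
    """Parse single-level 'config / edit / set / next / end' blocks into
    {table: {entry: {key: value}}}. Quotes around names and values are stripped."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            table = tables.setdefault(line[len("config "):], {})
        elif line.startswith("edit ") and table is not None:
            entry = table.setdefault(line[len("edit "):].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            entry[key] = value.strip().strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            table = None
    return tables


def check_nat64_setup(tables, wan_if6, vip_name, pool_name, policy_id, used_ipv4=()):
    """Apply the article's rules to a parsed config; return a list of problems
    (empty list = passes). wan_if6 is the external interface address with its
    prefix, e.g. '2404:a800:2a00::b46/64' (the /64 is an assumption). used_ipv4
    lists LAN addresses already in use, which the SNAT pool must not reuse."""
    problems = []
    vip = tables.get("firewall vip6", {}).get(vip_name)
    pool = tables.get("firewall ippool", {}).get(pool_name)
    policy = tables.get("firewall policy", {}).get(policy_id)
    for label, obj in (("vip6", vip), ("ippool", pool), ("policy", policy)):
        if obj is None:
            problems.append(f"{label} object not found")
    if problems:
        return problems

    # Step 2 rule: extip differs from the WAN address but sits in its range.
    wan = ipaddress.IPv6Interface(wan_if6)
    extip = ipaddress.IPv6Address(vip.get("extip", "::"))
    if extip == wan.ip:
        problems.append("vip6 extip must not equal the WAN interface address")
    if extip not in wan.network:
        problems.append("vip6 extip must be inside the WAN interface prefix")
    if vip.get("nat64") != "enable":
        problems.append("vip6 needs 'set nat64 enable'")
    if "ipv4-mappedip" not in vip:
        problems.append("vip6 has no ipv4-mappedip")

    # Step 3 rule: pool address unused elsewhere, arp-reply and nat64 enabled.
    taken = set(used_ipv4) | {vip.get("ipv4-mappedip")}
    if pool.get("startip") in taken or pool.get("endip") in taken:
        problems.append("ippool address collides with an address already in use")
    for key in ("arp-reply", "nat64"):
        if pool.get(key) != "enable":
            problems.append(f"ippool needs 'set {key} enable'")

    # Step 4 rule: the policy ties VIP, pool and NAT64 together.
    expected = {"action": "accept", "nat64": "enable", "ippool": "enable",
                "poolname": pool_name, "dstaddr6": vip_name}
    for key, value in expected.items():
        if policy.get(key) != value:
            problems.append(f"policy needs 'set {key} {value}'")
    return problems
```

Run `check_nat64_setup(parse_fortios(SAMPLE_CONFIG), "2404:a800:2a00::b46/64", "test-vip64-1", "Test-ippool", "1")` against a `show` dump of the three tables; an empty list means the configuration matches the article, and each string in a non-empty list names the line to fix.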

 

Debug flow for a test ICMPv6 packet (proto=58) arriving on port3 for the VIP, showing the DNAT64 to the mapped IPv4 server, the SNAT64 from the IP pool, and the policy match on both the IPv6 and the IPv4 side:

 

2024-12-30 17:31:02 id=20085 trace_id=21 func=resolve_ip6_tuple_fast line=4840 msg="vd-root:0 received a packet(proto=58, 2001:4860:4861::2:19017->2404:a800:2a00::b47:128) from port3."
2024-12-30 17:31:02 id=20085 trace_id=21 func=resolve_ip6_tuple line=4979 msg="allocate a new session-00000021"
2024-12-30 17:31:02 id=20085 trace_id=21 func=get_vip64_addr line=1178 msg="find DNAT64: IP-172.16.150.162, port-8(fixed port)"
2024-12-30 17:31:02 id=20085 trace_id=21 func=vf_ip6_route_input line=1212 msg="find a route: gw-2001:4860:4860::3 via naf.root err 0 flags 01000001"
2024-12-30 17:31:02 id=20085 trace_id=21 func=fw6_forward_handler line=457 msg="Check policy between port3 -> naf.root"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope6_fwd_check line=543 msg="in-[port3], out-[naf.root], skb_flags-00000040, vid-1, app_id: 0, url_cat_id: 0"
2024-12-30 17:31:02 id=20085 trace_id=21 func=__iprope6_check line=1539 msg="gnum-100004, check-ffffffffa010d512"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope6_check_one_policy line=1359 msg="checked gnum-100004 policy-1, ret-matched, act-accept"
2024-12-30 17:31:02 id=20085 trace_id=21 func=get_new_addr64 line=1114 msg="find SNAT64: IP-172.16.100.1(from IPPOOL), port-60802"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope6_check_one_policy line=1516 msg="policy-1 is matched, act-accept"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope6_policy_group_check line=3183 msg="after check: ret-matched, act-accept, flag-08050501, flag2-00204200"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope6_fwd_check line=562 msg="after iprope6_captive_check(): is_captive-0, ret-matched, act-accept, idx-1"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope6_reverse_dnat_check line=131 msg="in-[port3], out-[naf.root], skb_flags-00000040, vid-1"
2024-12-30 17:31:02 id=20085 trace_id=21 func=__iprope6_check line=1539 msg="gnum-100002, check-ffffffffa010d512"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope6_policy_group_check line=3183 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2024-12-30 17:31:02 id=20085 trace_id=21 func=fw6_forward_handler line=591 msg="Allowed by Policy-1: SNAT"
2024-12-30 17:31:02 id=20085 trace_id=21 func=ip6_nat_af_input line=297 msg="nat64 ipv6 received a packet proto=58"
2024-12-30 17:31:02 id=20085 trace_id=21 func=init_ip_session_common line=6046 msg="allocate a new session-0000007e, tun_id=0.0.0.0"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope_dnat_check line=5336 msg="in-[naf.root], out-[]"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope_dnat_tree_check line=827 msg="len=0"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-12-30 17:31:02 id=20085 trace_id=21 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-172.16.150.162 via port2"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope_fwd_check line=782 msg="in-[naf.root], out-[port2], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
2024-12-30 17:31:02 id=20085 trace_id=21 func=__iprope_check line=2272 msg="gnum-100004, check-ffffffffa002c077"
2024-12-30 17:31:02 id=20085 trace_id=21 func=__iprope_check_one_policy line=2025 msg="checked gnum-100004 policy-1, ret-matched, act-accept"
2024-12-30 17:31:02 id=20085 trace_id=21 func=__iprope_user_identity_check line=1814 msg="ret-matched"
2024-12-30 17:31:02 id=20085 trace_id=21 func=__iprope_check_one_policy line=2242 msg="policy-1 is matched, act-accept"
2024-12-30 17:31:02 id=20085 trace_id=21 func=__iprope_check line=2289 msg="gnum-100004 check result: ret-matched, act-accept, flag-08010001, flag2-00006200"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope_fwd_check line=819 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-1"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope_fwd_auth_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-1"
2024-12-30 17:31:02 id=20085 trace_id=21 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"
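When the debug flow is long, the lines that matter for NAT64 are the received-packet line, the DNAT64 and SNAT64 lookups, the route lookups and the policy verdicts on both the IPv6 and the IPv4 side. The Python script below is an added example, not part of the article or of FortiOS: it reduces a trace to those facts per trace_id and checks them against the values the policy is expected to produce. The sample lines are copied in shape from the trace above; the field names of the summary dictionary are the example's own.

```python
import re

# Constructed sample: a subset of the article's debug flow lines, unchanged in
# format, reduced to the ones the summary needs.
DEBUG_FLOW = """\
2024-12-30 17:31:02 id=20085 trace_id=21 func=resolve_ip6_tuple_fast line=4840 msg="vd-root:0 received a packet(proto=58, 2001:4860:4861::2:19017->2404:a800:2a00::b47:128) from port3."
2024-12-30 17:31:02 id=20085 trace_id=21 func=get_vip64_addr line=1178 msg="find DNAT64: IP-172.16.150.162, port-8(fixed port)"
2024-12-30 17:31:02 id=20085 trace_id=21 func=vf_ip6_route_input line=1212 msg="find a route: gw-2001:4860:4860::3 via naf.root err 0 flags 01000001"
2024-12-30 17:31:02 id=20085 trace_id=21 func=get_new_addr64 line=1114 msg="find SNAT64: IP-172.16.100.1(from IPPOOL), port-60802"
2024-12-30 17:31:02 id=20085 trace_id=21 func=iprope6_check_one_policy line=1516 msg="policy-1 is matched, act-accept"
2024-12-30 17:31:02 id=20085 trace_id=21 func=fw6_forward_handler line=591 msg="Allowed by Policy-1: SNAT"
2024-12-30 17:31:02 id=20085 trace_id=21 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-172.16.150.162 via port2"
2024-12-30 17:31:02 id=20085 trace_id=21 func=__iprope_check_one_policy line=2242 msg="policy-1 is matched, act-accept"
2024-12-30 17:31:02 id=20085 trace_id=21 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')
DNAT_RE = re.compile(r'find DNAT64: IP-([\d.]+), port-(\d+)')
SNAT_RE = re.compile(r'find SNAT64: IP-([\d.]+)\(from (\w+)\), port-(\d+)')
POLICY_RE = re.compile(r'policy-(\d+) is matched, act-(\w+)')
ROUTE_RE = re.compile(r'find a route: .*gw-(\S+) via (\S+)')
VERDICT_RE = re.compile(r'Allowed by Policy-(\d+)')


def split_addr_port(s):
    """FortiOS prints IPv6 as addr:port without brackets; the port follows the last colon."""
    addr, port = s.rsplit(":", 1)
    return addr, int(port)


def summarize_trace(text):
    """Return {trace_id: summary}; each summary holds the NAT64-relevant facts."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        tid, func, msg = m.groups()
        t = traces.setdefault(tid, {
            "proto": None, "src6": None, "dst6": None, "in_if": None,
            "dnat64": None, "snat64": None, "policies": [], "routes": [], "verdicts": [],
        })
        if (p := PKT_RE.search(msg)):
            t["proto"] = int(p.group(1))
            t["src6"] = split_addr_port(p.group(2))
            t["dst6"] = split_addr_port(p.group(3))
            t["in_if"] = p.group(4)
        elif (d := DNAT_RE.search(msg)):
            t["dnat64"] = (d.group(1), int(d.group(2)))           # (mapped IPv4, port)
        elif (s := SNAT_RE.search(msg)):
            t["snat64"] = (s.group(1), s.group(2), int(s.group(3)))  # (pool IPv4, source, port)
        elif (pol := POLICY_RE.search(msg)):
            t["policies"].append((func, int(pol.group(1)), pol.group(2)))
        elif (r := ROUTE_RE.search(msg)):
            t["routes"].append((r.group(1), r.group(2)))          # (gateway, egress interface)
        elif (v := VERDICT_RE.search(msg)):
            t["verdicts"].append(int(v.group(1)))
    return traces


def nat64_path_ok(t, vip_ext6, mapped4, pool4, policy_id):
    """True when the trace shows the translation the article's policy should produce:
    packet to the VIP, DNAT64 to the mapped server, SNAT64 from the pool, and the
    same policy accepting on both the IPv6 and the IPv4 pass."""
    return (
        t["dst6"] is not None and t["dst6"][0] == vip_ext6
        and t["dnat64"] is not None and t["dnat64"][0] == mapped4
        and t["snat64"] is not None and t["snat64"][0] == pool4
        and len(t["verdicts"]) == 2 and set(t["verdicts"]) == {policy_id}
    )
```

A trace in which `dnat64` stays `None` points at the VIP (wrong extip or dstaddr6), one in which `snat64` is missing or shows an address other than the pool points at Step 3 or the `ippool`/`poolname` settings, and fewer than two verdicts means the packet was dropped before reaching the IPv4 pass.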