sbabu (Staff)
Article Id 400380
Description

 

This article describes how to configure NAT64 to allow IPv6 traffic to reach IPv4-only traffic domains when central SNAT is enabled.

 

Scope

 

FortiGate.

 

Solution

 

Topology:

 

NAT64_SNAT100.drawio.png

 

  1. Enable Central SNAT by navigating to System -> Settings -> System Operation Settings -> Enable Central SNAT.

 

NAT64_1.png

 

  2. Configure an IPv6 VIP; the external IPv6 address must be different from the address configured on the interface. To configure, navigate to DNAT & Virtual IPs -> IPv6 Virtual IP and select 'Create New'.

 

NAT64_2.png

CLI:

config firewall vip6
    edit "VIP64"
        set uuid 827245da-5c92-51f0-93ca-1ea303e3c75b
        set extip 2abc:abc:a::1a
        set nat66 disable
        set nat64 enable
        set ipv4-mappedip 10.190.3.21
    next
end

 

  3. Create an IP pool with an IPv4 address that is neither the interface IP nor in use anywhere else on the network. 'ARP reply' should be enabled for this address.


NAT64_3.png

 

CLI:

config firewall ippool
    edit "Test-64"
        set startip 10.190.3.200
        set endip 10.190.3.200
        set arp-reply enable
        set nat64 enable
    next
end

 

  4. Configure a Central NAT policy to translate the IPv6 address to the IPv4 address pool, and then configure a firewall policy to allow NAT64 traffic.


NAT64_4.png

 

NAT64_111 (1).jpg

Note:

When Central NAT is enabled, the user cannot add a VIP object as a destination address in the firewall policy. Hence, it is recommended to use the actual mapped address, i.e., 2abc:abc:a::1a.

 

Debug flow:

 

FW1 # diagnose de flow filter6 addr 2abc:abc:a::1a

FW1 # diagnose de flow show function-name enable
show function name

FW1 # diagnose de flow trace start6 100

FW1 # diagnose de enable

FW1 #
id=65308 trace_id=184 func=resolve_ip6_tuple_fast line=5109 msg="vd-root:0 received a packet(proto=6, 2abc:abc:a::ab:60075->2abc:abc:a::1a:80) from port4. flag [S], seq 3790127118, ack 0, win 64800"
id=65308 trace_id=184 func=resolve_ip6_tuple line=5260 msg="allocate a new session-0001ee4c"
id=65308 trace_id=184 func=get_new_addr6 line=1361 msg="find NAT: IP-::, port-0(fixed port)"
id=65308 trace_id=184 func=get_vip64_addr line=1296 msg="find DNAT64: IP-10.190.3.21, port-0(fixed port)"
id=65308 trace_id=184 func=__ip6_session_run_tuple line=2832 msg="DNAT 2abc:abc:a::1a:80->2abc:abc:a::1a:80"
id=65308 trace_id=184 func=fw6_pre_route_handler line=143 msg="VIP-2abc:abc:a::1a:80, outdev-unknown"
id=65308 trace_id=184 func=ip6_route_input line=2208 msg="find a route: gw-:: via naf.root err 0 flags 40000001"
id=65308 trace_id=184 func=fw6_forward_handler line=577 msg="Check policy between port4 -> naf.root"
id=65308 trace_id=184 func=get_new_addr64 line=1232 msg="find SNAT64: IP-10.190.3.200(from IPPOOL), port-52261"
id=65308 trace_id=184 func=fw6_forward_handler line=706 msg="Allowed by Policy-3: SNAT"
id=65308 trace_id=184 func=ip6_nat_af_input line=299 msg="nat64 ipv6 received a packet proto=6"
id=65308 trace_id=184 func=init_ip_session_common line=6204 msg="allocate a new session-000726ee"
id=65308 trace_id=184 func=__vf_ip_route_input_rcu line=1989 msg="find a route: flag=00000000 gw-0.0.0.0 via port3"
id=65308 trace_id=184 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=125, len=2"
id=65308 trace_id=184 func=fw_forward_handler line=1002 msg="Allowed by Policy-3:"
id=65308 trace_id=184 func=ip_session_confirm_final line=3179 msg="npu_state=0x100, hook=4"

 

id=65308 trace_id=185 func=resolve_ip6_tuple_fast line=5109 msg="vd-root:0 received a packet(proto=6, 2abc:abc:a::ab:60076->2abc:abc:a::1a:80) from port4. flag [S], seq 2798286337, ack 0, win 64800"
id=65308 trace_id=185 func=resolve_ip6_tuple line=5260 msg="allocate a new session-0001ee4d"
id=65308 trace_id=185 func=get_new_addr6 line=1361 msg="find NAT: IP-::, port-0(fixed port)"
id=65308 trace_id=185 func=get_vip64_addr line=1296 msg="find DNAT64: IP-10.190.3.21, port-0(fixed port)"
id=65308 trace_id=185 func=__ip6_session_run_tuple line=2832 msg="DNAT 2abc:abc:a::1a:80->2abc:abc:a::1a:80"
id=65308 trace_id=185 func=fw6_pre_route_handler line=143 msg="VIP-2abc:abc:a::1a:80, outdev-unknown"
id=65308 trace_id=185 func=ip6_route_input line=2208 msg="find a route: gw-:: via naf.root err 0 flags 40000001"
id=65308 trace_id=185 func=fw6_forward_handler line=577 msg="Check policy between port4 -> naf.root"
id=65308 trace_id=185 func=get_new_addr64 line=1232 msg="find SNAT64: IP-10.190.3.200(from IPPOOL), port-52898"
id=65308 trace_id=185 func=fw6_forward_handler line=706 msg="Allowed by Policy-3: SNAT"
id=65308 trace_id=185 func=ip6_nat_af_input line=299 msg="nat64 ipv6 received a packet proto=6"
id=65308 trace_id=185 func=init_ip_session_common line=6204 msg="allocate a new session-000726ef"
id=65308 trace_id=185 func=__vf_ip_route_input_rcu line=1989 msg="find a route: flag=00000000 gw-0.0.0.0 via port3"
id=65308 trace_id=185 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=125, len=2"
id=65308 trace_id=185 func=fw_forward_handler line=1002 msg="Allowed by Policy-3:"
id=65308 trace_id=185 func=ip_session_confirm_final line=3179 msg="npu_state=0x100, hook=4"

Session Info:


FW1 # diagnose sys session6 list

   session6 info: proto=6 proto_state=01 duration=3 expire=3596 timeout=3600 refresh_dir=both flags=00000000 sockport=0 socktype=0 use=3
   origin-shaper=
   reply-shaper=
   per_ip_shaper=
   class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
   state=log may_dirty
   statistic(bytes/packets/allow_err): org=789/4/0 reply=275/2/0 tuples=2
   tx speed(Bps/kbps): 197/1 rx speed(Bps/kbps): 68/0
   orgin->sink: org pre->post, reply pre->post dev=6->15/15->6
   hook=pre dir=org act=dnat 2abc:abc:a::ab:60071->2abc:abc:a::1a:80(2abc:abc:a::1a:80)
   hook=post dir=reply act=snat 2abc:abc:a::1a:80->2abc:abc:a::ab:60071(2abc:abc:a::1a:80)
   peer=10.190.3.200:27561->10.190.3.21:80 naf=1
   hook=pre dir=org act=noop 10.190.3.200:27561->10.190.3.21:80(0.0.0.0:0)
   hook=post dir=reply act=noop 10.190.3.21:80->10.190.3.200:27561(0.0.0.0:0)
   misc=0 policy_id=3 pol_uuid_idx=16064 auth_info=0 chk_client_info=0
   serial=00018012 tos=ff/ff ips_view=13874 app_list=0 app=0 url_cat=0
   rpdb_link_id=00000000 ngfwid=n/a
   npu_state=0x000100
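As an added example (not part of the original article or of FortiOS), the following Python checker parses debug flow lines of the shape shown above and confirms that the DNAT64 and SNAT64 decisions match the VIP64 and Test-64 objects configured in steps 2 and 3. The sample trace lines are constructed from the trace above; EXPECTED holds the values from this article's configuration and would be changed for another deployment.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: four lines in the shape of this article's debug-flow trace.
SAMPLE_TRACE = """\
id=65308 trace_id=184 func=resolve_ip6_tuple_fast line=5109 msg="vd-root:0 received a packet(proto=6, 2abc:abc:a::ab:60075->2abc:abc:a::1a:80) from port4. flag [S], seq 3790127118, ack 0, win 64800"
id=65308 trace_id=184 func=get_vip64_addr line=1296 msg="find DNAT64: IP-10.190.3.21, port-0(fixed port)"
id=65308 trace_id=184 func=get_new_addr64 line=1232 msg="find SNAT64: IP-10.190.3.200(from IPPOOL), port-52261"
id=65308 trace_id=184 func=fw6_forward_handler line=706 msg="Allowed by Policy-3: SNAT"
"""
# Values taken from the VIP64 and Test-64 objects in this article.
EXPECTED = {"extip": "2abc:abc:a::1a", "mappedip": "10.190.3.21",
            "pool": ("10.190.3.200", "10.190.3.200"), "policy": 3}

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"$')
# The IPv6 address and port are joined by ':', so take the shortest prefix followed by ':<port>'.
PKT_RE = re.compile(r'received a packet\(proto=\d+, (\S+?):\d+->(\S+?):\d+\) from (\S+)\.')
DNAT64_RE = re.compile(r'find DNAT64: IP-([\d.]+)')
SNAT64_RE = re.compile(r'find SNAT64: IP-([\d.]+)\(from IPPOOL\), port-(\d+)')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')

def parse_trace(text):
    """Group debug-flow lines by trace_id and record the NAT64 decisions seen in each."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, _func, msg = m.groups()
        f = flows.setdefault(tid, {"policies": []})
        if p := PKT_RE.search(msg):
            f.update(src6=p.group(1), dst6=p.group(2), inif=p.group(3))
        elif p := DNAT64_RE.search(msg):
            f["dnat64"] = p.group(1)          # IPv4 target chosen from the VIP's ipv4-mappedip
        elif p := SNAT64_RE.search(msg):
            f["snat64"], f["sport"] = p.group(1), int(p.group(2))  # source taken from the ippool
        elif p := POLICY_RE.search(msg):
            f["policies"].append(int(p.group(1)))
    return flows

def check_flow(f, expected):
    """Return a list of findings; an empty list means the flow was translated as configured."""
    findings = []
    if f.get("dst6") != expected["extip"]:
        findings.append(f"destination {f.get('dst6')} is not the VIP extip {expected['extip']}")
    if f.get("dnat64") != expected["mappedip"]:
        findings.append(f"DNAT64 target {f.get('dnat64')} != ipv4-mappedip {expected['mappedip']}")
    lo, hi = (IPv4Address(a) for a in expected["pool"])
    if "snat64" not in f or not lo <= IPv4Address(f["snat64"]) <= hi:
        findings.append(f"SNAT64 source {f.get('snat64')} is outside the ippool {lo}-{hi}")
    if expected["policy"] not in f["policies"]:
        findings.append(f"flow was not matched by policy {expected['policy']}")
    return findings
```

Feed the checker the saved output of the diagnose commands above; a non-empty findings list for a trace points at the VIP, IP pool or policy that does not match what was intended.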

 

Related articles:

Technical Tip: How to configure NAT46 to allow IPv4 traffic to reach IPv6-only traffic when central ...

Technical Tip: How to Create a NAT64 Firewall Policy for a VIP