PCNSE
NSE
StrongSwan
1. Clients have static addresses for the beginning. I don't want all servers to end up having public IP addresses and getting access to/from which I don't know (because I can misconfigure the router with my current knowledge). I don't know if a manually assigned address is "stateful" or not, sorry. It is certainly not stateless autoconfiguration, nor DHCPv6.

That's a moot point if we are talking about a firewall. The firewall controls where you allow traffic to. Servers should be statically assigned for shared resources, but even that's moot if you're using dynamic DNS updates (which is the norm btw for ipv6). It sounds like a NAT66 would be ideal for 1st level testing, using a site-local addressing schema and then adding your /64 (assuming /64) global prefixes later imho.

And lastly, I would really execute a ping6 from the fortigate directly, sourcing the inside ipv6 address, and see if that works, e.g.

```
execute ping6 -I <insert address interface here>
```

Try pinging your upstream ipv6 gateway or Google's public ipv6 DNS servers. If this FAILS, then you have a routing issue. Fix your routing issues before moving on.
```
config router static6
    edit 1
        set device "wan1"
        set gateway ---::1
    next
end
```

Is that wrong? The other ping6 gave 100% packet loss:

```
# exec ping6 -I vlan1 ---::1
```

But there actually is connectivity, because in my previous tests, where ---::2 was set on my wan1 interface, outside pings were fine.

Q3: Do you have an ipv6 -nd entry for the link-local address of the next-hop ipv6 gateway? Yes or No

A3: No. What on earth is that? Or more precisely, what is "ipv6 -nd"? Some additional configuration for IPv6 connectivity? Also, what is the "link-local address of the next-hop ipv6 gateway"? I understand that the next-hop IPv6 gateway is my ISP's device/port/whatever that has the address ---::1, but what have link-local addresses to do with it? Or, as I tried a little bit in my previous tests, do I have to add link-local addresses to the internal, external or both interfaces (in addition to the routable public address on the internal interface)?

Thank you for bearing with me! :) I have read a lot about IPv6 in the past, but the gap between that and really configuring it on a live firewall has remained so far.
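The static6 route and the link-local next-hop question above both come down to whether the firewall can resolve the configured gateway at all. The checker below is an added example, not code from this thread or from FortiOS: it models the `device`/`gateway` fields of a static6 entry as a small dataclass and flags the cases where the next hop cannot be resolved (loopback or the firewall's own address, a global gateway that is not on-link for the named interface), while treating a link-local gateway as valid only because `set device` supplies its scope. The interface table and the 2001:db8:: addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Static6Route:
    """Subset of a FortiOS 'config router static6' entry (hypothetical model)."""
    device: str        # egress interface, e.g. "wan1"
    gateway: str       # next-hop address as typed in 'set gateway'
    dst: str = "::/0"  # destination prefix; ::/0 is the default route


def check_static6_route(route: Static6Route, interfaces: dict) -> list:
    """Return problems with one route; an empty list means the next hop is
    resolvable. `interfaces` maps name -> configured addresses in CIDR form."""
    try:
        gw = ipaddress.IPv6Address(route.gateway)
    except ValueError:
        return [f"gateway {route.gateway!r} is not a valid IPv6 address"]
    if route.device not in interfaces:
        return [f"device {route.device!r} is not a configured interface"]
    if gw.is_loopback or gw.is_unspecified:
        return [f"gateway {gw} is not a usable next hop"]
    own = {ipaddress.IPv6Interface(a).ip: name
           for name, addrs in interfaces.items() for a in addrs}
    if gw in own:
        return [f"gateway {gw} is the firewall's own address on {own[gw]}"]
    if gw.is_link_local:
        # fe80::/10 only has meaning per link; 'set device' supplies that scope,
        # so the route is resolvable without any matching global prefix.
        return []
    # A global next hop must be on-link for the egress interface, otherwise
    # neighbor discovery never produces an entry for it.
    on_link = [name for name, addrs in interfaces.items()
               if any(gw in ipaddress.IPv6Interface(a).network for a in addrs)]
    if route.device in on_link:
        return []
    if on_link:
        return [f"gateway {gw} is on-link via {on_link[0]}, not via {route.device}"]
    return [f"gateway {gw} is not on-link for {route.device}: no prefix there contains it"]


if __name__ == "__main__":
    # Constructed interface table using the RFC 3849 documentation prefix.
    ifs = {"wan1": ["2001:db8:1::2/64"], "vlan1": ["2001:db8:2::1/64"]}
    for r in (Static6Route("wan1", "2001:db8:1::1"),   # upstream on-link: ok
              Static6Route("wan1", "fe80::1"),         # link-local + device: ok
              Static6Route("vlan1", "2001:db8:1::1"),  # wrong egress interface
              Static6Route("wan1", "2001:db8:9::1")):  # not on any link
        print(r.device, r.gateway, check_static6_route(r, ifs) or ["ok"])
```

Run it against the addresses actually configured on the firewall before reaching for `ipv6 -nd`: a route that this check rejects will fail the sourced `ping6` test regardless of neighbor entries.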
Copyright 2024 Fortinet, Inc. All Rights Reserved.