Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to set up native IPv6?
We have native IPv6 and an address space /64.
How can I reach machines in internal IPv6 network (parallel to IPv4) from outside IPv6 network?
Documentation only describes various alternatives for cases where there is no native IPv6 but tunnels, NATs etc., I don' t want that.
When I set public IPv6 address to wan1 interface of FG 100D 5.0.4, then I can ping this IP from outside, using some web service for pinging. But internal machines can' t ping that address.
When I set public IPv6 address to internal vlan port, then I can ping that internal port from machines and back, but there is no internet connectivity from inside out.
How should I set it up without any NAT? Fortigate should only check services that are reachable from outside to inside IPv6 network, and allow all IPv6 traffic from inside to outside.
16 REPLIES 16
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure as to what your problem(s) based on what you provided, but for starters;
1: How are the clients being addressed ( stateless or stateful )
2: Do you have fwpolicy6 for ipv6 allowances of traffic ( diag debug flow filter6 )
3: do you have a static route ipv6 enable pointing to ipv6 next-hop gateway or running ipv6 dynamic protocol ( config router static6 )
Outside of the above and having 2 or more interfaces with public ipv6 address, it' s no different than ipv4.
I would start by ensuring #3 and do a ping/tracert to a public v6 server like google DNS
2001:4860:4860::8888
2001:4860:4860::8844
Then checking the clients ipv6 address
And then lastly, ensure a correct fwpolicy6 for the traffic allowance. As a alternative you can do NAT66 if in a rush or bind, but you shouldn' t need that if everything is correct.
http://socpuppet.blogspot.com/2012/12/ipv6-fortigate-style.html
http://socpuppet.blogspot.com/2014/04/nat66-in-crunch-on-fortigate.html
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(I didn' t receive any automatic e-mail for this answer... Hence my reply is late.)
1. Clients have static addresses for the beginning. I don' t want all servers end up having public IP-addresses and getting access to/from which I don' t know (because I can misconfigure router with my current knowledge). I don' t know if manually assigned address is " stateful" or not, sorry. It is certainly not stateless autoconfiguration, nor DHCPv6.
2. I tried IPv6 policies in different configurations, which didn' t work, and hence my questions. Actually, I would like to know what interface/zone combinations I should use to create such policy. Is there any figure drawn somewhere about it? This is my main question: where exactly I should define IPv6 addresses in router. An example router configuration would help. IPv4 analogue doens' t help me here because with IPv4 there are two networks involved + NAT, but with IPv6 there is only one and no NAT. IPv4 would help me if I would do NAT between public IPv6 address and internal fe80:blablabla.
3. I configured static route and when I set the IPv6 address on wan1 interface, then these two were connected, ping worked.
Maybe I should present my two different configurations? It may be though that I don' t even know how to ask my question, although I have tried :)
Edit: forgot to add that I also found the first link that you gave, tried it, but it only gave me IPv6-connectivity in internal zone, not to internal->external nor external->internal. Hence I asked my question also in that blog and here. For the second link -- I understand the idea but I don' t want any NAT be involved, even if it works.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
for #2;
A fwpolicy is need for ipv6 internal to external or vice-versa. So it goes back to what was said earlier, get a diag debug flow filter6 and start doing diagnostics.
And find out what did it output if any ?
for #3, the same applies, but also include a diag debug flow command and/or diag sniffer packet would be very useful.
Also a copy of your fwpolicy here could be of help, or deploying a policy made very simple might allow you to test connectivity to include routing for the internal ipv6-LAN
e.g
( just example YMMV, you might not want this :) )
config firewall address6
edit " all"
next
end
config firewall policy6
edit 1
set srcintf switch
set dstintf wan1
set srcaddr " all"
set dstaddr " all"
set action accept
set schedule " always"
set comments " testing to ensure we can get out "
next
end
And then later you build a address group for just that global_prefix
config firewall address6
edit " myipv6_LAN-NET01"
set ip6 2001:111::/64
next
end
Than change the srcadd to be " myipv6_LAN-NET01" or whatever you call it.
If the above works than we now your inside ipv6 lan has reach
If that doesn' t work, than start traceroute6 from the inside ipv6 lan to the outside address and the 1st next-hop
That would at least get you pointed into the right direction ( IF it fwpolicy6 or routing issues )
2nd , I would highly recommend using auto-conf 1st foripv6 clients and then move to static address. Static address is a bitch imho
3rd, why do you need a zone or think you need a zone? Do you have 2 or more interfaces to bundle in a zone
4th yes static addressing is NOT statefull :)
and for the following;
1. Clients have static addresses for the beginning. I don' t want all servers end up having public IP-addresses and getting access to/from which I don' t know (because I can misconfigure router with my current knowledge). I don' t know if manually assigned address is " stateful" or not, sorry. It is certainly not stateless autoconfiguration, nor DHCPv6.That' s a mute point if we are talking about a firewall. The firewall controls where you allow traffic to. Servers should be static assigned for shared resource but even that' s mute if your using dynamic dns updates ( which is the norm btw for ipv6 ) It sounds like a NAT66 would be ideal for 1st level testing and using a site-local addressing schema and then adding your /64 ( assuming /64 ) global prefixes later imho And lastly, I would really execute a ping6 from the fortigate directly sourcing the inside iv6 address and see if that works. e.g execute ping6 -I <insert address interface here> Try pinging your upstream ipv6 gateway or googlepublic ipv6 DNS servers. If this FAILS, than you have a routing issues. Fix your routing issues before moving on .
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for suggestions!
I' ll show what I did before and what didn' t work.
# sho sys int wan1
config system interface
edit " wan1"
set vdom " root"
set ip <IPv4-address/mask>
set allowaccess https ssh
set type physical
set listen-forticlient-connection enable
set snmp-index 1
config ipv6
set ip6-address ---::2/64
end
next
end
# sho router static6
config router static6
edit 1
set device " wan1"
set gateway ---::1
next
end
# exec ping6-options source auto
# exec ping6 -I wan1 2001:4860:4860::8888
PING 2001:4860:4860::8888(2001:4860:4860::8888) from ---::2 wan1: 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=55 time=42.2 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=55 time=38.7 ms
Now to internal part.
# sho firewall policy6 2
config firewall policy6
edit 2
set srcintf " trust"
set dstintf " untrust"
set srcaddr " all"
set dstaddr " all"
set action accept
set schedule " always"
set service " ALL"
set logtraffic all
set nat enable
next
end
First I tried it without NAT, didn' t work. Then with NAT, still didn' t work. Firewall logs no packets for this rule (in GUI). And I don' t see that it should work anyway because IPv6-address is on wan1+untrust zone, but machine behind the router is connected to a port that is in trust zone and there is no (public) IPv6 address in trust zone.
About zones: for me, firewall allows or denies traffic between zones, and networks having similar policies applied to belong to the same zone. Yes, I can put my server with public IPv6-address into untrust zone, but then that server is open to everybody, for all hackers, port knockers etc.! Since I don' t want that, I want firewall to check which services are allowed from internet to reach the server. Is this way of thinking wrong regarding IPv6? All servers have to have their own firewalls and then be put straight into the public network (with another NIC)? Sounds absurd. But please clarify what did you mean that " think you need a zone" ? Should it be all better without them? We' ve found them very convenient.
OK, I thought about NAT again. I added link-local fe80 to internal
# sho sys int vlan1
config system interface
edit " vlan1"
set vdom " root"
set ip <IPv4/mask>
set allowaccess ping https ssh
set snmp-index 29
config ipv6
set ip6-allowaccess ping
set ip6-address fe80::209:fff:feb9:18ac/10
end
set interface " port1"
set vlanid 1
next
end
Ping from server to 2001:4860:4860::8888 didn' t work... Same from router:
# exec ping6 -I vlan1 2001:4860:4860::8888
connect: Network is unreachable
OK, let' s add the route (even though it doesn' t look good).
# sho router static6 2
config router static6
edit 2
set device " vlan1"
set dst fe80::/10
set gateway fe80::209:fff:feb9:18ac
next
end
I don' t know why this route didn' t appear as connected after I set address to vlan1.
Well, now I can ping this router' s fe80 address from server too (after adding fe80::/10 to one of the admin' s trusted hosts' list), but ping to outside still doesn' t work. Hmm... I changed server' s IPv6 address manually to link-local address and added fe80::209:fff:feb9:18ac as gateway, but now when pinging outside, I got " general failure" instead of former " Destination host unreachable" . Perhaps Windows Firewall blocks? I added special rule, no success, and " general failure" actually points to some other problem than to a local firewall rule anyway. So I changed my server address back to ---::10/64, gateway to ---::2, but I can' t ping firewall' s public IPv6-address nor Google servers, just like before.
I even created a policy route for test, but that didn' t help.
# sho router policy6
config router policy6
edit 1
set input-device " vlan1"
set src fe80::/10
set gateway ---::1
set output-device " wan1"
next
end
I can try " diag debug flow filter6" but I have to make clear how to make filters and how to read output, I haven' t done debugging with filters so far on FG CLI. I tried recently with some IPv4 problem but I realised it wasn' t as natural as I thought. I still think my " topology" is principally wrong and I don' t know how to make it right.
Then I removed fe80-stuff from router. This is after removing:
# exec ping6 -I vlan1 2001:4860:4860::8888
connect: Network is unreachable
So much testing for now. I' ll try to find time and see debugging with filters. I didn' t try any 46/64/66 NAT' s yet.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' m so confused now on what your doing. Do you have a topology for the inside/external interfaces or trust/untrust?
You need to configure a route-able ipv6 address on the inside interface(s) and source a ping to your next-hop ipv6 gateway.
does that pass?
If no, than you have a routing issue. But for entertainment, can you ping the same next-hop ipv6 gateway using the external(untrust) interface?
does that pass?
If no, than you have a routing issue or possible ipv6-nd issues?
Do you have a ipv6 -nd entry for link-local address of the next-hop ipv6 gateway?
Yes or No
If no, than have you confirm physical and data-link on the link to next-hop ipv6 gateway
Once you have successfully ping from the src interface(s) of the inside hosts pan, but using the fortunate " assigned ipv6 addresses" than you can look at stageful/stateless/static assignments & fwpolicy6 rules.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That was just my attempt to do something that was logical for me. I just wrote it down.
I' ve also tried to configure routable IPv6 to internal interface before, unsuccessfully, but since you tell that it has to be done that way, I will certainly do it and let you know. Thanks! (Before I just didn' t know, do I have to configure it on external or internal interface, that' s why I configured it on external and wrote down all my tests here.)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My last big ipv6 with fortigate was with NTT, then gave us a /48 and I divided that up in /64s that I plumbed on my inside-intfs.
They also gave us a /127 for my BGP instance ( we peer' d with them for both ipv6+4 ) and I shared my common /64 in my area0 backbone as summary route. When we had routing issues and b4 trouble-shooting any fwpolicy6 issues, I always sourced' pings from the inside to the outside to ensure routing was intact 1st.
Always correct any routing issues 1st , & b4 doing anything else.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Q1
You need to configure a route-able ipv6 address on the inside interface(s) and source a ping to your next-hop ipv6 gateway.
does that pass?
Q2
If no, than you have a routing issue. But for entertainment, can you ping the same next-hop ipv6 gateway using the external(untrust) interface?
does that pass?
A1-2
I added ---::2 to my internal vlan1 interface. But I didn' t get what means " source a ping to your next-hop ipv6 gateway" ? The only next-hop that I can think of should be my wan1 interface or ISP-s address ---::1.
# exec ping6 -I wan1 ---::1
connect: Network is unreachable
I expected that because now there is no IPv6 address present on wan1 interface. And what should the routing be? This one is still in the place:
config router static6 edit 1 set device " wan1" set gateway ---::1 next endIs that wrong? The other ping6 gave 100% packet loss: # exec ping6 -I vlan1 ---::1 But there actually is connectivity because in my previous tests where ---::2 was set to my wan1 interface, outside pings were fine. Q3 Do you have a ipv6 -nd entry for link-local address of the next-hop ipv6 gateway? Yes or No A3 No. What on earth is that? Or more precisely, what is " ipv6 -nd" ? Some additional configuration for IPv6 connectivity? Also, what is " link-local address of the next-hop ipv6 gateway" ? I understand that next-hop IPv6 gateway is my ISP-s device/port/whatever that has address ---::1, but what has link-local addresses to do with it? Or, as I tried a little bit before in my previous tests, do I have to add link-local addresses to internal, external or both interfaces (in addition to routable public address on internal interface)? Thank you for bearing with me! :) I have read a lot about IPv6 in the past but the gap between really configuring it on a live firewall has remained so far.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you provide the ipv6 address? Santized? I will show you all of the commands to validate the next-hop gateway. If you want to send me the FGT external/wan1 ip_address and your next-hop gateway address send me a private email with those details.
ND is NeighborDsicovery, it' s the most critical aspect with neighbor discovery
You can monitor this via the cli cmd;
diag ipv6 neighbor-cache list
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan