Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: IPV6 VirtualIP
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPV6 VirtualIP
I have a new Fortigate 60D which I am running in NAT for IPV4 and NAT66 for IPV6.
I have successfully tested IPV4 and IPV6 connection to the internet.
I also have a IPV4 mail server set up with a virtual IP and corresponding IPV4 policy which work fine.
However, the problem I am running into is trying to create a virtual IP for the IPV6
I did the following
config firewall vip6
edit " Mail Server IPV6"
set extip 2001:1890:1222:900::32
set mappedip fd03:cd22:4796:9a9d::32
next
end
This created a VirtualIP which i used in the ipv6 policy to mapped the services to the server the same as the ipv4 policy.
However, no traffic is passing through this policy when connecting to the external ip.
I am at a losss.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2001:1890:1222:900::32Is that above prefix fully routed? 2001:1890::/29 *[BGP/170] 5d 17:30:21, localpref 100 AS path: 7018 I, validation-state: unverified > to 2001:1890:111d:111d:12:255:255:31 via fe-0/0/1.0 Have you ran any diag flow and/or sniffer looking for traffic? Does your ipv6 route-table have a default route? Btw can' t ping it nor telnet to port 25, I would check all of the above and the fwpolicy6 rules
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The 2001:1890:1222:900::32 is part of a 2001:1890:1222:900::/56 real IPV6 subnet from internet provider
The fd03:cd22:4796:9a9d::32 is part of a fd03:cd22:4796:9a9d::/64 internal private IPV6 subnet
and there is a static route in the routing table
::/0 IPV6_Gateway similar to the IPV4 static route of 0:0:0:0/0.0.0.0 IPV4 gateway
I have tried diag and sniffer and I can see a request at wan1 with xxxx-> 2001:1890:1222:900::32 syn xxx when i try to telnet but it goes nowhere and i get xxx packets filter, 0 kernel packets
I figure the problem is with the VIP6 Virtual ID where it is not correctly translating the ext IPV6 to the Internal IPV6 with NAT.
Has anyone sucessfully set this up?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So you have to use a private address space ULA ?
IPv6 was suppose to eliminated and reduce nat, suggestion how is that host configured ?
I' m assuming it' s static and definetely not EUI64, so could try the link-local-address.
If the diag sniffer shows external packets inbound than that' s good, you might want to dump on the backend and see what' s happening.
The diag debug flow filter6 would be helpful here. And I' m assuming you can ping the host from the firewall?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I still want to run NAT because it separates the internal IP' s from the external IP' s and allows me to selectively implement external IP' s that map to a certain server.
The internal network is static private addres space of /64 with a unique guid prefix that corresponds to the standard.
I' ve come to the conclusion that the VIP6 function in FortiOS 5 is flawed and does not work. The examples given in the What' s new handbook have typos and the examples just don' t work. The Virtual IP for IPV4 is straight forward and works fine.
I guess I will have to wait for a firmware update to receive traffic over IPV6 and route it to an internal IPV6 server as I have spent way to much time on what should be a 5 minute policy.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is proof that the VIP6 does not function correctly.
Create VIP for IPV4
config firewall vip
edit " Bryan Server IPV4"
set extip 12.174.50.187
set extintf " wan1"
set mappedip 10.10.0.50
next
end
now telnetting to 12.174.50.187
id=13 trace_id=202 msg=" allocate a new session-0003b3d0"
id=13 trace_id=202 msg=" find SNAT: IP-10.10.0.50(from IPPOOL), port-0"
id=13 trace_id=202 msg=" find SNAT: IP-12.174.50.186, port-21973"
id=13 trace_id=202 msg=" VIP-10.10.0.50:25, outdev-unkown"
id=13 trace_id=202 msg=" DNAT 12.174.50.187:25->10.10.0.50:25"
id=13 trace_id=202 msg=" find a route: gw-10.10.0.50 via internal"
id=13 trace_id=202 msg=" Allowed by Policy-2: SNAT"
id=13 trace_id=202 msg=" SNAT 10.10.0.157->10.10.0.1:21973"
Now performing the same for IPV6
config firewall vip6
edit " Bryan Server IPV6"
set extip 2001:1890:1222:900::32
set mappedip fd03:cd22:4796:9a9d::32
next
end
id=13 trace_id=9 msg=" allocate a new session-00003962"
id=13 trace_id=9 msg=" find NAT: IP-fd03:cd22:4796:9a9d::32, port-25"
id=13 trace_id=9 msg=" DNAT 2001:1890:1222:900::32:25->fd03:cd22:4796:9a9d::32:25"
id=13 trace_id=9 msg=" VIP-fd03:cd22:4796:9a9d::32:25, outdev-unknown"
id=13 trace_id=9 msg=" Check policy between internal -> internal"
id=13 trace_id=9 msg=" Denied by forward policy check"
shows that while the device address is translated it is not forwarded on the internal network. These were created with identical policies one for IPV4 and one for IPV6. The VIP6 policy does not perform the routing of the packet to the destination.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Denied by forward policy checkYou have posted your VIP configuration but what about the fwpolicy6 ? A " Denied by forward policy check" is like 9 out of 10 times related to no policy. It' s been that way with ipv4 and I would assume ipv6 is the same. I would review all of the fwpolicies and ordering of such. See the below reference tips from KB. " http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD31702" FWIW ; if it was matching a fwpolicy6 id , it would have presented the policy #.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the IPV6 policy
edit 6
set srcintf " wan1"
set dstintf " internal"
set srcaddr " All IPV6"
set dstaddr " Bryan Server IPV6"
set action accept
set schedule " always"
set service " SMTP"
next
Here is the IPV4 policy
edit 2
set srcintf " wan1"
set dstintf " internal"
set srcaddr " All IPV4"
set dstaddr " Bryan Server IPV4"
set action accept
set schedule " always"
set service " HTTP" " HTTPS" " FTP" " DNS" " SSH" " IMAP & IMAP TLS" " IMAP SSL" " POP3 & POP3 TLS" " POP3 SSL" " SMTP" " SMTP SSL" " SMTP TLS" " XMPP"
next
which are pretty straight forward. The IPV6 policy which is doing the address change as requested is not forwarding it on the internal network even though it is set to accept thus the problem. Configured identically and both IPV6 and IPV4 work internal to external for browsing. This seems like a Fortinet OS problem.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a similar problem, could you help me?
I received a / 56 and put a valid ip server 2804: 150: 11: 9e02 :: 8. I Created an address and created a firewall rule ALL -> 2804: 150: 11: 9e02 :: 8 ICMP / https, the requests hit the firewall, but without external connectivity. Upon debug i saw the traffic:
in 2804: 150: 11: 9e00 :: 1 -> 2804: 150: 11: 9e02 :: 8: icmp6: neighbor sun: who has 2804: 150: 11: 9e02 :: 8 [class 0xc0]
but when I create a VIP, access works normal.
Access would not have to work without the VIP due to the server have a valid ip?
Tnks,
André.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you mean /56 did you assign this on one interface? What's your topology?
e.g (using your debug )
2804: 150: 11: 9e00 :: 1 -> 2804: 150: 11: 9e02 :: 8: icmp6: neighbor sun: who has 2804: 150: 11: 9e02 :: 8 [class 0xc0]
That's telling a IPv6 ND lookup is taking place for ::8.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,688 -
FortiClient
1,760 -
5.2
801 -
FortiManager
728 -
5.4
639 -
FortiAnalyzer
557 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
431 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
244 -
FortiAuthenticator v5.5
234 -
IPsec
208 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
Certificate
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1711 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.