bryanzim
New Contributor

IPV6 VirtualIP

I have a new Fortigate 60D which I am running in NAT for IPV4 and NAT66 for IPV6. I have successfully tested IPV4 and IPV6 connection to the internet. I also have an IPV4 mail server set up with a virtual IP and corresponding IPV4 policy which work fine. However, the problem I am running into is trying to create a virtual IP for the IPV6. I did the following:

config firewall vip6
    edit "Mail Server IPV6"
        set extip 2001:1890:1222:900::32
        set mappedip fd03:cd22:4796:9a9d::32
    next
end

This created a VirtualIP which I used in the ipv6 policy to map the services to the server the same as the ipv4 policy. However, no traffic is passing through this policy when connecting to the external IP. I am at a loss.
emnoc
Esteemed Contributor III

2001:1890:1222:900::32

Is that above prefix fully routed?

2001:1890::/29 *[BGP/170] 5d 17:30:21, localpref 100
    AS path: 7018 I, validation-state: unverified
    > to 2001:1890:111d:111d:12:255:255:31 via fe-0/0/1.0

Have you run any diag flow and/or sniffer looking for traffic? Does your ipv6 route-table have a default route? Btw, can't ping it nor telnet to port 25. I would check all of the above and the fwpolicy6 rules.

PCNSE NSE StrongSwan
bryanzim
New Contributor

The 2001:1890:1222:900::32 is part of a 2001:1890:1222:900::/56 real IPV6 subnet from the internet provider. The fd03:cd22:4796:9a9d::32 is part of a fd03:cd22:4796:9a9d::/64 internal private IPV6 subnet, and there is a static route in the routing table ::/0 IPV6_Gateway similar to the IPV4 static route of 0:0:0:0/0.0.0.0 IPV4 gateway. I have tried diag and sniffer and I can see a request at wan1 with xxxx -> 2001:1890:1222:900::32 syn xxx when I try to telnet, but it goes nowhere and I get "xxx packets filter, 0 kernel packets". I figure the problem is with the VIP6 Virtual IP where it is not correctly translating the external IPV6 to the internal IPV6 with NAT. Has anyone successfully set this up?
emnoc
Esteemed Contributor III

So you have to use a private address space ULA? IPv6 was supposed to eliminate and reduce NAT. Suggestion: how is that host configured? I'm assuming it's static and definitely not EUI64, so you could try the link-local address. If the diag sniffer shows external packets inbound then that's good; you might want to dump on the backend and see what's happening. The diag debug flow filter6 would be helpful here. And I'm assuming you can ping the host from the firewall?

bryanzim
New Contributor

I still want to run NAT because it separates the internal IPs from the external IPs and allows me to selectively implement external IPs that map to a certain server. The internal network is static private address space of /64 with a unique GUID prefix that corresponds to the standard. I've come to the conclusion that the VIP6 function in FortiOS 5 is flawed and does not work. The examples given in the What's New handbook have typos and the examples just don't work. The Virtual IP for IPV4 is straightforward and works fine. I guess I will have to wait for a firmware update to receive traffic over IPV6 and route it to an internal IPV6 server, as I have spent way too much time on what should be a 5 minute policy.
bryanzim
New Contributor

Here is proof that the VIP6 does not function correctly. Create VIP for IPV4:

config firewall vip
    edit "Bryan Server IPV4"
        set extip 12.174.50.187
        set extintf "wan1"
        set mappedip 10.10.0.50
    next
end

Now telnetting to 12.174.50.187:

id=13 trace_id=202 msg="allocate a new session-0003b3d0"
id=13 trace_id=202 msg="find SNAT: IP-10.10.0.50(from IPPOOL), port-0"
id=13 trace_id=202 msg="find SNAT: IP-12.174.50.186, port-21973"
id=13 trace_id=202 msg="VIP-10.10.0.50:25, outdev-unkown"
id=13 trace_id=202 msg="DNAT 12.174.50.187:25->10.10.0.50:25"
id=13 trace_id=202 msg="find a route: gw-10.10.0.50 via internal"
id=13 trace_id=202 msg="Allowed by Policy-2: SNAT"
id=13 trace_id=202 msg="SNAT 10.10.0.157->10.10.0.1:21973"

Now performing the same for IPV6:

config firewall vip6
    edit "Bryan Server IPV6"
        set extip 2001:1890:1222:900::32
        set mappedip fd03:cd22:4796:9a9d::32
    next
end

id=13 trace_id=9 msg="allocate a new session-00003962"
id=13 trace_id=9 msg="find NAT: IP-fd03:cd22:4796:9a9d::32, port-25"
id=13 trace_id=9 msg="DNAT 2001:1890:1222:900::32:25->fd03:cd22:4796:9a9d::32:25"
id=13 trace_id=9 msg="VIP-fd03:cd22:4796:9a9d::32:25, outdev-unknown"
id=13 trace_id=9 msg="Check policy between internal -> internal"
id=13 trace_id=9 msg="Denied by forward policy check"

This shows that while the device address is translated it is not forwarded on the internal network. These were created with identical policies, one for IPV4 and one for IPV6. The VIP6 policy does not perform the routing of the packet to the destination.
emnoc
Esteemed Contributor III

Denied by forward policy check

You have posted your VIP configuration, but what about the fwpolicy6? A "Denied by forward policy check" is like 9 out of 10 times related to no policy. It's been that way with ipv4 and I would assume ipv6 is the same. I would review all of the fwpolicies and ordering of such. See the below reference tips from KB.

http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD31702

FWIW, if it was matching a fwpolicy6 id, it would have presented the policy #.

bryanzim
New Contributor

Here is the IPV6 policy:

edit 6
    set srcintf "wan1"
    set dstintf "internal"
    set srcaddr "All IPV6"
    set dstaddr "Bryan Server IPV6"
    set action accept
    set schedule "always"
    set service "SMTP"
next

Here is the IPV4 policy:

edit 2
    set srcintf "wan1"
    set dstintf "internal"
    set srcaddr "All IPV4"
    set dstaddr "Bryan Server IPV4"
    set action accept
    set schedule "always"
    set service "HTTP" "HTTPS" "FTP" "DNS" "SSH" "IMAP & IMAP TLS" "IMAP SSL" "POP3 & POP3 TLS" "POP3 SSL" "SMTP" "SMTP SSL" "SMTP TLS" "XMPP"
next

These are pretty straightforward. The IPV6 policy, which is doing the address change as requested, is not forwarding it on the internal network even though it is set to accept, thus the problem. Configured identically, both IPV6 and IPV4 work internal to external for browsing. This seems like a Fortinet OS problem.
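As an added worked example (not code from the thread or from Fortinet), the script below takes the "diag debug flow" output quoted earlier in this thread together with the VIP6 and policy6 CLI fragments, and correlates them the way one would when triaging a "Denied by forward policy check": it extracts the DNAT mapping, looks up which VIP owns the mapped address, finds the policies that reference that VIP, and compares their srcintf/dstintf pair with the interface pair the trace says the policy lookup was evaluated between (in the IPv6 trace above that is "internal -> internal", while policy 6 is wan1 -> internal). The sample input is re-typed from the posts; the `config firewall policy6` table wrapper around "edit 6" and the regular expressions for the trace lines are assumptions about the FortiOS text format, not taken from documentation.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample input, re-typed from the thread. The "config firewall
# policy6" wrapper is assumed; the thread only shows the "edit 6" body.
SAMPLE_CONFIG = """\
config firewall vip6
    edit "Bryan Server IPV6"
        set extip 2001:1890:1222:900::32
        set mappedip fd03:cd22:4796:9a9d::32
    next
end
config firewall policy6
    edit 6
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "All IPV6"
        set dstaddr "Bryan Server IPV6"
        set action accept
        set schedule "always"
        set service "SMTP"
    next
end
"""

TRACE_V6 = """\
id=13 trace_id=9 msg="allocate a new session-00003962"
id=13 trace_id=9 msg="find NAT: IP-fd03:cd22:4796:9a9d::32, port-25"
id=13 trace_id=9 msg="DNAT 2001:1890:1222:900::32:25->fd03:cd22:4796:9a9d::32:25"
id=13 trace_id=9 msg="VIP-fd03:cd22:4796:9a9d::32:25, outdev-unknown"
id=13 trace_id=9 msg="Check policy between internal -> internal"
id=13 trace_id=9 msg="Denied by forward policy check"
"""

TRACE_V4 = """\
id=13 trace_id=202 msg="allocate a new session-0003b3d0"
id=13 trace_id=202 msg="DNAT 12.174.50.187:25->10.10.0.50:25"
id=13 trace_id=202 msg="find a route: gw-10.10.0.50 via internal"
id=13 trace_id=202 msg="Allowed by Policy-2: SNAT"
"""


def parse_cli(text):
    """Parse FortiOS config/edit/set/next/end text into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        words = shlex.split(raw)           # honours the quoted multi-word names
        if not words:
            continue
        if words[0] == "config":
            table = " ".join(words[1:])
            tables.setdefault(table, {})
        elif words[0] == "edit":
            entry = words[1]
            tables[table][entry] = {}
        elif words[0] == "set":
            tables[table][entry][words[1]] = words[2:]
        elif words[0] == "next":
            entry = None
        elif words[0] == "end":
            table = None
    return tables


def parse_trace(text):
    """Group the msg="..." payloads of a debug flow dump by trace_id."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = re.search(r'trace_id=(\d+) msg="(.*)"', line)
        if m:
            sessions[m.group(1)].append(m.group(2))
    return dict(sessions)


def split_addr_port(s):
    addr, port = s.rsplit(":", 1)      # IPv6 literals contain ':', so split on the last one
    return addr, int(port)


def analyze_trace(msgs):
    """Extract DNAT mapping, the interface pair used for the policy lookup, and the verdict."""
    result = {"dnat": None, "checked_pair": None, "verdict": None}
    for msg in msgs:
        if m := re.match(r"DNAT (\S+)->(\S+)", msg):
            result["dnat"] = (split_addr_port(m.group(1)), split_addr_port(m.group(2)))
        elif m := re.match(r"Check policy between (\S+) -> (\S+)", msg):
            result["checked_pair"] = (m.group(1), m.group(2))
        elif m := re.match(r"Allowed by Policy-(\d+)", msg):
            result["verdict"] = ("allowed", m.group(1))
        elif m := re.match(r"Denied by (.+)", msg):
            result["verdict"] = ("denied", m.group(1))
    return result


def check_session(config, msgs, vip_table="firewall vip6", policy_table="firewall policy6"):
    """Return findings that explain a denied session against the VIP and policy config."""
    info, findings = analyze_trace(msgs), []
    if info["verdict"] is None or info["verdict"][0] == "allowed":
        return findings
    if info["dnat"] is None:
        return ["no DNAT in trace: no VIP matched this flow"]
    mapped = info["dnat"][1][0]
    vip = next((n for n, f in config.get(vip_table, {}).items()
                if mapped in f.get("mappedip", [])), None)
    if vip is None:
        return [f"DNAT target {mapped} is not the mappedip of any VIP in {vip_table}"]
    refs = [(pid, p) for pid, p in config.get(policy_table, {}).items()
            if vip in p.get("dstaddr", [])]
    if not refs:
        findings.append(f"no policy in {policy_table} uses VIP '{vip}' as dstaddr")
    for pid, p in refs:
        pair = (p.get("srcintf", ["?"])[0], p.get("dstintf", ["?"])[0])
        if info["checked_pair"] and info["checked_pair"] != pair:
            findings.append(f"policy {pid} is {pair[0]} -> {pair[1]} but the lookup was "
                            f"evaluated between {info['checked_pair'][0]} -> {info['checked_pair'][1]}")
    return findings


if __name__ == "__main__":
    cfg = parse_cli(SAMPLE_CONFIG)
    for tid, msgs in parse_trace(TRACE_V6).items():
        print(f"trace {tid}:", check_session(cfg, msgs) or ["allowed or no finding"])
```

Run on the IPv6 trace it reports that policy 6 is wan1 -> internal while the lookup was evaluated between internal -> internal; on the IPv4 trace it returns no findings because the session was allowed by Policy-2. The point of the correlation is that a DNAT line on its own does not prove the VIP is fine: the interface pair the firewall actually evaluated has to match a policy that references the VIP, which is where these two traces diverge.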
Rede
New Contributor

I have a similar problem, could you help me?

I received a /56 and put a valid IP on a server, 2804:150:11:9e02::8. I created an address and created a firewall rule ALL -> 2804:150:11:9e02::8 ICMP/HTTPS. The requests hit the firewall, but without external connectivity. Upon debug I saw the traffic:

in 2804:150:11:9e00::1 -> 2804:150:11:9e02::8: icmp6: neighbor sol: who has 2804:150:11:9e02::8 [class 0xc0]

but when I create a VIP, access works normally.

Shouldn't access work without the VIP, since the server has a valid IP?

Thanks,

André.

emnoc
Esteemed Contributor III

What do you mean by /56? Did you assign this on one interface? What's your topology?

e.g. (using your debug)

2804:150:11:9e00::1 -> 2804:150:11:9e02::8: icmp6: neighbor sol: who has 2804:150:11:9e02::8 [class 0xc0]

That's telling you an IPv6 ND lookup is taking place for ::8.

 
