Raudi
New Contributor III

Multiple IPv6 addresses on LAN interface

Hi,

I'm currently trying to get IPv6 configured. I have 2 WAN interfaces, each has its own prefix.

WAN1 I got working. Here I'm able to deploy addresses via SLAAC or use static IPs.

My LAN interface has an internal static fd24 address, all my servers have this static address and this is used in DNS. Then I enabled the secondary IP address option and added a static IP from each prefix to the LAN interface. Now my LAN interface has 3 static IPv6 addresses configured:

 

config ipv6
    set ip6-address fd24:7ed4:3bd5:99::250/64
    set ip6-allowaccess ping https ssh
    config ip6-extra-addr
        edit 2a02:xxxx:xxxx:5b00::250/64
        next
        edit 2a02:xxxx:xxxx:5500::250/64
        next
    end
    set ip6-send-adv enable
    config ip6-delegated-prefix-list
        edit 1
            set upstream-interface "wan1"
            set autonomous-flag enable
            set onlink-flag enable
            set subnet ::/64
        next
    end
end

 

Then I added 2 policy routes to route the source with 5b00 to WAN1 and 5500 to WAN2.

OK, from the LAN I can ping the 5b00::250 when I have an address in the 5b00 network. I can also access the internet.

But when I'm in the 5500 network, I can't ping the 5500::250 address of the LAN interface.

When I make a trace on the LAN interface I get a packet from the client with a "Neighbor Solicitation" but nothing else.

And in the routing table I can see only the 5b00 network via :: lan. The 5500 network isn't listed.

Is it possible that the secondary IP is limited to one additional IP address?

Or where else can I look to check why I can't ping the LAN interface with this specific secondary address?

(Next I think I'll try a reboot of the FortiGate, perhaps there is something hanging, and then I'll test with discarding the fd24 address and making the 5b00 primary and the 5500 secondary.)

Regards

Stefan

1 Solution
Raudi
New Contributor III

Hi,

Today I got the info from support that in 6.0.3 the DHCPv6 client will have a unique DUID for each interface.

So the problem is solved in a few weeks when 6.0.3 is available...

Regards

Stefan

emnoc
Esteemed Contributor III

Well, I have never seen dual DHCP WAN with IPv6; either way you will need to confirm a static route6 for the WAN link of preference and a firewall6 rule.

So are you auto-delegating an IPv6 prefix to the internal clients?

 

Ken

 

 

PCNSE NSE StrongSwan
Raudi
New Contributor III

I'm using one of the two prefixes for auto delegation in the LAN, like you wrote in your first post.

But for my servers I disabled that and set a fixed IPv6.

For the two prefixes I made two policy routes:

source prefix1 -> wan1

source prefix2 -> wan2

And I have 2 firewall policies:

incoming lan / source prefix1 / outgoing wan1 / destination all / Protocols PING6,HTTP,HTTPS etc.

incoming lan / source prefix2 / outgoing wan2 / destination all / Protocols PING6,HTTP,HTTPS etc.

When I had enabled the prefix delegation on both WAN interfaces this worked.

Is it possible that the FG can't handle 2 WAN-side autodelegated prefixes? Why is the prefix for WAN2 active on WAN1?

Because of these problems I disabled the autodelegation on the WAN side and want to configure this statically.

But how to configure the outgoing route? I think this is the part that is missing...

With that enabled:

diag debug flow filter6 addr 2a02:2e0:3fe:1001:7777:772e:2:85

I get the following when pinging the above IP from a server in the LAN:

 

id=20085 trace_id=1149 func=resolve_ip6_tuple_fast line=4018 msg="vd-root:0 received a packet(proto=58, 2a02:xxxx:xxxx:5500::18:1->2a02:2e0:3fe:1001:7777:772e:2:85:128) from lan."

id=20085 trace_id=1149 func=resolve_ip6_tuple_fast line=4054 msg="Find an existing session, id-0000485a, original direction"

id=20085 trace_id=1149 func=ipv6_fast_cb line=58 msg="enter fast path"

 

This will repeat for every ping...

 

And the routing table looks like this:

 

C       ::1/128 via ::, root, 1d10h38m

C       2a02:xxxx:xxxx:5500::/64 via ::, lan, 1d10h38m

C       2a02:xxxx:xxxx:5b00::/64 via ::, lan, 1d10h38m

C       2a02:xxxx:xxxx:98:5c:f52e:b993:f829/128 via ::, wan1, 11:21:21

C       2a02:xxxx:xxxx:98:6543:28b4:9fdc:dc1/128 via ::, wan2, 10:49:55

S       fd24:7ed4:3bd5:88::/64 [10/0] via fd24:7ed4:3bd5:99::1, lan, 1d10h38m

C       fd24:7ed4:3bd5:99::/64 via ::, lan, 1d10h38m

C       fe80::/64 via ::, wan2, 1d10h00m

K       ff00::/8 via ::, wan2, 1d10h01m

 

The IPv6 addresses for WAN1 and WAN2 are dynamic...

 

Regards

Stefan
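The symptom in the first post was a LAN prefix with no connected route. The following is an added example, not code from the thread or from Fortinet: a small Python checker that parses routing-table lines in the format posted above, flags any LAN address (primary or ip6-extra-addr) whose /64 has no connected route on the LAN interface, and reports which policy6 rule would carry each prefix. The sample table is constructed with 2001:db8 documentation prefixes because the thread's addresses are masked with xxxx.

```python
import ipaddress
import re

# Parses one FortiOS "get router info6 routing-table" line: code, prefix, optional [metric], via, iface
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\s+(?P<prefix>\S+)(?:\s+\[[^\]]+\])?"
    r"\s+via\s+(?P<via>[^,]+),\s+(?P<iface>[^,]+),"
)

# Constructed sample (2001:db8 documentation prefixes, the thread masks its own):
# the 5b00 prefix has a connected route on "lan", the 5500 prefix does not.
SAMPLE_TABLE = """\
C       ::1/128 via ::, root, 1d10h38m
C       2001:db8:1:5b00::/64 via ::, lan, 1d10h38m
C       2001:db8:1:98:5c:f52e:b993:f829/128 via ::, wan1, 11:21:21
S       fd24:7ed4:3bd5:88::/64 [10/0] via fd24:7ed4:3bd5:99::1, lan, 1d10h38m
C       fd24:7ed4:3bd5:99::/64 via ::, lan, 1d10h38m
K       ff00::/8 via ::, wan2, 1d10h01m
"""

def parse_routes(table):
    """Return (code, network, interface) for every line that parses as a route."""
    routes = []
    for line in table.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(m["prefix"], strict=False)
            routes.append((m["code"], net, m["iface"].strip()))
    return routes

def missing_connected_prefixes(lan_addresses, routes, lan_iface="lan"):
    """LAN addresses (primary or ip6-extra-addr) whose /64 has no C route on lan_iface."""
    connected = {net for code, net, iface in routes if code == "C" and iface == lan_iface}
    nets = (ipaddress.ip_interface(a).network for a in lan_addresses)
    return [str(net) for net in nets if net not in connected]

def policy_route_coverage(lan_addresses, policy6):
    """Map each LAN prefix to the output device of the first policy6 rule whose src covers it."""
    coverage = {}
    for addr in lan_addresses:
        net = ipaddress.ip_interface(addr).network
        match = next((dev for src, dev in policy6 if net.subnet_of(ipaddress.ip_network(src))), None)
        coverage[str(net)] = match
    return coverage

if __name__ == "__main__":  # demo with the three LAN addresses from the thread (prefixes swapped)
    lan = ["fd24:7ed4:3bd5:99::250/64", "2001:db8:1:5b00::250/64", "2001:db8:1:5500::250/64"]
    pbr = [("2001:db8:1:5b00::/64", "wan1"), ("2001:db8:1:5500::/64", "wan2")]
    print("no connected lan route:", missing_connected_prefixes(lan, parse_routes(SAMPLE_TABLE)))
    print("policy6 output device:", policy_route_coverage(lan, pbr))
```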

 

emnoc
Esteemed Contributor III

So you want to auto delegate from two ISPs? I have never heard of that and it would be interesting to see that work.

On why the one prefix is active on the other WAN interface, you might need a case with support. I think it's probably active because your interface mode is something other than "static".

 

 

Ken

PCNSE NSE StrongSwan
Raudi
New Contributor III

??? I wrote:

"I'm using one of the two prefixes for auto delegation in the LAN, like you wrote in your first post."

Sure, 2 prefixes via auto delegation in the same LAN will be problematic...

Support I must try; this is an old 100D with expired support that I use here in my home office to replace a LANCOM 1781EF+, learning by playing with it. Not my main competence, but many customers have that and I want to know the products better...

But perhaps as a partner, and if this can be a bug, perhaps they take a look at it. I will ask our security specialist. (But he has no experience with IPv6.)

Thanks!

Stefan

emnoc
Esteemed Contributor III

Try this first, if this is not what you did to begin with.

 

config system interface
    edit "LAN.wan1"
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-upstream-interface "wan1"
            set ip6-subnet ::1/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan1"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet ::/64
                next
            end
        end
    next
    edit "LAN.wan2"
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-upstream-interface "wan2"
            set ip6-subnet ::1/64
            config ip6-delegated-prefix-list
                edit 1
                    # upstream for this block is wan2 (the original post had "wan1" copied from LAN.wan1)
                    set upstream-interface "wan2"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet ::/64
                next
            end
        end
    next
end

 

 

 

 

Now if the clients on lan1 and lan2 get a DHCPv6PD prefix from wan1 and wan2, then you know delegation is working, BUT this will probably break from a routing aspect unless you PBR-route the prefixes for internal.wan2 through WAN2.

Next, if both LANs get a prefix from the wan1/wan2 ISPs, you know you can enable multiples. You will need static routes and PBR for routing the inside LAN clients to the IPv6 internet.

I have the above lab up and working but it's not working on a real internet so I can test client machines.

 

Ken

 

PCNSE NSE StrongSwan
Raudi
New Contributor III

Hello Ken,

 

This is almost exactly what I configured before; I had WAN1 and WAN2 configured for auto delegation, so I got my prefix from the ISP:

config ipv6
      set ip6-mode dhcp
      set dhcp6-prefix-delegation enable
      set dhcp6-prefix-hint 2a02:xxxx:xxxx:5b00::/64
end

Then I configured the LAN interface to use the delegated prefix from WAN1, like you wrote above.

Yes, this works, sometimes...

But sometimes the delegated prefix I got from the ISP on WAN1 changes to the prefix which is on WAN2, so the internet access stops working.

So I think, if both WAN interfaces are not stable with the prefix, then I don't need to configure the LAN side.

Because of this I was thinking about configuring this statically.

At the moment I'm thinking about configuring only one WAN interface for IPv6; on the second I disable it completely. If this works for a few days, I can enable it on WAN2 again. When I get the problems with the prefix again it must be a BUG...

Regards

Stefan

emnoc
Esteemed Contributor III

Good ;), I thought that was what you did but your description was not clear to me ;)

So I think with that earlier config & pbr6 you could maybe get it working.

 

e.g.

# for the prefix on the 2nd ISP.
config router policy6
    edit 0
        set comments "PBR6 WAN2 prefix from LAN.wan2"
        set src 2001:db8:11::/64
        set output-device "wan2"
        set gateway <blablahisp2>
    next
end

 

 

Could you do that? What a client of mine did by accident was to place LAN.1/LAN.2 into the same physical LAN. So some clients gain prefix1 and others prefix2. What was different from your case: prefix1/2 were from the same ISP-WAN upstream.

I bet you could try that. I will drop a diagram up later when I get back to my MAC and send it to be more clear. In the above description, since prefix#1 and prefix#2 were using the same WAN.ISP, pbr6 was not needed or required.

 

Ken

PCNSE NSE StrongSwan
Raudi
New Contributor III

So this is my current config with one WAN working:

 

config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping
        set type physical
        set estimated-upstream-bandwidth 400000
        set estimated-downstream-bandwidth 25000
        set role wan
        set snmp-index 1
        config ipv6
            set ip6-mode dhcp
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint 2a02:xxxx:xxxx:5b00::/64
        end
        set defaultgw disable
    next
    edit "wan2"
        set vdom "root"
        set mode dhcp
        set allowaccess ping
        set type physical
        set estimated-upstream-bandwidth 400000
        set estimated-downstream-bandwidth 25000
        set role wan
        set snmp-index 5
        config ipv6
        end
        set defaultgw disable
    next
    edit "lan"
        set vdom "root"
        set ip 192.168.99.250 255.255.255.0
        set allowaccess ping https ssh
        set type hard-switch
        set stp enable
        set role lan
        set snmp-index 9
        set secondary-IP enable
        config ipv6
            set ip6-address fd24:xxxx:xxxx:99::250/64
            set ip6-allowaccess ping https ssh
            set dhcp6-prefix-delegation enable
            config ip6-extra-addr
                edit 2a02:xxxx:xxxx:5b00::250/64
                next
                edit 2a02:xxxx:xxxx:5500::250/64
                next
            end
            set ip6-send-adv enable
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan1"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet ::/64
                next
            end
        end
    next
end
config router policy6
    edit 1
        set input-device "lan"
        set src 2a02:xxxx:xxxx:5b00::/64
        set output-device "wan1"
        set comments "IPv6 - 5b00 -> WAN1"
    next
    edit 2
        set input-device "lan"
        set src 2a02:xxxx:xxxx:5500::/64
        set output-device "wan2"
        set comments "IPv6 - 5500 -> WAN2"
    next
end

 

My servers with fixed IP are able to communicate with the internet and my MacBook gets an IP via autoconfig and goes onto the internet too.

 

Now i will test and see if this config is stable.

Raudi
New Contributor III

After 22 hours of perfectly working I have enabled IPv6 in DHCP mode on the WAN2 interface and set this on WAN2:

set dhcp6-prefix-delegation enable

20 minutes later internet access through WAN1 stops because the delegated prefix on WAN1 changes to the prefix which belongs to WAN2.

To get this on WAN1 working again I disabled IPv6 on WAN2, set IPv6 on WAN1 to static, removed the address and enabled it on WAN1 again. A moment later IPv6 internet access was possible again.

This behavior must be a bug.

emnoc
Esteemed Contributor III

Don't think so, but open a case. When you enable wan2, the traffic is probably going to go out WAN2, unless you do some PBR6 routing.

You could do some PBR6 rules,

e.g.

src prefixes from ISP1 go out WAN1

src prefixes from ISP2 go out WAN2

and see if that fixes the issues. I have a hunch dual prefix delegation is not supported in a FGT.

 

 

Ken

PCNSE NSE StrongSwan