Hi,
I'm currently trying to get IPv6 configured. I have 2 WAN interfaces, each has its own prefix.
WAN1 I got working. Here I'm able to deploy addresses via SLAAC or use static IPs.
My LAN interface got an internal static fd24 address; all my servers have this static address and this is used in DNS. Then I enabled the secondary ip-address option and added a static IP from each prefix to the LAN interface. Now my LAN interface has 3 static IPv6 addresses configured:
config ipv6
    set ip6-address fd24:7ed4:3bd5:99::250/64
    set ip6-allowaccess ping https ssh
    config ip6-extra-addr
        edit 2a02:xxxx:xxxx:5b00::250/64
        next
        edit 2a02:xxxx:xxxx:5500::250/64
        next
    end
    set ip6-send-adv enable
    config ip6-delegated-prefix-list
        edit 1
            set upstream-interface "wan1"
            set autonomous-flag enable
            set onlink-flag enable
            set subnet ::/64
        next
    end
end
Then I added 2 policy routes to route the source with 5b00 to WAN1 and 5500 to WAN2.
O.k., from LAN I can ping the 5b00::250 when I have an address in the 5b00 network. I can also access the internet.
But when I'm in the 5500 network, I can't ping the 5500::250 address of the LAN interface.
When I make a trace on the LAN interface I get a packet from the client with a "Neighbor Solicitation" but nothing else.
And in the routing table I can see only the 5b00 network via :: lan. The 5500 network isn't listed.
Is it possible that the secondary IP is limited to one additional IP address?
Or where else can I look to check why I can't ping the LAN interface with this specific secondary address?
(Next I think I'll try a reboot of the FortiGate, perhaps there is something hanging, and next I'll test with discarding the fd24 address and making the 5b00 primary and the 5500 secondary.)
Regards
Stefan
Hi,
today I got the info from support that in 6.0.3 the DHCPv6 client will have a unique DUID for each interface.
So the problem is solved in a few weeks when 6.0.3 is available...
Regards
Stefan
This I have already:
config router policy6
edit 1
set input-device "lan"
set src 2a02:xxxx:xxxx:5b00::/64
set output-device "wan1"
set comments "IPv6 - 5b00 -> WAN1"
next
edit 2
set input-device "lan"
set src 2a02:xxxx:xxxx:5500::/64
set output-device "wan2"
set comments "IPv6 - 5500 -> WAN2"
next
end
Why dual prefix? I have 2 separate WAN interfaces, each with a prefix. WAN1 must use the delegated prefix from WAN1 and WAN2 must use the prefix of WAN2.
The LAN interface has nothing to do with the prefix delegation on the WAN interface...
I'm a little bit further with this. I opened a case and I think I have the cause of my problem:
My old LANCOM uses, for communicating with the DHCPv6 server on each interface, the corresponding hardware address of the interface as client ID.
The FortiGate uses the same client ID (DUID) for all interfaces. If I understand this correctly, each interface has a different interface ID (IAID), which should also be used to identify it.
So WAN1 asks for an IP with the same DUID as the WAN2 interface, and the provider seems not to respect the IAID value; this causes the problem here.
LANCOM used different DUIDs, because of this it worked in the past...
I tried to tell this to the provider, but the chance to move something at Vodafone is very low; it is a big problem to find someone who understands the problem. All the supporters can only help with their standard matrix. And they say their responsibility ends at the modem; everything after that is my problem and they can't help. And now tell a standard call center supporter that the DHCP server sends wrong responses...
FortiGate support is now searching for a way to use different DUIDs.
"The FortiGate uses the same client ID (DUID) for all interfaces. If I understand this correctly, each interface has a different interface ID (IAID), which should also be used to identify it."
That should be correct for the DHCPv6 services.
"FortiGate support is now searching for a way to use different DUIDs."
So what are you trying to accomplish, a different DUID per WAN interface or a different interface ID? I will share this KB for Juniper that I ran into which might be relevant:
https://www.juniper.net/d...-duid-configuring.html
Ken
PCNSE
NSE
StrongSwan
Hi Ken,
I need a different DUID for each WAN interface...
Interesting on the link you provided is this:
"The DUID type is specified per routing instance."
WAN1 is a different routing instance than WAN2? So, on a Juniper I would get a different DUID on each WAN interface.
I think the FG uses DUID-LL because at the end is the MAC of WAN1. And the DUID on WAN2 has the MAC of WAN1.
Stefan
O.k., just got feedback from support: no chance to configure something to get different DUIDs.
I should contact my sales representative to create a feature request.
They say the FortiGate is RFC 3315 conformant.
But in my view each WAN interface should work as a DHCPv6 client fully independent from other WAN interfaces. A firewall is a special client in my view...
I'm a little bit frustrated at the moment...
What I would do is take a pcap from each interface. IIRC the DUID is vendor specific, but the identifier should be different per interface IIRC, so look at this cloudshark:
https://www.cloudshark.org/captures/eeedef4dd779
Do a DHCPv6 client request per interface and compare.
ADD: here's what I did with Linux a few years back:
http://socpuppet.blogspot...pv6-on-fortigates.html
PCNSE
NSE
StrongSwan
Oops... double post... Can be erased...
Oh, I found something, this is exactly our problem:
https://www.juniper.net/documentation/en_US/junos/topics/concept/dhcpv6-duplicate-client-duid.html
By default it is not allowed to have a duplicate DUID; the new request will replace the first.
Only after enabling this feature will the IAID be used to identify the interface and duplicate DUIDs be allowed. But this is not the default.
In the DHCPv6 server DUID I can see that my provider uses Cisco; perhaps Cisco has a similar setting, or Cisco is only the relay agent and the DHCPv6 server is different, who knows.
But I found a bug in the Cisco relay agent:
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvg03094
Complex problem...
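To make the DUID/IAID discussion in this thread concrete (the shared DUID across WAN interfaces Stefan describes, the per-interface capture comparison Ken suggests, and the duplicate-DUID server behaviour from the Juniper link), here is an added Python example. It is not code from the original posts, from Fortinet or from Juniper. It builds constructed DHCPv6 Solicit messages with a DUID-LL (RFC 3315 option layout: Client Identifier option 1, IA_PD option 25 carrying the IAID), extracts DUID and IAID the way you would from two pcaps, and models a toy server binding table keyed either on the DUID alone (the default behaviour the Juniper page describes) or on (DUID, IAID). The MAC addresses and 2001:db8:: prefixes are placeholders.

```python
"""Parse constructed DHCPv6 Solicit messages, extract DUID and IAID, and model
a DHCPv6 server binding table with and without duplicate-DUID support.
Constructed example; the server model is a simplification, not a real daemon."""
import struct

MSG_SOLICIT = 1
OPT_CLIENTID = 1        # RFC 3315 Client Identifier option, carries the DUID
OPT_IA_NA = 3           # Identity Association for Non-temporary Addresses
OPT_ELAPSED_TIME = 8
OPT_IA_PD = 25          # Identity Association for Prefix Delegation (RFC 3633)
DUID_LL = 3             # DUID based on link-layer address only


def build_duid_ll(mac: bytes) -> bytes:
    """DUID-LL: 2-byte type (3), 2-byte hardware type (1 = Ethernet), MAC."""
    return struct.pack("!HH", DUID_LL, 1) + mac


def build_solicit(xid: int, duid: bytes, iaid: int) -> bytes:
    """Constructed Solicit: msg-type, 3-byte transaction id, then options."""
    hdr = struct.pack("!B", MSG_SOLICIT) + xid.to_bytes(3, "big")
    opt_clientid = struct.pack("!HH", OPT_CLIENTID, len(duid)) + duid
    ia_pd_body = struct.pack("!III", iaid, 0, 0)  # IAID, T1, T2, no sub-options
    opt_ia_pd = struct.pack("!HH", OPT_IA_PD, len(ia_pd_body)) + ia_pd_body
    opt_elapsed = struct.pack("!HHH", OPT_ELAPSED_TIME, 2, 0)
    return hdr + opt_clientid + opt_ia_pd + opt_elapsed


def parse_options(data: bytes) -> list:
    """Walk the TLV option list; reject options that run past the buffer."""
    opts, off = [], 0
    while off + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("truncated option")
        opts.append((code, data[off:off + length]))
        off += length
    return opts


def extract_identity(msg: bytes) -> dict:
    """Return the DUID (hex), its type, and all IAIDs found in a Solicit."""
    if len(msg) < 4 or msg[0] != MSG_SOLICIT:
        raise ValueError("not a DHCPv6 Solicit")
    duid, iaids = None, []
    for code, val in parse_options(msg[4:]):
        if code == OPT_CLIENTID:
            duid = val
        elif code in (OPT_IA_NA, OPT_IA_PD):
            iaids.append(struct.unpack_from("!I", val, 0)[0])
    if duid is None:
        raise ValueError("missing Client Identifier option")
    return {"duid": duid.hex(),
            "duid_type": struct.unpack_from("!H", duid)[0],
            "iaids": iaids}


def compare_interfaces(msg_a: bytes, msg_b: bytes) -> dict:
    """What you would check after capturing one Solicit per WAN interface."""
    a, b = extract_identity(msg_a), extract_identity(msg_b)
    return {"same_duid": a["duid"] == b["duid"], "same_iaid": a["iaids"] == b["iaids"]}


class Dhcpv6Server:
    """Toy binding table: keyed on DUID alone, or on (DUID, IAID) when the
    server is configured to allow duplicate client DUIDs."""

    def __init__(self, allow_duplicate_duid: bool):
        self.allow_duplicate_duid = allow_duplicate_duid
        self.bindings = {}

    def solicit(self, msg: bytes, prefix: str) -> dict:
        ident = extract_identity(msg)
        iaid = ident["iaids"][0]
        key = (ident["duid"], iaid) if self.allow_duplicate_duid else ident["duid"]
        self.bindings[key] = prefix  # an existing binding with the same key is replaced
        return dict(self.bindings)


# Constructed sample: one DUID-LL built from a placeholder MAC is reused on both
# WAN interfaces (the behaviour described in the thread); only the IAID differs.
MAC_WAN1 = bytes.fromhex("020000000001")  # placeholder, locally administered
MAC_WAN2 = bytes.fromhex("020000000002")  # placeholder
SOLICIT_WAN1 = build_solicit(0x111111, build_duid_ll(MAC_WAN1), iaid=1)
SOLICIT_WAN2 = build_solicit(0x222222, build_duid_ll(MAC_WAN1), iaid=2)  # same DUID
SOLICIT_WAN2_OWN_DUID = build_solicit(0x333333, build_duid_ll(MAC_WAN2), iaid=2)


def run_scenarios() -> dict:
    """Binding tables after both WAN interfaces have sent their Solicit."""
    results = {}
    srv = Dhcpv6Server(allow_duplicate_duid=False)     # default: DUID keys the binding
    srv.solicit(SOLICIT_WAN1, "2001:db8:1::/56")
    results["default_shared_duid"] = srv.solicit(SOLICIT_WAN2, "2001:db8:2::/56")
    srv = Dhcpv6Server(allow_duplicate_duid=True)      # (DUID, IAID) keys the binding
    srv.solicit(SOLICIT_WAN1, "2001:db8:1::/56")
    results["dup_allowed_shared_duid"] = srv.solicit(SOLICIT_WAN2, "2001:db8:2::/56")
    srv = Dhcpv6Server(allow_duplicate_duid=False)     # per-interface DUID, default server
    srv.solicit(SOLICIT_WAN1, "2001:db8:1::/56")
    results["default_distinct_duid"] = srv.solicit(SOLICIT_WAN2_OWN_DUID, "2001:db8:2::/56")
    return results


if __name__ == "__main__":
    print(compare_interfaces(SOLICIT_WAN1, SOLICIT_WAN2))
    for name, table in run_scenarios().items():
        print(f"{name}: {len(table)} binding(s) -> {table}")
```

With the shared DUID and a server that keys on DUID only, WAN2's Solicit overwrites WAN1's binding and only one prefix survives; the same two messages against a server that keys on (DUID, IAID), or a client that sends a distinct DUID per interface, keep both bindings. On a real capture, `extract_identity` is the part to point at the Client Identifier option of each interface's Solicit.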