Raudi
New Contributor III

Multiple IPv6 addresses on LAN interface

Hi,

I'm currently trying to get IPv6 configured. I have 2 WAN interfaces; each has its own prefix.

I got WAN1 working. Here I'm able to deploy addresses via SLAAC or use static IPs.

My LAN interface got an internal static fd24 address; all my servers have this static address and this is used in DNS. Then I enabled the secondary IP address option and added a static IP from each prefix to the LAN interface. Now my LAN interface has 3 static IPv6 addresses configured:

 

config ipv6
    set ip6-address fd24:7ed4:3bd5:99::250/64
    set ip6-allowaccess ping https ssh
    config ip6-extra-addr
        edit 2a02:xxxx:xxxx:5b00::250/64
        next
        edit 2a02:xxxx:xxxx:5500::250/64
        next
    end
    set ip6-send-adv enable
    config ip6-delegated-prefix-list
        edit 1
            set upstream-interface "wan1"
            set autonomous-flag enable
            set onlink-flag enable
            set subnet ::/64
        next
    end
end

 

Then I added 2 policy routes to route the source with 5b00 to WAN1 and 5500 to WAN2.

OK, from LAN I can ping the 5b00::250 when I have an address in the 5b00 network. I can also access the internet.

But when I'm in the 5500 network, I can't ping the 5500::250 address of the LAN interface.

When I make a trace on the LAN interface I got a packet from the client with a "Neighbor Solicitation" but nothing else.

And in the routing table I can see only the 5b00 network via :: lan. The 5500 network isn't listed.

Is it possible that the secondary IP is limited to one additional IP address?

Or where else can I look to check why I can't ping the LAN interface with this specific secondary address?

(Next I think I'll try a reboot of the FortiGate, perhaps there is something hanging, and next I'll test with discarding the fd24 address and making the 5b00 primary and the 5500 secondary.)

Regards

Stefan

1 Solution
Raudi
New Contributor III

Hi,

today I got the info from support that in 6.0.3 the DHCPv6 client will have a unique DUID for each interface.

So problem solved in a few weeks when 6.0.3 is available...

Regards

Stefan

35 REPLIES 35
emnoc
Esteemed Contributor III

So what's providing your DHCPv6 server assignment? I did mine (with a Linux box) and had mixed results, hence why I did that blog post. I can retest now & provide an update.

Ken

 

PCNSE NSE StrongSwan
Raudi
New Contributor III

Hello Ken,

sorry, I don't understand that question. I have no access to the DHCPv6 server; the server is at my internet service provider, Vodafone...

Stefan

emnoc
Esteemed Contributor III

What's the upstream DHCPv6 server?

 

PCNSE NSE StrongSwan
Raudi
New Contributor III

As I say, I can't say what they use; from the server DUID I can say that the vendor is Cisco.

Sure, if I can identify what they use I can search for the default behavior.

I think the default is that they do not allow duplicate DUIDs; our problem looks very close to the behavior which is described on the Juniper web site.

The second DHCP request replaces the first request. And then the renew from the first request provides the info that the information he used is invalid.

Raudi
New Contributor III

Hi,

Vodafone confirms my problem. The problem is, they identify a customer by the DUID and don't allow multiple DUIDs.

As I talked with a Vodafone technician, we were able to see on their DHCP server exactly the behavior we discovered before. The second WAN interface overwrites the lease from the first WAN interface and the DUID walks from the first customer number to the second. When the first WAN now wants to renew the lease, it gets the info that the IP is invalid and gets the info from the second WAN...

I think Fortinet will now change their behavior, so that both WAN interfaces will be able to use different DUIDs...

Kind regards

Stefan
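
The lease overwrite described in this thread, as an added example (not code from the posters, Fortinet or Vodafone): a toy server that keeps one binding per client DUID, plus a DUID decoder following RFC 8415. The class and function names, the DUIDs and the prefixes are constructed assumptions.

```python
import struct

DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}

def parse_duid(hex_str):
    """Decode a DHCPv6 DUID (RFC 8415, section 11) from its hex form."""
    raw = bytes.fromhex(hex_str.replace(":", ""))
    if len(raw) < 3:
        raise ValueError("DUID too short")
    (dtype,) = struct.unpack("!H", raw[:2])
    info = {"type": DUID_TYPES.get(dtype, f"unknown({dtype})")}
    if dtype == 1 and len(raw) >= 8:     # hw type, time, link-layer address
        info["hwtype"], info["time"] = struct.unpack("!HI", raw[2:8])
        info["lladdr"] = raw[8:].hex(":")
    elif dtype == 2 and len(raw) >= 6:   # IANA enterprise number, opaque id
        (info["enterprise"],) = struct.unpack("!I", raw[2:6])
        info["id"] = raw[6:].hex()
    elif dtype == 3 and len(raw) >= 4:   # hw type, link-layer address
        (info["hwtype"],) = struct.unpack("!H", raw[2:4])
        info["lladdr"] = raw[4:].hex(":")
    return info

class DuidKeyedServer:
    """Toy DHCPv6 server with one binding per client DUID (an assumption
    modelling the ISP behaviour described in the thread)."""
    def __init__(self):
        self.bindings = {}
    def request(self, duid, line, prefix):
        replaced = self.bindings.get(duid)
        self.bindings[duid] = (line, prefix)
        return replaced          # the binding that was overwritten, if any
    def renew(self, duid, prefix):
        return self.bindings.get(duid, (None, None))[1] == prefix

def simulate(wan_duids):
    """wan_duids: {interface: (duid_hex, prefix)} -> {interface: renew ok?}"""
    server = DuidKeyedServer()
    for ifname, (duid, prefix) in wan_duids.items():
        server.request(duid, ifname, prefix)
    return {ifname: server.renew(duid, prefix)
            for ifname, (duid, prefix) in wan_duids.items()}

# Constructed sample values: documentation prefixes and a made-up MAC.
SHARED = "00:03:00:01:02:00:5e:10:00:01"
SHARED_DUID = {"wan1": (SHARED, "2001:db8:5b00::/56"),
               "wan2": (SHARED, "2001:db8:5500::/56")}
UNIQUE_DUID = {"wan1": (SHARED, "2001:db8:5b00::/56"),
               "wan2": ("00:03:00:01:02:00:5e:10:00:02", "2001:db8:5500::/56")}
```

With `SHARED_DUID` the renew on wan1 fails because wan2's request replaced its binding; with `UNIQUE_DUID` both renewals succeed.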
