Hi,
I'm currently trying to get IPv6 configured. I have 2 WAN interfaces, each with its own prefix.
WAN1 I got working. Here I'm able to deploy addresses via SLAAC or use static IPs.
My LAN interface has an internal static fd24 address; all my servers have this static address and it is used in DNS. Then I enabled the secondary IP address option and added a static IP from each prefix to the LAN interface. Now my LAN interface has 3 static IPv6 addresses configured:
config ipv6
    set ip6-address fd24:7ed4:3bd5:99::250/64
    set ip6-allowaccess ping https ssh
    config ip6-extra-addr
        edit 2a02:xxxx:xxxx:5b00::250/64
        next
        edit 2a02:xxxx:xxxx:5500::250/64
        next
    end
    set ip6-send-adv enable
    config ip6-delegated-prefix-list
        edit 1
            set upstream-interface "wan1"
            set autonomous-flag enable
            set onlink-flag enable
            set subnet ::/64
        next
    end
end
Then I added 2 policy routes to route the source with 5b00 to WAN1 and 5500 to WAN2.
OK, from the LAN I can ping 5b00::250 when I have an address in the 5b00 network. I can also access the internet.
But when I'm in the 5500 network, I can't ping the 5500::250 address of the LAN interface.
When I make a trace on the LAN interface I get a packet from the client with a "Neighbor Solicitation" but nothing else.
And in the routing table I can see only the 5b00 network via :: lan. The 5500 network isn't listed.
Is it possible that the secondary IP is limited to one additional IP address?
Or where else can I look to check why I can't ping the LAN interface with this specific secondary address?
(Next I think I'll try a reboot of the FortiGate, perhaps there is something hanging, and then I'll test discarding the fd24 address and making 5b00 primary and 5500 secondary.)
Regards
Stefan
Hi,
today I got the info from support that in 6.0.3 the DHCPv6 client will have a unique DUID for each interface.
So the problem is solved in a few weeks when 6.0.3 is available...
Regards
Stefan
Well, I've never seen dual DHCP WAN with IPv6; either way you will need to confirm a static route6 for the WAN link of preference and a firewall6 rule.
So are you auto-delegating an IPv6 prefix to the internal clients?
Ken
PCNSE
NSE
StrongSwan
I'm using one of the two prefixes for auto delegation in the LAN, like you wrote in your first post.
But for my servers I disabled that and set a fixed IPv6 address.
For the two prefixes I made two policy routes:
source prefix1 -> wan1
source prefix2 -> wan2
And I have 2 firewall policies:
incoming lan / source prefix1 / outgoing wan1 / destination all / Protocols PING6,HTTP,HTTPS etc.
incoming lan / source prefix2 / outgoing wan2 / destination all / Protocols PING6,HTTP,HTTPS etc.
When I had prefix delegation enabled on both WAN interfaces this worked.
Is it possible that the FG can't handle 2 WAN-side auto-delegated prefixes? Why is the prefix for WAN2 active on WAN1?
Because of these problems I disabled auto delegation on the WAN side and want to configure this statically.
But how do I configure the outgoing route? I think this is the part that is missing...
With that enabled:
diag debug flow filter6 addr 2a02:2e0:3fe:1001:7777:772e:2:85
I get the following when pinging the above IP from a server in the LAN:
id=20085 trace_id=1149 func=resolve_ip6_tuple_fast line=4018 msg="vd-root:0 received a packet(proto=58, 2a02:xxxx:xxxx:5500::18:1->2a02:2e0:3fe:1001:7777:772e:2:85:128) from lan."
id=20085 trace_id=1149 func=resolve_ip6_tuple_fast line=4054 msg="Find an existing session, id-0000485a, original direction"
id=20085 trace_id=1149 func=ipv6_fast_cb line=58 msg="enter fast path"
This repeats for every ping...
And the routing table looks like this:
C ::1/128 via ::, root, 1d10h38m
C 2a02:xxxx:xxxx:5500::/64 via ::, lan, 1d10h38m
C 2a02:xxxx:xxxx:5b00::/64 via ::, lan, 1d10h38m
C 2a02:xxxx:xxxx:98:5c:f52e:b993:f829/128 via ::, wan1, 11:21:21
C 2a02:xxxx:xxxx:98:6543:28b4:9fdc:dc1/128 via ::, wan2, 10:49:55
S fd24:7ed4:3bd5:88::/64 [10/0] via fd24:7ed4:3bd5:99::1, lan, 1d10h38m
C fd24:7ed4:3bd5:99::/64 via ::, lan, 1d10h38m
C fe80::/64 via ::, wan2, 1d10h00m
K ff00::/8 via ::, wan2, 1d10h01m
The IPv6 addresses for WAN1 and WAN2 are dynamic...
Regards
Stefan
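The manual check Stefan does in this thread (is each policy-route source prefix present as a connected route on the LAN interface, or is one of the secondary addresses missing?) can be scripted against the output of the routing-table command. This is an added example, not code from the thread or from Fortinet; the routing table below is the one pasted above, embedded as constructed sample input, and the prefix-to-interface map mirrors the two policy routes described in the posts.

```python
import re

# Constructed sample: the FortiGate IPv6 routing table as pasted in the thread
# (the poster anonymised the global prefix as 2a02:xxxx:xxxx), one route per line.
ROUTING_TABLE = """\
C ::1/128 via ::, root, 1d10h38m
C 2a02:xxxx:xxxx:5500::/64 via ::, lan, 1d10h38m
C 2a02:xxxx:xxxx:5b00::/64 via ::, lan, 1d10h38m
C 2a02:xxxx:xxxx:98:5c:f52e:b993:f829/128 via ::, wan1, 11:21:21
C 2a02:xxxx:xxxx:98:6543:28b4:9fdc:dc1/128 via ::, wan2, 10:49:55
S fd24:7ed4:3bd5:88::/64 [10/0] via fd24:7ed4:3bd5:99::1, lan, 1d10h38m
C fd24:7ed4:3bd5:99::/64 via ::, lan, 1d10h38m
C fe80::/64 via ::, wan2, 1d10h00m
K ff00::/8 via ::, wan2, 1d10h01m
"""

# The two policy routes from the thread: source prefix -> intended egress WAN.
POLICY6 = {
    "2a02:xxxx:xxxx:5b00::/64": "wan1",
    "2a02:xxxx:xxxx:5500::/64": "wan2",
}

# Route line: <type> <prefix> [<admin/metric>] via <gateway>, <interface>, <uptime>
ROUTE_RE = re.compile(
    r"^(?P<type>[CSK])\s+(?P<prefix>\S+)(?:\s+\[[^\]]*\])?"
    r"\s+via\s+(?P<gw>\S+),\s*(?P<iface>[^,]+),"
)


def parse_routes(text):
    """Return a list of (type, prefix, gateway, interface) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((m["type"], m["prefix"], m["gw"], m["iface"].strip()))
    return routes


def check_lan_prefixes(text, policy6, lan_iface="lan"):
    """For every PBR source prefix, report whether it exists as a connected (C)
    route on the LAN interface. A False entry means the LAN secondary address in
    that prefix never came up, so hosts in it cannot reach the FortiGate and the
    policy route for that prefix will never see traffic (the symptom in the thread)."""
    connected = {p for t, p, _, i in parse_routes(text) if t == "C" and i == lan_iface}
    return {prefix: prefix in connected for prefix in policy6}


if __name__ == "__main__":
    for prefix, present in check_lan_prefixes(ROUTING_TABLE, POLICY6).items():
        print(f"{prefix} -> {POLICY6[prefix]}: {'connected on lan' if present else 'MISSING on lan'}")
```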
So you want to auto delegate from two ISPs? I never heard of that and it would be interesting to see that work.
On why the one prefix is active on the other WAN interface, you might need a case with support. I think it's active probably because your interface mode is something other than "static".
Ken
PCNSE
NSE
StrongSwan
??? I wrote:
"I'm using one of the two prefixes for auto delegation in the LAN, like you wrote in your first post."
Sure, 2 prefixes via auto delegation in the same LAN will be problematic...
Support I must try; this is an old 100D with expired support that I use here in my home office to replace a LANCOM 1781EF+, learning by playing with it. Not my main competence, but many customers have it and I want to know the products better...
But perhaps as a partner, and if this can be a bug, perhaps they will take a look at it. I will ask our security specialist. (But he has no experience with IPv6.)
Thanks!
Stefan
Try this first, if this is not what you did to begin with.
config system interface
    edit "LAN.wan1"
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-upstream-interface "wan1"
            set ip6-subnet ::1/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan1"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet ::/64
                next
            end
        end
    next
    edit "LAN.wan2"
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-upstream-interface "wan2"
            set ip6-subnet ::1/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan2"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet ::/64
                next
            end
        end
    next
end
Now if the clients on lan1 and lan2 get a DHCPv6-PD prefix from wan1 and wan2, then you know delegation is working, BUT this will probably break from a routing aspect unless you PBR-route the prefixes for internal.wan2 through WAN2.
Next, if both LANs get a prefix from the wan1/wan2 ISP, you know you can enable multiples. You will need static routes and PBR for routing the inside LAN clients to the IPv6 internet.
I have the above lab up and working, but it's not on a real internet, so I can't test client machines.
Ken
PCNSE
NSE
StrongSwan
Hello Ken,
this is almost exactly what I configured before. I had WAN1 and WAN2 configured for auto delegation, so I got my prefix from the ISP:
config ipv6
    set ip6-mode dhcp
    set dhcp6-prefix-delegation enable
    set dhcp6-prefix-hint 2a02:xxxx:xxxx:5b00::/64
end
Then I configured the LAN interface to use the delegated prefix from WAN1, like you wrote above.
Yes, this works, sometimes...
But sometimes the delegated prefix I got from the ISP on WAN1 changes to the prefix which is on WAN2, so internet access stops working.
So I think, if both WAN interfaces are not stable with the prefix, then I don't need to configure the LAN side.
Because of this I was thinking about configuring this statically.
At the moment I'm thinking about configuring only one WAN interface for IPv6 and disabling it completely on the second. If this works for a few days, I can enable it on WAN2 again. If I then get the problems with the prefix again, it must be a BUG...
Regards
Stefan
Good ;), I thought that was what you did but your description was not clear to me ;)
So I think with that earlier config & PBR6 you could maybe get it working.
e.g.
# for the prefix on the 2nd ISP.
config router policy6
    edit 0
        set comments "PBR6 WAN2 prefix from LAN.wan2"
        set src 2001:db8:11::/64
        set output-device wan2
        set gateway <blablahisp2>
    next
end
Could you do that? What a client of mine did by accident was to place LAN.1/LAN.2 into the same physical LAN. So some clients gain prefix1 and others prefix2. What was different from you: prefix1/2 were from the same ISP-WAN upstream.
I bet you could try that; I will drop a diagram later when I get back to my Mac and send it to be clearer. In the above description, since prefix#1 and prefix#2 were using the same WAN.ISP, PBR6 was not needed or required.
Ken
PCNSE
NSE
StrongSwan
So this is my current config with one WAN working:
config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping
        set type physical
        set estimated-upstream-bandwidth 400000
        set estimated-downstream-bandwidth 25000
        set role wan
        set snmp-index 1
        config ipv6
            set ip6-mode dhcp
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint 2a02:xxxx:xxxx:5b00::/64
        end
        set defaultgw disable
    next
    edit "wan2"
        set vdom "root"
        set mode dhcp
        set allowaccess ping
        set type physical
        set estimated-upstream-bandwidth 400000
        set estimated-downstream-bandwidth 25000
        set role wan
        set snmp-index 5
        config ipv6
        end
        set defaultgw disable
    next
    edit "lan"
        set vdom "root"
        set ip 192.168.99.250 255.255.255.0
        set allowaccess ping https ssh
        set type hard-switch
        set stp enable
        set role lan
        set snmp-index 9
        set secondary-IP enable
        config ipv6
            set ip6-address fd24:xxxx:xxxx:99::250/64
            set ip6-allowaccess ping https ssh
            set dhcp6-prefix-delegation enable
            config ip6-extra-addr
                edit 2a02:xxxx:xxxx:5b00::250/64
                next
                edit 2a02:xxxx:xxxx:5500::250/64
                next
            end
            set ip6-send-adv enable
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan1"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet ::/64
                next
            end
        end
    next
end
config router policy6
    edit 1
        set input-device "lan"
        set src 2a02:xxxx:xxxx:5b00::/64
        set output-device "wan1"
        set comments "IPv6 - 5b00 -> WAN1"
    next
    edit 2
        set input-device "lan"
        set src 2a02:xxxx:xxxx:5500::/64
        set output-device "wan2"
        set comments "IPv6 - 5500 -> WAN2"
    next
end
My servers with fixed IPs are able to communicate with the internet, and my MacBook gets an IP via autoconfig and goes onto the internet too.
Now I will test and see if this config is stable.
After 22 hours of working perfectly, I enabled IPv6 in DHCP mode on the WAN2 interface and set this on WAN2:
set dhcp6-prefix-delegation enable
20 minutes later, internet access through WAN1 stops because the delegated prefix on WAN1 changes to the prefix which belongs to WAN2.
To get WAN1 working again I disabled IPv6 on WAN2, set IPv6 on WAN1 to static, removed the address and enabled it on WAN1 again. A moment later IPv6 internet access was possible again.
This behavior must be a bug.
Don't think so, but open a case. When you enable wan2, the traffic is probably going to go out WAN2 unless you do some PBR6 routing.
You could do some PBR6 rules
e.g.
src prefixes from ISP1 go out WAN1
src prefixes from ISP2 go out WAN2
And see if that fixes the issues. I have a hunch dual prefix delegation is not supported in a FGT.
Ken
PCNSE
NSE
StrongSwan