Hi,
I'm currently trying to get IPv6 configured. I have 2 WAN interfaces, each with its own prefix.
WAN1 I got working. Here I'm able to deploy addresses via SLAAC or use static IPs.
My LAN interface got an internal static fd24 address, all my servers have this static address and this is used in DNS. Then I enabled the secondary IP address option and added a static IP from each prefix to the LAN interface. Now my LAN interface has 3 static IPv6 addresses configured:
config ipv6
    set ip6-address fd24:7ed4:3bd5:99::250/64
    set ip6-allowaccess ping https ssh
    config ip6-extra-addr
        edit 2a02:xxxx:xxxx:5b00::250/64
        next
        edit 2a02:xxxx:xxxx:5500::250/64
        next
    end
    set ip6-send-adv enable
    config ip6-delegated-prefix-list
        edit 1
            set upstream-interface "wan1"
            set autonomous-flag enable
            set onlink-flag enable
            set subnet ::/64
        next
    end
end
Then I added 2 policy routes to route the source with 5b00 to WAN1 and 5500 to WAN2.
O.k., from LAN I can ping the 5b00::250 when I have an address in the 5b00 network. I can also access the internet.
But when I'm in the 5500 network, I can't ping the 5500::250 address of the LAN interface.
When I make a trace on the LAN interface I get a packet from the client with a "Neighbor Solicitation" but nothing else.
And in the routing table I can see only the 5b00 network via :: lan. The 5500 network isn't listed.
Is it possible that the secondary IP is limited to one additional IP address?
Or where else can I look to check why I can't ping the LAN interface with this specific secondary address?
(Next I think I'll try a reboot of the FortiGate, perhaps there is something hanging, and then I'll test discarding the fd24 address and making the 5b00 primary and the 5500 secondary.)
Regards
Stefan
Hi,
Today I got the info from support that in 6.0.3 the DHCPv6 client will have a unique DUID for each interface.
So the problem is solved in a few weeks when 6.0.3 is available...
Regards
Stefan
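The fix reported above is a per-interface DUID. The following is an added example (not FortiGate or Fortinet code) that encodes DHCPv6 DUIDs as defined in RFC 8415 section 11 and then runs two WAN clients against a toy prefix-delegation server. The server is an assumption: it keys its bindings on the DUID alone and honours the most recent prefix hint, which is enough to reproduce the symptom described later in this thread (WAN1 ending up with WAN2's delegated prefix) when both interfaces present one DUID. MAC addresses and the 2001:db8 prefixes are constructed stand-ins for the masked 2a02 prefixes.

```python
"""DHCPv6 DUID encoding (RFC 8415 section 11) and a toy prefix-delegation
server that shows why a shared DUID across two client interfaces breaks PD.

Added example, not FortiGate code. The server model (one binding per DUID,
latest hint wins) is an assumption about upstream behaviour.
"""
import struct

DUID_LLT = 1
DUID_LL = 3
HW_TYPE_ETHERNET = 1
DUID_TIME_EPOCH = 946684800  # 2000-01-01T00:00:00Z, RFC 8415 section 11.2


def mac_bytes(mac):
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("expected a colon-separated 48-bit MAC")
    return bytes(int(p, 16) for p in parts)


def duid_ll(mac):
    """DUID-LL: type 3, hardware type, link-layer address."""
    return struct.pack("!HH", DUID_LL, HW_TYPE_ETHERNET) + mac_bytes(mac)


def duid_llt(mac, unix_time):
    """DUID-LLT: type 1, hardware type, seconds since 2000 (mod 2^32), MAC."""
    t = (unix_time - DUID_TIME_EPOCH) & 0xFFFFFFFF
    return struct.pack("!HHI", DUID_LLT, HW_TYPE_ETHERNET, t) + mac_bytes(mac)


class ToyPDServer:
    """One delegated prefix per DUID; a new hint moves the client's binding."""

    def __init__(self, pool):
        self.free = list(pool)
        self.bindings = {}  # duid -> delegated prefix

    def solicit(self, duid, hint=None):
        current = self.bindings.get(duid)
        if hint is not None and (hint in self.free or hint == current):
            # honour the hint; release whatever this DUID held before
            if current is not None and current != hint:
                self.free.append(current)
            if hint in self.free:
                self.free.remove(hint)
            self.bindings[duid] = hint
            return hint
        if current is not None:
            return current
        if not self.free:
            raise RuntimeError("pool exhausted")
        prefix = self.free.pop(0)
        self.bindings[duid] = prefix
        return prefix

    def renew(self, duid):
        """Renew returns whatever the server currently has bound to the DUID."""
        return self.bindings.get(duid)


def simulate(shared_duid):
    """Two WAN interfaces each request their own /64 hint, then WAN1 renews."""
    pool = ["2001:db8:5b00::/64", "2001:db8:5500::/64"]  # constructed
    server = ToyPDServer(pool)
    mac_wan1 = "02:00:00:00:00:01"  # constructed, locally administered
    mac_wan2 = "02:00:00:00:00:02"  # constructed
    duid1 = duid_ll(mac_wan1)
    duid2 = duid1 if shared_duid else duid_ll(mac_wan2)
    wan1 = server.solicit(duid1, hint=pool[0])
    wan2 = server.solicit(duid2, hint=pool[1])
    return {"wan1": wan1, "wan2": wan2, "wan1_after_renew": server.renew(duid1)}


if __name__ == "__main__":
    print("shared DUID (pre-fix):", simulate(True))
    print("per-interface DUID:   ", simulate(False))
```

With a shared DUID the second interface's hint silently replaces the first interface's binding, so WAN1's next renew returns WAN2's prefix; with distinct DUIDs each interface keeps its own binding.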
Hi, yes you can do that. I don't know how you could deploy autoconf if you want a client to take one prefix over the other.
In your case, you need to set the prefixes to be advertised,
e.g.
config ip6-prefix-list
    edit 2001:db8:1::/64
        set autonomous-flag enable
        set preferred-life-time 600
        set valid-life-time 600
    next
    edit 2001:db8:2::/64
        set autonomous-flag enable
        set preferred-life-time 600
        set valid-life-time 600
    next
    edit 2001:db8:3::/64
        set autonomous-flag enable
        set preferred-life-time 600
        set valid-life-time 600
    next
end
http://socpuppet.blogspot.com/2015/08/just-how-many-ipv6-prefixes-can-be.html
Also for this:
"Or where can i look else to check why i can't ping the LAN interface with this specific secondary address"
try any/all of the below
cli-cmd
diag debug flow filter6
diag sniffer packet <interfacename> icmp6
PCNSE
NSE
StrongSwan
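The ip6-prefix-list above sets the autonomous flag and the preferred/valid lifetimes that a FortiGate puts into the Prefix Information Option of its Router Advertisements. The following added example (not FortiGate code) encodes and decodes that option as defined in RFC 4861 section 4.6.2 and applies the RFC 4862 host rules that decide which advertised prefixes a SLAAC client may actually form addresses from. The sample option set uses the 2001:db8 prefixes from the reply plus one constructed on-link-only prefix to show a rejected entry.

```python
"""Encode and decode the Router Advertisement Prefix Information Option
(RFC 4861 section 4.6.2) and apply the RFC 4862 host rules that decide
whether a host may form a SLAAC address from it.

Added example, not FortiGate code. The 2001:db8:ff::/64 entry is constructed
to show a non-autonomous (A flag clear) prefix.
"""
import ipaddress
import struct

PIO_TYPE = 3
PIO_LENGTH = 4            # option length in units of 8 octets (32 bytes total)
FLAG_ONLINK = 0x80        # L bit: prefix is on-link
FLAG_AUTONOMOUS = 0x40    # A bit: prefix may be used for SLAAC
_PIO_FMT = "!BBBBIII16s"  # type, len, prefixlen, flags, valid, preferred, reserved2, prefix


def encode_pio(prefix, onlink, autonomous, valid_lifetime, preferred_lifetime):
    """Build a 32-byte Prefix Information Option; lifetimes are seconds
    (0xFFFFFFFF means infinity)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if preferred_lifetime > valid_lifetime:
        raise ValueError("preferred lifetime must not exceed valid lifetime")
    flags = (FLAG_ONLINK if onlink else 0) | (FLAG_AUTONOMOUS if autonomous else 0)
    return struct.pack(_PIO_FMT, PIO_TYPE, PIO_LENGTH, net.prefixlen, flags,
                       valid_lifetime, preferred_lifetime, 0,
                       net.network_address.packed)


def decode_pio(data):
    """Parse a Prefix Information Option, rejecting malformed ones."""
    if len(data) != 32:
        raise ValueError("PIO must be exactly 32 bytes")
    opt_type, opt_len, plen, flags, valid, preferred, _reserved, raw = struct.unpack(_PIO_FMT, data)
    if opt_type != PIO_TYPE or opt_len != PIO_LENGTH:
        raise ValueError("not a Prefix Information Option")
    if plen > 128:
        raise ValueError("prefix length out of range")
    prefix = ipaddress.IPv6Network((raw, plen), strict=False)
    return {
        "prefix": str(prefix),
        "onlink": bool(flags & FLAG_ONLINK),
        "autonomous": bool(flags & FLAG_AUTONOMOUS),
        "valid_lifetime": valid,
        "preferred_lifetime": preferred,
    }


def slaac_usable(options):
    """Return the prefixes a host may use for address autoconfiguration
    (RFC 4862 section 5.5.3): A flag set, not link-local, valid > 0,
    preferred <= valid, and /64 so a 64-bit interface identifier fits."""
    usable = []
    for data in options:
        pio = decode_pio(data)
        net = ipaddress.IPv6Network(pio["prefix"])
        if not pio["autonomous"] or net.is_link_local:
            continue
        if pio["valid_lifetime"] == 0 or pio["preferred_lifetime"] > pio["valid_lifetime"]:
            continue
        if net.prefixlen != 64:
            continue
        usable.append(pio["prefix"])
    return usable


# Constructed RA option set mirroring the ip6-prefix-list in the reply.
SAMPLE_OPTIONS = [
    encode_pio("2001:db8:1::/64", onlink=True, autonomous=True, valid_lifetime=600, preferred_lifetime=600),
    encode_pio("2001:db8:2::/64", onlink=True, autonomous=True, valid_lifetime=600, preferred_lifetime=600),
    encode_pio("2001:db8:3::/64", onlink=True, autonomous=True, valid_lifetime=600, preferred_lifetime=600),
    # constructed: on-link only, hosts must not autoconfigure from it
    encode_pio("2001:db8:ff::/64", onlink=True, autonomous=False, valid_lifetime=600, preferred_lifetime=600),
]

if __name__ == "__main__":
    for data in SAMPLE_OPTIONS:
        print(decode_pio(data))
    print("SLAAC prefixes:", slaac_usable(SAMPLE_OPTIONS))
```

This is also the shape of what `diag sniffer packet <interfacename> icmp6` captures when the FortiGate sends an RA: if a prefix is missing from the host's address list, decode the option and check the A flag and lifetimes first.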
Thanks for the quick answer. Only the prefix of WAN1 should be deployed automatically; the IPv6 network of WAN2 should only be used statically.
After a reboot I was able to ping both IPs, both addresses were listed in the routing table.
But I got another problem. On WAN1 I got the delegated prefix for WAN2 automatically configured?!?
How is this possible? O.k., will take some research...
I don't get it... For a moment all was fine, WAN1 has the delegated prefix from the provider and I was able to access the internet. WAN2 has its delegated prefix too and I was also able to access the internet with a client in this network.
But now the delegated prefix from WAN1 changed to the prefix which is for WAN2.
How can this be?
I have only 2 firewall policies for outgoing:
In Interface: LAN
Out Interface: WAN1
Source: Prefix WAN1
Destination: all
In Interface: LAN
Out Interface: WAN2
Source: Prefix WAN2
Destination: all
Now I removed "ALL_ICMP6" from both. And I had ping enabled on the WAN interface, this I disabled too.
After disabling WAN1 for a moment and enabling it again I got the correct prefix again.
Let's see how long the config is stable now...
Why does WAN1 get the delegated prefix info from WAN2? There is no connection between them...
Can I disable the prefix delegation and configure the prefix statically?
Kind regards
Stefan
Hi Raudi,
You can have more than one extra IPv6 address configured under interface. And when the problem happens (can't ping the LAN interface), what is the output of "diag ipv6 address list"? Especially, note the "flag". Usually, the flag should be 'p'.
Regards
Hmmm... IPv6 seems to be under construction...
As I told, after a reboot I was able to use all IP addresses...
I wrote I removed the ALL_ICMP6 from the policy but left PING inside it. But I can't ping external sites. So PING doesn't work for IPv6. In the Forward Traffic log I see that PING6 is blocked, but PING6 I can't select in the firewall policy... In the services list I saw it is excluded from the list per default, not helpful...
And when I add the ALL_ICMP6 again I get problems with the wrong prefix again.
I will stop testing for today...
At the moment I rebooted and have a working outgoing IPv6 config... Let's see if this is stable now...
It's not stable, wan2 has just lost its IPv6...
Disabled WAN2, enabled it again, waited a while and it is working again...
And a few minutes later, all was working, WAN1 lost its IPv6.
And more minutes later WAN1 got its IP back and used the prefix from WAN2.
Time to go to bed...
What are your assignments for WAN1/WAN2 address? Losing a cfg tells me these are "dynamic SLAAC enabled"?
Ken
PCNSE
NSE
StrongSwan
This is the config on both WAN interfaces:
config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping
        set type physical
        set estimated-upstream-bandwidth 400000
        set estimated-downstream-bandwidth 25000
        set role wan
        set snmp-index 1
        config ipv6
            set ip6-mode dhcp
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint 2a02:xxxx:xxxx:5b00::/64
        end
        set defaultgw disable
    next
end
WAN2 is the same with a different hint.
When I look now, both interfaces have at this moment their IP and correct prefix, but I can't access the internet with WAN1, WAN2 is working at the moment.
When I reboot the FG, I bet I can access the internet with both WAN interfaces again...
I think I must go deeper into the logs to see what happens.
O.k., I removed all prefix automatics from the wan interfaces.
Both wan interfaces got an IP via DHCP.
When I enter (heise.de):
exec ping6 -I wan1 2a02:2e0:3fe:1001:7777:772e:2:85
or
exec ping6 -I wan2 2a02:2e0:3fe:1001:7777:772e:2:85
this works...
And I can ping any server on its static IPv6 address with:
exec ping6 2a02:xxxx:xxxx:5b00::22
or the 2nd prefix:
exec ping6 2a02:xxxx:xxxx:5500::18
But what must I configure so that I can access the internet from the internal LAN?
For IPv4 I must create a static route to the wan interface with the gateway address of the provider.
In the IPv6 routing table I have no default route, but I don't know the IP of the provider for the next hop to create a manual route.
When I enable the prefix delegation, the traffic goes automatically from lan to wan, but the prefix delegation is very unstable so I want to configure this statically.
So what is missing to route from lan to wan? A route? Or something else?
A hint would be great.
Kind regards
Stefan
Copyright 2024 Fortinet, Inc. All Rights Reserved.