Hi,
i'm currently trying to get IPv6 configured. I have 2 WAN interfaces each has its own prefix.
WAN1 i got working. Here i'm able to deploy addresses via SLAAC or use static IP's.
My LAN interface got a internal statc fd24 address, all my servers have this static address and this is used in DNS. Then i enabled the secondary ip-address option and added a static ip from each prefix to the LAN interface. Now my LAN interface has 3 static IPv6 addresses configured:
config ipv6 set ip6-address fd24:7ed4:3bd5:99::250/64 set ip6-allowaccess ping https ssh config ip6-extra-addr edit 2a02:xxxx:xxxx:5b00::250/64 next edit 2a02:xxxx:xxxx:5500::250/64 next end set ip6-send-adv enable config ip6-delegated-prefix-list edit 1 set upstream-interface "wan1" set autonomous-flag enable set onlink-flag enable set subnet ::/64 next end end
Then i added 2 policy routes to route the source with 5b00 to WAN1 and 5500 to WAN2.
O.k. from LAN in can ping the 5b00::250 when i have a address in the 5b00 network. I can also access the internet.
But when i'm in the 5500 network, i can't ping the 5500::250 address of the LAN interface.
When i make a trace on the LAN interface i got a packet from the client with a "Neighbor Solicitation" but noting else.
And in the routing table i can see only the 5b00 network via :: lan. The 5500 network isn't listed.
Is it possible that the seondary ip is limited to one additional ip address?
Or where can i look else to check why i can't ping the LAN interface with this specific secondary address.
(Next i think i try a reboot of the fortiGate perhaps there is something hanging and next i test with discarding the fd24 address and make the 5b00 primary and the 5500 as secondary.)
Regards
Stefan
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
today i got the info from the support, that in 6.0.3 the DHCPv6 client will have an unique DUID for each interface.
So problem solved in a few weeks when 6.0.3 is available...
Regards
Stefan
Hi yes you can do that, I don't know how you could deploy autoconf if you want a client to take one prefixes over the other.
In your case, you need to set the prefixes to be advertise
e.g
config ip6-prefix-list edit 2001:db8:1::/64 set autonomous-flag enable set preferred-life-time 600 set valid-life-time 600 next
edit 2001:db8:2::/64 set autonomous-flag enable set preferred-life-time 600 set valid-life-time 600 next
edit 2001:db8:3::/64 set autonomous-flag enable set preferred-life-time 600 set valid-life-time 600 next
end
http://socpuppet.blogspot.com/2015/08/just-how-many-ipv6-prefixes-can-be.html
Also for this;
Or where can i look else to check why i can't ping the LAN interface with this specific secondary address
try any all of the below
cli-cmd
diag debug flow filter6
diag sniffer packet <interfacename> icmp6
PCNSE
NSE
StrongSwan
Thanks for the quick answer, automatically should only the prefix of WAN1 deployed, die IPv6 network of WAN2 should only be used static.
After a reboot i was able to ping both IP's, both addresses where listed in the routing table.
But i got another problem. In the WAN1 i got the delegated-prefix for WAN2 automatically configured?!?
How is this possible? O.k. will take some research...
I don't get it... For a moment all was fine, WAN1 has the delegated prefix from the provider and i was able to access the internet. WAN2 has his delegated prefix too and i was also able to access the internet with a client in this network.
But now the delegated prefix from WAN1 changed to the prefix which is for WAN2.
How can this be?
I have only 2 firewall policy's for outgoing:
In Interface: LAN
Out Interface: WAN1
Source: Prefix WAN1
Destination: all
In Interface: LAN
Out Interface: WAN2
Source: Prefix WAN2
Destination: all
Now i removed at both "ALL_ICMP6". And i had ping enabled on the WAN interface, this i disabled too.
After disabling the WAN1 for a moment and enabling it again i got the correct prefix again.
Lets see how long the config is now stable...
Why WAN1 get the delegated prefix infos from WAN2? There is no connection between them...
Can i disable the prefix delegation and configure the prefix static?
Kind regards
Stefan
Hi Raudi,
You can have more than one extra IPV6 address configured under interface. And when the problem happens ( can't ping LAN interface), what is the output of "diag ipv6 address list"? Especially, note the "flag". Usually, the flag should be 'p'.
Regards
Hmmm... IPv6 seems to be under construction...
As i told, after a reboot i was able to use all IP addresses...
I wrote i removed the ALL_ICMP6 from the policy but let PING inside it. But i can't ping external sites. So the PING don't work for IPv6. In the Forward Traffic log i see that PING6 is blocked, but PING6 i can't select in the firewall policy... In the services list i saw, it is per default exluded from the list, not helpful...
And when i add the ALL_ICMP6 again i got problems with the wrong prefix again.
I will stop testing for today...
At the moment i rebootet and have a working outfoing IPv6 config... Let's see if this is stable now...
It's not stable wan2 has just lost his IPv6...
Disabled WAN2, enabled it again, wait a while and it is working again...
And a few minutes later, all was working, WAN1 lost his IPv6.
And more minutes later WAN1 got its IP back and used the prefix from WAN2.
Time to go to bed...
What's your assignments for WAN1/WAN2 address? Losing a cfg tells me these are "dynamic SLAAC enabled " ?
Ken
PCNSE
NSE
StrongSwan
This is the config on the both WAN interfaces:
config system interface
edit "wan1"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set estimated-upstream-bandwidth 400000
set estimated-downstream-bandwidth 25000
set role wan
set snmp-index 1
config ipv6
set ip6-mode dhcp
set dhcp6-prefix-delegation enable
set dhcp6-prefix-hint 2a02:xxxx:xxxx:5b00::/64
end
set defaultgw disable
next
end
WAN2 is the same with a different hint.
When i look now, both interfaces have at this moment their IP and correct prefix, but i can't access the internet with WAN1, WAN2 is working at the moment.
When i reboot the FG, i will bet, then i can access the internet with both WAN interfaces again...
I think i must go deeper in the logs, to see what happens.
o.k. i removed all prefix automatics from the wan interfaces.
Both wan interfaces got an ip via dhcp.
When i enter (heise.de):
exec ping6 -I wan1 2a02:2e0:3fe:1001:7777:772e:2:85 or exec ping6 -I wan2 2a02:2e0:3fe:1001:7777:772e:2:85
this works...
And i can ping any server on his static IPv6 ip address with:
exec ping6 2a02:xxxx:xxxx:5b00::22 or the 2nd prefix: exec ping6 2a02:xxxx:xxxx:5500::18
But what must i configure that i can access the internet from the internal lan?
For IPv4 i must create a static route to the wan interface with the gateway address of the provider.
In the IPv6 routing table i have no default route, but i don't know the ip of the provider for the next hop to create a manual route.
When i enable the prefix delegation, the traffic goes automatically from lan to wan, but the prefix delegation is very unstable so i want to configure this static.
So what is missing to route from lan to wan? A route? Or something else?
A hint will be great.
Kind regards
Stefan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.