Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Raudi
New Contributor III

Multiple IPv6 addresses on LAN interface

Hi,

I'm currently trying to get IPv6 configured. I have 2 WAN interfaces, each has its own prefix.

WAN1 I got working. Here I'm able to deploy addresses via SLAAC or use static IPs.

My LAN interface got an internal static fd24 address, all my servers have this static address and this is used in DNS. Then I enabled the secondary ip-address option and added a static IP from each prefix to the LAN interface. Now my LAN interface has 3 static IPv6 addresses configured:

config ipv6
    set ip6-address fd24:7ed4:3bd5:99::250/64
    set ip6-allowaccess ping https ssh
    config ip6-extra-addr
        edit 2a02:xxxx:xxxx:5b00::250/64
        next
        edit 2a02:xxxx:xxxx:5500::250/64
        next
    end
    set ip6-send-adv enable
    config ip6-delegated-prefix-list
        edit 1
            set upstream-interface "wan1"
            set autonomous-flag enable
            set onlink-flag enable
            set subnet ::/64
        next
    end
end

Then I added 2 policy routes to route the source with 5b00 to WAN1 and 5500 to WAN2.

O.k. from LAN I can ping the 5b00::250 when I have an address in the 5b00 network. I can also access the internet.

But when I'm in the 5500 network, I can't ping the 5500::250 address of the LAN interface.

When I make a trace on the LAN interface I got a packet from the client with a "Neighbor Solicitation" but nothing else.

And in the routing table I can see only the 5b00 network via :: lan. The 5500 network isn't listed.

Is it possible that the secondary IP is limited to one additional IP address?

Or where else can I look to check why I can't ping the LAN interface with this specific secondary address.

(Next I think I try a reboot of the FortiGate, perhaps there is something hanging, and next I test with discarding the fd24 address and making the 5b00 primary and the 5500 secondary.)

Regards

Stefan

1 Solution
Raudi
New Contributor III

Hi,

today I got the info from the support that in 6.0.3 the DHCPv6 client will have a unique DUID for each interface.

So problem solved in a few weeks when 6.0.3 is available...

Regards

Stefan

35 REPLIES
Raudi
New Contributor III

This I have already:

config router policy6
    edit 1
        set input-device "lan"
        set src 2a02:xxxx:xxxx:5b00::/64
        set output-device "wan1"
        set comments "IPv6 - 5b00 -> WAN1"
    next
    edit 2
        set input-device "lan"
        set src 2a02:xxxx:xxxx:5500::/64
        set output-device "wan2"
        set comments "IPv6 - 5500 -> WAN2"
    next
end

Why dual prefix? I have 2 separate WAN interfaces with a prefix. WAN1 must use the delegated prefix from WAN1 and WAN2 must use the prefix of WAN2.

The LAN interface has nothing to do with the prefix delegation on the WAN interface...

Raudi
New Contributor III

I'm a little bit forward in this. I opened a case and I think I have the cause for my problem:

My old LANCOM uses for communicating with the DHCPv6 server on each interface the corresponding hardware address of the interface as client ID.

The FortiGate uses here for all interfaces the same client ID (DUID). If I understand this correctly, each interface has a different interface ID (IAID), which should also be used to identify.

So WAN1 asks for an IP with the same DUID as the WAN2 interface, and the provider seems not to respect the IAID value; this causes the problem here.

LANCOM used different DUIDs, because of this it worked in the past...

I tried to tell this to the provider, but the chance to move something at Vodafone is very low; it is a big problem to find someone who understands the problem. All the supporters can only help with their standard matrix. And they say their responsibility ends at the modem, all after that is my problem and they can't help. And now tell a standard call center supporter the DHCP server sends wrong responses...

The FortiGate support now searches for a way to use different DUIDs.

emnoc
Esteemed Contributor III

The FortiGate uses here for all interfaces the same client ID (DUID). If I understand this correctly, each interface has a different interface ID (IAID), which should also be used to identify.

That should be correct for the DHCPv6 services.

The FortiGate support now searches a way to use different DUID'

So what are you trying to accomplish, a different DUID per each WAN interface or the interface ID? I will share this KB for Juniper that I ran into which might be relevant

https://www.juniper.net/d...-duid-configuring.html

Ken

PCNSE

NSE

StrongSwan
Raudi
New Contributor III

Hi Ken,

I need a different DUID for each WAN interface...

Interesting is this on the link you provided:

"The DUID type is specified per routing instance."

WAN1 is a different routing instance than WAN2? So, on a Juniper I will get a different DUID on each WAN interface.

I think the FG uses DUID-LL because at the end is the MAC of WAN1. And the DUID on WAN2 has the MAC of WAN1.

Stefan

Raudi
New Contributor III

O.k. just got feedback from support, no chance to configure something to get different DUIDs.

I should contact my sales representative to create a feature request.

They say the FortiGate is RFC 3315 conformant.

But in my view each WAN interface should work as a DHCPv6 client fully independent from other WAN interfaces. A firewall is a special client in my view...

I'm a little bit frustrated at the moment...

emnoc
Esteemed Contributor III

What I would do is to take a pcap from each interface. IIRC the DUID is vendor specific but the identifier should be different per interface IIRC, so look at this cloudshark

https://www.cloudshark.org/captures/eeedef4dd779

Do a DHCPv6 client request per interface and compare

ADD: here's what I did with Linux a few years back

http://socpuppet.blogspot...pv6-on-fortigates.html

PCNSE

NSE

StrongSwan
Raudi
New Contributor III

Hi,

here a trace from WAN1:

You can see that WAN1 uses the MAC from a different interface as DUID.

Raudi
New Contributor III

Here a trace from WAN2:

The DUID is the MAC of WAN2, and WAN1 and WAN2 are using the same.

Only the IAID is different.

Regards

Stefan

Raudi
New Contributor III

Oops... double post... Can be erased...

Raudi
New Contributor III

Oh I found something, this is exactly our problem:

https://www.juniper.net/documentation/en_US/junos/topics/concept/dhcpv6-duplicate-client-duid.html

By default it is not allowed to have a duplicate DUID, the new request will replace the first.

Only after enabling this feature will the IAID be used to identify the interface and duplicate DUIDs be allowed. But this is not default.

At the DHCPv6 server DUID I can see that my provider uses Cisco, perhaps Cisco has a similar setting, or Cisco is only the relay agent and the DHCPv6 server is different, who knows.

But I found a bug in the Cisco relay agent:

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvg03094

Complex problem...
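The two observations in this thread, the WAN1/WAN2 traces (same DUID-LL carrying one interface's MAC, only the IAID differs) and the Juniper note above (a second client with a duplicate DUID replaces the first unless the server also keys on IAID), can be reproduced with a small DHCPv6 decoder. This is an added example written for this thread, not Fortinet, Juniper or Cisco code: the two Solicit messages are constructed, the MAC 00:11:22:33:44:55, the IAIDs and the prefixes are placeholders, and `LeaseTable` is a toy model of a server's binding table, not any vendor's implementation.

```python
"""Decode DHCPv6 Solicit messages and show why a shared DUID collides.

Added example for this thread, not Fortinet, Juniper or Cisco code. The two
Solicit messages are constructed; the MAC, IAIDs and prefixes are placeholders.
"""
import struct

SOLICIT = 1
OPT_CLIENTID = 1   # Client Identifier option, carries the DUID (RFC 3315 s.22.2)
OPT_IA_NA = 3      # Identity Association for Non-temporary Addresses
OPT_IA_PD = 25     # Identity Association for Prefix Delegation (RFC 3633)
DUID_LLT = 1
DUID_LL = 3


def duid_ll(mac: bytes) -> bytes:
    """DUID-LL (RFC 3315 s.9.4): type 3, hardware type 1 (Ethernet), then the MAC."""
    return struct.pack("!HH", DUID_LL, 1) + mac


def build_solicit(xid: int, duid: bytes, iaid: int, opt_code: int = OPT_IA_PD) -> bytes:
    """Minimal Solicit: 4-byte header, Client Identifier option, one IA_PD/IA_NA option."""
    header = struct.pack("!B", SOLICIT) + xid.to_bytes(3, "big")
    clientid = struct.pack("!HH", OPT_CLIENTID, len(duid)) + duid
    ia_body = struct.pack("!III", iaid, 0, 0)  # IAID, T1, T2; no sub-options
    ia = struct.pack("!HH", opt_code, len(ia_body)) + ia_body
    return header + clientid + ia


def parse_solicit(pkt: bytes) -> dict:
    """Walk the option list and pull out the DUID and every IAID in the message."""
    msg_type = pkt[0]
    xid = int.from_bytes(pkt[1:4], "big")
    duid, iaids, off = None, [], 4
    while off + 4 <= len(pkt):
        code, length = struct.unpack("!HH", pkt[off:off + 4])
        data = pkt[off + 4:off + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        if code == OPT_CLIENTID:
            duid = data
        elif code in (OPT_IA_NA, OPT_IA_PD):
            iaids.append(struct.unpack("!I", data[:4])[0])
        off += 4 + length
    return {"msg_type": msg_type, "xid": xid, "duid": duid, "iaids": iaids}


def describe_duid(duid: bytes) -> str:
    """Render DUID-LL / DUID-LLT with the embedded MAC; any other type as raw hex."""
    dtype = struct.unpack("!H", duid[:2])[0]
    if dtype == DUID_LL:
        mac = duid[4:10]          # type(2) hw-type(2) mac(6)
    elif dtype == DUID_LLT:
        mac = duid[8:14]          # type(2) hw-type(2) time(4) mac(6)
    else:
        return "DUID type %d %s" % (dtype, duid.hex())
    name = "LL" if dtype == DUID_LL else "LLT"
    return "DUID-%s %s" % (name, ":".join("%02x" % b for b in mac))


class LeaseTable:
    """Toy server binding table: key on DUID only (default) or on (DUID, IAID)."""

    def __init__(self, key_by_iaid: bool = False):
        self.key_by_iaid = key_by_iaid
        self.bindings = {}

    def solicit(self, pkt: bytes, prefix: str) -> None:
        p = parse_solicit(pkt)
        for iaid in p["iaids"]:
            key = (p["duid"], iaid) if self.key_by_iaid else p["duid"]
            self.bindings[key] = prefix   # a later client with the same key evicts the earlier one

    def prefixes(self) -> list:
        return sorted(self.bindings.values())


def shared_duid_report(pkts: list) -> dict:
    """Flag the pattern the thread's traces showed: identical DUID, differing IAIDs."""
    parsed = [parse_solicit(p) for p in pkts]
    duids = {p["duid"] for p in parsed}
    iaids = {i for p in parsed for i in p["iaids"]}
    return {"shared_duid": len(duids) == 1,
            "distinct_iaids": len(iaids) == len(pkts),
            "duid": describe_duid(parsed[0]["duid"]) if len(duids) == 1 else None}


# Constructed samples: both interfaces put the same placeholder MAC in their DUID.
SHARED_DUID = duid_ll(bytes.fromhex("001122334455"))
WAN1_SOLICIT = build_solicit(0x000001, SHARED_DUID, iaid=1)
WAN2_SOLICIT = build_solicit(0x000002, SHARED_DUID, iaid=2)

if __name__ == "__main__":
    print(shared_duid_report([WAN1_SOLICIT, WAN2_SOLICIT]))
    for key_by_iaid in (False, True):
        table = LeaseTable(key_by_iaid)
        table.solicit(WAN1_SOLICIT, "2001:db8:1::/64")   # placeholder prefixes
        table.solicit(WAN2_SOLICIT, "2001:db8:2::/64")
        print("key by (DUID, IAID)" if key_by_iaid else "key by DUID only", table.prefixes())
```

With DUID-only keying the table ends up holding just the second prefix, which matches the symptom Stefan describes: whichever WAN solicits last wins and the other loses its delegation. Keying on (DUID, IAID) keeps both, which is what the Juniper "duplicate client DUID" knob enables; the fix on the client side is a distinct DUID per interface, as the 6.0.3 note in the accepted solution states.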

 
