Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Problem with Nat64 on 7.2.2



I'm trying out NAT64 on the FG. I have followed the guide completely but it's strange that the return packet is dropped, i can see the return packet is recived on the wan interface but then no more, i'm little stuck where i should look, it's like there is missing route towards the naf.root interface


from packet sniffer

3.740201 Nat64 in 2a01:6f01:1204:c64:91f0:7113:7aba:f4c1 -> 64:ff9b::b915:11f9: icmp6: echo request seq 1681 [flowlabel 0x20000]
3.740235 naf.root out 2a01:6f01:1204:c64:91f0:7113:7aba:f4c1 -> 64:ff9b::b915:11f9: icmp6: echo request seq 1681 [flowlabel 0x20000]
3.740243 naf.root in -> icmp: echo request
3.740273 wan1 out -> icmp: echo request
3.741179 wan1 in -> icmp: echo reply



Heiðar S.


New Contributor

when i do debug flow, i can see on strange line but can't find the reson for it 

"fw_forward_dirty_handler"  i find it little suspicious,

id=65308 trace_id=28 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1,> tun_id= from naf.root. type=8, code=0, id=23207, seq=35371."
id=65308 trace_id=28 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-0016de26, original direction"
id=65308 trace_id=28 func=npu_handle_session64 line=1287 msg="Trying to offloading session from naf.root to wan1, skb.npu_flag=00000480 ses.state=00010200 ses.npu_state=0x04000000"
id=65308 trace_id=28 func=fw_forward_dirty_handler line=414 msg="state=00010200, state2=00000000, npu_state=04000000"


New Contributor

I'm having this same issue. Digging around this forum I'm lead to believe this is an issue with the Dynamic IP Pool. Apparently you cannot use the same IPv4 address that's assigned to the WAN interface (outgoing IPv4). But I'm only assigned a single IPv4 address on the WAN interface because I have a residential connection and am only allocated a single IPv4 for accessing the public internet.


Here is what I was able to dig up on another post:

"Considering this, the NAT64 does not allow to use the WAN interface IP address as the external IP range for the IP pool. It is imperative to use an available IP address of the public range. For example, the WAN interface IP address is, therefore, the IP pool can have an available IP address within that range."


Looks like they are using a private network for the WAN port and are able to use more than one IPv4 address on that interface. So there must be an edge router somewhere on that link that's reaching the public IPv4 internet.


I still don't have a solution. Not sure what to do. I could try putting another router in between my Fortigate Firewall and ISP modem (an edge router). Then my Fortigate firewall will have a private 192.168.x.x address I have some control over. But I think this will introduce a double NAT.

Top Kudoed Authors