Hi,
I'm trying out NAT64 on the FG. I have followed the guide completely but it's strange that the return packet is dropped, i can see the return packet is recived on the wan interface but then no more, i'm little stuck where i should look, it's like there is missing route towards the naf.root interface
from packet sniffer
3.740201 Nat64 in 2a01:6f01:1204:c64:91f0:7113:7aba:f4c1 -> 64:ff9b::b915:11f9: icmp6: echo request seq 1681 [flowlabel 0x20000]
3.740235 naf.root out 2a01:6f01:1204:c64:91f0:7113:7aba:f4c1 -> 64:ff9b::b915:11f9: icmp6: echo request seq 1681 [flowlabel 0x20000]
3.740243 naf.root in 157.97.12.199 -> 185.21.17.249: icmp: echo request
3.740273 wan1 out 157.97.12.199 -> 185.21.17.249: icmp: echo request
3.741179 wan1 in 185.21.17.249 -> 157.97.12.199: icmp: echo reply
br
Heiðar S.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
when i do debug flow, i can see on strange line but can't find the reson for it
"fw_forward_dirty_handler" i find it little suspicious,
id=65308 trace_id=28 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 157.97.12.199:23207->92.43.192.120:2048) tun_id=0.0.0.0 from naf.root. type=8, code=0, id=23207, seq=35371."
id=65308 trace_id=28 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-0016de26, original direction"
id=65308 trace_id=28 func=npu_handle_session64 line=1287 msg="Trying to offloading session from naf.root to wan1, skb.npu_flag=00000480 ses.state=00010200 ses.npu_state=0x04000000"
id=65308 trace_id=28 func=fw_forward_dirty_handler line=414 msg="state=00010200, state2=00000000, npu_state=04000000"
i
I'm having this same issue. Digging around this forum I'm lead to believe this is an issue with the Dynamic IP Pool. Apparently you cannot use the same IPv4 address that's assigned to the WAN interface (outgoing IPv4). But I'm only assigned a single IPv4 address on the WAN interface because I have a residential connection and am only allocated a single IPv4 for accessing the public internet.
Here is what I was able to dig up on another post:
"Considering this, the NAT64 does not allow to use the WAN interface IP address as the external IP range for the IP pool. It is imperative to use an available IP address of the public range. For example, the WAN interface IP address is 192.168.1.3, therefore, the IP pool can have an available IP address within that range."
Looks like they are using a private network for the WAN port and are able to use more than one IPv4 address on that interface. So there must be an edge router somewhere on that link that's reaching the public IPv4 internet.
I still don't have a solution. Not sure what to do. I could try putting another router in between my Fortigate Firewall and ISP modem (an edge router). Then my Fortigate firewall will have a private 192.168.x.x address I have some control over. But I think this will introduce a double NAT.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.