OliverHeinz
New Contributor

SD-WAN failover with non IPv6 capable backup link

I have a WWAN backup link that is not IPv6-capable. Clients get GUAs from the primary link. In case this link goes down and SD-WAN switches to the backup link, the outbound IPv6 traffic needs NAT64.

Edit: realized that NAT64 is not the right solution for this scenario. See below.

So I need NAT64 for all the IPv6 traffic that leaves through the backup link interface of my FortiGate.

NAT64 is configured on a policy level, but I can't do policies on member interfaces once they joined an SD-WAN zone.

How can I achieve this? Or did I overlook something? I could add another router that does the NAT64 for this link, but I'd prefer a solution without an additional device.

Slightly off-topic: if I had an IPv6-capable backup link, is there really no NPTv6 on FortiGates?

TIA, Oliver

vsahu
Staff

Hello,

In your scenario, if you have both the primary and backup links in the same zone, you'll have issues: with a single zone you can only create a single policy for the source and destination, so NAT64 will be either enabled or disabled.

The possible solution is moving the backup link interface to a different SD-WAN zone. With that in place you'll be able to call the interface as per your requirement. Once you move the interface to a different zone, either you have to create the policy for both zones separately, or you can enable the Multiple Interface Policies feature (System -> Feature Visibility) and add both zones to a single policy as per future requirements. The SD-WAN rules will work as they do now; you just have to call both zones in the rule.
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/942095/sd-wan-members-and-zo...
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/157495/simplify-nat46-and-nat64-poli...
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/290922/configuring-an-ipv6-s...

 

Regards,
Vishal
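An added configuration sketch of the two-zone split described above (it is not from Vishal's reply or from Fortinet's documentation); the interface names wan1, wwan and lan, the zone names and the policy IDs are assumed, and the syntax follows the FortiOS 7.x CLI:

```fortios
# Added sketch (not from the thread): one SD-WAN zone per link; names assumed.
config system sdwan
    set status enable
    config zone
        edit "primary-zone"
        next
        edit "backup-zone"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "primary-zone"
        next
        edit 2
            set interface "wwan"
            set zone "backup-zone"
        next
    end
    config service
        edit 1
            set dst "all"
            set priority-members 1 2
        next
    end
end
# Policies reference zones, so the backup zone can get different treatment.
config firewall policy
    edit 10
        set srcintf "lan"
        set dstintf "primary-zone"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 11
        set srcintf "lan"
        set dstintf "backup-zone"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The SD-WAN rule still lists members from both zones, so failover to the backup link keeps working; only the firewall policies differ per zone.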
OliverHeinz

Thanks Vishal,

for pointing out a way to circumvent the limitation. Wouldn't it also be possible to create a separate VDOM just for the backup link that takes care of the additional, link-specific treatments, and then use the corresponding VDOM link in the SD-WAN zone?

But I think I'm on the wrong track with the NAT64 anyway. As the clients are dual-stacked they can perfectly well reach IPv4 through the backup link using their IPv4 addresses. So NAT64/DNS64 is not what is needed. An IPv6 tunnel broker might be the right solution.

Any people out there that have this scenario working, with IPv4/IPv6 on the primary link, IPv4-only on the backup link and dual-stack clients that use GUAs from the primary link?

vsahu

Hello OliverHeinz,

Yes, you can create a separate VDOM and add it to the SD-WAN zone and get the setup working, but on that VDOM you still have to configure all the required policies and routes based on your requirement.

And also, as the client is dual-stack, it will be able to communicate with both IPv4 and IPv6.

Regards,
Vishal