Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
OliverHeinz
New Contributor

Created on ‎03-11-2023 01:33 AM Edited on ‎03-12-2023 01:02 AM

SD-WAN failover with non IPv6 capable backup link

I have a WWAN  backup link that is not ipv6 capable. Clients get GUAs from the primary link. In case this link goes down and SD-WAN switches to the backup link the outbound IPv6 traffic needs NAT64.

edit: realized that NAT64 is not the right solution for this scenario. See below.

So I need NAT64 for all the IPv6 traffic that leaves through the backup link interface of my FortiGate.

NAT64 is configured on a policy level, but I can't do policies on member interfaces once they joined an SD-WAN zone.

How can I achieve this? Or did I oversee something? I could add another router that does the NAT64 for this link.  But I'd prefer a solution without an additional device.

 

Slightly offtopic: if I had a IPv6 capable backup link, is there  really no NPTv6 on FortiGates?

TIA,Oliver

Labels:
1344
0 Kudos
1 Solution
vsahu
Staff
Staff
In response to OliverHeinz

Created on ‎03-15-2023 03:03 AM Edited on ‎03-15-2023 03:03 AM

Hello OliverHeinz,

 


Yes, you can create a separate VDOM and add it in the SDWAN Zone and get the setup working but still on that VDOM you've to configure all the required policies and routes based on your requirement.

 

And also as the client is dual stack it will be able to communicate with both IPv4/IPv6

 

Regards,
Vishal

View solution in original post

1261
0 Kudos
3 REPLIES 3
vsahu
Staff
Staff

Created on ‎03-11-2023 04:02 AM Edited on ‎03-11-2023 04:05 AM

Hello,

 

In your scenario, If you've both Primary and Backup links in the same Zone, then you'll have issues as with a single zone you can only create a single policy for source and destination so 64 NAT will be either enabled or disabled.

 

The possible solution is moving the backup link Interface to a different SD-WAN zone, with that in place you'll be able to call the interface as per your requirement, but once you move the interface to a different zone, either you've to create the policy for both zones separately else you can enable feature Multiple Interface Policies by going to (System -> Feature Visibility) and adding both zones in single policy as per future requirements. The SD-WAN rules will work as it's working now, you just have to call both the zones in the rule.
vsahu_0-1678535775447.png
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/942095/sd-wan-members-and-zo...
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/157495/simplify-nat46-and-nat64-poli...
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/290922/configuring-an-ipv6-s...

 

Regards,
Vishal
1327
OliverHeinz
New Contributor
In response to vsahu

Created on ‎03-11-2023 10:58 AM

Thanks Vishal,

for pointing out a way to circumvent the limitation. Wouldn't it also be possible to create a separate VDOM just for the backup link that takes care of the additional, link-specific treatments and the use the corresponding vdom-link in the SD-WAN zone?

 

But I think I'm on the wrong track with the NAT64 anyway. As the clients are dual-stacked they can perfectly reach IPv4 through the backup link using their IPv4 addresses. So NAT64/DNS64 is not what is needed.  An IPv6-tunnelbroker might be the right solution.

Any people out there that have this scenario working with IPv4/IPv6 on the primary link, ipv4-only on the backup link and dual-stack clients that use GUAs from the primary link?

 

 

1320
0 Kudos
vsahu
Staff
Staff
In response to OliverHeinz

Created on ‎03-15-2023 03:03 AM Edited on ‎03-15-2023 03:03 AM

Hello OliverHeinz,

 


Yes, you can create a separate VDOM and add it in the SDWAN Zone and get the setup working but still on that VDOM you've to configure all the required policies and routes based on your requirement.

 

And also as the client is dual stack it will be able to communicate with both IPv4/IPv6

 

Regards,
Vishal
1262
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.