I have a WWAN backup link that is not ipv6 capable. Clients get GUAs from the primary link. In case this link goes down and SD-WAN switches to the backup link the outbound IPv6 traffic needs NAT64.
edit: realized that NAT64 is not the right solution for this scenario. See below.
So I need NAT64 for all the IPv6 traffic that leaves through the backup link interface of my FortiGate.
NAT64 is configured on a policy level, but I can't do policies on member interfaces once they joined an SD-WAN zone.
How can I achieve this? Or did I oversee something? I could add another router that does the NAT64 for this link. But I'd prefer a solution without an additional device.
Slightly offtopic: if I had a IPv6 capable backup link, is there really no NPTv6 on FortiGates?
TIA,Oliver
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Created on 03-15-2023 03:03 AM Edited on 03-15-2023 03:03 AM
Hello OliverHeinz,
Yes, you can create a separate VDOM and add it in the SDWAN Zone and get the setup working but still on that VDOM you've to configure all the required policies and routes based on your requirement.
And also as the client is dual stack it will be able to communicate with both IPv4/IPv6
Hello,
In your scenario, If you've both Primary and Backup links in the same Zone, then you'll have issues as with a single zone you can only create a single policy for source and destination so 64 NAT will be either enabled or disabled.
The possible solution is moving the backup link Interface to a different SD-WAN zone, with that in place you'll be able to call the interface as per your requirement, but once you move the interface to a different zone, either you've to create the policy for both zones separately else you can enable feature Multiple Interface Policies by going to (System -> Feature Visibility) and adding both zones in single policy as per future requirements. The SD-WAN rules will work as it's working now, you just have to call both the zones in the rule.
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/942095/sd-wan-members-and-zo...
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/157495/simplify-nat46-and-nat64-poli...
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/290922/configuring-an-ipv6-s...
Thanks Vishal,
for pointing out a way to circumvent the limitation. Wouldn't it also be possible to create a separate VDOM just for the backup link that takes care of the additional, link-specific treatments and the use the corresponding vdom-link in the SD-WAN zone?
But I think I'm on the wrong track with the NAT64 anyway. As the clients are dual-stacked they can perfectly reach IPv4 through the backup link using their IPv4 addresses. So NAT64/DNS64 is not what is needed. An IPv6-tunnelbroker might be the right solution.
Any people out there that have this scenario working with IPv4/IPv6 on the primary link, ipv4-only on the backup link and dual-stack clients that use GUAs from the primary link?
Created on 03-15-2023 03:03 AM Edited on 03-15-2023 03:03 AM
Hello OliverHeinz,
Yes, you can create a separate VDOM and add it in the SDWAN Zone and get the setup working but still on that VDOM you've to configure all the required policies and routes based on your requirement.
And also as the client is dual stack it will be able to communicate with both IPv4/IPv6
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.