Quass
New Contributor II

ipv6 - internal lan interface cannot reach internet

Hi,

I've configured ipv6 for the first time on my Fortigate 50E with 6.2.16 firmware.

My ISP doesn't give me the option to delegate a /56 or /60 subnet but only eight /64 subnets for internal use. So I've connected the wan1 port to the ISP bridge and, using the link-local IPv6 address of the Fortigate WAN1 port, I've delegated one of the /64 prefixes to the Fortigate.

Then I've configured the WAN1 port via CLI in DHCP mode as follows:


config system interface
  edit "wan1"
    config ipv6
      set ip6-mode dhcp
      set ip6-allowaccess ping
      set dhcp6-prefix-delegation enable
    end
  next
end


Next I've configured my lan interface:


config system interface
  edit "lan"
    config ipv6
      set ip6-mode static
      set ip6-address xxxx:xxx:xxxx:f2f1::1/64   # the subnet is the same as the one delegated by the ISP
      set ip6-allowaccess ping https ssh
      set ip6-send-adv enable
      set ip6-other-flag enable
      config ip6-delegated-prefix-list
        edit 1
          set upstream-interface "wan1"
          set autonomous-flag enable
          set onlink-flag enable
          set subnet ::/64
          set rdnss-service default
        next
      end
    end
  next
end


And then I've configured the DHCP server:


config system dhcp6 server
    edit 1
        set rapid-commit enable
        set subnet ::/64
        set interface "lan"
        set upstream-interface "wan1"
        set ip-mode delegated
    next
end


With this configuration I can reach Google's IPv6 address from the CLI via wan1 (which exits to the net with the same IPv6 address as the lan interface):

[screenshot: Immagine 2024-04-15 1634333.png]

But it is unreachable from the lan interface:

[screenshot: Immagine 2024-04-15 164056.png]

I've also created an IPv6 policy from lan to wan1 that allows traffic from any source to any destination, scheduled always and for all services, with NAT disabled. And I've created a static IPv6 route to all destinations (::/0) via wan1.

I've tried with gateway :: or the link-local address of the ISP bridge, and the Google site is reachable via wan1 only.

Where am I wrong with this configuration?

Thanks in advance


9 REPLIES
AlexC-FTNT
Staff

Not sure if anything is wrong.

Maybe debug flow can tell what the problem is:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-debug-flow-and-sniffer-to-captu...


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Quass
New Contributor II

I've tried to sniff packets using Google's IPv6 address as destination and these are the results. Do you have any other suggestion? Can I do something different?


Thanks in advance

diagnose sniffer packet lan 'host 2001:4860:4860::8888'
interfaces=[lan]
filters=[host 2001:4860:4860::8888]
id=20085 trace_id=21 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, xxxx:xxx:xxxx:f2f1::1:9728->2001:4860:4860::8888:128) from local."
id=20085 trace_id=21 func=resolve_ip6_tuple line=4663 msg="allocate a new session-000067ba"
id=20085 trace_id=22 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, xxxx:xxx:xxxx:f2f1::1:9728->2001:4860:4860::8888:128) from local."
id=20085 trace_id=22 func=resolve_ip6_tuple_fast line=4567 msg="Find an existing session, id-000067ba, original direction"
id=20085 trace_id=23 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, xxxx:xxx:xxxx:f2f1::1:9728->2001:4860:4860::8888:128) from local."
id=20085 trace_id=23 func=resolve_ip6_tuple_fast line=4567 msg="Find an existing session, id-000067ba, original direction"
id=20085 trace_id=24 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, xxxx:xxx:xxxx:f2f1::1:9728->2001:4860:4860::8888:128) from local."
id=20085 trace_id=24 func=resolve_ip6_tuple_fast line=4567 msg="Find an existing session, id-000067ba, original direction"
id=20085 trace_id=25 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, xxxx:xxx:xxxx:f2f1::1:9728->2001:4860:4860::8888:128) from local."
id=20085 trace_id=25 func=resolve_ip6_tuple_fast line=4567 msg="Find an existing session, id-000067ba, original direction"
^C
0 packets received by filter
0 packets dropped by kernel

diagnose sniffer packet wan1 'host 2001:4860:4860::8888'
interfaces=[wan1]
filters=[host 2001:4860:4860::8888]
id=20085 trace_id=26 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, xxxx:xxx:xxxx:f2f1::1:9984->2001:4860:4860::8888:128) from local."
id=20085 trace_id=26 func=resolve_ip6_tuple line=4663 msg="allocate a new session-000067c1"
4.905392 xxxx:xxx:xxxx:f2f1::1 -> 2001:4860:4860::8888: icmp6: echo request seq 1
4.932686 2001:4860:4860::8888 -> xxxx:xxx:xxxx:f2f1::1: icmp6: echo reply seq 1
id=20085 trace_id=27 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, xxxx:xxx:xxxx:f2f1::1:9984->2001:4860:4860::8888:128) from local."
id=20085 trace_id=27 func=resolve_ip6_tuple_fast line=4567 msg="Find an existing session, id-000067c1, original direction"
5.918478 xxxx:xxx:xxxx:f2f1::1 -> 2001:4860:4860::8888: icmp6: echo request seq 2
5.946118 2001:4860:4860::8888 -> xxxx:xxx:xxxx:f2f1::1: icmp6: echo reply seq 2
id=20085 trace_id=28 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, xxxx:xxx:xxxx:f2f1::1:9984->2001:4860:4860::8888:128) from local."
id=20085 trace_id=28 func=resolve_ip6_tuple_fast line=4567 msg="Find an existing session, id-000067c1, original direction"
6.938478 xxxx:xxx:xxxx:f2f1::1 -> 2001:4860:4860::8888: icmp6: echo request seq 3
6.965031 2001:4860:4860::8888 -> xxxx:xxx:xxxx:f2f1::1: icmp6: echo reply seq 3
id=20085 trace_id=29 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, xxxx:xxx:xxxx:f2f1::1:9984->2001:4860:4860::8888:128) from local."
id=20085 trace_id=29 func=resolve_ip6_tuple_fast line=4567 msg="Find an existing session, id-000067c1, original direction"
7.958474 xxxx:xxx:xxxx:f2f1::1 -> 2001:4860:4860::8888: icmp6: echo request seq 4
7.985291 2001:4860:4860::8888 -> xxxx:xxx:xxxx:f2f1::1: icmp6: echo reply seq 4
id=20085 trace_id=30 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, xxxx:xxx:xxxx:f2f1::1:9984->2001:4860:4860::8888:128) from local."
id=20085 trace_id=30 func=resolve_ip6_tuple_fast line=4567 msg="Find an existing session, id-000067c1, original direction"
8.978511 xxxx:xxx:xxxx:f2f1::1 -> 2001:4860:4860::8888: icmp6: echo request seq 5
9.006063 2001:4860:4860::8888 -> xxxx:xxx:xxxx:f2f1::1: icmp6: echo reply seq 5
^C
10 packets received by filter
0 packets dropped by kernel
AlexC-FTNT

The outputs are a little mixed up. There is no need to add "lan" or "wan" as the interface filter in the sniffer. Use "any" and it should cover both network segments.

Debug flow shows that packets are sent out. It seems that the return packet is either not seen, or not captured by the debug flow. That could be the key to solving the problem. Could you run the debug flow with a wider filter (for example, only "filter proto icmp") with the sniffer on "any" interface?


Quass
New Contributor II

Hi Alex, thank you. I've done it as indicated and below is the result. The packet seems to find the route on WAN1 that has the link-local address of the ISP bridge as gateway, but then there is the message "func=ip6_forward line=546 msg="invalid source address, drop"" and I don't understand why.

diagnose sniffer packet any 'icmp6'
interfaces=[any]
filters=[icmp6]
1.172984 fe80::926c:acff:fe65:2aa9 -> fe80::3ea6:2fff:fe98:6621: icmp6: neighbor sol: who has fe80::3ea6:2fff:fe98:6621
1.172990 fe80::926c:acff:fe65:2aa9 -> fe80::3ea6:2fff:fe98:6621: icmp6: neighbor sol: who has fe80::3ea6:2fff:fe98:6621
1.173485 fe80::3ea6:2fff:fe98:6621 -> fe80::926c:acff:fe65:2aa9: icmp6: neighbor adv: tgt is fe80::3ea6:2fff:fe98:6621
6.176203 fe80::3ea6:2fff:fe98:6621 -> fe80::926c:acff:fe65:2aa9: icmp6: neighbor sol: who has fe80::926c:acff:fe65:2aa9
6.176247 fe80::926c:acff:fe65:2aa9 -> fe80::3ea6:2fff:fe98:6621: icmp6: neighbor adv: tgt is fe80::926c:acff:fe65:2aa9
6.176251 fe80::926c:acff:fe65:2aa9 -> fe80::3ea6:2fff:fe98:6621: icmp6: neighbor adv: tgt is fe80::926c:acff:fe65:2aa9
id=20085 trace_id=87 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, fe80::72d7:5b96:95f2:703f:1->2001:4860:4860::8888:128) from lan."
id=20085 trace_id=87 func=resolve_ip6_tuple line=4663 msg="allocate a new session-00006cfa"
id=20085 trace_id=87 func=vf_ip6_route_input line=1159 msg="find a route: gw-fe80::3807:16ff:fe10:652d via wan1 err 0 flags 00050003"
id=20085 trace_id=87 func=ip6_forward line=546 msg="invalid source address, drop"
7.484323 fe80::72d7:5b96:95f2:703f -> 2001:4860:4860::8888: icmp6: echo request seq 396
7.484425 fe80::926c:acff:fe65:2aa9 -> fe80::72d7:5b96:95f2:703f: icmp6: 2001:4860:4860::8888 unreachable code-#2
7.484430 fe80::926c:acff:fe65:2aa9 -> fe80::72d7:5b96:95f2:703f: icmp6: 2001:4860:4860::8888 unreachable code-#2


AlexC-FTNT

This is progress.
My guess is that the firewall policy allowing the traffic LAN > WAN is not set up to allow ICMPv6 and ICMP (specifically, not "ALL" service).
Something is not matching there.


AlexC-FTNT

And ultimately, check that the IPv6 address that is the source in the debug flow is part of the subnet defined on the lan, and that it matches the subnet defined in the policy "source".


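As an added illustration of the check above (this is not code from the thread or from Fortinet): a small Python parser over the debug-flow lines quoted earlier that pulls the source address of each new session, reports whether it is link-local, inside the LAN prefix and inside the policy source, and ties the "invalid source address, drop" line back to its trace_id. The LAN prefix and policy source are assumed documentation stand-ins, because the poster masked the real prefix.

```python
import ipaddress
import re

# Assumed stand-ins: the thread masks the real LAN prefix as xxxx:xxx:xxxx:f2f1::/64,
# which is not a valid literal, so a documentation prefix is used here.
LAN_PREFIX = ipaddress.IPv6Network("2001:db8:0:f2f1::/64")
POLICY_SRCADDR6 = ipaddress.IPv6Network("2001:db8:0:f2f1::/64")  # what the policy "source" covers

# Constructed sample built from the debug-flow lines quoted in the thread (prefix substituted).
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=87 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, fe80::72d7:5b96:95f2:703f:1->2001:4860:4860::8888:128) from lan."
id=20085 trace_id=87 func=vf_ip6_route_input line=1159 msg="find a route: gw-fe80::3807:16ff:fe10:652d via wan1 err 0 flags 00050003"
id=20085 trace_id=87 func=ip6_forward line=546 msg="invalid source address, drop"
id=20085 trace_id=26 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, 2001:db8:0:f2f1::1:9984->2001:4860:4860::8888:128) from local."
"""

TRACE_RE = re.compile(r"trace_id=(\d+)")
PKT_RE = re.compile(r"received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\w+)\.")


def _split_addr_port(token):
    # "fe80::1:9728" -> ("fe80::1", 9728): the port is the last colon-separated field
    addr, port = token.rsplit(":", 1)
    return ipaddress.IPv6Address(addr), int(port)


def analyze_debug_flow(text, lan_prefix=LAN_PREFIX, policy_src=POLICY_SRCADDR6):
    """Return {trace_id: {"src", "in_iface", "dropped", "verdict"}} for each new packet seen."""
    sessions = {}
    for line in text.splitlines():
        tid_m = TRACE_RE.search(line)
        if not tid_m:
            continue
        tid = int(tid_m.group(1))
        pkt = PKT_RE.search(line)
        if pkt:
            src, _ = _split_addr_port(pkt.group(2))
            if src.is_link_local:
                verdict = "link-local source: host never got a global address from the LAN prefix"
            elif src not in lan_prefix:
                verdict = "source outside the LAN prefix"
            elif src not in policy_src:
                verdict = "source not covered by the policy srcaddr6"
            else:
                verdict = "ok"
            sessions[tid] = {"src": str(src), "in_iface": pkt.group(4), "dropped": False, "verdict": verdict}
        elif tid in sessions and "invalid source address, drop" in line:
            sessions[tid]["dropped"] = True  # the forward-path drop belongs to this session
    return sessions
```

Running it on the sample flags trace 87 (link-local source from lan, dropped) and passes trace 26 (the FortiGate's own global address).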
Quass
New Contributor II

I think you've found the point. It seems that the lan interface doesn't release IPv6 addresses as a DHCP server. I've manually assigned an IPv6 address in the configured range, with the IP address of the lan interface as gateway, and everything works correctly. I've also added the explicit ICMP policy as suggested. At this point, how can I configure the dhcp6 server on the lan interface correctly? I think I'm missing something.

AlexC-FTNT

Not very familiar with the DHCP setup, but check this article and see if there are any differences from your config:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-setup-the-FortiGate-to-assign-IPv6/...


Quass
New Contributor II

After working a bit with the config I've finally found the correct DHCP setup for my environment. Thank you Alex for your support!
