Hi,
I've configured IPv6 for the first time on my Fortigate 50E with 6.2.16 firmware.
My ISP doesn't give me the option to delegate a /56 or /60 subnet, but only eight /64 subnets for internal use. So I've connected the wan1 port to the ISP bridge and, using the link-local IPv6 address of the Fortigate wan1 port, I've delegated one of the /64 prefixes to the Fortigate.
Then I've configured the WAN1 port via CLI in dhcp as follows:
config system interface
    edit "wan1"
        config ipv6
            set ip6-mode dhcp
            set ip6-allowaccess ping
            set dhcp6-prefix-delegation enable
        end
    next
end
Next I've configured my lan interface:
config system interface
    edit "lan"
        config ipv6
            set ip6-mode static
            # the subnet is the same as the one delegated by the ISP
            set ip6-address xxxx:xxx:xxxx:f2f1::1/64
            set ip6-allowaccess ping https ssh
            set ip6-send-adv enable
            set ip6-other-flag enable
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan1"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet ::/64
                    set rdnss-service default
                next
            end
        end
    next
end
And then I've configured the DHCP server:
config system dhcp6 server
    edit 1
        set rapid-commit enable
        set subnet ::/64
        set interface "lan"
        set upstream-interface "wan1"
        set ip-mode delegated
    next
end
With this configuration I can reach Google's IPv6 address from the CLI via wan1 (which exits to the net with the same IPv6 address as the lan interface):
But it is unreachable from the lan interface:
I've also created an IPv6 policy from lan to wan1 that allows traffic from any source to any destination, always scheduled and for all services, with NAT disabled. And I've created a static IPv6 route for all destinations (::/0) via wan1.
I've tried with gateway :: or the link-local address of the ISP bridge, and the Google site is reachable via wan1 only.
Where am I wrong with this configuration?
thanks in advance
Not sure if anything is wrong.
Maybe debug flow can tell what the problem is:
I've tried to sniff packets using Google's IPv6 address as destination, and these are the results. Do you have any other suggestion? Can I do something differently?
Thanks in advance
diagnose sniffer packet lan 'host 2001:4860:4860::8888'
interfaces=[lan]
filters=[host 2001:4860:4860::8888]
id=20085 trace_id=21 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, xxxx:xxx:xxxx:f2f1::1:9728->2001:4860:4860::8888:128) from local."
id=20085 trace_id=21 func=resolve_ip6_tuple line=4663 msg="allocate a new session-000067ba"
id=20085 trace_id=22 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, xxxx:xxx:xxxx:f2f1::1:9728->2001:4860:4860::8888:128) from local."
id=20085 trace_id=22 func=resolve_ip6_tuple_fast line=4567 msg="Find an existing session, id-000067ba, original direction"
id=20085 trace_id=23 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, xxxx:xxx:xxxx:f2f1::1:9728->2001:4860:4860::8888:128) from local."
id=20085 trace_id=23 func=resolve_ip6_tuple_fast line=4567 msg="Find an existing session, id-000067ba, original direction"
id=20085 trace_id=24 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, xxxx:xxx:xxxx:f2f1::1:9728->2001:4860:4860::8888:128) from local."
id=20085 trace_id=24 func=resolve_ip6_tuple_fast line=4567 msg="Find an existing session, id-000067ba, original direction"
id=20085 trace_id=25 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, xxxx:xxx:xxxx:f2f1::1:9728->2001:4860:4860::8888:128) from local."
id=20085 trace_id=25 func=resolve_ip6_tuple_fast line=4567 msg="Find an existing session, id-000067ba, original direction"
^C
0 packets received by filter
0 packets dropped by kernel
diagnose sniffer packet wan1 'host 2001:4860:4860::8888'
interfaces=[wan1]
filters=[host 2001:4860:4860::8888]
id=20085 trace_id=26 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, xxxx:xxx:xxxx:f2f1::1:9984->2001:4860:4860::8888:128) from local."
id=20085 trace_id=26 func=resolve_ip6_tuple line=4663 msg="allocate a new session-000067c1"
4.905392 xxxx:xxx:xxxx:f2f1::1 -> 2001:4860:4860::8888: icmp6: echo request seq 1
4.932686 2001:4860:4860::8888 -> xxxx:xxx:xxxx:f2f1::1: icmp6: echo reply seq 1
id=20085 trace_id=27 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, xxxx:xxx:xxxx:f2f1::1:9984->2001:4860:4860::8888:128) from local."
id=20085 trace_id=27 func=resolve_ip6_tuple_fast line=4567 msg="Find an existing session, id-000067c1, original direction"
5.918478 xxxx:xxx:xxxx:f2f1::1 -> 2001:4860:4860::8888: icmp6: echo request seq 2
5.946118 2001:4860:4860::8888 -> xxxx:xxx:xxxx:f2f1::1: icmp6: echo reply seq 2
id=20085 trace_id=28 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, xxxx:xxx:xxxx:f2f1::1:9984->2001:4860:4860::8888:128) from local."
id=20085 trace_id=28 func=resolve_ip6_tuple_fast line=4567 msg="Find an existing session, id-000067c1, original direction"
6.938478 xxxx:xxx:xxxx:f2f1::1 -> 2001:4860:4860::8888: icmp6: echo request seq 3
6.965031 2001:4860:4860::8888 -> xxxx:xxx:xxxx:f2f1::1: icmp6: echo reply seq 3
id=20085 trace_id=29 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, xxxx:xxx:xxxx:f2f1::1:9984->2001:4860:4860::8888:128) from local."
id=20085 trace_id=29 func=resolve_ip6_tuple_fast line=4567 msg="Find an existing session, id-000067c1, original direction"
7.958474 xxxx:xxx:xxxx:f2f1::1 -> 2001:4860:4860::8888: icmp6: echo request seq 4
7.985291 2001:4860:4860::8888 -> xxxx:xxx:xxxx:f2f1::1: icmp6: echo reply seq 4
id=20085 trace_id=30 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, xxxx:xxx:xxxx:f2f1::1:9984->2001:4860:4860::8888:128) from local."
id=20085 trace_id=30 func=resolve_ip6_tuple_fast line=4567 msg="Find an existing session, id-000067c1, original direction"
8.978511 xxxx:xxx:xxxx:f2f1::1 -> 2001:4860:4860::8888: icmp6: echo request seq 5
9.006063 2001:4860:4860::8888 -> xxxx:xxx:xxxx:f2f1::1: icmp6: echo reply seq 5
^C
10 packets received by filter
0 packets dropped by kernel
The outputs are a little mixed up. There is no need to add "lan" or "wan" as the interface filter in the sniffer. Use "any" and it should cover both network segments.
Debug flow shows that packets are sent out. It seems that the return packet is either not seen, or not captured by the debug flow. That could be the key to solving the problem. Could you run the debug flow with a wider filter (for example, only "filter proto icmp") with the sniffer on the "any" interface?
Hi Alex, thank you. I've done it as indicated and below is the result. The packet seems to find the route on wan1, which has the link-local address of the ISP bridge as gateway, but then there is the message "func=ip6_forward line=546 msg="invalid source address, drop"" and I don't understand why.
diagnose sniffer packet any 'icmp6'
interfaces=[any]
filters=[icmp6]
1.172984 fe80::926c:acff:fe65:2aa9 -> fe80::3ea6:2fff:fe98:6621: icmp6: neighbor sol: who has fe80::3ea6:2fff:fe98:6621
1.172990 fe80::926c:acff:fe65:2aa9 -> fe80::3ea6:2fff:fe98:6621: icmp6: neighbor sol: who has fe80::3ea6:2fff:fe98:6621
1.173485 fe80::3ea6:2fff:fe98:6621 -> fe80::926c:acff:fe65:2aa9: icmp6: neighbor adv: tgt is fe80::3ea6:2fff:fe98:6621
6.176203 fe80::3ea6:2fff:fe98:6621 -> fe80::926c:acff:fe65:2aa9: icmp6: neighbor sol: who has fe80::926c:acff:fe65:2aa9
6.176247 fe80::926c:acff:fe65:2aa9 -> fe80::3ea6:2fff:fe98:6621: icmp6: neighbor adv: tgt is fe80::926c:acff:fe65:2aa9
6.176251 fe80::926c:acff:fe65:2aa9 -> fe80::3ea6:2fff:fe98:6621: icmp6: neighbor adv: tgt is fe80::926c:acff:fe65:2aa9
id=20085 trace_id=87 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, fe80::72d7:5b96:95f2:703f:1->2001:4860:4860::8888:128) from lan."
id=20085 trace_id=87 func=resolve_ip6_tuple line=4663 msg="allocate a new session-00006cfa"
id=20085 trace_id=87 func=vf_ip6_route_input line=1159 msg="find a route: gw-fe80::3807:16ff:fe10:652d via wan1 err 0 flags 00050003"
id=20085 trace_id=87 func=ip6_forward line=546 msg="invalid source address, drop"
7.484323 fe80::72d7:5b96:95f2:703f -> 2001:4860:4860::8888: icmp6: echo request seq 396
7.484425 fe80::926c:acff:fe65:2aa9 -> fe80::72d7:5b96:95f2:703f: icmp6: 2001:4860:4860::8888 unreachable code-#2
7.484430 fe80::926c:acff:fe65:2aa9 -> fe80::72d7:5b96:95f2:703f: icmp6: 2001:4860:4860::8888 unreachable code-#2
This is progress.
My guess is that the firewall policy allowing the traffic LAN > WAN is not set up to allow ICMPv6 and ICMP (specifically, not "ALL" service).
Something is not matching there
and ultimately, check that the ipv6 IP that is sourced in the debug flow is part of the subnet defined on the lan, and it matches the subnet defined in the policy "source"
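The check Alex suggests (is the source address in the debug flow actually inside the LAN /64 the policy expects?) can be done by hand, but it is easy to script over a saved `diagnose debug flow` capture. The following is an added example, not code from the thread or from Fortinet: it parses the `trace_id`/`func`/`msg` lines, groups them per session, and classifies each session's source as link-local, inside the LAN prefix, or outside it. The sample lines are constructed after the ones posted above; `2001:db8:0:f2f1::/64` is an RFC 3849 documentation prefix standing in for the redacted `xxxx:xxx:xxxx:f2f1::/64`, and the `LAN_PREFIX` constant is an assumption about what is configured on "lan".

```python
"""Triage helper for FortiGate `diagnose debug flow` IPv6 output (added example)."""
import ipaddress
import re
from collections import defaultdict

# Assumption: the /64 configured on "lan" and used as the firewall policy source.
LAN_PREFIX = ipaddress.ip_network("2001:db8:0:f2f1::/64")

# Constructed sample, modelled on the debug flow output in the thread.
# trace 87: a host that only has a link-local address (what the thread shows).
# trace 88: a host with an address from the LAN /64 (what should happen).
SAMPLE_FLOW = """\
id=20085 trace_id=87 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, fe80::72d7:5b96:95f2:703f:1->2001:4860:4860::8888:128) from lan."
id=20085 trace_id=87 func=resolve_ip6_tuple line=4663 msg="allocate a new session-00006cfa"
id=20085 trace_id=87 func=vf_ip6_route_input line=1159 msg="find a route: gw-fe80::3807:16ff:fe10:652d via wan1 err 0 flags 00050003"
id=20085 trace_id=87 func=ip6_forward line=546 msg="invalid source address, drop"
7.484323 fe80::72d7:5b96:95f2:703f -> 2001:4860:4860::8888: icmp6: echo request seq 396
id=20085 trace_id=88 func=resolve_ip6_tuple_fast line=4529 msg="vd-root:0 received a packet(proto=58, 2001:db8:0:f2f1::1234:1->2001:4860:4860::8888:128) from lan."
id=20085 trace_id=88 func=resolve_ip6_tuple line=4663 msg="allocate a new session-00006cfb"
id=20085 trace_id=88 func=vf_ip6_route_input line=1159 msg="find a route: gw-fe80::3807:16ff:fe10:652d via wan1 err 0 flags 00050003"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\S+) .*?msg="(?P<msg>.*)"$')
# The IPv6 tuple is "src:sport->dst:dport"; the port is the last all-digit group,
# so a lazy match on the address followed by ":digits" splits it correctly.
PACKET_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>.+?):(?P<sport>\d+)->(?P<dst>.+?):(?P<dport>\d+)\) from (?P<ingress>\w+)\.'
)
ROUTE_RE = re.compile(r'find a route: gw-(?P<gw>\S+) via (?P<oif>\S+)')
DROP_RE = re.compile(r'^(?P<reason>.*), drop$')


def parse_flow(text):
    """Group debug-flow message lines by trace_id; sniffer lines are skipped."""
    traces = defaultdict(lambda: {"events": []})
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        t = traces[m["tid"]]
        msg = m["msg"]
        pm = PACKET_RE.search(msg)
        if pm:
            t.update(src=pm["src"], dst=pm["dst"], proto=int(pm["proto"]),
                     ingress=pm["ingress"])
        rm = ROUTE_RE.search(msg)
        if rm:
            t.update(gateway=rm["gw"], egress=rm["oif"])
        dm = DROP_RE.match(msg)
        if dm:
            t["drop_reason"] = dm["reason"]
        t["events"].append(m["func"])
    return dict(traces)


def triage(text, lan_prefix=LAN_PREFIX):
    """Return, per trace_id, where the source sits relative to the LAN prefix
    and whether the flow was dropped, so a mismatch is visible at a glance."""
    report = {}
    for tid, t in parse_flow(text).items():
        if "src" not in t:
            continue  # no packet line seen for this trace
        src = ipaddress.ip_address(t["src"])
        if src.is_link_local:
            verdict = "link-local"        # not routable past the segment
        elif src in lan_prefix:
            verdict = "in-lan-prefix"     # matches the policy source subnet
        else:
            verdict = "outside-lan-prefix"
        report[tid] = {
            "src": str(src), "dst": t["dst"], "ingress": t.get("ingress"),
            "egress": t.get("egress"), "verdict": verdict,
            "dropped": "drop_reason" in t, "drop_reason": t.get("drop_reason"),
        }
    return report


if __name__ == "__main__":
    for tid, r in triage(SAMPLE_FLOW).items():
        state = f"DROPPED ({r['drop_reason']})" if r["dropped"] else "forwarded"
        print(f"trace {tid}: {r['src']} -> {r['dst']} "
              f"[{r['ingress']} -> {r['egress']}] source={r['verdict']} {state}")
```

Run it against a capture taken with `diagnose debug flow` on the "any" interface: a session whose source is reported as `link-local` while it is being routed out of wan1 is the pattern from the thread, and points at address assignment on the LAN (RA/DHCPv6) rather than at the policy or the route.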
I think you've found the point. It seems that the lan interface doesn't hand out IPv6 addresses as a DHCP server. I've manually assigned an IPv6 address in the configured range, with the lan interface's IP address as gateway, and everything works correctly. I've also added the explicit ICMP policy as suggested. At this point, how can I configure the dhcp6 server on the lan interface correctly? I think I'm missing something.
Not very familiar with the DHCP setup, but check this article and see if there are any differences from your config:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-setup-the-FortiGate-to-assign-IPv6/...
After working a bit with the config I've finally found the correct DHCP setup for my environment. Thank you Alex for your support!