I have some trouble getting ipv6 running behind my fortigate in native mode (meaning without NAT).
It works fine with NAT66, but the moment I turn NAT of on the firewall policy everything is dead.
I have a /48 from my provider and configured a /64 for the internal lan where I took on address for my test computer.
The only v6 route I setup is a default ::/0 to the router of my provider (which as stated seems to be all I have to do to get NAT66 running).
I can ping6 my external fortigate address, but not my internal computer, even though I trid a basic all/all/all policy for that as well. As the line in the policy doesnt show any traffic at all I suspect some routing issues and something I still have to setup, but I have no clue what is missing, as the monitoring section in the fortigate states a number of v6 routes saying "connected" (one of them being the internal v6 /64 going to the lan interface.
any pointers appreciated.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
after an hour on the phone with an isp technician I am not really any wiser. The only odd thing we found was that the isp routers interface was configured as /48, where in theory it should be a /64 (trying to configure my wan interface to /48 did not work, because the fortigate complains about overlapping nets).
After he changed it to a /64 he could at least ping my loopback device (from the isp router), yet it was still not reachable from anything beyond.
I still get a "connect: Network is unreachable" when trying to ping anything outside, which imo is totally bullshit as I have a static default route set to the isp router.
traces show incoming pings reach my fortigate, but then somehow they drown in NULL and the trace really doesnt tell me anything usefull. Its like the "ping" works, but not the "pong", which again I would understand if my gateway was off, which it isnt.
Q:
Can { 2003:54:19:2::99:1 } ping {2003:54:19::1} ?
use diag debug flow filter6 and filters
Q:
Now, if you can ping the ISP than that lan segments is reachable.
Q:
Can the internet ping { 2003:54:19:2::99:1 } ? ( use a any any policy for now )
Q:
if no, can the ISP provider ping your address ?
PCNSE
NSE
StrongSwan
emnoc wrote:Q:
Can { 2003:54:19:2::99:1 } ping {2003:54:19::1} ?
use diag debug flow filter6 and filters
yes (but its actually ::99, not ::9:1)
emnoc wrote:Q:
Now, if you can ping the ISP than that lan segments is reachable.
yes
emnoc wrote:Q:
Can the internet ping { 2003:54:19:2::99:1 } ? ( use a any any policy for now )
no.
id=20085 trace_id=133 func=resolve_ip6_tuple_fast line=3438 msg="vd-root received a packet(proto=58, 2a01:4f8:171:1445::2:21237->2003:54:19:2::99:128) from port2." id=20085 trace_id=133 func=resolve_ip6_tuple line=3537 msg="allocate a new session-00042747" id=20085 trace_id=133 func=vf_ip6_route_input line=921 msg="find a route: gw-2003:54:19:2::99 via dmz err 0 flags 01000001" id=20085 trace_id=133 func=fw6_forward_handler line=322 msg="Check policy between port2 -> dmz" id=20085 trace_id=133 func=fw6_forward_handler line=448 msg="Allowed by Policy-6:" id=20085 trace_id=134 func=resolve_ip6_tuple_fast line=3438 msg="vd-root received a packet(proto=58, 2003:54:19:2::99:21237->2a01:4f8:171:1445::2:129) from dmz." id=20085 trace_id=134 func=resolve_ip6_tuple_fast line=3463 msg="Find an existing session, id-00042747, reply direction" id=20085 trace_id=135 func=resolve_ip6_tuple_fast line=3438 msg="vd-root received a packet(proto=58, 2a01:4f8:171:1445::2:21237->2003:54:19:2::99:128) from port2." id=20085 trace_id=135 func=resolve_ip6_tuple_fast line=3463 msg="Find an existing session, id-00042747, original direction" id=20085 trace_id=135 func=ip6_session_install_npu_session line=274 msg="npu session intallation succeeded"
emnoc wrote:
Q:
if no, can the ISP provider ping your address ?
he can, but only from the isp router itself (using 2003:54:19::1), any hop behind that everything fails.
I am really getting the idea that something is borked with the current installation and I am considering reflashing just for giggles, because frankly, this is just plain wrong. Looking at all the configs it MUST work, yet it simply does not. I have also opened a ticket at fortinet for that.
I'll be damned. Reflashing 5.4.5 did the trick. Everything works fine now as if nothing has ever happened...
Thanks for trying to help me here emnoc!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.