My ISP has given me a static /48 range of IPv6 addresses. I enabled IPv6 and gave wan1 an IPv6 address and was able to ping6 google.com. I gave my LAN interface an IPv6 address, added a static IPv6 route, and set up my Windows 2016 DHCP server to give out IPv6 addresses and DNS settings. My computers get an address from my DHCP server, but they can't ping or access the IPv6 internet unless NAT is turned on in my LAN-to-WAN IPv6 policy. What am I doing wrong?
config system interface
    edit "wan1"
        set vdom "root"
        set ip 10.10.10.10 255.255.255.240
        set allowaccess ping
        set type physical
        set role wan
        set snmp-index 1
        config ipv6
            set ip6-allowaccess ping
            set ip6-address 2001:1111:2222:8a00::2131/64
        end
    next
    edit "lan"
        set vdom "root"
        set ip 10.10.11.1 255.255.255.0
        set allowaccess ping https ssh snmp
        set type hard-switch
        set device-identification enable
        set role lan
        set snmp-index 11
        config ipv6
            set ip6-allowaccess ping https ssh
            set ip6-address 2001:1111:2222:8a02::1/64
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-other-flag enable
            config ip6-prefix-list
                edit 2001:1111:2222:8a02::/64
                    set onlink-flag enable
                next
            end
        end
    next
end
config router static6
    edit 1
        set gateway 2001:1111:2222:8a00::1
        set device "wan1"
    next
end
config system dns
    set primary 12.127.16.67
    set secondary 12.127.17.71
    set ip6-primary 2620:0:ccc::2
    set ip6-secondary 2620:0:ccd::2
end
That's not enough information, but is the network being handed out carried by the ISP, or did you just assign an address out of the /48 to the LAN?
Did you run any diag debug flow6 diagnostics?
Did you run any diag sniffer commands to see what the SRC_ipv6 address of a client is?
Ken
PCNSE
NSE
StrongSwan
I assigned the addresses out of the /48, except for the IPv6 default gateway which came from the ISP.
I forgot to mention that I have a FortiGate 100D running 5.4.7.
I will post the commands I ran and their results shortly.
This is what I have run:
# diag sniffer packet any "host 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6" 4 0 l
interfaces=[any]
filters=[host 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6]
2017-10-19 16:47:12.158864 lan in 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4950
2017-10-19 16:47:12.159859 wan1 out 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4950
2017-10-19 16:47:16.793186 lan in 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4951
2017-10-19 16:47:16.793460 wan1 out 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4951
2017-10-19 16:47:21.806802 lan in 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4952
2017-10-19 16:47:21.806980 wan1 out 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4952
2017-10-19 16:47:26.801705 lan in 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4953
2017-10-19 16:47:26.801872 wan1 out 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4953
From looking at the above, when NAT is disabled on the IPv6 policy, the firewall is sending out the packets, but it is not getting a response. This test was done by pinging www.google.com from a client on the LAN. If I ping6 www.google.com from the firewall I get replies. Since it looks like I am sending requests but not receiving responses, it looks like a routing problem from my ISP, AT&T. When I talked with them about it they said everything is set up correctly on their end. I have no access to the AT&T router so I can't even troubleshoot from that point.
AT&T has told me that the router is set up correctly and the problem must be with the firewall. I have given the wan1 interface the IPv6 address 2001:1111:2222:8a00::2131/64. From my cell phone, I can ping6 the LAN-side part of the router, 2001:1111:2222:8a00::1/64, but I can't ping 2001:1111:2222:8a00::2131. However, I can ping6 from 2001:1111:2222:8a00::2131 to www.google.com.
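The capture above is read by eye in the thread; as an added example (not from any poster), this script parses lines in the same `diag sniffer packet ... 4 0 l` shape and separates flows whose echo requests left wan1 but never saw a reply from flows that worked. The sample capture, the documentation-prefix addresses and the verdict names are constructed; the firewall's own WAN address is passed in so firewall-sourced pings can be told apart from LAN-sourced ones, which is the distinction the thread turns on.

```python
import re
from collections import defaultdict
# Constructed sample in the shape printed by `diag sniffer packet any "<filter>" 4 0 l`
# (addresses are documentation prefixes, not the thread's real ones).
SAMPLE_CAPTURE = """\
2017-10-19 16:47:12.158864 lan in 2001:db8:1:2::a -> 2001:db8:ffff::1: icmp6: echo request seq 1
2017-10-19 16:47:12.159859 wan1 out 2001:db8:1:2::a -> 2001:db8:ffff::1: icmp6: echo request seq 1
2017-10-19 16:47:13.100000 lan in 2001:db8:1:2::a -> 2001:db8:ffff::1: icmp6: echo request seq 2
2017-10-19 16:47:13.100200 wan1 out 2001:db8:1:2::a -> 2001:db8:ffff::1: icmp6: echo request seq 2
2017-10-19 16:47:20.000000 wan1 out 2001:db8:0:1::2 -> 2001:db8:ffff::1: icmp6: echo request seq 7
2017-10-19 16:47:20.020000 wan1 in 2001:db8:ffff::1 -> 2001:db8:0:1::2: icmp6: echo reply seq 7
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (\S+) (in|out) (\S+) -> (\S+): icmp6: echo (request|reply) seq (\d+)$"
)

def parse_sniffer(text, wan_iface="wan1"):
    """Group echo request/reply lines on the WAN leg into (client, peer) flows."""
    flows = defaultdict(lambda: {"req_out": 0, "rep_in": 0, "unanswered": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header lines such as interfaces=[any], or non-echo traffic
        _ts, iface, direction, src, dst, kind, seq = m.groups()
        if iface != wan_iface:
            continue  # only the WAN leg shows whether replies come back
        if kind == "request" and direction == "out":
            f = flows[(src, dst)]
            f["req_out"] += 1
            f["unanswered"].add(int(seq))
        elif kind == "reply" and direction == "in":
            f = flows[(dst, src)]  # a reply flows back to the original client
            f["rep_in"] += 1
            f["unanswered"].discard(int(seq))
    return dict(flows)

def summarize(flows, wan_addr):
    """Requests leaving wan1 from a LAN source with no reply, while pings sourced
    from wan_addr succeed, point at the return path for the LAN prefix."""
    verdicts = {}
    for (src, dst), f in flows.items():
        if f["rep_in"]:
            verdicts[(src, dst)] = "ok"
        elif src == wan_addr:
            verdicts[(src, dst)] = "upstream-unreachable"  # even the firewall gets no reply
        else:
            verdicts[(src, dst)] = "no-return-path"  # forwarded out, nothing came back
    return verdicts
```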
Do you have allowaccess under the ipv6 config for pings on WAN?
Ken
PCNSE
NSE
StrongSwan
Yes I do. See the code of my first post.
diag sniffer packet wan1 "icmp6"
Do a ping (use an NTT IPv6 looking-glass); does the icmp6 echo-request get to that interface?
If yes, do cli diag debug flow filter6 and set some filters; what does that show?
Dump the RIB (IPv6 family); what does that show?
Again, CLI commands listed below:
get router info6 routing-table connected
get router info6 routing-table database
Are your routes in the table? Do you have the expected IPv6 routes? The right interfaces? Etc.
Ken
PCNSE
NSE
StrongSwan
Resurrecting this 6-year-old thread...
I'm using a 200E firewall with FortiOS 7.4.0.
Experiencing the exact same symptoms.
ISP assigned a /48 block.
WAN assigned a smaller block, /112.
LAN and VLANs assigned /64 blocks.
WAN traffic: no issues with IPv6.
LAN / VLAN: IPv6 traffic can go out, but getting no incoming traffic, unless I enable NAT.
LAN cannot ping the gateway IP, but WAN can.
From the Internet, we can ping the LAN interface IP, regardless of the NAT status being On or Off. But not the rest of the LAN network.
Got another firewall, a 100F, with a similar setup on another site, and got no such problem. The same recipe was applied on both firewalls. That 100F is running older firmware, 7.2.5.
Opened a support case with Fortinet support. They were able to observe the issue by doing an online session and running all kinds of diagnostic commands.
Waiting for the past 5 days for their response.
Feels like a bug in the firmware, but Jason got the issue like 6 years ago on a much older OS. Unless the feature was broken twice in 2 different firmwares, it makes no sense.
I'll post any useful update if the support team is able to fix it.
Unless any of you already know the answer to the original issue reported?
Took me 5 months to find the answer, being assisted by both Fortinet support and the ISP, which were throwing the ball to each other...
Fortinet support and I thought it was a routing issue at the ISP level.
But then we realized the LAN interface IP was pingable from the WAN, but not any VM inside the LAN network. Since the LAN IP answered ping requests while being on the same IP subnet as the VM IPs, it could not be a routing issue.
That's when we reopened a ticket again with Fortinet...
Finally...
The fix was simply to enable the "Neighbor discovery proxy" through the CLI, for all interfaces requiring IPv6 (LAN and VLANs).
Sample:
config system nd-proxy
    set status enable
    set member "wan1" "LAN" "VLAN_200"
end
It was trickier as we have 2 FortiGate devices, on 2 different sites, with 2 different ISPs.
One did not need the ND-PROXY at all. The other site did.
So it seems like it depends on how the ISP is setting up their network.
From my understanding, ND Proxy for IPv6 is the counterpart of ARP for IPv4.
It's documented in here:
I bet the OP @jason2 had the exact same issue? I know it's been many years, but would be curious to know.
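To make the fix above concrete, here is an added model (not FortiOS code and not from any poster) of what `config system nd-proxy` changes: who answers a Neighbor Solicitation arriving on wan1 for an address in a LAN or VLAN /64. The addressing is constructed from documentation prefixes to mirror the thread's layout, and the model assumes, as the thread only infers, that the upstream router treats the delegated block as on-link and solicits the reply's destination on the WAN link; that assumption is what makes NAT (replies addressed to the firewall's own WAN address) work while un-NATed LAN sources get nothing back.

```python
from ipaddress import IPv6Address, IPv6Network

# Constructed addressing mirroring the thread's layout: one /48 from the ISP,
# a /64 of it on the WAN link and a /64 on each LAN/VLAN (documentation prefix).
WAN_IFACE = "wan1"
WAN_ADDR = IPv6Address("2001:db8:abcd::2131")
IFACE_PREFIXES = {
    "wan1": IPv6Network("2001:db8:abcd::/64"),
    "LAN": IPv6Network("2001:db8:abcd:2::/64"),
    "VLAN_200": IPv6Network("2001:db8:abcd:200::/64"),
}

def answers_neighbor_solicitation(target, arriving_iface, nd_proxy_members):
    """Who answers a Neighbor Solicitation for `target` seen on `arriving_iface`.

    Without ND proxy the firewall only answers for its own address on that
    link. With nd-proxy enabled and both the arriving interface and the
    interface owning the target's prefix listed as members, it answers on the
    host's behalf (RFC 4389 proxying), so the upstream router resolves the LAN
    address to the firewall's link-layer address and forwards replies to it.
    Returns "self", "proxy-for-<iface>" or None (solicitation unanswered)."""
    target = IPv6Address(target)
    if arriving_iface == WAN_IFACE and target == WAN_ADDR:
        return "self"
    if arriving_iface not in nd_proxy_members:
        return None
    for iface, prefix in IFACE_PREFIXES.items():
        if iface != arriving_iface and iface in nd_proxy_members and target in prefix:
            return f"proxy-for-{iface}"
    return None

def reply_reaches_client(client_src, nat_enabled, nd_proxy_members):
    """Model of the thread's symptom, assuming (inferred, not confirmed by the
    ISP) that the upstream router treats the delegated block as on-link and
    sends an NS on the WAN link for each reply's destination. With NAT the
    reply is addressed to WAN_ADDR, which the firewall always answers; without
    NAT it is addressed to the LAN host, which is answered only via proxy."""
    upstream_dst = WAN_ADDR if nat_enabled else IPv6Address(client_src)
    return answers_neighbor_solicitation(upstream_dst, WAN_IFACE, nd_proxy_members) is not None
```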