jason2
New Contributor

static IPv6 address won't work without NAT turned on

My ISP has given me a static /48 range of IPv6 addresses. I enabled IPv6 and gave wan1 an IPv6 address and was able to ping6 google.com. I gave my LAN interface an IPv6 address, added a static IPv6 route, and set up my Windows 2016 DHCP server to give out IPv6 addresses and DNS settings. My computers get an address from my DHCP server, but they can't ping or access the IPv6 internet unless NAT is turned on in my LAN-to-WAN IPv6 policy. What am I doing wrong?

config system interface
    edit "wan1"
        set vdom "root"
        set ip 10.10.10.10 255.255.255.240
        set allowaccess ping
        set type physical
        set role wan
        set snmp-index 1
        config ipv6
            set ip6-allowaccess ping
            set ip6-address 2001:1111:2222:8a00::2131/64
        end
    next

    edit "lan"
        set vdom "root"
        set ip 10.10.11.1 255.255.255.0
        set allowaccess ping https ssh snmp
        set type hard-switch
        set device-identification enable
        set role lan
        set snmp-index 11
        config ipv6
            set ip6-allowaccess ping https ssh
            set ip6-address 2001:1111:2222:8a02::1/64
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-other-flag enable
            config ip6-prefix-list
                edit 2001:1111:2222:8a02::/64
                    set onlink-flag enable
                next
            end
        end
    next
end

config router static6
    edit 1
        set gateway 2001:1111:2222:8a00::1
        set device "wan1"
    next
end

config system dns
    set primary 12.127.16.67
    set secondary 12.127.17.71
    set ip6-primary 2620:0:ccc::2
    set ip6-secondary 2620:0:ccd::2
end

emnoc
Esteemed Contributor III

That's not enough information, but is the network handed out being carried by the ISP, or did you just assign an address out of the /48 to the LAN?

Did you run any diag debug flow6 diagnostics?

Did you run any diag sniffer commands to see what the SRC_ipv6 address of a client is?

Ken

 

PCNSE
NSE
StrongSwan
jason2
New Contributor

I assigned the addresses out of the /48, except for the IPv6 default gateway which came from the ISP.

I forgot to mention that I have a FortiGate 100D running 5.4.7.

I will post the commands I ran and their results shortly.

jason2
New Contributor

This is what I have run:

# diag sniffer packet any "host 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6" 4 0 l
interfaces=[any]
filters=[host 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6]
2017-10-19 16:47:12.158864 lan in 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4950
2017-10-19 16:47:12.159859 wan1 out 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4950
2017-10-19 16:47:16.793186 lan in 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4951
2017-10-19 16:47:16.793460 wan1 out 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4951
2017-10-19 16:47:21.806802 lan in 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4952
2017-10-19 16:47:21.806980 wan1 out 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4952
2017-10-19 16:47:26.801705 lan in 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4953
2017-10-19 16:47:26.801872 wan1 out 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4953

From looking at the above, when NAT is disabled on the IPv6 policy, the firewall is sending out the packets, but it is not getting a response. This test was done by pinging www.google.com from a client on the LAN. If I ping6 www.google.com from the firewall I get replies. Since it looks like I am sending requests but not receiving responses, it looks like a routing problem from my ISP, AT&T. When I talked with them about it they said everything is set up correctly on their end. I have no access to the AT&T router so I can't even troubleshoot from that point.
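As an added example (not part of jason2's post and not a Fortinet tool), here is a small Python parser for sniffer lines like the ones above. It pairs each icmp6 echo request with its reply per (source, destination) flow and reports which side of the firewall the traffic stopped on: requests seen "in" but never "out" on wan1 point at the firewall (policy or route), requests that leave wan1 but get no reply point upstream. The sample is constructed: the four lines from the post, plus a made-up ping from the firewall's own wan1 address that is answered and a made-up LAN request that never reaches wan1, so that every verdict is exercised.

```python
import re
from collections import defaultdict

# One line of `diag sniffer packet ... 4 0 l` output, in the shape shown in the thread:
# <date> <time> <interface> <in|out> <src> -> <dst>: icmp6: echo <request|reply> seq <n>
LINE = re.compile(
    r"^\S+ \S+ (?P<ifc>\S+) (?P<dir>in|out) (?P<src>\S+) -> (?P<dst>\S+): "
    r"icmp6: echo (?P<kind>request|reply) seq (?P<seq>\d+)$")

# Constructed sample: the thread's four LAN-client pings (forwarded, never answered), a made-up
# ping from the firewall's own wan1 address that is answered, and a made-up LAN request that
# is seen 'lan in' but never 'wan1 out'.
SAMPLE = """\
2017-10-19 16:47:12.158864 lan in 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4950
2017-10-19 16:47:12.159859 wan1 out 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4950
2017-10-19 16:47:16.793186 lan in 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4951
2017-10-19 16:47:16.793460 wan1 out 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4951
2017-10-19 16:47:21.806802 lan in 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4952
2017-10-19 16:47:21.806980 wan1 out 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4952
2017-10-19 16:47:26.801705 lan in 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4953
2017-10-19 16:47:26.801872 wan1 out 2001:1111:2222:8A02:a46c:a914:3e9b:a2a6 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 4953
2017-10-19 16:47:30.000000 wan1 out 2001:1111:2222:8a00::2131 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 1
2017-10-19 16:47:30.012000 wan1 in 2607:f8b0:4002:810::2004 -> 2001:1111:2222:8a00::2131: icmp6: echo reply seq 1
2017-10-19 16:47:35.000000 lan in 2001:1111:2222:8a02::77 -> 2607:f8b0:4002:810::2004: icmp6: echo request seq 7
"""


def analyze(text, wan="wan1"):
    """Per (src, dst) flow: echo request seqs that were never answered, and where the flow stopped."""
    flows = defaultdict(lambda: {"arrived": set(), "forwarded": set(), "answered": set()})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        f, seq = m.groupdict(), int(m.group("seq"))
        if f["kind"] == "request":
            key = (f["src"], f["dst"])
            if f["dir"] == "in":
                flows[key]["arrived"].add(seq)          # entered the firewall from a client
            elif f["ifc"] == wan:
                flows[key]["forwarded"].add(seq)        # left towards the ISP
        else:
            flows[(f["dst"], f["src"])]["answered"].add(seq)   # reply, keyed by the original flow
    report = {}
    for key, s in flows.items():
        sent = s["arrived"] | s["forwarded"]            # the firewall's own pings are only seen 'out'
        if s["arrived"] - s["forwarded"]:
            verdict = "dropped inside the firewall: check policy/route with diag debug flow6"
        elif s["forwarded"] - s["answered"]:
            verdict = "left %s but nothing came back: the upstream cannot reach the source prefix" % wan
        else:
            verdict = "ok"
        report[key] = {"unanswered": sorted(sent - s["answered"]), "verdict": verdict}
    return report


if __name__ == "__main__":
    for (src, dst), r in analyze(SAMPLE).items():
        print("%s -> %s: %s %s" % (src, dst, r["unanswered"], r["verdict"]))
```

Run it on a capture taken with the same sniffer filter; the "left wan1 but nothing came back" verdict is exactly the pattern in the post, and it is a heuristic, not proof of where upstream the return traffic dies.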

jason2
New Contributor

AT&T has told me that the router is set up correctly and the problem must be with the firewall. I have given the wan1 interface the IPv6 address 2001:1111:2222:8a00::2131/64. From my cell phone, I can ping6 the LAN-side part of the router, 2001:1111:2222:8a00::1/64, but I can't ping 2001:1111:2222:8a00::2131. However, I can ping6 from 2001:1111:2222:8a00::2131 to www.google.com.

emnoc
Esteemed Contributor III

Do you have allowaccess under the ipv6 config for pings on WAN?

 

Ken

 

PCNSE
NSE
StrongSwan
jason2
New Contributor

Yes I do. See the config in my first post.

emnoc
Esteemed Contributor III

diag sniffer packet wan1 "icmp6"

Do a ping (use an NTT IPv6 looking-glass); does an icmp6 echo-request get to that interface?

If yes, do cli diag debug flow filter6 and set some filters; what does that show?

Dump the RIB IPv6 family; what does that show?

Again, CLI commands listed below:

get router info6 routing-table connected

get router info6 routing-table database

Are your routes in the table? Do you have the expected IPv6 routes? The right interfaces? Etc.

Ken

 

PCNSE
NSE
StrongSwan
OBDSINFO
New Contributor

Resurrecting this 6-year-old thread...

I'm using a 200E firewall with FortiOS 7.4.0.

Experiencing the exact same symptoms.

ISP assigned a /48 block.

WAN assigned a smaller block, a /112.

LAN and VLANs assigned /64 blocks.

 

WAN traffic: no issues with IPv6.

LAN / VLAN: IPv6 traffic can go out, but getting no incoming traffic, unless I enable NAT.

LAN cannot ping the gateway IP, but WAN can.

From the Internet, we can ping the LAN interface IP, regardless of whether NAT is on or off. But not the rest of the LAN network.

 

Got another firewall, a 100F, with a similar setup on another site, and got no such problem. The same recipe was applied on both firewalls. That 100F is running older firmware, 7.2.5.

Opened a support case with Fortinet support. They were able to observe the issue by doing an online session and running all kinds of diagnostic commands.

Waiting for the past 5 days for their response.

Feels like a bug in the firmware, but Jason got the issue like 6 years ago on a much older OS. Unless the feature was broken twice in two different firmwares, it makes no sense.

I'll post any useful update if the support team is able to fix it.

Unless any of you already know the answer to the original issue reported?

OBDSINFO

Took me 5 months to find the answer, being assisted by both Fortinet support and the ISP, which were throwing the ball to each other.

Fortinet support and I thought it was a routing issue at the ISP level.

But then we realized the LAN interface IP was pingable from the WAN, but not any VM inside the LAN network. Since the LAN IP answered ping requests while being on the same IP subnet as the VM IPs, it could not be a routing issue.

That's when we reopened a ticket again with Fortinet...

 

 

Finally...

 

The fix was simply to enable the "Neighbor discovery proxy" through the CLI, for all interfaces requiring IPv6 (LAN and VLANs).

Sample:

 

config system nd-proxy
set status enable
set member "wan1" "LAN" "VLAN_200"
end

 

It was much trickier as we have 2 FortiGate devices, on 2 different sites, with 2 different ISPs.

One did not need the ND proxy at all. The other site did.

So it seems like it depends on how the ISP is setting up their network.

From my understanding, ND Proxy for IPv6 is the counterpart of ARP for IPv4.

It's documented in here:

https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/967274/neighbor-discovery-pr...

 

I bet the OP @jason2 had the exact same issue ? I know it's been many years, but would be curious to know.
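The symptom OBDSINFO describes (the LAN interface answers from the Internet, the hosts behind it do not, until nd-proxy is enabled on wan1) is what you get when the ISP router treats the delegated /48 as on-link on the WAN segment and resolves addresses in it with Neighbor Discovery instead of routing the whole prefix to the firewall's WAN address. The following Python model is added here and is not FortiGate code. It builds and checks raw ICMPv6 Neighbor Solicitation and Neighbor Advertisement messages (RFC 4861 layout, RFC 4443 checksum over the IPv6 pseudo-header) and applies the proxy rule that `config system nd-proxy` with members "wan1" "LAN" "VLAN_200" implies: an NS arriving on one member interface for a target that lives behind another member is answered with the ingress interface's own MAC. The /64 assumed for VLAN_200, every MAC address and the VM address are made up; the other prefixes and addresses are the ones posted in this thread.

```python
import ipaddress
import struct

ICMPV6_NS, ICMPV6_NA = 135, 136                  # Neighbor Solicitation / Advertisement
NA_ROUTER, NA_SOLICITED, NA_OVERRIDE = 0x80, 0x40, 0x20
ALL_NODES = ipaddress.IPv6Address("ff02::1")
UNSPECIFIED = ipaddress.IPv6Address("::")


def icmpv6_checksum(src, dst, msg):
    """RFC 4443 checksum: IPv6 pseudo-header (src, dst, length, next header 58) + message."""
    data = src.packed + dst.packed + struct.pack("!IxxxB", len(msg), 58) + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(src, dst, msg):
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def solicited_node(addr):
    """ff02::1:ffXX:XXXX for addr (RFC 4291): the group an NS for addr is sent to."""
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + addr.packed[13:])


def build_ns(src, target, src_mac=None):
    """NS as the ISP router sends it ('who has <target>?'); src_mac=None models a DAD probe from ::."""
    dst = solicited_node(target)
    opt = b"" if src_mac is None else b"\x01\x01" + src_mac          # source link-layer option
    body = struct.pack("!BBHI", ICMPV6_NS, 0, 0, 0) + target.packed + opt
    return dst, _with_checksum(src, dst, body)


def parse_ns(src, dst, msg):
    """Target address of a well-formed NS, else None (a valid message checksums to 0)."""
    if len(msg) < 24 or msg[0] != ICMPV6_NS or msg[1] != 0:
        return None
    if icmpv6_checksum(src, dst, msg) != 0:
        return None
    return ipaddress.IPv6Address(msg[8:24])


def build_na(src, dst, target, flags, mac):
    """NA: flags byte, target, and a target link-layer option (type 2) carrying our MAC."""
    body = struct.pack("!BBHB3x", ICMPV6_NA, 0, 0, flags) + target.packed + b"\x02\x01" + mac
    return _with_checksum(src, dst, body)


class NdProxy:
    """Model of `config system nd-proxy`: members = {ifname: (if address, if MAC, [on-link prefixes])}."""

    def __init__(self, members):
        self.members = members

    def handle_ns(self, ingress_if, src, dst, msg):
        """Return (reply destination, NA bytes), or None when the NS must not be proxied."""
        if ingress_if not in self.members:
            return None
        target = parse_ns(src, dst, msg)
        if target is None:
            return None
        behind = [i for i, (_, _, nets) in self.members.items()
                  if i != ingress_if and any(target in n for n in nets)]
        if not behind:        # target is on this link (or not ours): the real owner answers, not the proxy
            return None
        my_addr, my_mac, _ = self.members[ingress_if]
        # RFC 4861 7.2.4: S is set unless the NS came from :: (DAD, answered to all-nodes);
        # a proxy SHOULD leave O clear so a later NA from the real owner is not overridden.
        flags = NA_ROUTER | (0 if src == UNSPECIFIED else NA_SOLICITED)
        reply_dst = ALL_NODES if src == UNSPECIFIED else src
        return reply_dst, build_na(my_addr, reply_dst, target, flags, my_mac)


def demo():
    """Replay the thread's scenario. VLAN_200's /64, all MACs and the VM address are made up."""
    A, N = ipaddress.IPv6Address, ipaddress.IPv6Network
    isp_router, isp_mac = A("2001:1111:2222:8a00::1"), bytes.fromhex("001122334455")
    proxy = NdProxy({
        "wan1":     (A("2001:1111:2222:8a00::2131"), bytes.fromhex("00090f000001"), [N("2001:1111:2222:8a00::/64")]),
        "LAN":      (A("2001:1111:2222:8a02::1"),    bytes.fromhex("00090f000002"), [N("2001:1111:2222:8a02::/64")]),
        "VLAN_200": (A("2001:1111:2222:8a03::1"),    bytes.fromhex("00090f000003"), [N("2001:1111:2222:8a03::/64")]),
    })
    vm = A("2001:1111:2222:8a02::10")
    out = {"solicited_node": str(solicited_node(vm))}
    dst, ns = build_ns(isp_router, vm, isp_mac)
    out["lan_host_via_wan1"] = proxy.handle_ns("wan1", isp_router, dst, ns)   # proxied with wan1's MAC
    rd, na = out["lan_host_via_wan1"]
    out["na_checksum_ok"] = icmpv6_checksum(A("2001:1111:2222:8a00::2131"), rd, na) == 0
    out["lan_host_via_lan"] = proxy.handle_ns("LAN", isp_router, dst, ns)     # on-link there: silent
    dst2, ns2 = build_ns(isp_router, A("2001:1111:2222:9999::10"), isp_mac)
    out["foreign_target"] = proxy.handle_ns("wan1", isp_router, dst2, ns2)    # not behind any member
    out["corrupted"] = proxy.handle_ns("wan1", isp_router, dst, ns[:10] + bytes([ns[10] ^ 1]) + ns[11:])
    dst3, ns3 = build_ns(UNSPECIFIED, vm)                                     # DAD probe from upstream
    out["dad"] = proxy.handle_ns("wan1", UNSPECIFIED, dst3, ns3)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, (str(v[0]), v[1].hex()) if isinstance(v, tuple) else v)
```

The model only shows the decision and the wire format; a real ND proxy also has to relay the NS toward the inner interface and learn which host actually owns the target, and it must never answer for addresses that are on-link on the interface the NS arrived on, which is why the "LAN" case above stays silent. If the ISP instead routes the /48 to the firewall's WAN address (OBDSINFO's second site), no NS for LAN addresses ever appears on wan1 and the proxy has nothing to do.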
