- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Problem with Nat64 on 7.2.2
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem with Nat64 on 7.2.2
Hi,
I'm trying out NAT64 on the FG. I have followed the guide completely but it's strange that the return packet is dropped, i can see the return packet is recived on the wan interface but then no more, i'm little stuck where i should look, it's like there is missing route towards the naf.root interface
from packet sniffer
3.740201 Nat64 in 2a01:6f01:1204:c64:91f0:7113:7aba:f4c1 -> 64:ff9b::b915:11f9: icmp6: echo request seq 1681 [flowlabel 0x20000]
3.740235 naf.root out 2a01:6f01:1204:c64:91f0:7113:7aba:f4c1 -> 64:ff9b::b915:11f9: icmp6: echo request seq 1681 [flowlabel 0x20000]
3.740243 naf.root in 157.97.12.199 -> 185.21.17.249: icmp: echo request
3.740273 wan1 out 157.97.12.199 -> 185.21.17.249: icmp: echo request
3.741179 wan1 in 185.21.17.249 -> 157.97.12.199: icmp: echo reply
br
Heiðar S.
Labels:
- Labels:
-
FortiGate
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
when i do debug flow, i can see on strange line but can't find the reson for it
"fw_forward_dirty_handler" i find it little suspicious,
id=65308 trace_id=28 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 157.97.12.199:23207->92.43.192.120:2048) tun_id=0.0.0.0 from naf.root. type=8, code=0, id=23207, seq=35371."
id=65308 trace_id=28 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-0016de26, original direction"
id=65308 trace_id=28 func=npu_handle_session64 line=1287 msg="Trying to offloading session from naf.root to wan1, skb.npu_flag=00000480 ses.state=00010200 ses.npu_state=0x04000000"
id=65308 trace_id=28 func=fw_forward_dirty_handler line=414 msg="state=00010200, state2=00000000, npu_state=04000000"
i
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm having this same issue. Digging around this forum I'm lead to believe this is an issue with the Dynamic IP Pool. Apparently you cannot use the same IPv4 address that's assigned to the WAN interface (outgoing IPv4). But I'm only assigned a single IPv4 address on the WAN interface because I have a residential connection and am only allocated a single IPv4 for accessing the public internet.
Here is what I was able to dig up on another post:
"Considering this, the NAT64 does not allow to use the WAN interface IP address as the external IP range for the IP pool. It is imperative to use an available IP address of the public range. For example, the WAN interface IP address is 192.168.1.3, therefore, the IP pool can have an available IP address within that range."
Looks like they are using a private network for the WAN port and are able to use more than one IPv4 address on that interface. So there must be an edge router somewhere on that link that's reaching the public IPv4 internet.
I still don't have a solution. Not sure what to do. I could try putting another router in between my Fortigate Firewall and ISP modem (an edge router). Then my Fortigate firewall will have a private 192.168.x.x address I have some control over. But I think this will introduce a double NAT.
Related Posts
- FortiClient Azure SSO VPN issues 43 Views
- FortiGate 30E Slow connection via NAT 116 Views
- Adding HA Cluster of two 60F... 63 Views
- FortiMangaer and FGT Hub migration issues... 34 Views
- Fortigate SIP translation malefunction 78 Views
Labels
-
FortiGate
6,445 -
FortiClient
1,286 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
330 -
FortiAP
326 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
57 -
SSL-VPN
53 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
Intrusion prevention
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.