Unable to connect to JPIX's V6 Plus Fixed IP service with FortiGate

kinatyama · ‎05-02-2024

I recently subscribed to a fixed IP (IPv4) line with Flets Cross and configured a VNE tunnel from FortiGate, but I was unable to connect to the internet. I would appreciate it if you could provide me with a solution to this problem.

I followed the instructions in the following document:

https://www.fortinet.com/content/dam/fortinet/assets/deployment-guides/ja_jp/fg-jpne-v6plus.pdf

Device and Version Information:

FortiGate: 1500D
FortiOS: 7.2.8

Line Information:

Provider: en Hikari
Plan: Flets Cross V6Plus fixed IP (IPv4)
Equipment: ONU (no HGW)
v4 IP Address: 144.x.x.x/32
IFID: ::0072:x:x:x
BRAddr: 2404:x:x:x::x
UpdateURL: http://fcs.enabler.ne.jp/update?user=[username]&pass=[password]

Thank you for your time and assistance.

sarrpatta · ‎05-02-2024

I used the Ip Pool for the NAT between the Internal and wan1 interfaces,the DNS is good the fortigate can not access any external ip addresses beside the default gateway i think its because the FGT is using the wan address instead of the nat address

kinatyama · ‎05-02-2024

Thank you for your reply.

I apologize for my lack of understanding, but I am unable to resolve names, etc. even from the FortiGate CLI,
It appears that you are not able to connect to the Internet because the VNE tunnel is not properly constructed.
*I am using FortiGate for self-learning, so it is possible that there is a rudimentary problem.

funkylicious · ‎05-02-2024

Hi,

First of all, you dont seem to have DNS servers set on the FGT, the reason why you cant resolve google.com , are any set ?

Secondly, while trying to ping 8.8.8.8 , do you have a static ipv4 route for this traffic to be able to exit the local device ?

If you want to use ipv6 , then you should try execute ping6 IP/HOSTNAME

Also, a ipv6 route should be also installed in the routing table, you can check with, get router info6 routing-table static

geek

kinatyama · ‎05-02-2024

Hi,
>First of all, you dont seem to have DNS servers set on the FGT, the reason why you cant resolve google.com , are any set ?
0.0.0.0 is set to the DNS server in order to configure the DNS server obtained by DHCPv6 information request.

>Secondly, while trying to ping 8.8.8.8 , do you have a static ipv4 route for this traffic to be able to exit the local device ?
Yes, there is.
Static route is configured to the vne.root interface.
However, we believe that the vne.root tunnel is not configured correctly and that the connection to the Internet is not working.

funkylicious · ‎05-02-2024

Hi,

Please try and override the DNS server settings and use some custom ones, like 1.1.1.1 or 8.8.8.8 instead of 0.0.0.0 or whatever is available for you in terms of public DNS's .

This can be done from Network > DNS > Specify and input the IP's or from CLI , https://docs.fortinet.com/document/fortigate/7.4.3/cli-reference/28620/config-system-dns

geek

kinatyama · ‎05-02-2024

I overwrote the DNS server, but could not resolve the name as well.

funkylicious · ‎05-02-2024

I see.

Can you confirm that you have done the steps from the link, 2-5 , 2-6 ( i can see that it's done ) , 2-7 and 2-8 ?

After those, you should get the IPv6 address from step 3-2 which in your case laddr and raddr is not populated.

L.E. also, on step 2-1 on port37 under config ipv6 , you have set the interface-identifier as the HWaddr of port37, right ? Which you can find using this command ,

get hardware nic port37 | grep Hwaddr

geek

kinatyama · ‎05-02-2024

I have configured everything, but are not able to get IPv6 to the WAN interface (port37).