- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: routing native IPv6 through a fortigate
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
routing native IPv6 through a fortigate
I have some trouble getting ipv6 running behind my fortigate in native mode (meaning without NAT).
It works fine with NAT66, but the moment I turn NAT of on the firewall policy everything is dead.
I have a /48 from my provider and configured a /64 for the internal lan where I took on address for my test computer.
The only v6 route I setup is a default ::/0 to the router of my provider (which as stated seems to be all I have to do to get NAT66 running).
I can ping6 my external fortigate address, but not my internal computer, even though I trid a basic all/all/all policy for that as well. As the line in the policy doesnt show any traffic at all I suspect some routing issues and something I still have to setup, but I have no clue what is missing, as the monitoring section in the fortigate states a number of v6 routes saying "connected" (one of them being the internal v6 /64 going to the lan interface.
any pointers appreciated.
- « Previous
-
- 1
- 2
- Next »
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
after an hour on the phone with an isp technician I am not really any wiser. The only odd thing we found was that the isp routers interface was configured as /48, where in theory it should be a /64 (trying to configure my wan interface to /48 did not work, because the fortigate complains about overlapping nets).
After he changed it to a /64 he could at least ping my loopback device (from the isp router), yet it was still not reachable from anything beyond.
I still get a "connect: Network is unreachable" when trying to ping anything outside, which imo is totally bullshit as I have a static default route set to the isp router.
traces show incoming pings reach my fortigate, but then somehow they drown in NULL and the trace really doesnt tell me anything usefull. Its like the "ping" works, but not the "pong", which again I would understand if my gateway was off, which it isnt.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Q:
Can { 2003:54:19:2::99:1 } ping {2003:54:19::1} ?
use diag debug flow filter6 and filters
Q:
Now, if you can ping the ISP than that lan segments is reachable.
Q:
Can the internet ping { 2003:54:19:2::99:1 } ? ( use a any any policy for now )
Q:
if no, can the ISP provider ping your address ?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:Q:
Can { 2003:54:19:2::99:1 } ping {2003:54:19::1} ?
use diag debug flow filter6 and filters
yes (but its actually ::99, not ::9:1)
emnoc wrote:Q:
Now, if you can ping the ISP than that lan segments is reachable.
yes
emnoc wrote:Q:
Can the internet ping { 2003:54:19:2::99:1 } ? ( use a any any policy for now )
no.
id=20085 trace_id=133 func=resolve_ip6_tuple_fast line=3438 msg="vd-root received a packet(proto=58, 2a01:4f8:171:1445::2:21237->2003:54:19:2::99:128) from port2." id=20085 trace_id=133 func=resolve_ip6_tuple line=3537 msg="allocate a new session-00042747" id=20085 trace_id=133 func=vf_ip6_route_input line=921 msg="find a route: gw-2003:54:19:2::99 via dmz err 0 flags 01000001" id=20085 trace_id=133 func=fw6_forward_handler line=322 msg="Check policy between port2 -> dmz" id=20085 trace_id=133 func=fw6_forward_handler line=448 msg="Allowed by Policy-6:" id=20085 trace_id=134 func=resolve_ip6_tuple_fast line=3438 msg="vd-root received a packet(proto=58, 2003:54:19:2::99:21237->2a01:4f8:171:1445::2:129) from dmz." id=20085 trace_id=134 func=resolve_ip6_tuple_fast line=3463 msg="Find an existing session, id-00042747, reply direction" id=20085 trace_id=135 func=resolve_ip6_tuple_fast line=3438 msg="vd-root received a packet(proto=58, 2a01:4f8:171:1445::2:21237->2003:54:19:2::99:128) from port2." id=20085 trace_id=135 func=resolve_ip6_tuple_fast line=3463 msg="Find an existing session, id-00042747, original direction" id=20085 trace_id=135 func=ip6_session_install_npu_session line=274 msg="npu session intallation succeeded"
emnoc wrote:
Q:
if no, can the ISP provider ping your address ?
he can, but only from the isp router itself (using 2003:54:19::1), any hop behind that everything fails.
I am really getting the idea that something is borked with the current installation and I am considering reflashing just for giggles, because frankly, this is just plain wrong. Looking at all the configs it MUST work, yet it simply does not. I have also opened a ticket at fortinet for that.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'll be damned. Reflashing 5.4.5 did the trick. Everything works fine now as if nothing has ever happened...
Thanks for trying to help me here emnoc!
- « Previous
-
- 1
- 2
- Next »
Related Posts
- Can't ping VLAN interfaces through VPN 6 Views
- NO internet connection when using static... 50 Views
- free vpn client certificate problems 125 Views
- SSL VPN on LTE Disconnecting Frequently 110 Views
- new switch license 92 Views
Labels
-
FortiGate
6,532 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.