Raudi
Bronze Member
- Total Posts : 41
- Scores: 0
- Reward points: 0
- Joined: 2018/04/01 14:01:53
- Status: offline
Multiple IPv6 addresses on LAN interface
Hi, I'm currently trying to get IPv6 configured. I have 2 WAN interfaces, each has its own prefix. WAN1 I got working. Here I'm able to deploy addresses via SLAAC or use static IPs. My LAN interface got an internal static fd24 address, all my servers have this static address and this is used in DNS. Then I enabled the secondary IP address option and added a static IP from each prefix to the LAN interface. Now my LAN interface has 3 static IPv6 addresses configured:

    config ipv6
        set ip6-address fd24:7ed4:3bd5:99::250/64
        set ip6-allowaccess ping https ssh
        config ip6-extra-addr
            edit 2a02:xxxx:xxxx:5b00::250/64
            next
            edit 2a02:xxxx:xxxx:5500::250/64
            next
        end
        set ip6-send-adv enable
        config ip6-delegated-prefix-list
            edit 1
                set upstream-interface "wan1"
                set autonomous-flag enable
                set onlink-flag enable
                set subnet ::/64
            next
        end
    end

Then I added 2 policy routes to route the source with 5b00 to WAN1 and 5500 to WAN2. OK, from LAN I can ping the 5b00::250 when I have an address in the 5b00 network. I can also access the internet. But when I'm in the 5500 network, I can't ping the 5500::250 address of the LAN interface. When I make a trace on the LAN interface I get a packet from the client with a "Neighbor Solicitation" but nothing else. And in the routing table I can see only the 5b00 network via :: lan. The 5500 network isn't listed. Is it possible that the secondary IP is limited to one additional IP address? Or where else can I look to check why I can't ping the LAN interface with this specific secondary address? (Next I think I'll try a reboot of the FortiGate, perhaps there is something hanging, and then I'll test discarding the fd24 address and making the 5b00 primary and the 5500 secondary.)

Regards Stefan
emnoc
Expert Member
- Total Posts : 5108
- Scores: 318
- Reward points: 0
- Joined: 2008/03/20 13:30:33
- Location: AUSTIN TX AREA
- Status: offline
Re: Multiple IPv6 addresses on LAN interface
2018/04/02 08:26:14
Hi, yes you can do that. I don't know how you could deploy autoconf if you want a client to take one prefix over the other. In your case, you need to set the prefixes to be advertised, e.g.

    config ip6-prefix-list
        edit 2001:db8:1::/64
            set autonomous-flag enable
            set preferred-life-time 600
            set valid-life-time 600
        next
        edit 2001:db8:2::/64
            set autonomous-flag enable
            set preferred-life-time 600
            set valid-life-time 600
        next
        edit 2001:db8:3::/64
            set autonomous-flag enable
            set preferred-life-time 600
            set valid-life-time 600
        next
    end

http://socpuppet.blogspot.com/2015/08/just-how-many-ipv6-prefixes-can-be.html

Also for this: "Or where can i look else to check why i can't ping the LAN interface with this specific secondary address"

try any or all of the below CLI commands:

    diag debug flow filter6
    diag sniffer packet <interfacename> icmp6

PCNSE, NSE , Forcepoint , StrongSwan Specialist
Raudi
Re: Multiple IPv6 addresses on LAN interface
2018/04/02 08:35:59
Thanks for the quick answer. Only the prefix of WAN1 should be deployed automatically, the IPv6 network of WAN2 should only be used statically. After a reboot I was able to ping both IPs, both addresses were listed in the routing table. But I got another problem. In WAN1 I got the delegated prefix for WAN2 automatically configured?!? How is this possible? OK, will take some research...
Raudi
Re: Multiple IPv6 addresses on LAN interface
2018/04/02 11:07:48
I don't get it... For a moment all was fine, WAN1 has the delegated prefix from the provider and I was able to access the internet. WAN2 has its delegated prefix too and I was also able to access the internet with a client in this network. But now the delegated prefix from WAN1 changed to the prefix which is for WAN2. How can this be? I have only 2 firewall policies for outgoing:

    In Interface: LAN   Out Interface: WAN1   Source: Prefix WAN1   Destination: all
    In Interface: LAN   Out Interface: WAN2   Source: Prefix WAN2   Destination: all

Now I removed "ALL_ICMP6" at both. And I had ping enabled on the WAN interface, this I disabled too. After disabling WAN1 for a moment and enabling it again I got the correct prefix again. Let's see how long the config is now stable... Why does WAN1 get the delegated prefix info from WAN2? There is no connection between them... Can I disable the prefix delegation and configure the prefix statically?

Kind regards Stefan
kurtli_FTNT
Bronze Member
- Total Posts : 49
- Scores: 0
- Reward points: 0
- Joined: 2018/03/29 15:07:50
- Status: offline
Re: Multiple IPv6 addresses on LAN interface
2018/04/02 11:09:44
Hi Raudi, you can have more than one extra IPv6 address configured under interface. And when the problem happens (can't ping LAN interface), what is the output of "diag ipv6 address list"? Especially, note the "flag". Usually, the flag should be 'p'.

Regards
Raudi
Re: Multiple IPv6 addresses on LAN interface
2018/04/02 12:28:27
Hmmm... IPv6 seems to be under construction... As I told, after a reboot I was able to use all IP addresses... I wrote I removed the ALL_ICMP6 from the policy but left PING inside it. But I can't ping external sites. So PING doesn't work for IPv6. In the Forward Traffic log I see that PING6 is blocked, but PING6 I can't select in the firewall policy... In the services list I saw it is by default excluded from the list, not helpful... And when I add ALL_ICMP6 again I get problems with the wrong prefix again. I will stop testing for today... At the moment I rebooted and have a working outgoing IPv6 config... Let's see if this is stable now...
Raudi
Re: Multiple IPv6 addresses on LAN interface
2018/04/02 13:23:40
It's not stable, wan2 has just lost its IPv6... Disabled WAN2, enabled it again, waited a while and it is working again... And a few minutes later, while all was working, WAN1 lost its IPv6. And more minutes later WAN1 got its IP back and used the prefix from WAN2. Time to go to bed...
emnoc
Re: Multiple IPv6 addresses on LAN interface
2018/04/02 14:36:30
What's your assignment for the WAN1/WAN2 addresses? Losing a cfg tells me these are "dynamic SLAAC enabled"?

Ken
Raudi
Re: Multiple IPv6 addresses on LAN interface
2018/04/02 22:59:53
This is the config on both WAN interfaces:

    config system interface
        edit "wan1"
            set vdom "root"
            set mode dhcp
            set allowaccess ping
            set type physical
            set estimated-upstream-bandwidth 400000
            set estimated-downstream-bandwidth 25000
            set role wan
            set snmp-index 1
            config ipv6
                set ip6-mode dhcp
                set dhcp6-prefix-delegation enable
                set dhcp6-prefix-hint 2a02:xxxx:xxxx:5b00::/64
            end
            set defaultgw disable
        next
    end

WAN2 is the same with a different hint. When I look now, both interfaces have at this moment their IP and correct prefix, but I can't access the internet with WAN1, WAN2 is working at the moment. When I reboot the FG, I will bet, then I can access the internet with both WAN interfaces again... I think I must go deeper into the logs to see what happens.
Raudi
Re: Multiple IPv6 addresses on LAN interface
2018/04/03 13:39:31
OK, I removed all prefix automatics from the WAN interfaces. Both WAN interfaces got an IP via DHCP. When I enter (heise.de):

    exec ping6 -I wan1 2a02:2e0:3fe:1001:7777:772e:2:85

or

    exec ping6 -I wan2 2a02:2e0:3fe:1001:7777:772e:2:85

this works... And I can ping any server on its static IPv6 address with:

    exec ping6 2a02:xxxx:xxxx:5b00::22

or the 2nd prefix:

    exec ping6 2a02:xxxx:xxxx:5500::18

But what must I configure so that I can access the internet from the internal LAN? For IPv4 I must create a static route to the WAN interface with the gateway address of the provider. In the IPv6 routing table I have no default route, but I don't know the IP of the provider for the next hop to create a manual route. When I enable the prefix delegation, the traffic goes automatically from LAN to WAN, but the prefix delegation is very unstable, so I want to configure this statically. So what is missing to route from LAN to WAN? A route? Or something else? A hint would be great.

Kind regards Stefan
emnoc
Re: Multiple IPv6 addresses on LAN interface
2018/04/03 14:07:14
Well, I have never seen dual DHCP WAN with IPv6. Either way you will need to confirm a static route6 for the WAN link of preference and a firewall6 rule. So are you auto-delegating an IPv6 prefix to the internal clients?

Ken
Raudi
Re: Multiple IPv6 addresses on LAN interface
2018/04/03 22:56:39
I'm using one of the two prefixes for auto delegating in the LAN, like you wrote in your first post. But for my servers I disabled that and set a fixed IPv6. For the two prefixes I made two policy routes:

    source prefix1 -> wan1
    source prefix2 -> wan2

And I have 2 firewall policies:

    incoming lan / source prefix1 / outgoing wan1 / destination all / Protocols PING6,HTTP,HTTPS etc.
    incoming lan / source prefix2 / outgoing wan2 / destination all / Protocols PING6,HTTP,HTTPS etc.

When I had enabled the prefix delegation on both WAN interfaces this worked. Is it possible that the FG can't handle 2 WAN-side autodelegated prefixes? Why is the prefix for WAN2 active on WAN1? Because of these problems I disabled the autodelegation on the WAN side and want to configure this statically. But how to configure the outgoing route, I think this is the part which is missing... With that enabled:

    diag debug flow filter6 addr 2a02:2e0:3fe:1001:7777:772e:2:85

I get, when pinging the above IP from a server in the LAN:

    id=20085 trace_id=1149 func=resolve_ip6_tuple_fast line=4018 msg="vd-root:0 received a packet(proto=58, 2a02:xxxx:xxxx:5500::18:1->2a02:2e0:3fe:1001:7777:772e:2:85:128) from lan."
    id=20085 trace_id=1149 func=resolve_ip6_tuple_fast line=4054 msg="Find an existing session, id-0000485a, original direction"
    id=20085 trace_id=1149 func=ipv6_fast_cb line=58 msg="enter fast path"

This will repeat for every ping... And the routing table looks like that:

    C ::1/128 via ::, root, 1d10h38m
    C 2a02:xxxx:xxxx:5500::/64 via ::, lan, 1d10h38m
    C 2a02:xxxx:xxxx:5b00::/64 via ::, lan, 1d10h38m
    C 2a02:xxxx:xxxx:98:5c:f52e:b993:f829/128 via ::, wan1, 11:21:21
    C 2a02:xxxx:xxxx:98:6543:28b4:9fdc:dc1/128 via ::, wan2, 10:49:55
    S fd24:7ed4:3bd5:88::/64 [10/0] via fd24:7ed4:3bd5:99::1, lan, 1d10h38m
    C fd24:7ed4:3bd5:99::/64 via ::, lan, 1d10h38m
    C fe80::/64 via ::, wan2, 1d10h00m
    K ff00::/8 via ::, wan2, 1d10h01m

The IPv6 addresses for WAN1 and WAN2 are dynamic...

Regards Stefan
emnoc
Re: Multiple IPv6 addresses on LAN interface
2018/04/04 06:22:50
So you want to auto delegate from two ISPs? I never heard of that and it would be interesting to see that work. On why the one prefix is active on the other WAN interface, that might need a case with support. I think it's active probably due to your interface mode being other than "static".

Ken
Raudi
Re: Multiple IPv6 addresses on LAN interface
2018/04/04 06:34:26
??? I wrote: "I'm using one of the both prefix for auto delegating in the lan, like you wrote in your first post." Sure, 2 prefixes via auto delegation in the same LAN will be problematic... Support I must try, this is an old 100D with expired support I use here in my home office to replace a LANCOM 1781EF+, learning by playing with it. Not my main competence, but many customers have that and I want to know the products better... But perhaps as a partner, and if this can be a bug, perhaps they take a look at it. I will ask our security specialist. (But he has no experience with IPv6.)

Thanks! Stefan
emnoc
Re: Multiple IPv6 addresses on LAN interface
2018/04/04 06:55:42
Try this 1st if this is what you did not do to begin with.

    config system interface
        edit "LAN.wan1"
            config ipv6
                set ip6-mode delegated
                set ip6-allowaccess ping
                set ip6-send-adv enable
                set ip6-manage-flag enable
                set ip6-upstream-interface "wan1"
                set ip6-subnet ::1/64
                config ip6-delegated-prefix-list
                    edit 1
                        set upstream-interface "wan1"
                        set autonomous-flag enable
                        set onlink-flag enable
                        set subnet ::/64
                    next
                end
            end
        next
        edit "LAN.wan2"
            config ipv6
                set ip6-mode delegated
                set ip6-allowaccess ping
                set ip6-send-adv enable
                set ip6-manage-flag enable
                set ip6-upstream-interface "wan2"
                set ip6-subnet ::1/64
                config ip6-delegated-prefix-list
                    edit 1
                        set upstream-interface "wan1"
                        set autonomous-flag enable
                        set onlink-flag enable
                        set subnet ::/64
                    next
                end
            end
        next
    end

Now if the clients on lan1 and lan2 get a DHCPv6 PD from wan1 and wan2, then you know delegation is working, BUT this will probably break from a routing aspect unless you PBR-route the prefixes for internal.wan2 through WAN2. Next, if both LANs get a prefix from the wan1/wan2 ISP, you know you can enable multiples. You will need static routes and PBR for routing the inside LAN clients to the IPv6 internet. I have the above lab up and working but it's not working on a real internet so I can test client machines.

Ken
Raudi
Re: Multiple IPv6 addresses on LAN interface
2018/04/04 07:15:16
Hello Ken, this is almost exactly what I configured before. I had WAN1 and WAN2 configured for auto delegation, so I got my prefix from the ISP:

    config ipv6
        set ip6-mode dhcp
        set dhcp6-prefix-delegation enable
        set dhcp6-prefix-hint 2a02:xxxx:xxxx:5b00::/64
    end

Then I configured the LAN interface to use the delegated prefix from WAN1, like you wrote above. Yes, this works, sometimes... But sometimes the delegated prefix I got from the ISP on WAN1 changes to the prefix which is on WAN2, so the internet access stops working. So I think, if both WAN interfaces are not stable with the prefix, I don't need to configure the LAN side. Because of this I was thinking about configuring this statically. At the moment I'm thinking about configuring only one WAN interface for IPv6; on the second I disable it completely. If this works a few days, I can enable it on WAN2 again. When I get the problems with the prefix again, it must be a BUG...

Regards Stefan
emnoc
Re: Multiple IPv6 addresses on LAN interface
2018/04/04 07:36:51
Good ;), I thought that was what you did but your description was not clear to me ;) So I think with that earlier config & pbr6 you could maybe get it working, e.g.

    # for the prefix on the 2nd ISP.
    #
    #
    config router policy6
        edit 0
            set comment "PBR6 WAN2 prefix from LAN.wan2"
            set src 2001:db8:11::/64
            set output wan2
            set gateway <blablahisp2>
        next
    end

Could you do that? What a client of mine did by accident was to place LAN.1/LAN.2 into the same physical LAN. So some clients gained prefix1 and others prefix2. What was different from you: prefix1/2 was from the same ISP-WAN upstream. I bet you could try that. I will drop a diagram up later when I get back to my MAC and send it to be more clear. In the above description, since prefix#1 and prefix#2 were using the same WAN.ISP, pbr6 was not needed or required.

Ken
Raudi
Re: Multiple IPv6 addresses on LAN interface
2018/04/04 07:43:18
So this is my current config with one WAN working:

    config system interface
        edit "wan1"
            set vdom "root"
            set mode dhcp
            set allowaccess ping
            set type physical
            set estimated-upstream-bandwidth 400000
            set estimated-downstream-bandwidth 25000
            set role wan
            set snmp-index 1
            config ipv6
                set ip6-mode dhcp
                set dhcp6-prefix-delegation enable
                set dhcp6-prefix-hint 2a02:xxxx:xxxx:5b00::/64
            end
            set defaultgw disable
        next
        edit "wan2"
            set vdom "root"
            set mode dhcp
            set allowaccess ping
            set type physical
            set estimated-upstream-bandwidth 400000
            set estimated-downstream-bandwidth 25000
            set role wan
            set snmp-index 5
            config ipv6
            end
            set defaultgw disable
        next
        edit "lan"
            set vdom "root"
            set ip 192.168.99.250 255.255.255.0
            set allowaccess ping https ssh
            set type hard-switch
            set stp enable
            set role lan
            set snmp-index 9
            set secondary-IP enable
            config ipv6
                set ip6-address fd24:xxxx:xxxx:99::250/64
                set ip6-allowaccess ping https ssh
                set dhcp6-prefix-delegation enable
                config ip6-extra-addr
                    edit 2a02:xxxx:xxxx:5b00::250/64
                    next
                    edit 2a02:xxxx:xxxx:5500::250/64
                    next
                end
                set ip6-send-adv enable
                config ip6-delegated-prefix-list
                    edit 1
                        set upstream-interface "wan1"
                        set autonomous-flag enable
                        set onlink-flag enable
                        set subnet ::/64
                    next
                end
            end
        next
    end

    config router policy6
        edit 1
            set input-device "lan"
            set src 2a02:xxxx:xxxx:5b00::/64
            set output-device "wan1"
            set comments "IPv6 - 5b00 -> WAN1"
        next
        edit 2
            set input-device "lan"
            set src 2a02:xxxx:xxxx:5500::/64
            set output-device "wan2"
            set comments "IPv6 - 5500 -> WAN2"
        next
    end

My servers with fixed IP are able to communicate with the internet and my MacBook gets an IP via autoconfig and goes into the internet too. Now I will test and see if this config is stable.
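As an added check (example code, not from the thread or from Fortinet), this Python script parses routing-table lines in the format quoted earlier in the thread and models the two policy6 entries from the config above. It reports which LAN prefixes have no connected route (the symptom that opened the thread, where the 5500 network was missing from the table) and which WAN a given source address is policy-routed to. The ISP prefixes are replaced by constructed 2001:db8 documentation prefixes; the sample table deliberately omits the 5500 route.

```python
import ipaddress
import re

# Constructed sample in the format of the routing table quoted earlier in the
# thread; the ISP prefixes are replaced by documentation prefixes and the
# 5500 LAN prefix is deliberately absent, as in the original report.
ROUTING_TABLE = """\
C ::1/128 via ::, root, 1d10h38m
C 2001:db8:1:5b00::/64 via ::, lan, 1d10h38m
C 2001:db8:1:98:5c:f52e:b993:f829/128 via ::, wan1, 11:21:21
C 2001:db8:2:98:6543:28b4:9fdc:dc1/128 via ::, wan2, 10:49:55
S fd24:7ed4:3bd5:88::/64 [10/0] via fd24:7ed4:3bd5:99::1, lan, 1d10h38m
C fd24:7ed4:3bd5:99::/64 via ::, lan, 1d10h38m
C fe80::/64 via ::, wan2, 1d10h00m
K ff00::/8 via ::, wan2, 1d10h01m
"""

# The two policy6 entries from the thread (input-device, src, output-device),
# in evaluation order: the first matching entry wins.
POLICY6 = [
    ("lan", ipaddress.ip_network("2001:db8:1:5b00::/64"), "wan1"),
    ("lan", ipaddress.ip_network("2001:db8:2:5500::/64"), "wan2"),
]

# type, prefix, optional [distance/metric], next hop, interface
ROUTE_RE = re.compile(r"^([A-Z])\s+(\S+)\s+(?:\[\d+/\d+\]\s+)?via\s+(\S+),\s+(\w+),")

def parse_routing_table(text):
    """Return (type, network, next_hop, interface) tuples, one per route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            kind, prefix, via, iface = m.groups()
            routes.append((kind, ipaddress.ip_network(prefix), via, iface))
    return routes

def missing_connected(routes, iface, prefixes):
    """Prefixes with no connected ('C') route on iface: addresses the interface
    is configured with but that the routing table does not show as on-link."""
    present = {net for kind, net, _, i in routes if kind == "C" and i == iface}
    return [p for p in prefixes if ipaddress.ip_network(p) not in present]

def egress_for(src, policy, in_dev="lan"):
    """Output device chosen by the first policy6 entry whose src contains the
    address; None means the packet falls through to the normal routing table."""
    addr = ipaddress.ip_address(src)
    for inp, net, out in policy:
        if inp == in_dev and addr in net:
            return out
    return None

if __name__ == "__main__":
    routes = parse_routing_table(ROUTING_TABLE)
    print("LAN prefixes without connected route:",
          missing_connected(routes, "lan", ["2001:db8:1:5b00::/64", "2001:db8:2:5500::/64"]))
    for host in ("2001:db8:1:5b00::22", "2001:db8:2:5500::18", "fd24:7ed4:3bd5:99::250"):
        print(host, "->", egress_for(host, POLICY6))
```

Paste the real output of the FortiGate IPv6 routing table into ROUTING_TABLE to run the same checks against a live box; a prefix reported as missing will also fail the ping test described at the start of the thread, since the unit has no on-link route for it.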
Raudi
Re: Multiple IPv6 addresses on LAN interface
2018/04/05 10:16:57
After 22 hours of perfectly working I enabled IPv6 in DHCP mode on the WAN2 interface and set this on WAN2:

    set dhcp6-prefix-delegation enable

20 minutes later internet access through WAN1 stopped because the delegated prefix on WAN1 changed to the prefix which belongs to WAN2. To get this working on WAN1 again I disabled IPv6 on WAN2, set IPv6 on WAN1 to static, removed the address and enabled it on WAN1 again. A moment later IPv6 internet access was possible again. This behavior must be a bug.
emnoc
Re: Multiple IPv6 addresses on LAN interface
2018/04/05 10:27:36
Don't think so, but open a case. When you enable wan2, the traffic is probably going to go out WAN2, unless you do some PBR6 routing. You could do some PBR6 rules, e.g.

    src prefixes from ISP1 go out WAN1
    src prefixes from ISP2 go out WAN2

And see if that fixes the issues. I have a hunch dual prefix delegation is not supported in a FGT.

Ken