Raudi
New Contributor III

Multiple IPv6 addresses on LAN interface

Hi,

I'm currently trying to get IPv6 configured. I have 2 WAN interfaces, each with its own prefix.

WAN1 I got working. Here I'm able to deploy addresses via SLAAC or use static IPs.

My LAN interface got an internal static fd24 address; all my servers have this static address and this is used in DNS. Then I enabled the secondary IP address option and added a static IP from each prefix to the LAN interface. Now my LAN interface has 3 static IPv6 addresses configured:

config ipv6
  set ip6-address fd24:7ed4:3bd5:99::250/64
  set ip6-allowaccess ping https ssh
  config ip6-extra-addr
    edit 2a02:xxxx:xxxx:5b00::250/64
    next
    edit 2a02:xxxx:xxxx:5500::250/64
    next
  end
  set ip6-send-adv enable
  config ip6-delegated-prefix-list
    edit 1
      set upstream-interface "wan1"
      set autonomous-flag enable
      set onlink-flag enable
      set subnet ::/64
    next
  end
end

Then I added 2 policy routes to route the source with 5b00 to WAN1 and 5500 to WAN2.

OK, from LAN I can ping the 5b00::250 when I have an address in the 5b00 network. I can also access the internet.

But when I'm in the 5500 network, I can't ping the 5500::250 address of the LAN interface.

When I make a trace on the LAN interface I get a packet from the client with a "Neighbor Solicitation" but nothing else.

And in the routing table I can see only the 5b00 network via :: lan. The 5500 network isn't listed.

Is it possible that the secondary IP is limited to one additional IP address?

Or where else can I look to check why I can't ping the LAN interface with this specific secondary address?

(Next I think I'll try a reboot of the FortiGate, perhaps there is something hanging, and then I'll test discarding the fd24 address and making the 5b00 primary and the 5500 secondary.)

Regards

Stefan

1 Solution
Raudi
New Contributor III

Hi,

Today I got the info from support that in 6.0.3 the DHCPv6 client will have a unique DUID for each interface.

So the problem is solved in a few weeks when 6.0.3 is available...

Regards

Stefan

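The resolution above says the fix in 6.0.3 is a distinct DHCPv6 DUID per interface, which implies both WAN clients had been presenting the same DUID to their ISPs' DHCPv6 servers, so a prefix delegated to one could come back on the other. As an added example (not from the thread and not Fortinet code), the following Python decodes DUIDs as defined in RFC 8415 and flags interfaces that share one; the DUIDs and interface names are constructed samples.

```python
import struct
from datetime import datetime, timedelta, timezone

DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time base (RFC 8415)


def decode_duid(duid: bytes) -> dict:
    """Return the fields of a DHCPv6 DUID; raise ValueError on malformed input."""
    if len(duid) < 3:
        raise ValueError("DUID too short")
    duid_type = struct.unpack("!H", duid[:2])[0]
    if duid_type == 1 and len(duid) >= 9:  # DUID-LLT: hwtype, time, link-layer addr
        hwtype, secs = struct.unpack("!HI", duid[2:8])
        return {"type": "LLT", "hwtype": hwtype,
                "time": DUID_EPOCH + timedelta(seconds=secs),
                "lladdr": duid[8:].hex(":")}
    if duid_type == 2 and len(duid) >= 7:  # DUID-EN: enterprise number + identifier
        return {"type": "EN", "enterprise": struct.unpack("!I", duid[2:6])[0],
                "identifier": duid[6:].hex()}
    if duid_type == 3 and len(duid) >= 5:  # DUID-LL: hwtype + link-layer address
        return {"type": "LL", "hwtype": struct.unpack("!H", duid[2:4])[0],
                "lladdr": duid[4:].hex(":")}
    if duid_type == 4 and len(duid) == 18:  # DUID-UUID: fixed 16-byte UUID
        return {"type": "UUID", "uuid": duid[2:].hex()}
    raise ValueError(f"unknown or malformed DUID (type {duid_type}, {len(duid)} bytes)")


def shared_duids(duid_by_iface: dict) -> dict:
    """Map every DUID presented by more than one interface to those interfaces."""
    seen = {}
    for iface, duid in duid_by_iface.items():
        seen.setdefault(bytes(duid), []).append(iface)
    return {d.hex(): sorted(ifs) for d, ifs in seen.items() if len(ifs) > 1}


# Constructed sample: wan1 and wan2 both present a DUID-LL derived from one MAC
# (the shared-DUID situation the thread's resolution points to); lan has a DUID-LLT.
SAMPLE = {
    "wan1": bytes.fromhex("0003" "0001" "001122334455"),
    "wan2": bytes.fromhex("0003" "0001" "001122334455"),
    "lan": bytes.fromhex("0001" "0001" "2b3a1c40" "00112233aabb"),
}

if __name__ == "__main__":
    for iface, duid in SAMPLE.items():
        print(f"{iface}: {decode_duid(duid)}")
    print("shared DUIDs:", shared_duids(SAMPLE))  # wan1 and wan2 collide
```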
emnoc
Esteemed Contributor III

Hi, yes you can do that. I don't know how you could deploy autoconf if you want a client to take one prefix over the other.

In your case, you need to set the prefixes to be advertised, e.g.

config ip6-prefix-list
  edit 2001:db8:1::/64
    set autonomous-flag enable
    set preferred-life-time 600
    set valid-life-time 600
  next
  edit 2001:db8:2::/64
    set autonomous-flag enable
    set preferred-life-time 600
    set valid-life-time 600
  next
  edit 2001:db8:3::/64
    set autonomous-flag enable
    set preferred-life-time 600
    set valid-life-time 600
  next
end

http://socpuppet.blogspot.com/2015/08/just-how-many-ipv6-prefixes-can-be.html

Also for this:

  Or where else can I look to check why I can't ping the LAN interface with this specific secondary address

try any/all of the below

CLI commands:

diag debug flow filter6

diag sniffer packet <interfacename> icmp6

PCNSE

NSE

StrongSwan
Raudi
New Contributor III

Thanks for the quick answer. Only the prefix of WAN1 should be deployed automatically; the IPv6 network of WAN2 should only be used statically.

After a reboot I was able to ping both IPs; both addresses were listed in the routing table.

But I got another problem. On WAN1 I got the delegated prefix for WAN2 automatically configured?!?

How is this possible? OK, this will take some research...

Raudi
New Contributor III

I don't get it... For a moment all was fine: WAN1 had the delegated prefix from the provider and I was able to access the internet. WAN2 had its delegated prefix too and I was also able to access the internet with a client in this network.

But now the delegated prefix from WAN1 changed to the prefix which is for WAN2.

How can this be?

I have only 2 firewall policies for outgoing:

In Interface: LAN
Out Interface: WAN1
Source: Prefix WAN1
Destination: all

In Interface: LAN
Out Interface: WAN2
Source: Prefix WAN2
Destination: all

Now I removed "ALL_ICMP6" from both. And I had ping enabled on the WAN interface; this I disabled too.

After disabling WAN1 for a moment and enabling it again I got the correct prefix again.

Let's see how long the config is stable now...

Why does WAN1 get the delegated prefix info from WAN2? There is no connection between them...

Can I disable the prefix delegation and configure the prefix statically?

Kind regards

Stefan

kurtli_FTNT

Hi Raudi,

You can have more than one extra IPv6 address configured under the interface. And when the problem happens (can't ping the LAN interface), what is the output of "diag ipv6 address list"? Especially note the "flag". Usually the flag should be 'p'.

Regards

Raudi
New Contributor III

Hmmm... IPv6 seems to be under construction...

As I said, after a reboot I was able to use all IP addresses...

I wrote that I removed ALL_ICMP6 from the policy but left PING inside it. But I can't ping external sites. So PING doesn't work for IPv6. In the Forward Traffic log I see that PING6 is blocked, but PING6 I can't select in the firewall policy... In the services list I saw it is excluded from the list by default, not helpful...

And when I add ALL_ICMP6 again I get problems with the wrong prefix again.

I will stop testing for today...

At the moment I rebooted and have a working outgoing IPv6 config... Let's see if this is stable now...

Raudi
New Contributor III

It's not stable, wan2 has just lost its IPv6...

Disabled WAN2, enabled it again, waited a while and it is working again...

And a few minutes later, while all was working, WAN1 lost its IPv6.

And more minutes later WAN1 got its IP back and used the prefix from WAN2.

Time to go to bed...

emnoc
Esteemed Contributor III

What are your assignments for the WAN1/WAN2 addresses? Losing a cfg tells me these are "dynamic SLAAC enabled"?

Ken

PCNSE

NSE

StrongSwan
Raudi
New Contributor III

This is the config on both WAN interfaces:

config system interface
  edit "wan1"
    set vdom "root"
    set mode dhcp
    set allowaccess ping
    set type physical
    set estimated-upstream-bandwidth 400000
    set estimated-downstream-bandwidth 25000
    set role wan
    set snmp-index 1
    config ipv6
      set ip6-mode dhcp
      set dhcp6-prefix-delegation enable
      set dhcp6-prefix-hint 2a02:xxxx:xxxx:5b00::/64
    end
    set defaultgw disable
  next
end

WAN2 is the same with a different hint.

When I look now, both interfaces have their IP and correct prefix at this moment, but I can't access the internet with WAN1; WAN2 is working at the moment.

When I reboot the FG, I bet I can access the internet with both WAN interfaces again...

I think I must go deeper into the logs to see what happens.

Raudi
New Contributor III

OK, I removed all prefix automatics from the WAN interfaces.

Both WAN interfaces got an IP via DHCP.

When I enter (heise.de):

exec ping6 -I wan1 2a02:2e0:3fe:1001:7777:772e:2:85

or

exec ping6 -I wan2 2a02:2e0:3fe:1001:7777:772e:2:85

this works...

And I can ping any server on its static IPv6 address with:

exec ping6 2a02:xxxx:xxxx:5b00::22

or the 2nd prefix:

exec ping6 2a02:xxxx:xxxx:5500::18

But what must I configure so that I can access the internet from the internal LAN?

For IPv4 I must create a static route to the WAN interface with the gateway address of the provider.

In the IPv6 routing table I have no default route, but I don't know the IP of the provider for the next hop to create a manual route.

When I enable the prefix delegation, the traffic goes automatically from LAN to WAN, but the prefix delegation is very unstable so I want to configure this statically.

So what is missing to route from LAN to WAN? A route? Or something else?

A hint would be great.

Kind regards

Stefan
