Multiple IPv6 addresses on LAN interface

Author
Raudi
Bronze Member
  • Total Posts : 36
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/04/01 14:01:53
  • Status: offline
Re: Multiple IPv6 addresses on LAN interface 2018/04/05 10:37:45 (permalink)
0
This I have already:
config router policy6
    edit 1
        set input-device "lan"
        set src 2a02:xxxx:xxxx:5b00::/64
        set output-device "wan1"
        set comments "IPv6 - 5b00 -> WAN1"
    next
    edit 2
        set input-device "lan"
        set src 2a02:xxxx:xxxx:5500::/64
        set output-device "wan2"
        set comments "IPv6 - 5500 -> WAN2"
    next
end
Why dual prefix? I have 2 separate WAN interfaces with a prefix. WAN1 must use the delegated prefix from WAN1 and WAN2 must use the prefix of WAN2.
 
The LAN interface has nothing to do with the prefix delegation on the WAN interface...
#21
Raudi
Re: Multiple IPv6 addresses on LAN interface 2018/06/17 03:05:09 (permalink)
0
I'm a little bit further in this. I opened a case and I think I have the cause for my problem:
 
My old LANCOM uses, for communicating with the DHCPv6 server on each interface, the corresponding hardware address of the interface as client ID.
 
The Fortigate uses here for all interfaces the same client ID (DUID). If I understand this correctly, each interface has a different interface ID (IAID), which should also be used to identify it.
 
So WAN1 asks for an IP with the same DUID as the WAN2 interface, and the provider seems not to respect the IAID value; this causes the problem here.
 
LANCOM used different DUIDs; because of this it worked in the past...
 
I tried to tell this to the provider, but the chance to move something at Vodafone is very low; it is a big problem to find someone who understands the problem. All the supporters can only help with their standard matrix. And they say their responsibility ends at the modem, everything after that is my problem and they can't help. And now tell a standard call center supporter that the DHCP server sends wrong responses...
 
The Fortigate Support now searches for a way to use different DUIDs.
#22
emnoc
Expert Member
  • Total Posts : 5082
  • Scores: 311
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Multiple IPv6 addresses on LAN interface 2018/06/17 09:13:10 (permalink)
0

> The Fortigate uses here for all interfaces the same client ID (DUID). If I understand this correctly, each interface has a different interface ID (IAID), which should also be used to identify it.

That should be correct for the DHCPv6 services

> The Fortigate Support now searches a way to use different DUID'

So what are you trying to accomplish: a different DUID per each WAN interface, or the interface ID? I will share this KB for Juniper that I ran into which might be relevant
 
https://www.juniper.net/d...-duid-configuring.html
 
Ken
 

PCNSE, NSE, Forcepoint, StrongSwan Specialist
#23
Raudi
Re: Multiple IPv6 addresses on LAN interface 2018/06/17 10:53:29 (permalink)
0
Hi Ken,
 
I need a different DUID for each WAN interface...
 
Interesting is this on the link you provided:
 
"The DUID type is specified per routing instance."
 
WAN1 is a different routing instance than WAN2? So, on a Juniper I will get a different DUID on each WAN interface.
 
 
I think the FG uses DUID-LL because at the end is the MAC of WAN1. And the DUID on WAN2 has the MAC of WAN1.
 
Stefan
 
 
#24
Raudi
Re: Multiple IPv6 addresses on LAN interface 2018/06/18 08:37:21 (permalink)
0
O.k., just got feedback from support: no chance to configure something to get different DUIDs.
 
I should contact my sales representative to create a feature request.
 
They say the FortiGate is RFC 3315 conformant.
 
But in my view, each WAN interface should work as a DHCPv6 client fully independent from other WAN interfaces. A firewall is a special client in my view...
 
I'm a little bit frustrated at the moment... 
#25
emnoc
Re: Multiple IPv6 addresses on LAN interface 2018/06/18 12:18:32 (permalink)
0
What I would do is to take a pcap from each interface. IIRC the DUID is vendor specific but the identifier should be different per interface IIRC, so look at this cloudshark
 
https://www.cloudshark.org/captures/eeedef4dd779
 
Do  a DHCPv6 client request per-interface and compare
 
ADD: here's what I did with linux a few years back
http://socpuppet.blogspot...pv6-on-fortigates.html
post edited by emnoc - 2018/06/18 12:24:38

PCNSE, NSE, Forcepoint, StrongSwan Specialist
#26
Raudi
Re: Multiple IPv6 addresses on LAN interface 2018/06/18 13:27:06 (permalink)
0
Hi,
 
here is a trace from WAN1:
 

You can see that WAN1 uses the MAC from a different interface as DUID.
 
 
 

[Attached image: DHCPv6 packet trace from WAN1]

#27
Raudi
Re: Multiple IPv6 addresses on LAN interface 2018/06/18 13:29:05 (permalink)
0
Here is a trace from WAN2:
 

The DUID is the MAC of WAN2, and WAN1 and WAN2 are using the same.
 
Only the IAID is different.
 
Regards
Stefan
 

[Attached image: DHCPv6 packet trace from WAN2]

#28
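Ken's suggestion in #26 (capture the DHCPv6 client request on each WAN interface and compare) and the result Stefan reports in #27/#28 (same DUID on both interfaces, only the IAID differs) can be reproduced offline with a small parser. The following Python is an added example, not code from the thread, from Fortinet or from any vendor: it decodes the RFC 3315 message header, the Client Identifier option (DUID) and the IAID of IA_NA/IA_PD options, then reports whether several interfaces share one DUID. The two packets are constructed inline to mirror the reported state (both carry a DUID-LL built from WAN1's MAC, with IAIDs 1 and 2); the MAC address and transaction IDs are made up.

```python
# Added example: minimal DHCPv6 client-message parser used to compare the
# Client Identifier (DUID) and IA identifiers (IAID) sent on two WAN
# interfaces. Not code from the thread or from Fortinet; the sample packets
# below are constructed to mirror the thread's findings.
import struct
from dataclasses import dataclass, field

MSG_TYPES = {1: "SOLICIT", 3: "REQUEST", 5: "RENEW", 8: "RELEASE"}
OPT_CLIENTID, OPT_IA_NA, OPT_IA_PD = 1, 3, 25          # RFC 3315 / RFC 3633
DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}


def parse_options(buf):
    """Walk the option TLVs (2-byte code, 2-byte length); reject truncation."""
    pos, out = 0, []
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if len(buf) - pos < length:
            raise ValueError(f"option {code} claims {length} bytes, fewer present")
        out.append((code, bytes(buf[pos:pos + length])))
        pos += length
    return out


def describe_duid(duid):
    """Return (DUID type name, embedded MAC or None) for LL and LLT DUIDs."""
    dtype = struct.unpack_from("!H", duid, 0)[0]
    name = DUID_TYPES.get(dtype, f"DUID-type-{dtype}")
    if dtype == 3 and len(duid) == 10:      # type(2) hw-type(2) MAC(6)
        return name, duid[4:10].hex(":")
    if dtype == 1 and len(duid) == 14:      # type(2) hw-type(2) time(4) MAC(6)
        return name, duid[8:14].hex(":")
    return name, None


@dataclass
class ClientMessage:
    msg_type: str
    xid: int
    duid: bytes
    iaids: dict = field(default_factory=dict)   # "IA_NA"/"IA_PD" -> IAID


def parse_client_message(pkt):
    """Parse msg-type, transaction id, Client Identifier and IA_NA/IA_PD IAIDs."""
    if len(pkt) < 4:
        raise ValueError("message shorter than fixed header")
    msg_type = MSG_TYPES.get(pkt[0], f"type-{pkt[0]}")
    xid = int.from_bytes(pkt[1:4], "big")
    duid, iaids = None, {}
    for code, data in parse_options(pkt[4:]):
        if code == OPT_CLIENTID:
            duid = data
        elif code in (OPT_IA_NA, OPT_IA_PD):
            if len(data) < 12:                  # IAID(4) T1(4) T2(4)
                raise ValueError("IA option too short")
            iaids["IA_PD" if code == OPT_IA_PD else "IA_NA"] = struct.unpack_from("!I", data)[0]
    if duid is None:
        raise ValueError("no Client Identifier option")
    return ClientMessage(msg_type, xid, duid, iaids)


def compare_interfaces(captures):
    """captures: {interface: raw DHCPv6 client message}. Flags a DUID shared
    across interfaces, which is the condition the thread identifies."""
    parsed = {name: parse_client_message(pkt) for name, pkt in captures.items()}
    distinct_duids = {m.duid for m in parsed.values()}
    return {
        "duid_shared": len(parsed) > 1 and len(distinct_duids) == 1,
        "duids": {n: describe_duid(m.duid) for n, m in parsed.items()},
        "iaids": {n: m.iaids for n, m in parsed.items()},
    }


def build_request(xid, duid_mac, iaid):
    """Construct a REQUEST carrying a DUID-LL and one IA_PD (no sub-options)."""
    duid = struct.pack("!HH", 3, 1) + duid_mac              # DUID-LL, Ethernet
    ia_pd = struct.pack("!III", iaid, 3600, 5400)           # IAID, T1, T2
    return (bytes([3]) + xid.to_bytes(3, "big")
            + struct.pack("!HH", OPT_CLIENTID, len(duid)) + duid
            + struct.pack("!HH", OPT_IA_PD, len(ia_pd)) + ia_pd)


# Constructed sample: both interfaces present a DUID-LL built from WAN1's
# (made-up) MAC and differ only in IAID, as reported in posts #27/#28.
WAN1_MAC = bytes.fromhex("02aa11bb22c1")
SAMPLE_CAPTURES = {
    "wan1": build_request(0x0A0B0C, WAN1_MAC, 1),
    "wan2": build_request(0x0D0E0F, WAN1_MAC, 2),
}

if __name__ == "__main__":
    result = compare_interfaces(SAMPLE_CAPTURES)
    print("DUID shared across interfaces:", result["duid_shared"])
    for name in SAMPLE_CAPTURES:
        print(name, result["duids"][name], result["iaids"][name])
```

To use it on real captures, feed `compare_interfaces` the UDP payload of one Solicit or Request per interface (exported from the pcap as raw bytes); a `duid_shared` of True with differing IAIDs is exactly the pattern the thread ends up attributing to the lease overwrite at the provider.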
Raudi
Re: Multiple IPv6 addresses on LAN interface 2018/06/18 14:02:26 (permalink)
0
Oops... double post... Can be erased...
post edited by Raudi - 2018/06/18 14:25:40
#29
Raudi
Re: Multiple IPv6 addresses on LAN interface 2018/06/18 14:24:47 (permalink)
0
Oh, I found something, this is exactly our problem:
 
https://www.juniper.net/documentation/en_US/junos/topics/concept/dhcpv6-duplicate-client-duid.html
 
By default it is not allowed to have a duplicate DUID; the new request will replace the first.
 
Only after enabling this feature will the IAID be used to identify the interface and duplicate DUIDs be allowed. But this is not the default.
 
From the DHCPv6 server DUID I can see that my provider uses Cisco; perhaps Cisco has a similar setting, or Cisco is only the relay agent and the DHCPv6 server is different, who knows.
 
But I found a bug in the Cisco relay agent:
 
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvg03094
 
Complex problem...
 
#30
emnoc
Re: Multiple IPv6 addresses on LAN interface 2018/06/18 14:39:07 (permalink)
0
So what's providing your DHCPv6 server assignment? I did mine (with a linux box) and had mixed results, hence why I did that blog post. I can retest now & provide an update
 
Ken 
 

PCNSE, NSE, Forcepoint, StrongSwan Specialist
#31
Raudi
Dual IPv6 WAN with DHCPv6 - was: Multiple IPv6 addresses on LAN interface 2018/06/18 14:46:56 (permalink)
0
Hello Ken,
 
sorry, I don't understand that question; I have no access to the DHCPv6 server, the server is at my internet service provider, Vodafone...
 
Stefan
#32
emnoc
Re: Dual IPv6 WAN with DHCPv6 - was: Multiple IPv6 addresses on LAN interface 2018/06/18 15:26:06 (permalink)
0
What's the upstream DHCPv6 server?
 

PCNSE, NSE, Forcepoint, StrongSwan Specialist
#33
Raudi
Re: Dual IPv6 WAN with DHCPv6 - was: Multiple IPv6 addresses on LAN interface 2018/06/18 22:59:23 (permalink)
0
As I say, I can't say what they use; from the server DUID I can say that the vendor is Cisco.
 
Sure, if I can identify what they use I can search for the default behavior.
 
I think the default is that they do not allow duplicate DUIDs; our problem looks very close to the behavior described on the Juniper web site.
 
The second DHCP request replaces the first request. And then the renew from the first request gets the info that the information it used is invalid.
#34
Raudi
Re: Dual IPv6 WAN with DHCPv6 - was: Multiple IPv6 addresses on LAN interface 2018/07/08 02:37:07 (permalink)
0
Hi,
 
Vodafone confirms my problem; the problem is, they identify a customer by the DUID and don't allow multiple DUIDs.
 
As I talked with a Vodafone technician, we were able to see on their DHCP server exactly the behavior we discovered before. The second WAN interface overwrites the lease from the first WAN interface and the DUID walks from the first customer number to the second. When the first WAN now wants to renew the lease it gets the info that the IP is invalid and gets the info from the second WAN...
 
I think Fortinet will now change their behavior, so that both WAN interfaces will be able to use different DUIDs...
 
Kind regards
Stefan
#35
Raudi
Re: Dual IPv6 WAN with DHCPv6 - was: Multiple IPv6 addresses on LAN interface 2018/09/04 04:13:38 (permalink) (marked helpful by tanr 2018/09/04 07:43:50)
0
Hi,
 
today I got the info from support that in 6.0.3 the DHCPv6 client will have a unique DUID for each interface.
 
So the problem is solved in a few weeks when 6.0.3 is available...
 
Regards
Stefan
#36
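The failure Stefan describes in #34 and #35 (the second WAN's Request overwrites the first lease because the server keys on the DUID alone, so the first WAN's Renew is then rejected) and the two ways out of it (a server that binds on the (DUID, IAID) pair, as the Juniper page in #30 describes, or a unique DUID per interface, as the 6.0.3 fix in #36 reports) can be illustrated with a small model of the server's lease table. The Python below is an added example, not the provider's, Juniper's or Fortinet's code; the binding model is deliberately simplified, the status name `NoBinding` is borrowed from RFC 3315 only as a label, and the DUIDs and prefixes are constructed.

```python
# Added example: simplified model of a DHCPv6 server that keys its lease
# bindings either on the client DUID alone or on the (DUID, IAID) pair.
# Not the provider's or any vendor's code; DUIDs and prefixes are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    duid: bytes
    iaid: int
    prefix: str


class BindingModel:
    """Lease table whose key is either the DUID (customer identity only) or
    the (DUID, IAID) pair that RFC 3315 uses to identify an IA."""

    POOL = ["2001:db8:5b00::/64", "2001:db8:5500::/64"]   # constructed

    def __init__(self, key_by_iaid):
        self.key_by_iaid = key_by_iaid
        self.bindings = {}
        self._next = 0

    def _key(self, duid, iaid):
        return (duid, iaid) if self.key_by_iaid else duid

    def request(self, duid, iaid):
        """REQUEST: allocate a prefix. In DUID-only mode a second IAID under
        the same DUID overwrites the first binding instead of adding one."""
        prefix = self.POOL[self._next]
        self._next += 1
        self.bindings[self._key(duid, iaid)] = Lease(duid, iaid, prefix)
        return prefix

    def renew(self, duid, iaid, prefix):
        """RENEW: succeed only if the stored binding still matches this IA."""
        lease = self.bindings.get(self._key(duid, iaid))
        if lease is None or lease.iaid != iaid or lease.prefix != prefix:
            return "NoBinding"
        return "Success"


WAN1_DUID = bytes.fromhex("0003000102aa11bb22c1")   # constructed DUID-LL
WAN2_DUID = bytes.fromhex("0003000102aa11bb22c2")   # constructed, differs in last byte


def run_scenario(key_by_iaid, wan2_duid):
    """Both WANs request a prefix, then both renew. Returns (wan1, wan2) statuses."""
    server = BindingModel(key_by_iaid)
    p1 = server.request(WAN1_DUID, 1)
    p2 = server.request(wan2_duid, 2)
    return server.renew(WAN1_DUID, 1, p1), server.renew(wan2_duid, 2, p2)


if __name__ == "__main__":
    print("shared DUID, DUID-only server:   ", run_scenario(False, WAN1_DUID))
    print("shared DUID, (DUID,IAID) server: ", run_scenario(True, WAN1_DUID))
    print("per-interface DUID, DUID-only:   ", run_scenario(False, WAN2_DUID))
```

The first scenario reproduces the thread's symptom: WAN1's renew comes back `NoBinding` because its binding now carries WAN2's IAID and prefix. Either changing the server key (a setting only the provider can make) or giving each interface its own DUID (the client-side change the thread reports for 6.0.3) lets both renewals succeed.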