FortiGate NAT64 internal Subnet

 Problem

Sometimes it is not necessary to convert the complete internal or external IPv6 traffic to IPv4. What must be done if only individual IP addresses are translated?


Solution

For translating individual IPv6 from IPv4, the configuration is very similar to when all IP is to be translated.
In detail the following configuration is necessary:
config system nat64
    set always-synthesize-aaaa-record disable
end
  • always-synthesize-aaaa-recordthe DNS proxy does not check for AAAA records but rather synthesizes AAAA records.
We need a virtual IPv6 address from the DMZ2 Range. With that we are able to define the Virtual-IP object.
config firewall vip64
    edit "nat64_Server"
        set extip 2001:db8:211:5c:4000::2
        set mappedip 172.16.51.12
        set portforward enable
        set extport 443
        set mappedport 443
    next
end
  • extip: The virtual IPv6 address
  • mappedip: the real IPv4 address
As usual by FortiGate, at the end we need a firewall policy to allow the traffic:
config firewall policy64
    edit 1
        set name "DMZ2 to Server"
        set srcintf "DMZ"
        set dstintf "lan1"
        set srcaddr "all"
        set dstaddr "nat64_Server"
        set action accept
        set schedule "always"
        set service "ALL_ICMP" "HTTPS"
        set logtraffic enable
    next
end
  • dstaddr: use the predefined Virtual-IP object

DNS Server

The IPv6 address is very hard to remember and cannot be entered easily in most browsers.
To test the functionality, I created a DNS server on the FortiGate, which resolves a URL to the virtual IPv6.
The following settings are necessary for this:
Enable the DNS Server on the DMZ2 (the IPv6 Subnet Interface).
config system dns-server
    edit "DMZ2"
    next
end

As next, we have to configure the DNS Zone:
config system dns-database
    edit "lab.com"
        set domain "lab.com"
        set view shadow
        config dns-entry
            edit 1
                set type AAAA
                set hostname "server"
                set ipv6 2001:db8:211:5c:4000::2
            next
            edit 2
                set hostname "server"
                set ip 172.16.51.12
            next
        end
    next
end
  • view: define as shadow otherwise the zone is not resolvable in recursive port setting.
  • domain: Define the Domainname in your LAB 
  • type: AAAA is the A-Record in the IPv6 world
  • ipv6: the virtual-IP as we define earlier
  • ip: the real IPv4 of the server (needed to resolve the hostname in other subnet)

Verify

; <<>> DiG 9.16.15-Ubuntu <<>> AAAA server.lab.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37453
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;fac.hq.shadow.lab.		IN	AAAA

;; ANSWER SECTION:
fac.hq.shadow.lab.	6956	IN	AAAA	2001:db8:211:6c:4000::2

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Di Dez 21 22:11:06 CET 2021
;; MSG SIZE  rcvd: 74



Comments

Post a Comment

Popular posts from this blog

FortiGate BGP dual-home with multiple ISP

Image
Problem Design with two ISPs and an RIPE Routed public IP Ranges. How to solve, that the public Range is available over both ISPs but without asymetric Routing and ISP-1 is the primary. Solution FortiGate Basic BGP configuration First start with basic BGP configuration config router bgp set as 65301 set router-id 100.200.100.254 set keepalive-timer 45 set holdtime-timer 120 set bestpath-med-missing-as-worst enable set graceful-restart enable     config redistribution connected          set status enable     end end bestpath-med-missing-as-worst :  The route without MED is automaticly the worst destination. gracefule-restart :  Advertise reboots to neighbors so they don't see the router as offline, wait before declaring them offline, and how long to wait when they reboot before advertising updates. These commands apply to neighbors and are part of the BGP capabilities. This prevents unneeded routing updates. holdtime-timer: How long the router will wait for
Read more

FortiGate as DNS Server or DNS Proxy

Image
 Problem Especially in small networks, sometimes you do not have a dedicated DNS server available. For this purpose, the FortiGate can be used as DNS server. For larger installations, all DNS queries should be proxied for security reasons. The FortiGate can also help here. Solution A detail documentation about the DNS Server functionality is in the offical documentation:  Fortinet Doc In this post I would like to clearly present the most important functions and configuration types of the DNS function. DNS-Server In the following example the FortiGate act as DNS Server: Enable DNS Feature Enable the DNS Feature in the GUI: CLI command: config system settings     set gui-dns-database enable end Configure DNS Server Enable the DNS Feature on the interface on which DNS requests should be answered: Select Network Select DNS Servers Select the listen Interface Select the DNS Server Mode (see delecration below) The same on the CLI: config system dns-server     edit DMZ2          set mode recu
Read more

FortiGate and Windows L2TP / IPsec with Split Tunneling

 Problem In some scenarios, the user does not want to install an additional VPN client on their device, but use the already built-in one from Windows. Thus, the FortiGate SSL VPN solution cannot be used. So that only systems behind the FortiGate unit are accessible, a split tunnel connection must be established. Solution The L2TP over IPsec VPN solution is used for this purpose. First an IPsec connection is established between the client and FortiGate and then an L2TP connection is established. This is authenticated via a PSK and L2TP via username and password. The following steps are necessary to implement this solution. IPsec Connection config vpn ipsec phase1-interface edit "Dialup" set type dynamic set interface " wan " set peertype any set net-device disable set proposal aes256-md5 3des-sha1 aes192-sha1 set dhgrp 2 set wizard-type dialup-windows set psksecret **** next end config vpn ipsec pha
Read more