Hurricane Electric's IPv6 Tunnel Broker Forums


Author Topic: Guide to setting up IPv6, DHCP6/NAT64/DNS64 on FortiOS 5.0 (FortiGate)  (Read 18423 times)

Chainik

  • Newbie
  • Posts: 3
« Last Edit: June 27, 2013, 03:48:33 AM by Chainik »

kasperd

  • Founder, Netiter ApS
  • Hero Member
  • Posts: 962
Re: Guide to setting up IPv6, DHCP6/NAT64/DNS64 on FortiOS 5.0
« Reply #1 on: June 25, 2013, 07:51:21 AM »

A couple of small comments. I would recommend against blocking ICMPv6 echo requests. Blocking them is not only making debugging harder, it also breaks some tunnelling protocols like for example Teredo. Also it sounds a bit strange to me, if they really made DNS64 synthesize AAAA records by default, even if there is already an AAAA record. So what exactly does that default setting do? Does it replace the existing AAAA records with a synthesized AAAA record? Or will it add the synthesized AAAA record such that the reply contains both real and synthetic AAAA records?

Chainik

  • Newbie
  • Posts: 3
Re: Guide to setting up IPv6, DHCP6/NAT64/DNS64 on FortiOS 5.0
« Reply #2 on: June 26, 2013, 03:27:50 AM »

Yes, good point on ICMP, I will update the guide.

Regarding AAAA synthesis/NAT64, I just re-checked the behaviour, which is as follows:

--- with
config system nat64
    set status enable
    set always-synthesize-aaaa-record enable  #implicit default setting
end

$ dig aaaa www.google.com

; <<>> DiG 9.7.3 <<>> aaaa www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19157
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                        IN      AAAA

;; ANSWER SECTION:
www.google.com.         157     IN      AAAA    64:ff9b::adc2:2991
www.google.com.         157     IN      AAAA    64:ff9b::adc2:2992
www.google.com.         157     IN      AAAA    64:ff9b::adc2:2994
www.google.com.         157     IN      AAAA    64:ff9b::adc2:2990
www.google.com.         157     IN      AAAA    64:ff9b::adc2:2993
...


--- with
config system nat64
    set status enable
    set always-synthesize-aaaa-record disable
end


$ dig aaaa www.google.com

; <<>> DiG 9.7.3 <<>> aaaa www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52908
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                        IN      AAAA

;; ANSWER SECTION:
www.google.com.         261     IN      AAAA    2a00:1450:4009:808::1014
...


So it looks like the default setting will simply ignore existing AAAA records and replace them with synthesized ones.

Not a good default in my opinion, but that is how it behaves with the current firmware.

-- ab1
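The two dig runs above show the same name answered either with native Google addresses or with addresses inside the 64:ff9b::/96 well-known NAT64 prefix (RFC 6052). The following is an added example, not code from the thread or from Fortinet: it models the two DNS64 modes in Python, builds the synthetic AAAA exactly as the FortiGate did (173.194.41.145 becomes 64:ff9b::adc2:2991), parses dig's ANSWER SECTION, and flags a resolver that is discarding native AAAA records. The dig excerpts embedded below are trimmed copies of the ones posted above; everything else (function names, the constructed IPv4 list) is my own.

```python
import ipaddress
import re

# RFC 6052 well-known prefix; matches the 64:ff9b:: addresses in the dig output.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in a /96 NAT64 prefix (RFC 6052 /96 format):
    the IPv4 address occupies the low 32 bits of the IPv6 address."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 prefixes only")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def extract_ipv4(aaaa, prefix=WELL_KNOWN_PREFIX):
    """Reverse mapping: the embedded IPv4 address, or None for a native AAAA."""
    v6 = ipaddress.IPv6Address(aaaa)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def dns64_answer(native_aaaa, a_records, always_synthesize):
    """AAAA RRset a DNS64 resolver hands to the client.

    always_synthesize=True reproduces the FortiOS default seen in the thread:
    native AAAA records are discarded and one synthetic AAAA is built per A
    record.  always_synthesize=False is the RFC 6147 behaviour: synthesize
    only when the name has no AAAA records at all.
    """
    if always_synthesize or not native_aaaa:
        return [synthesize_aaaa(a) for a in a_records]
    return list(native_aaaa)


# Matches dig answer lines such as "www.google.com.  157  IN  AAAA  64:ff9b::adc2:2991"
_ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+AAAA\s+(\S+)$", re.MULTILINE)


def parse_dig_aaaa(dig_output):
    """Pull the AAAA addresses out of dig's ANSWER SECTION lines."""
    return [m.group(3) for m in _ANSWER_RE.finditer(dig_output)]


def native_aaaa_overridden(native_aaaa, resolver_aaaa, prefix=WELL_KNOWN_PREFIX):
    """True when the name is known to have native AAAA records (e.g. from a
    non-DNS64 resolver) but the DNS64 resolver returned only synthesized ones,
    i.e. it is rewriting answers for destinations that already speak IPv6."""
    return bool(native_aaaa) and bool(resolver_aaaa) and all(
        ipaddress.IPv6Address(x) in prefix for x in resolver_aaaa)


# Constructed samples: the answer lines from the two dig runs in the thread.
DIG_ALWAYS_SYNTHESIZE = """;; ANSWER SECTION:
www.google.com.         157     IN      AAAA    64:ff9b::adc2:2991
www.google.com.         157     IN      AAAA    64:ff9b::adc2:2992
www.google.com.         157     IN      AAAA    64:ff9b::adc2:2994
www.google.com.         157     IN      AAAA    64:ff9b::adc2:2990
www.google.com.         157     IN      AAAA    64:ff9b::adc2:2993
"""
DIG_SYNTHESIZE_DISABLED = """;; ANSWER SECTION:
www.google.com.         261     IN      AAAA    2a00:1450:4009:808::1014
"""
# Native AAAA as a non-DNS64 resolver would return it (taken from the second run).
NATIVE_AAAA = ["2a00:1450:4009:808::1014"]
# Constructed A records; 173.194.41.145 is what 64:ff9b::adc2:2991 decodes to.
A_RECORDS = ["173.194.41.145", "173.194.41.146"]


if __name__ == "__main__":
    for mode in (True, False):
        print("always-synthesize-aaaa-record", "enable " if mode else "disable",
              dns64_answer(NATIVE_AAAA, A_RECORDS, mode))
    for label, out in (("enable", DIG_ALWAYS_SYNTHESIZE),
                       ("disable", DIG_SYNTHESIZE_DISABLED)):
        got = parse_dig_aaaa(out)
        print(label, got, "native AAAA overridden:",
              native_aaaa_overridden(NATIVE_AAAA, got))
```

To apply the check on a real network, resolve the name once through a resolver that does no DNS64 (to obtain `NATIVE_AAAA`) and once through the FortiGate; `native_aaaa_overridden` returning True means dual-stack clients behind the firewall are being steered through the NAT64 translator even for destinations reachable natively over IPv6, which is the behaviour the thread describes.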

kasperd

  • Founder, Netiter ApS
  • Hero Member
  • Posts: 962
Re: Guide to setting up IPv6, DHCP6/NAT64/DNS64 on FortiOS 5.0
« Reply #3 on: June 26, 2013, 04:08:58 AM »

> So it looks like the default setting will simply ignore existing AAAA records and replace them with synthesized ones.
>
> Not a good default in my opinion, but that is how it behaves with the current firmware.

It's a very bad default. I don't know what they were thinking when choosing that as the default.