vrajendran
Staff
April 7, 2016

Technical Tip: How to set up the FortiGate to assign IPv6 addresses


Description

 

This article describes how to configure the FortiGate to dynamically assign IPv6 addresses to clients on the network.

 

Scope

 

FortiGate, IPv6.

 

Solution

 

In IPv4 networks, addresses are typically assigned either manually (static addressing) or dynamically (using DHCP). There is also automatic configuration via Automatic Private IP Addressing (APIPA, in the 169.254.0.0/16 subnet), but this is rarely used for practical networking.

 

For IPv6 networks, addressing is more complex since a network host can and will have multiple assigned IPv6 addresses for each link that it is connected to:

  • Link-local IPv6 addresses (LLA) are automatically assigned by the host to itself from within the fe80::/10 subnet and are restricted to usage within the connected network/link (i.e., they are non-routable and one LLA is assigned per network link).
  • Unicast addresses, which include Global Unicast Addresses (GUA) and Unique Local Addresses (ULA), can either be assigned manually on a host or dynamically by a router/server on the network. Clients can be assigned multiple addresses of this type for each network link.

 

On the FortiGate, there are two methods available for dynamically assigning IPv6 unicast addresses: Stateless Address Auto-Configuration (SLAAC, defined in RFC 4862) and stateful DHCPv6 (most recently defined in RFC 9915):

  1. With SLAAC, the FortiGate serves an IPv6 prefix in the IPv6 Router Advertisement (RA) messages that are sent periodically and also in response to a Router Solicitation (RS) from a client. Clients also learn the default gateway for the network by means of these RA messages.
    • Notably, SLAAC does not provide any other information, such as DNS servers or other options. To solve this, SLAAC can be combined with stateless DHCPv6 (where DHCPv6 only serves this supplemental information).
  2. With stateful DHCPv6, IPv6 addressing and supplemental network information are served entirely by DHCPv6. Clients send multicast queries to ff02::1:2 (All_DHCP_Relay_Agents_and_Servers) on destination port UDP/547, and servers (such as the FortiGate) send unicast replies to the client's link-local address on destination port UDP/546.
    • Note that where IPv4 DHCP uses the DORA process (Discover, Offer, Request, Acknowledge), DHCPv6 instead uses SARR (Solicit, Advertise, Request, Reply).
    • Stateful DHCPv6 also has a sub-type available called IPv6 Prefix Delegation, where an upstream DHCPv6 provider (such as an ISP router) can provide a base IPv6 prefix to the FortiGate that can then be divided into subnets and assigned via DHCPv6 to clients further downstream.

 

For guidance on configuring each of the above scenarios, consult the following sections of the FortiOS Administration Guide:

 

Summarizing key CLI configurations required for IPv6 address assignment:

The following is a summary of the key interface settings required for IPv6 dynamic address assignment from the FortiGate to downstream clients. Missing these settings will prevent IPv6 address allocation from functioning correctly:

 

config system interface
    edit <name>
        config ipv6
            set ip6-send-adv [enable | disable]
            set ip6-other-flag [enable | disable]
            set ip6-manage-flag [enable | disable]
            config ip6-prefix-list
                edit <ipv6_prefix>
                    set rdnss <ipv6_dns_1> <ipv6_dns_2> <ipv6_dns_3> <--- FortiOS v7.6.0 and earlier
                next
            end
            config ip6-rdnss-list <--- FortiOS 7.6.1 and later
                edit <rdnss_ip_address>
                next
            end
        end
    next
end

 

ip6-send-adv - Controls whether the FortiGate transmits IPv6 Router Advertisements (required for the FortiGate to act as an IPv6 router, mandatory for all addressing methods).

ip6-other-flag - Enables/disables the IPv6 Other Configuration flag (RFC 4861 Section 4.2). Instructs the client to use DHCPv6 to request other information such as DNS server addresses, required for SLAAC with stateless DHCP (but not SLAAC on its own).

ip6-manage-flag - Enables/disables the IPv6 Managed Address Configuration flag (also RFC 4861). Instructs the client to use DHCPv6 to request both addressing information and other information (technically renders the other flag redundant), required for stateful DHCPv6.

rdnss / ip6-rdnss-list - Specifies DNS server addresses within Router Advertisement and can act as an alternative/supplement to stateless DHCPv6 (see RFC 8106). Recommended but optional for SLAAC and SLAAC with stateless DHCP, see also: Technical Tip: Configure multiple RDNSS IPv6 addresses on the FortiGate.

 

Notes on Combining SLAAC and stateful DHCPv6:

At the time of this writing, IPv6 addressing support amongst client devices is not universal. For example, Windows 11 has ignored RDNSS if DHCP is enabled for IPv4 and IPv6, and Android notably does not support DHCPv6 at all (though it may specifically enable support for DHCPv6 Prefix Delegation).

 

In this case, it may be necessary to enable multiple parallel methods of assigning IPv6 addresses depending on which clients are expected to request addresses for a given network segment. The following configuration shows what an example hybrid setup would look like on a FortiGate running FortiOS 7.6 that includes SLAAC + RDNSS (via IPv6 Router Advertisements) and Stateful DHCPv6:

 

config system interface
    edit "internal6"
        config ipv6
            set ip6-address 2001:db8:abcd:1::1/64
            set ip6-allowaccess ping https ssh http
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-other-flag enable
            config ip6-prefix-list
                edit 2001:db8:abcd:1::/64
                next
            end
            config ip6-rdnss-list
                edit 2001:db8:abcd:1::1
                next
            end
        end
    next
end

 

config system dhcp6 server
    edit 1
        set subnet 2001:db8:abcd:1::/64
        set interface "internal6"
        config ip-range
            edit 1
                set start-ip 2001:db8:abcd:1::2
                set end-ip 2001:db8:abcd:1::ffff
            next
        end
        set dns-server1 2001:db8:abcd:1::1
    next
end

 

With this setup, connected clients can retrieve an IPv6 address via SLAAC and/or stateful DHCPv6, as well as obtain additional DNS information via RDNSS and/or stateless DHCPv6:

 

[Image: Client_IPv6_Addressing.png]
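
The flag combinations summarized earlier can be checked mechanically before a change is pushed. The following Python is an added example, not part of the original article or any Fortinet tooling: it parses a FortiOS configuration and reports interfaces where ip6-send-adv, the M/O flags, RDNSS and the DHCPv6 server binding disagree, along with cleartext management protocols listed in ip6-allowaccess. The names parse, audit and SAMPLE are hypothetical, the sample is a constructed, trimmed copy of the hybrid configuration, and the check assumes the FortiGate serves DHCPv6 itself (no relay).

```python
SAMPLE = """config system interface
    edit "internal6"
        config ipv6
            set ip6-allowaccess ping https ssh http
            set ip6-send-adv enable
            set ip6-manage-flag enable
            config ip6-rdnss-list
                edit 2001:db8:abcd:1::1
                next
            end
        end
    next
end
config system dhcp6 server
    edit 1
        set interface "internal6"
    next
end"""  # constructed sample: trimmed copy of the hybrid configuration above

def parse(text):  # -> ({interface: {ipv6 setting: [values]}}, {interfaces with a DHCPv6 server})
    stack, ifaces, servers = [], {}, set()
    for tok in filter(None, (ln.replace('"', "").split() for ln in text.splitlines())):
        if tok[0] in ("config", "edit"):
            stack.append(" ".join(tok[1:]))  # track nesting by block name
        elif tok[0] in ("next", "end") and stack:
            stack.pop()
        if len(stack) > 2 and (stack[0], stack[2]) == ("system interface", "ipv6"):
            cfg = ifaces.setdefault(stack[1], {})
            if tok[0] == "set":  # includes "set rdnss ..." (FortiOS 7.6.0 and earlier)
                cfg[tok[1]] = tok[2:]
            elif tok[0] == "edit" and stack[-2] == "ip6-rdnss-list":  # 7.6.1 and later
                cfg["rdnss"] = tok[1:]
        elif tok[:2] == ["set", "interface"] and stack[:1] == ["system dhcp6 server"]:
            servers.add(tok[2])
    return ifaces, servers

def audit(text):  # -> {interface: [findings]}; an empty list means the settings are consistent
    ifaces, servers = parse(text)
    report = {}
    for name, cfg in ifaces.items():
        on = lambda key: cfg.get(key) == ["enable"]
        dhcp = on("ip6-manage-flag") or on("ip6-other-flag")
        report[name] = [msg for hit, msg in (
            (not on("ip6-send-adv"), "ip6-send-adv off: no RAs, no addressing method works"),
            (dhcp and name not in servers, "M/O flag set, no DHCPv6 server bound (assumes no relay)"),
            (name in servers and not dhcp, "DHCPv6 server bound but no M/O flag tells clients to use it"),
            ("rdnss" not in cfg and not dhcp, "no RDNSS and no DHCPv6: SLAAC clients get no DNS"),
            ({"http", "telnet"} & set(cfg.get("ip6-allowaccess", [])), "cleartext management over IPv6"),
        ) if hit]
    return report
```

On the sample, audit(SAMPLE) returns a single finding for internal6: the http entry in ip6-allowaccess exposes the administrative interface over an unencrypted protocol, while https and ssh already cover management access.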

 

On the FortiGate, it is then possible to list all DHCPv6 leases that have been assigned to clients using the command execute dhcp6 lease-list <interface>:

 

FortiGate # execute dhcp6 lease-list internal6
Interface    DUID                                      IAID      IP/Prefix          Expiry
internal6    00:01:00:01:2d:26:69:27:00:15:5d:62:52:0c 100668765 2001:db8:abcd:1::2 Wed Feb 25 16:40:33 2026
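
When a lease has to be tied back to a host, the DUID column carries more than an opaque identifier. The following Python is an added example, not part of the original article or any Fortinet tooling: it parses the lease-list output above and decodes the DUID according to the DUID types in RFC 8415 and RFC 6355. The function names are hypothetical and the input is the article's own output, embedded as a constructed sample.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed input: the prompt, header and lease row shown in the article.
SAMPLE_OUTPUT = """FortiGate # execute dhcp6 lease-list internal6
Interface    DUID                                      IAID      IP/Prefix          Expiry
internal6    00:01:00:01:2d:26:69:27:00:15:5d:62:52:0c 100668765 2001:db8:abcd:1::2 Wed Feb 25 16:40:33 2026
"""
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time base, RFC 8415

def _int(b):
    return int.from_bytes(b, "big")

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def decode_duid(duid):
    """Decode a colon-separated DUID into its type and embedded identifiers."""
    raw = bytes.fromhex(duid.replace(":", ""))
    kind = _int(raw[:2])
    if kind == 1 and len(raw) > 8:    # DUID-LLT: hw type, creation time, link-layer address
        return {"type": "DUID-LLT", "hw_type": _int(raw[2:4]), "lladdr": _mac(raw[8:]),
                "created": DUID_EPOCH + timedelta(seconds=_int(raw[4:8]))}
    if kind == 2 and len(raw) > 6:    # DUID-EN: IANA enterprise number, opaque identifier
        return {"type": "DUID-EN", "enterprise": _int(raw[2:6]), "id": raw[6:].hex()}
    if kind == 3 and len(raw) > 4:    # DUID-LL: hw type, link-layer address
        return {"type": "DUID-LL", "hw_type": _int(raw[2:4]), "lladdr": _mac(raw[4:])}
    if kind == 4 and len(raw) == 18:  # DUID-UUID (RFC 6355)
        return {"type": "DUID-UUID", "uuid": raw[2:].hex()}
    return {"type": f"unknown({kind})", "raw": raw.hex()}

def parse_leases(output):
    """Parse 'execute dhcp6 lease-list' output; rows without a DUID column are skipped."""
    leases = []
    for f in (line.split() for line in output.splitlines()):
        if len(f) < 9 or not re.fullmatch(r"(?:[0-9a-f]{2}:)+[0-9a-f]{2}", f[1].lower()):
            continue
        expiry = datetime.strptime(" ".join(f[4:9]), "%a %b %d %H:%M:%S %Y")  # device local time
        leases.append({"interface": f[0], "duid": f[1], "iaid": int(f[2]),
                       "address": f[3], "expiry": expiry, **decode_duid(f[1])})
    return leases
```

The link-layer address inside a DUID-LLT or DUID-LL is the one the client had when it generated the DUID, so it is a hint for host correlation and may differ from the MAC address currently seen on the segment.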