Skip to main content
midlajkp888
midlajkp888
Explorer II
January 22, 2026
Solved

Configure secondary IPv6 address Along with PD from ISP in the LAN interface

  • January 22, 2026
  • 3 replies
  • 488 views

Hi Team,

 

I am using FortiGate with Version 7.4.9. 

I have ISP connected to WAN interface and my clients on LAN interface. Currently I have configured Prefix Delegation for IPv6 to get the LAN addresses from ISP and it is working as supposed to be, with SLAAC addressing towards the client for the PD prefix.

Now along with this, I want to configure a ULA as a secondary address in my LAN interface. How can i achieve this. I could not find any option in CLI. 

Please provide any insight on this or let me know if Am missing anything.

 

Warm Regards
Midlaj

    Best answer by Jean-Philippe_P

    Hello again Midlaj,

     

    I found this answer for you:

     

    The configuration of a secondary IPv6 address on an interface with prefix delegation from an ISP and a ULA as a secondary address is indeed challenging due to the limitations of the ip6-mode settings. Here are some insights:

     

    1. IPv6 Mode Limitation: As you observed, the ip6-mode cannot be set to both delegated and static simultaneously. This means you cannot directly configure a secondary ULA address while using prefix delegation from the ISP.

    2. Secondary IP Configuration: The solution provided for configuring a secondary IPv6 address is applicable when the ip6-mode is set to static. This allows for multiple ULA addresses but does not support prefix delegation.

    3. Workaround: Unfortunately, there is no direct method to configure both a delegated prefix and a secondary ULA address on the same interface due to the mode restrictions. You may need to consider alternative network designs, such as using a different interface or VLAN for the ULA, or using a different device to handle the ULA addressing.

    4. Feature Request: If this functionality is critical, consider reaching out to Fortinet support to request a feature enhancement that allows for both delegated and static configurations on the same interface.

     

    In summary, the current configuration limitations prevent the coexistence of delegated prefixes and secondary ULA addresses on the same interface.

    3 replies

    Jean-Philippe_P
    Staff & Editor
    Jean-Philippe_P
    Staff & Editor
    January 25, 2026

    Hello Midlaj, 

     

    Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

    Jean-Philippe - Fortinet Community Team
    midlajkp888
    midlajkp888Author
    Explorer II
    January 25, 2026

    Thank you very much Jean. Will wait for the answers. Thank you.

    Jean-Philippe_P
    Staff & Editor
    Jean-Philippe_P
    Staff & Editor
    January 26, 2026

    Hello,

     

    We are still looking for an answer to your question.

     

    We will come back to you ASAP.

    Jean-Philippe - Fortinet Community Team
    midlajkp888
    midlajkp888Author
    Explorer II
    January 26, 2026

    Thank you. Ack'd

    Jean-Philippe_P
    Staff & Editor
    Jean-Philippe_P
    Staff & Editor
    January 28, 2026

    Hello again Midlaj :)

     

    I found this solution. Can you tell us if it helps, please? 

     

    To configure a secondary IPv6 address on your LAN interface while using prefix delegation from your ISP, follow these steps:

    1. Enable Secondary IP Option:

      • This can be done via the CLI. Ensure that the secondary IP option is enabled on the interface where you want to add the ULA.
      # config system interface edit <lan_interface> set secondary-IP enable end

    2. Configure the Secondary IPv6 Address:

      • Since you want to add a ULA as a secondary address, you need to configure it using the CLI. Ensure that the ip6-mode is set to static on the LAN interface.

      # config system interface edit <lan_interface> config ipv6 set ip6-mode static config ip6-extra-addr edit <ULA_IP/Prefix> end end end

    3. Verify Configuration: After configuration, verify that the ULA is correctly added as a secondary address on the LAN interface.

     

    Note: Ensure that the ip6-mode is not set to DHCP on the LAN interface, as this will prevent the configuration of a secondary IPv6 address.

    Jean-Philippe - Fortinet Community Team
    midlajkp888
    midlajkp888Author
    Explorer II
    January 28, 2026

    Hi Jean,

     

    Thank you for the effort.

     

    But it seems like I could not achieve. I have attached my existing config and the new config below.

     

    Below is the existing configuration which i had with configuration of Prefix delegation from ISP for LAN, which was working perfectly fine.

    config system interface     edit "lan"         set vdom "root"         set ip <omitted>         set allowaccess ping https ssh snmp http fgfm fabric         set type hard-switch         set alias "miznet"         set stp enable         set role lan         set snmp-index 10         config ipv6             set ip6-mode delegated             set ip6-allowaccess ping https ssh http             set ip6-send-adv enable             set ip6-manage-flag enable             set ip6-other-flag enable             set ip6-delegated-prefix-iaid 5             set ip6-upstream-interface "wan"             set ip6-subnet ::1/64             config ip6-delegated-prefix-list                 edit 1                     set upstream-interface "wan"                     set delegated-prefix-iaid 5                     set subnet ::/64                     set rdnss-service default                 next             end         end     next end

     

    now, the issue when I tried the proposed configuration is, when we move the 'ipv6-mode' to static; the 'delegation' will remove and the delegated address configuration switch to static/manual. I believe these both won't coexistence with the said configuration. because the 'ipv6-mode' options are 'Static | Delegated | DHCP'.


    below the configuration with the proposed configuration:

    config system interface     edit "lan"         set vdom "root"         set ip <omitted>         set allowaccess ping https ssh snmp http fgfm fabric         set type hard-switch         set alias "miznet"         set stp enable         set role lan         set snmp-index 10         set secondary-IP enable         config ipv6             set ip6-address 2601:<omitted>::1/64             set ip6-allowaccess ping https ssh http             config ip6-extra-addr                 edit fc10:<omitted>::1/64                 next             end             set ip6-send-adv enable             set ip6-manage-flag enable             set ip6-other-flag enable             config ip6-delegated-prefix-list                 edit 1                     set upstream-interface "wan"                     set delegated-prefix-iaid 5                     set subnet ::/64                     set rdnss-service default                 next             end         end     next end

     

    Earlier the ip6 address starting with 2601 is the ISP PD address. earlier it was not seen in the configuration because the ip6 mode was 'Delegated'. 

    Another thing which I wanted to clarify is, this secondary IP address configuration solution which you mentioned works with Delegated prefix, or only for configuration of multiple ULA addresses. Please let me know your insights. Thank you.

     

     

    Jean-Philippe_P
    Staff & Editor
    Jean-Philippe_PAnswer
    Staff & Editor
    January 29, 2026

    Hello again Midlaj,

     

    I found this answer for you:

     

    The configuration of a secondary IPv6 address on an interface with prefix delegation from an ISP and a ULA as a secondary address is indeed challenging due to the limitations of the ip6-mode settings. Here are some insights:

     

    1. IPv6 Mode Limitation: As you observed, the ip6-mode cannot be set to both delegated and static simultaneously. This means you cannot directly configure a secondary ULA address while using prefix delegation from the ISP.

    2. Secondary IP Configuration: The solution provided for configuring a secondary IPv6 address is applicable when the ip6-mode is set to static. This allows for multiple ULA addresses but does not support prefix delegation.

    3. Workaround: Unfortunately, there is no direct method to configure both a delegated prefix and a secondary ULA address on the same interface due to the mode restrictions. You may need to consider alternative network designs, such as using a different interface or VLAN for the ULA, or using a different device to handle the ULA addressing.

    4. Feature Request: If this functionality is critical, consider reaching out to Fortinet support to request a feature enhancement that allows for both delegated and static configurations on the same interface.

     

    In summary, the current configuration limitations prevent the coexistence of delegated prefixes and secondary ULA addresses on the same interface.

    Jean-Philippe - Fortinet Community Team
      Terms & ConditionsAccessibility statement