Skip to main content
wigster
wigster
New Member
June 18, 2024
Solved

FortiGate 7.4.4 VM IPv6 Prefix Delegation for Multiple Subnets

  • June 18, 2024
  • 2 replies
  • 3243 views

Hi, 

 

TLDR - I have a /63 prefix and I'd like to delegate a /64 to each of two interfaces. Delegation works but both interfaces get the same prefix. Where in Forti documentation would I find the correct syntax?

 

I'm a home user looking to upgrade an old router. I played with *sense, then found FortiGate-VM. I have no experience with FG but prefer the UI. I'm continuing to play with an FG-VM, with a view to purchasing a hardware FG. Thanks to FortiNet for providing an easy way to get a VM.

 

My ISP delegates a dynamic /62 prefix, and seems to require an ONT which then essentially limits anything downstream to a /63 (long story, and is the only available ISP). I've never used IPv6 either but I'm determined to try it out with the FG-VM.

 

I'm trying to delegate a /64 on the FG-VM to each of two LAN interfaces. Both interfaces get the same prefix so I'm missing something.

 

port1, my WAN interface, has the following ipv6 config - 

config ipv6
   set ip6-allowaccess ping
   set dhcp6-prefix-delegation enable
   set autoconf enable
   config dhcp6-iapd-list
      edit 3
         set prefix-hint ::/63
      next
   end
end

 

port2 successfully gets the first /64 - 

config ipv6
   set ip6-mode delegated
   set ip6-allowaccess ping https http
   set ip6-send-adv enable
   set ip6-other-flag enable
   set ip6-delegated-prefix-iaid 3
   set ip6-upstream-interface "port1"
   set ip6-subnet ::1/64
   config ip6-delegated-prefix-list
      edit 1
         set upstream-interface "port1"
         set delegated-prefix-iaid 3
         set subnet ::/64
      next
   end
end
FGVMEVELBTXEYO59 (port2) # co ipv6
FGVMEVELBTXEYO59 (ipv6) # get
ip6-mode : 
nd-mode : basic 
ip6-address : 2a02:b98:4736:c5da::1/64

 

port3 gets the same 'IP Address/Prefix' as port2 - 

config ipv6
   set ip6-mode delegated
   set ip6-allowaccess ping
   set ip6-send-adv enable
   set ip6-other-flag enable
   set ip6-delegated-prefix-iaid 3
   set ip6-upstream-interface "port1"
   set ip6-subnet ::2:0:0:0:1/64
   config ip6-delegated-prefix-list
      edit 2
         set upstream-interface "port1"
         set delegated-prefix-iaid 3
         set subnet ::/64
      next
   end
end
FGVMEVELBTXEYO59 (port3) # co ipv6
FGVMEVELBTXEYO59 (ipv6) # get
ip6-mode : 
nd-mode : basic 
ip6-address : 2a02:b98:4736:c5da::1/64

 

I guess I have the wrong syntax for 'ip6-subnet' and inside 'ip6-delegated-prefix-list' but I can't see from documentation how to splice a /63 to two different /64 nets.

 

Cheers! 

2 replies

spoojary
Staff
spoojaryAnswer
Staff
June 19, 2024

Please check the doc: https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/37673/ipv6-prefix-delegation

    wigster
    wigsterAuthor
    New Member
    June 19, 2024

    Hi @spoojary ,

     

    Thanks! I have already looked at that doc. Unfortunately the doc does not mention how to delegate more than one prefix. I also looked at older versions, to no avail.

     

    I have found several different ways to specify 'ip6-subnet' and 'ip6-delegated-prefix-list' in this forum. Whatever I try, the second interface gets the same address as the first. 

     

    Cheers!

      wigster
      wigsterAuthor
      New Member
      June 19, 2024

      Hello,

       

      I'm embarrassed. 

      I thought I'd first tried -

      set ip6-subnet ::1:0:0:0:1/64

       

      but it works. Sorry and thanks.

      Terms & ConditionsCookie settingsAccessibility statement