sbabu
Staff
Article Id 328185
Description This article describes how to configure IPv6 with a stateful DHCPv6 server.
Scope FortiGate.
Solution

Topology:

[Topology diagram]

  1. Enable IPv6 in the GUI: go to System -> Feature Visibility -> Core Features, enable IPv6, and select 'Apply'.
  2. Define the IPv6 address on port1 as shown below:

FGT-A(port1) # show
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.109.21.79 255.255.240.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set alias "WAN"
        set snmp-index 1
        config ipv6
            set ip6-address 2001:af0:8003:2::54f/64
            set ip6-allowaccess ping https ssh
        end
    next
end

[Screenshot: port1 IPv6 address in the GUI]

  3. Define a default route towards the ISP:

FGT-A(1) # show
config router static6
    edit 1
        set gateway 2001:af0:8003:2::1
        set device "port1"
    next
end

[Screenshots: static IPv6 route in the GUI]

Once the route is defined, ping the gateway to confirm that it is reachable from the port1 interface:

FGT-A# exec ping6 2001:af0:8003:2::1
PING 2001:af0:8003:2::1(2001:af0:8003:2::1) 56 data bytes
64 bytes from 2001:af0:8003:2::1: icmp_seq=1 ttl=255 time=1.05 ms
64 bytes from 2001:af0:8003:2::1: icmp_seq=2 ttl=255 time=0.480 ms
64 bytes from 2001:af0:8003:2::1: icmp_seq=3 ttl=255 time=0.430 ms

 

  4. Once the gateway is reachable, define the IPv6 DNS servers:

FGT-A (dns) # show
config system dns
    set primary 1.1.1.1
    set secondary 8.8.8.8
    set ip6-primary 2001:4860:4860::8888
    set ip6-secondary 2606:4700:4700::1111
end

[Screenshot: DNS settings in the GUI]

  5. Configure the LAN IPv6 subnet on port3 and enable the stateful DHCPv6 server. Router Advertisements are sent with the M (managed) and O (other) flags set, so clients obtain their address and options from DHCPv6 rather than from SLAAC:

config system interface
    edit "port3"
        set vdom "root"
        set ip 10.132.5.79 255.255.240.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set alias "LAN"
        set snmp-index 3
        config ipv6
            set ip6-address fd01:af0:8003:2::af/64
            set ip6-allowaccess ping https ssh
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-other-flag enable
            config ip6-prefix-list
                edit fd01:af0:8003:2::/64
                next
            end
        end
    next
end

DHCPv6 stateful server configuration:

FGT-A(server) # show
config system dhcp6 server
    edit 1
        set dns-service default
        set subnet fd01:af0:8003:2::/64
        set interface "port3"
        config ip-range
            edit 1
                set start-ip fd01:af0:8003:2::1
                set end-ip fd01:af0:8003:2::ffff
            next
        end
    next
end

[Screenshot: DHCPv6 server in the GUI]
To hand out specific IPv6 DNS servers to clients, change dns-service from its default mode to specify. Once the option is set to specify, the DNS servers can be defined as below:

config system dhcp6 server
    edit 1
        set dns-service specify
        set dns-server1 2606:4700:4700::1111
        set dns-server2 2606:4700:4700::1001
    next
end

 

  6. Configure an IPv6 firewall policy to allow traffic from LAN to WAN:

config firewall policy
    edit 1
        set name "LAN ipv6"
        set uuid efa28f06-4af6-51ef-5593-ddd60f598b8c
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr6 "fd01:af0:8003:2::/64"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

 

To verify the addresses assigned by the DHCPv6 server, run the following command:

 

exec dhcp6 lease-list port3
Interface DUID IAID IP/Prefix Expiry
port3 00:01:00:01:2e:35:1b:a8:00:66:6c:69:17:01 67135084 fd01:af0:8003:2::1 Fri Aug 2 04:08:24 2024
port3 00:01:00:01:2e:33:78:a0:00:6b:72:79:12:01 33581938 fd01:af0:8003:2::2 Fri Aug 2 04:09:14 2024
port3 00:01:00:01:2e:35:1b:5e:00:70:65:74:07:01 67137637 fd01:af0:8003:2::3 Fri Aug 2 04:12:16 2024
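The lease listing can be post-processed off-box. The following is an added Python example, not part of this article or of FortiOS, that parses `exec dhcp6 lease-list` rows, decodes each DUID-LLT to recover the client MAC address so a lease can be matched against the NDP table or a switch port, and flags any address that falls outside the ip-range configured on the dhcp6 server above. The sample rows are constructed from the ones shown here.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample input in the format of `exec dhcp6 lease-list port3`,
# built from the rows shown in this article.
LEASE_LIST = """\
Interface DUID IAID IP/Prefix Expiry
port3 00:01:00:01:2e:35:1b:a8:00:66:6c:69:17:01 67135084 fd01:af0:8003:2::1 Fri Aug 2 04:08:24 2024
port3 00:01:00:01:2e:33:78:a0:00:6b:72:79:12:01 33581938 fd01:af0:8003:2::2 Fri Aug 2 04:09:14 2024
port3 00:01:00:01:2e:35:1b:5e:00:70:65:74:07:01 67137637 fd01:af0:8003:2::3 Fri Aug 2 04:12:16 2024
"""
# ip-range from the dhcp6 server configuration above.
RANGE_START = ipaddress.IPv6Address("fd01:af0:8003:2::1")
RANGE_END = ipaddress.IPv6Address("fd01:af0:8003:2::ffff")
LEASE_RE = re.compile(r"^(?P<intf>\S+)\s+(?P<duid>[0-9A-Fa-f:]+)\s+(?P<iaid>\d+)"
                      r"\s+(?P<addr>[0-9A-Fa-f:/]+)\s+(?P<expiry>.+)$")

def decode_duid(duid_hex):
    """Decode an RFC 8415 DUID into (type_name, link-layer MAC or None).
    DUID-LLT (1): type|hwtype|time(4)|MAC; DUID-LL (3): type|hwtype|MAC;
    DUID-EN (2) and DUID-UUID (4) carry no MAC."""
    b = bytes.fromhex(duid_hex.replace(":", ""))
    duid_type = int.from_bytes(b[0:2], "big")
    if duid_type == 1 and len(b) > 8:
        return "LLT", ":".join(f"{x:02x}" for x in b[8:])
    if duid_type == 3 and len(b) > 4:
        return "LL", ":".join(f"{x:02x}" for x in b[4:])
    return {2: "EN", 4: "UUID"}.get(duid_type, f"type{duid_type}"), None

def parse_leases(text):
    """One dict per lease row; the header row and blank lines are skipped."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue
        addr = ipaddress.IPv6Address(m["addr"].split("/")[0])
        duid_type, mac = decode_duid(m["duid"])
        leases.append({
            "interface": m["intf"],
            "address": addr,
            "iaid": int(m["iaid"]),
            "duid_type": duid_type,
            "client_mac": mac,  # correlate with the NDP/MAC table or switch port
            "expiry": datetime.strptime(m["expiry"], "%a %b %d %H:%M:%S %Y"),
            "in_range": RANGE_START <= addr <= RANGE_END,  # inside configured ip-range
        })
    return leases
```

A lease outside the configured range, or a DUID type that carries no MAC, is a prompt to look at the client rather than a fault in the server.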

 

Run the command below to check the IPv6 routing table:

 

get router info6 routing-table database

routing table for VRF=0
S *> ::/0 [10/0] via 2001:af0:8003:2::1, port1, 19:12:47, [1024/0]
C *> ::1/128 via ::, root, 1d01h43m
C *> 2001:af0:8003:2::/64 via ::, port1, 19:13:12
C *> fd01:af0:8003:2::/64 via ::, port3, 02:33:49

 

Related article

Technical Tip: How to use debug flow and sniffer to capture IPv6 traffic