FortiGate
vrajendran (Staff)
Article Id 194156
Description
This article describes how to set up the FortiGate to assign IPv6 addresses. The FortiGate can be configured to send Router Advertisements so that clients auto-configure their IPv6 address using StateLess Address Auto Configuration (SLAAC). However, SLAAC alone does not provide a complete IPv6 configuration because it does not include the DNS server addresses.

As a workaround, there are two options.

1) Configure the FortiGate as a stateless DHCPv6 server: the client generates an IPv6 address from the Router Advertisement received from the FortiGate, then sends a DHCPv6 request to retrieve the DNS servers.

2) Configure the FortiGate as a stateful DHCPv6 server: the client receives the Router Advertisement from the FortiGate, then sends a DHCPv6 request to retrieve an IPv6 address and the DNS servers from the DHCPv6 server pool.

Solution
Diagram.
IPv6 Client Host (IPv6 stateless autoconfiguration)
|
| IPv6 network (fd00::/64)
|
[Port29 – fd00::1/64]
FortiGate
|
IPv6 Internet

SLAAC Configuration CLI (only relevant parts)

# config system interface
    edit "port29"
        set vdom "root"
        set vlanforward enable
        set type physical
        set snmp-index 31
            # config ipv6
                set ip6-allowaccess ping https ssh http telnet
                set ip6-address fd00::1/64
                set ip6-send-adv enable
                    config ip6-prefix-list
                        edit fd00::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                    end
            end
    next
end

SLAAC Verification

The client generates an IPv6 address from the Router Advertisement, but it does not receive any DNS server, so it is not able to browse the Internet.


Option 1: SLAAC + stateless DHCPv6 server on the FortiGate.
# config system dhcp6 server
    edit 1
        set interface "port29"
        set dns-server1 2001:4860:4860::8888
    next
end

# config system interface
    edit "port29"
        set vdom "root"
        set vlanforward enable
        set type physical
        set snmp-index 31
            # config ipv6
                set ip6-allowaccess ping https ssh http telnet
                set ip6-address fd00::1/64
                set ip6-send-adv enable
                set ip6-other-flag enable                                <----- The client will get DNS server from DHCPv6.
                    config ip6-prefix-list
                        edit fd00::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                    end
            end
    next
end
SLAAC + stateless DHCPv6 server verification

The client generates an IPv6 address from the Router Advertisement and gets the DNS server from DHCPv6.


The client is now able to resolve DNS names and browse the Internet.


Option 2: stateful DHCPv6 server on the FortiGate.
# config system dhcp6 server
    edit 1
        set subnet fd00::/64
        set interface "port29"
            config ip-range
                edit 1
                    set start-ip fd00::1:1
                    set end-ip fd00::1:ffff
                next
            end
        set dns-server1 2001:4860:4860::8888
    next
end

# config system interface
    edit "port29"
        set vdom "root"
        set vlanforward enable
        set type physical
        set snmp-index 31
            # config ipv6
                set ip6-allowaccess ping https ssh http telnet
                set ip6-address fd00::1/64
                set ip6-send-adv enable
                set ip6-manage-flag enable                               <----- The client will get IPv6 address from DHCPv6.
                set ip6-other-flag enable                                <----- The client will get DNS server from DHCPv6.
                    config ip6-prefix-list
                        edit fd00::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                    end
            end
    next
end
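The three configurations above differ only in the M (ip6-manage-flag) and O (ip6-other-flag) bits of the Router Advertisement and in the A/L flags of its Prefix Information option. The following script is an added example, not part of the Fortinet article: it decodes those flags from an ICMPv6 RA and reports which client mode results. The RA bytes are constructed in build_ra() for fd00::/64, not captured from a FortiGate.

```python
# Added example, not part of the Fortinet article: decode the M/O flags and the
# Prefix Information option of an ICMPv6 Router Advertisement and report which
# of the three client modes above it selects. All RA bytes are constructed here.
import socket
import struct

ICMPV6_RA = 134          # ICMPv6 type: Router Advertisement
OPT_PREFIX_INFO = 3      # NDP option: Prefix Information

def parse_ra(pkt: bytes) -> dict:
    """Parse an RA starting at the ICMPv6 header (no IPv6 header in front)."""
    typ, _code, _csum, _hop, flags, _life = struct.unpack("!BBHBBH", pkt[:8])
    if typ != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(flags & 0x80),   # M flag == set ip6-manage-flag enable
          "other": bool(flags & 0x40),     # O flag == set ip6-other-flag enable
          "prefixes": []}
    off = 16                               # options follow reachable/retrans timers
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length NDP option")   # never loop forever
        body = pkt[off:off + olen * 8]
        if otype == OPT_PREFIX_INFO and len(body) == 32:
            prefix = socket.inet_ntop(socket.AF_INET6, body[16:32])
            ra["prefixes"].append({"prefix": f"{prefix}/{body[2]}",
                                   "onlink": bool(body[3] & 0x80),      # L flag
                                   "autonomous": bool(body[3] & 0x40)}) # A flag
        off += olen * 8
    return ra

def client_mode(ra: dict) -> str:
    """Map the advertised flags to the modes described in this article."""
    slaac = any(p["autonomous"] for p in ra["prefixes"])
    if ra["managed"]:
        return "stateful DHCPv6" + (" + SLAAC address" if slaac else "")
    if ra["other"] and slaac:
        return "SLAAC + stateless DHCPv6"
    if slaac:
        return "SLAAC only, no DNS server learned"
    return "no autoconfiguration advertised"

def build_ra(managed: bool, other: bool) -> bytes:
    """Constructed RA for fd00::/64 with the L and A flags set, like port29."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0)
    return hdr + pio + socket.inet_pton(socket.AF_INET6, "fd00::")
```

Because option 2 keeps autonomous-flag enabled alongside the M flag, the decoder reports both a DHCPv6 and a SLAAC address, which matches the extra address Windows shows in the verification below.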
Stateful DHCPv6 server verification.

The client gets an IPv6 address from the DHCPv6 server.


Note that Windows also generates a random IPv6 address in addition to the one assigned by DHCPv6.

The client is now able to resolve DNS names and browse the Internet.


FGT # exe dhcp6 lease-list port29
Interface  DUID                                      IAID      IP          Expiry
port29     00:01:00:01:19:e8:86:47:b8:ca:3a:a8:69:6a  251663351 fd00::1:1  Tue Nov 10 11:21:04 2015
port29     00:01:00:01:16:6e:77:40:08:00:27:b7:39:9d  235405351 fd00::1:2  Tue Nov 10 11:28:10 2015
