FortiGate
mricardez
Staff
Description: This article describes how to troubleshoot DHCPv6 Prefix Delegation in FortiOS.
Scope: FortiOS 6.0, 6.2 and earlier.
Solution

Some ISPs assign an IPv6 address to the customer's WAN interface through a dynamic addressing mechanism and, in addition, delegate an IPv6 prefix for the LAN through DHCPv6 Prefix Delegation.

IPv6 allows host addressing to be configured dynamically with two mechanisms: SLAAC and DHCPv6.

Each has advantages and disadvantages, so the way to get a complete addressing mechanism in IPv6 is to use both simultaneously and take the best of both worlds.

 

The following describes each mechanism together with its most obvious disadvantages:

SLAAC (Stateless Address Autoconfiguration):

- The prefix is provided in RA (Router Advertisement) messages, together with the default gateway (the link-local source of the RA), the prefix lifetimes and the flags M (Managed address configuration) and O (Other configuration).

- End stations generate the Interface ID (lower 64 bits) of the address themselves, either as an EUI-64 value derived from the station MAC address or, on most current operating systems, as a randomized or stable-private value (RFC 4941 / RFC 7217).

- Base SLAAC does not provide DNS information (resolvers or domain search list).

- RFC 6106 (since replaced by RFC 8106) specifies RA extensions, the RDNSS and DNSSL options, that allow DNS information to be included in RAs. Host support for them is optional.

 

DHCPv6:

- DHCPv6 operates similarly to DHCPv4: the end station obtains its IPv6 address from the server.

- Similarly to IPv4, the end station receives the complete address (IPv6 prefix + Interface ID) from the server. It does not form its address from the prefix carried in the RA; the RA prefix is still used for on-link determination.

- DHCPv6 provides DNS information (resolvers and domain search list).

- DHCPv6 servers do not provide gateway information. The default gateway is always obtained from the Router Advertisement messages.

 

To get the best of both mechanisms, SLAAC is used with the M and O flags set in the RA: end stations learn the default gateway from the RA, and the M flag tells the host to obtain its address from a DHCPv6 server. The O flag tells the host to obtain other configuration, such as DNS, from DHCPv6 (when M is set, RFC 4861 treats O as implied).

Additionally, RFC 3633 (now merged into RFC 8415) provides a mechanism for automated delegation of IPv6 prefixes using DHCPv6, the IA_PD option.

FortiOS allows IPv6 addressing using a stateful DHCPv6 server configuration (SLAAC + DHCPv6) and DHCPv6 Prefix Delegation.
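The RA described above as bytes on the wire, written as an added example for this article (it is not FortiOS or radvd code). It builds the RA that the lab radvd.conf at the end of the article would send (M and O set, prefix 2001:db8:72b1:8ca9::/64, two RDNSS resolvers), decodes it back, and derives what an RFC 4861 host does with it. Router lifetime, RDNSS lifetime and the zeroed checksum are assumed values; build_ra, parse_ra and host_behaviour are names chosen here.

```python
"""ICMPv6 Router Advertisement (RFC 4861) encoder/decoder with the Prefix
Information option and the RDNSS option (RFC 8106, formerly RFC 6106).
Added example for this article; not FortiOS or radvd code. Lifetimes are
assumed and the ICMPv6 checksum is left 0 (a raw socket or the kernel fills it)."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO, OPT_RDNSS = 3, 25
FLAG_M, FLAG_O = 0x80, 0x40   # RA flags: Managed address config / Other config
PIO_L, PIO_A = 0x80, 0x40     # PIO flags: on-link / autonomous (SLAAC allowed)


def build_ra(*, managed, other, router_lifetime, prefix, pref_lifetime,
             valid_lifetime, autonomous, rdnss, rdnss_lifetime, hop_limit=64):
    """Raw RA bytes: 16-byte header + PIO (32 bytes) + RDNSS (8 + 16 per address)."""
    flags = (FLAG_M if managed else 0) | (FLAG_O if other else 0)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, flags,
                      router_lifetime, 0, 0)        # reachable/retrans unspecified
    net = ipaddress.IPv6Network(prefix)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                      PIO_L | (PIO_A if autonomous else 0),
                      valid_lifetime, pref_lifetime, 0) + net.network_address.packed
    rd = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, rdnss_lifetime)
    rd += b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    return hdr + pio + rd


def parse_ra(data):
    """Decode an RA. ND option lengths are in 8-octet units; a zero length is a
    malformed packet that RFC 4861 says to discard."""
    typ, code, _csum, _hop, flags, rl, _reach, _retrans = struct.unpack_from(
        "!BBHBBHII", data, 0)
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(flags & FLAG_M), "other": bool(flags & FLAG_O),
          "router_lifetime": rl, "prefixes": [], "rdnss": []}
    off = 16
    while off < len(data):
        otype, olen = data[off], data[off + 1]
        if olen == 0 or off + olen * 8 > len(data):
            raise ValueError("malformed ND option")
        body = data[off + 2:off + olen * 8]
        if otype == OPT_PREFIX_INFO:
            plen, pflags, valid, pref, _ = struct.unpack_from("!BBIII", body, 0)
            net = ipaddress.IPv6Network(
                f"{ipaddress.IPv6Address(body[14:30])}/{plen}", strict=False)
            ra["prefixes"].append({"prefix": str(net), "onlink": bool(pflags & PIO_L),
                                   "autonomous": bool(pflags & PIO_A),
                                   "valid": valid, "preferred": pref})
        elif otype == OPT_RDNSS:
            for i in range(6, len(body), 16):        # 2 reserved + 4 lifetime bytes first
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += olen * 8
    return ra


def host_behaviour(ra):
    """What an RFC 4861 host does with this RA: the M/O decision from the text."""
    return {
        "gateway_from_ra": ra["router_lifetime"] > 0,
        "address_via_dhcpv6": ra["managed"],
        "address_via_slaac": any(p["autonomous"] for p in ra["prefixes"]),
        "dns_via_dhcpv6": ra["managed"] or ra["other"],   # O is implied by M (RFC 4861 4.2)
        "dns_via_ra": bool(ra["rdnss"]),
    }


# Constructed to match the lab radvd.conf; the lifetimes are assumptions.
LAB_RA = build_ra(managed=True, other=True, router_lifetime=1800,
                  prefix="2001:db8:72b1:8ca9::/64", pref_lifetime=604800,
                  valid_lifetime=2592000, autonomous=True,
                  rdnss=["2001:4860:4860::8888", "2001:4860:4860::8844"],
                  rdnss_lifetime=1800)

if __name__ == "__main__":
    print(parse_ra(LAB_RA))
    print(host_behaviour(parse_ra(LAB_RA)))
```

With M and O set, host_behaviour reports address and DNS via DHCPv6 while the gateway still comes from the RA; clearing both flags and keeping the A bit in the PIO gives the pure SLAAC case, where DNS can only come from the RDNSS option.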

 

The following topology is used to demonstrate stateful DHCPv6 and Prefix Delegation.

The router (default gateway) and the DHCPv6 server are located on the Internet side, on vlan211 (the FortiGate WAN); the end stations are on vlan237 (the FortiGate LAN).

[Topology diagram: mricardez_0-1647872932548.png]

 

The FortiOS CLI configuration follows (command names written out in full):

IPv6 prefix on WAN (vlan211): 2001:db8:72b1:8ca9::/64 (address assigned by the ISP DHCPv6 server, IA_NA)
IPv6 prefix on LAN (vlan237): 2001:db8:72b1:8caa::/64 (prefix delegated by the ISP DHCPv6 server, IA_PD)

# config system interface
    edit "vlan211"
        set vdom "root"
        set device-identification enable
        set role wan
        set snmp-index 13
        config ipv6
            set ip6-mode dhcp <----- IPv6 address obtained by DHCPv6 (IA_NA).
            set ip6-allowaccess ping
            set dhcp6-prefix-delegation enable <----- Also request a delegated prefix (IA_PD) from the ISP server.
            set dhcp6-prefix-hint 2001:db8:72b1:8caa::/64 <----- Prefix to ask for; it is only a hint and the server may assign another one.
        end
        set interface "port2"
        set vlanid 211
    next
end

# config system interface
    edit "vlan237"
        set vdom "root"
        set device-identification enable
        set role lan
        set snmp-index 14
        config ipv6
            set ip6-mode delegated <----- Address this interface from the delegated prefix.
            set ip6-allowaccess ping
            set ip6-send-adv enable <----- FortiGate sends RAs to the end stations.
            set ip6-manage-flag enable <----- Set flag "M": hosts obtain their address from DHCPv6.
            set ip6-other-flag enable <----- Set flag "O": hosts obtain DNS and other options from DHCPv6.
            set ip6-upstream-interface "vlan211" <----- Interface that received the delegated prefix.
            set ip6-subnet ::1/64 <----- Interface ID appended to the delegated prefix (gives 2001:db8:72b1:8caa::1/64).
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "vlan211"
                    set subnet 2001:db8:72b1:8caa::/64 <----- Delegated IPv6 prefix advertised on the LAN.
                next
            end
        end
        set interface "port2"
        set vlanid 237
    next
end

# config system dhcp6 server
    edit 1
        set interface "vlan237"
        set upstream-interface "vlan211"
        set ip-mode delegated <----- Lease addresses out of the prefix delegated on vlan211.
        set dns-server1 2804:14d:1:0:181:213:132:2 <----- DNS resolvers handed to the LAN hosts.
        set dns-server2 2804:14d:1:0:181:213:132:3
    next
end

 

FortiOS CLI commands to review FortiGate operation:

- Both interfaces obtain their global IPv6 address from the DHCPv6 exchange on vlan211. vlan211 receives 2001:db8:72b1:8ca9::1002 from the IA_NA option; vlan237 is addressed as the IA_PD prefix plus the configured ip6-subnet ::1/64, giving 2001:db8:72b1:8caa::1/64. Note that the vlan237 address is not flagged P (permanent): its preferred/valid lifetimes count down from the lease values (604800/2592000 s), so it expires with the delegation unless the lease is renewed.

FortigateVM-MKZ # diagnose ipv6 address list | grep vlan
dev=19 devname=vlan211 flag=P scope=0 prefix=128 addr=2001:db8:72b1:8ca9::1002 preferred=4294967295 valid=4294967295 cstamp=68813355 tstamp=68840185
dev=19 devname=vlan211 flag=P scope=253 prefix=64 addr=fe80::247:77ff:fe79:3302 preferred=4294967295 valid=4294967295 cstamp=4055376 tstamp=4055376
dev=20 devname=vlan237 flag= scope=0 prefix=64 addr=2001:db8:72b1:8caa::1 preferred=602867 valid=2590067 cstamp=68840185 tstamp=107001582
dev=20 devname=vlan237 flag=P scope=253 prefix=64 addr=fe80::247:77ff:fe79:3302 preferred=4294967295 valid=4294967295 cstamp=8705106 tstamp=8705106

- The default gateway is learned from the RA messages and is the router's link-local address on vlan211 (fe80::247:77ff:fe79:3502, the same address that sources the DHCPv6 Advertise and Reply in the debug further down). DHCPv6 never supplies this route.

FortigateVM-MKZ # diagnose ipv6 route list | grep gwy
vf=0 type=01(unicast) protocol=2(kernel) flag=00450000 prio=1024 gwy:fe80::247:77ff:fe79:3502 dev=19(vlan211) pmtu=1500

- DHCPv6 leases handed out by the FortiGate dhcp6 server to the end stations on vlan237. The PC received 2001:db8:72b1:8caa::2, inside the delegated prefix:

FortigateVM-MKZ # execute dhcp6 lease-list
Interface DUID IAID IP/Prefix Expiry
vlan237 00:04:93:e4:5e:96:f2:2b:c3:58:76:68:da:f7:92: 1919819010 2001:db8:72b1:8caa::2 Fri Mar 25 14:27:01 2022
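A scripted version of the three checks above, written as an added example for this article (it is not a FortiOS tool). It parses the output of 'diagnose ipv6 address list', 'diagnose ipv6 route list' and 'execute dhcp6 lease-list' and verifies that the WAN address is inside the ISP prefix, that the LAN address equals the delegated prefix plus the ip6-subnet interface ID and carries lease (non-permanent) lifetimes, that the default gateway is a link-local address on the WAN interface, and that every lease on the LAN falls inside the delegated prefix. The sample lines are the ones shown above; the function and check names are chosen here, and 4294967295 is the value FortiOS prints for an infinite lifetime in that output.

```python
"""Checks over the output of the three FortiOS commands above: the WAN
address comes from the ISP prefix, the LAN address is delegated prefix +
ip6-subnet and carries lease lifetimes, the default gateway is link-local on
the WAN, and every LAN lease sits inside the delegated prefix. Added example
for this article, not a FortiOS tool; the sample lines below are copied from
the diagnose output above and the check names are chosen here."""
import ipaddress
import re

INFINITE = 4294967295  # lifetime FortiOS prints for permanent (flag=P) addresses

ADDR_LIST = """\
dev=19 devname=vlan211 flag=P scope=0 prefix=128 addr=2001:db8:72b1:8ca9::1002 preferred=4294967295 valid=4294967295 cstamp=68813355 tstamp=68840185
dev=19 devname=vlan211 flag=P scope=253 prefix=64 addr=fe80::247:77ff:fe79:3302 preferred=4294967295 valid=4294967295 cstamp=4055376 tstamp=4055376
dev=20 devname=vlan237 flag= scope=0 prefix=64 addr=2001:db8:72b1:8caa::1 preferred=602867 valid=2590067 cstamp=68840185 tstamp=107001582
dev=20 devname=vlan237 flag=P scope=253 prefix=64 addr=fe80::247:77ff:fe79:3302 preferred=4294967295 valid=4294967295 cstamp=8705106 tstamp=8705106
"""
ROUTE_LIST = ("vf=0 type=01(unicast) protocol=2(kernel) flag=00450000 prio=1024 "
              "gwy:fe80::247:77ff:fe79:3502 dev=19(vlan211) pmtu=1500")
LEASE_LIST = """\
Interface DUID IAID IP/Prefix Expiry
vlan237 00:04:93:e4:5e:96:f2:2b:c3:58:76:68:da:f7:92: 1919819010 2001:db8:72b1:8caa::2 Fri Mar 25 14:27:01 2022
"""


def parse_addr_list(text):
    """Each line is 'key=value' tokens; 'flag=' is legitimately empty for leased addresses."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        rows.append({"dev": kv["devname"], "addr": ipaddress.IPv6Address(kv["addr"]),
                     "plen": int(kv["prefix"]), "scope": int(kv["scope"]),
                     "permanent": "P" in kv["flag"],
                     "preferred": int(kv["preferred"]), "valid": int(kv["valid"])})
    return rows


def parse_default_gw(line):
    """Return (gateway, interface) from a 'diagnose ipv6 route list' line."""
    m = re.search(r"gwy:(\S+) dev=\d+\((\w+)\)", line)
    if not m:
        raise ValueError("no gateway in route line")
    return ipaddress.IPv6Address(m.group(1)), m.group(2)


def parse_leases(text):
    """Rows of 'execute dhcp6 lease-list'; the header line is skipped."""
    leases = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] == "Interface":
            continue
        leases.append({"iface": f[0], "duid": f[1], "iaid": int(f[2]),
                       "addr": ipaddress.IPv6Address(f[3]), "expiry": " ".join(f[4:])})
    return leases


def check_prefix_delegation(addr_text, route_line, lease_text, *, wan, lan,
                            wan_prefix, pd_prefix, lan_iid="::1"):
    """Return {check name: bool}; all True means the delegation is in place."""
    wan_net, pd_net = ipaddress.IPv6Network(wan_prefix), ipaddress.IPv6Network(pd_prefix)
    expected_lan = pd_net.network_address + int(ipaddress.IPv6Address(lan_iid))
    glob = [r for r in parse_addr_list(addr_text) if r["scope"] == 0]   # global scope only
    wan_addrs = [r for r in glob if r["dev"] == wan]
    lan_addrs = [r for r in glob if r["dev"] == lan]
    gw, gw_dev = parse_default_gw(route_line)
    leases = [l for l in parse_leases(lease_text) if l["iface"] == lan]
    return {
        "wan_address_in_isp_prefix": any(r["addr"] in wan_net for r in wan_addrs),
        "lan_address_is_pd_plus_iid": any(r["addr"] == expected_lan and r["plen"] == pd_net.prefixlen
                                          for r in lan_addrs),
        "lan_address_has_lease_lifetimes": any(not r["permanent"] and r["valid"] < INFINITE
                                               for r in lan_addrs),
        "gateway_is_link_local_on_wan": gw.is_link_local and gw_dev == wan,
        "leases_inside_delegated_prefix": bool(leases) and all(l["addr"] in pd_net for l in leases),
    }


if __name__ == "__main__":
    checks = check_prefix_delegation(ADDR_LIST, ROUTE_LIST, LEASE_LIST, wan="vlan211", lan="vlan237",
                                     wan_prefix="2001:db8:72b1:8ca9::/64",
                                     pd_prefix="2001:db8:72b1:8caa::/64")
    for name, ok in checks.items():
        print(f"{'OK ' if ok else 'BAD'} {name}")
```

Feed it the real command output (for example pasted from an SSH session) together with the prefix hint you configured; a False in lan_address_is_pd_plus_iid usually means the ISP delegated a different prefix than the hint, which is legitimate and shows up in the dhcp6c debug as a different IA_PD prefix.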

 

 

To force a DHCPv6 renewal of the IPv6 address and the delegated prefix, and debug it:

- Unset and then set dhcp6-prefix-hint again on the WAN interface. Re-applying the hint makes dhcp6c start a new Solicit/Advertise/Request/Reply exchange, as the debug below shows.
- Run the dhcp6c debug on the FortiGate and a packet sniffer on the WAN interface (UDP ports 546/547) at the same time, so that the debug lines can be matched against the frames on the wire.

FortigateVM-MKZ # config system interface
FortigateVM-MKZ (interface) # edit vlan211
FortigateVM-MKZ (vlan211) # config ipv6
FortigateVM-MKZ (ipv6) # unset dhcp6-prefix-hint
FortigateVM-MKZ (ipv6) # end
FortigateVM-MKZ (vlan211) # next
FortigateVM-MKZ (interface) # end

FortigateVM-MKZ # config system interface
FortigateVM-MKZ (interface) # edit vlan211
FortigateVM-MKZ (vlan211) # config ipv6
FortigateVM-MKZ (ipv6) # set dhcp6-prefix-hint 2001:db8:72b1:8caa::/64
FortigateVM-MKZ (ipv6) # end
FortigateVM-MKZ (vlan211) # next
FortigateVM-MKZ (interface) # end

Enable the debug before re-applying the hint, and turn it off afterwards with 'diagnose debug disable' followed by 'diagnose debug reset':

FortigateVM-MKZ # diagnose debug reset
FortigateVM-MKZ # diagnose debug console timestamp enable
FortigateVM-MKZ # diagnose debug application dhcp6c 255
Debug messages will be on for 30 minutes.
FortigateVM-MKZ # diagnose debug enable

- The following debug output shows only the DHCPv6 SARR exchange (Solicit, Advertise, Request, Reply); unrelated lines have been trimmed. Note that the Advertise already carries the IA_NA address, the IA_PD prefix and the DNS options, and that the T1/T2 and lifetime values (3600/7200 and 604800/2592000 s) are the ones configured on the ISC dhcpd server shown at the end of the article.

 

2022-03-21 11:59:29 [debug]client6_send() send solicit to ff02::1:2%vlan211
2022-03-21 11:59:29 [debug]dhcp6_reset_timer() reset a timer on vlan211, state=SOLICIT, timeo=0, retrans=1082
2022-03-21 11:59:29 [info]client6_mainloop() timeout=10 sec, cfd=8, kfd=9
2022-03-21 11:59:29 [info]client6_mainloop() msg received, sock =11
2022-03-21 11:59:29 [debug]client6_recv() receive advertise from fe80::247:77ff:fe79:3502%vlan211 on vlan211
2022-03-21 11:59:29 [debug]dhcp6_get_options() get DHCP option identity association, len 40
2022-03-21 11:59:29 [debug] IA_NA: ID=19, T1=3600, T2=7200
2022-03-21 11:59:29 [debug]copyin_option() get DHCP option IA address, len 24
2022-03-21 11:59:29 [debug]copyin_option() IA_NA address: 2001:db8:72b1:8ca9::1002 pltime=604800 vltime=2592000
2022-03-21 11:59:29 [debug]dhcp6_get_options() get DHCP option IA_PD, len 41
2022-03-21 11:59:29 [debug] IA_PD: ID=19, T1=3600, T2=7200
2022-03-21 11:59:29 [debug]copyin_option() get DHCP option IA_PD prefix, len 25
2022-03-21 11:59:29 [debug]copyin_option() IA_PD prefix: 2001:db8:72b1:8caa::/64 pltime=604800 vltime=2592000
2022-03-21 11:59:29 [debug]dhcp6_get_options() get DHCP option client ID, len 10
2022-03-21 11:59:29 [debug] DUID: 00:03:00:01:00:47:77:79:33:02
2022-03-21 11:59:29 [debug]dhcp6_get_options() get DHCP option server ID, len 14
2022-03-21 11:59:29 [debug] DUID: 00:01:00:01:29:c5:7a:5d:00:47:77:79:35:02
2022-03-21 11:59:29 [debug]dhcp6_get_options() get DHCP option DNS, len 16
2022-03-21 11:59:29 [debug]dhcp6_get_options() get DHCP option domain search list, len 18
2022-03-21 11:59:29 [debug]client6_recvadvert() server ID: 00:01:00:01:29:c5:7a:5d:00:47:77:79:35:02, pref=-1
2022-03-21 11:59:29 [debug]client6_recvadvert() reset timer for vlan211 to 0.969465
2022-03-21 11:59:29 [debug]dhcp6_check_timer() called
2022-03-21 11:59:29 [info]client6_mainloop() timeout=10 sec, cfd=8, kfd=9
2022-03-21 11:59:40 [debug]dhcp6_check_timer() called
2022-03-21 11:59:40 [debug]select_server() picked a server (ID: 00:01:00:01:29:c5:7a:5d:00:47:77:79:35:02)
2022-03-21 11:59:40 [debug]client6_send() a new XID (45cf4a) is generated
2022-03-21 11:59:40 [debug]copy_option() set client ID (len 10)
2022-03-21 11:59:40 [debug]copy_option() set server ID (len 14)
2022-03-21 11:59:40 [debug]copyout_option() set IA address
2022-03-21 11:59:40 [debug]copyout_option() set identity association
2022-03-21 11:59:40 [debug]copy_option() set elapsed time (len 2)
2022-03-21 11:59:40 [debug]copy_option() set option request (len 4)
2022-03-21 11:59:40 [debug]copyout_option() set IA_PD prefix
2022-03-21 11:59:40 [debug]copyout_option() set IA_PD
2022-03-21 11:59:40 [debug]client6_send() send request to ff02::1:2%vlan211
2022-03-21 11:59:40 [debug]dhcp6_reset_timer() reset a timer on vlan211, state=REQUEST, timeo=0, retrans=922
2022-03-21 11:59:40 [info]client6_mainloop() timeout=10 sec, cfd=8, kfd=9
2022-03-21 11:59:40 [info]client6_mainloop() msg received, sock =11
2022-03-21 11:59:40 [debug]client6_recv() receive reply from fe80::247:77ff:fe79:3502%vlan211 on vlan211
2022-03-21 11:59:40 [debug]dhcp6_get_options() get DHCP option identity association, len 40
2022-03-21 11:59:40 [debug] IA_NA: ID=19, T1=3600, T2=7200
2022-03-21 11:59:40 [debug]copyin_option() get DHCP option IA address, len 24
2022-03-21 11:59:40 [debug]copyin_option() IA_NA address: 2001:db8:72b1:8ca9::1002 pltime=604800 vltime=2592000
2022-03-21 11:59:40 [debug]dhcp6_get_options() get DHCP option IA_PD, len 41
2022-03-21 11:59:40 [debug] IA_PD: ID=19, T1=3600, T2=7200
2022-03-21 11:59:40 [debug]copyin_option() get DHCP option IA_PD prefix, len 25
2022-03-21 11:59:40 [debug]copyin_option() IA_PD prefix: 2001:db8:72b1:8caa::/64 pltime=604800 vltime=2592000
2022-03-21 11:59:40 [debug]dhcp6_get_options() get DHCP option client ID, len 10
2022-03-21 11:59:40 [debug] DUID: 00:03:00:01:00:47:77:79:33:02
2022-03-21 11:59:40 [debug]dhcp6_get_options() get DHCP option server ID, len 14
2022-03-21 11:59:40 [debug] DUID: 00:01:00:01:29:c5:7a:5d:00:47:77:79:35:02
2022-03-21 11:59:40 [debug]dhcp6_get_options() get DHCP option DNS, len 16
2022-03-21 11:59:40 [debug]dhcp6_get_options() get DHCP option domain search list, len 18
2022-03-21 11:59:40 [debug]info_printf() nameserver[0] 3ffe:501:ffff:100:200:ff:fe00:3f3e
2022-03-21 11:59:40 [debug]info_printf() Domain search list[0] lab.fortinet.com
2022-03-21 11:59:40 [debug]client6_process() dynamic dns1=[3ffe:501:ffff:100:200:ff:fe00:3f3e]

2022-03-21 11:59:40 [debug]get_ia() make an IA: PD-19
2022-03-21 11:59:40 [debug]update_prefix() create a prefix 2001:db8:72b1:8caa::/64 pltime=604800, vltime=2592000
2022-03-21 11:59:40 [debug]get_ia() make an IA: NA-19
2022-03-21 11:59:40 [debug]update_address() create an address 2001:db8:72b1:8ca9::1002 pltime=604800, vltime=2592000
2022-03-21 11:59:40 [debug]dhcp6_remove_event() removing an event on vlan211, state=REQUEST
2022-03-21 11:59:40 [debug]dhcp6_remove_event() removing server (ID: 00:01:00:01:29:c5:7a:5d:00:47:77:79:35:02)
2022-03-21 11:59:40 [debug]client6_recvreply() got an expected reply, sleeping.
2022-03-21 11:59:40 [debug]dhcp6c_resource_update() dhcp6client: checking if needed to reconfigure
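The SARR exchange above at the byte level, written as an added example for this article (it is not FortiOS dhcp6c or ISC dhcpd code): an encoder and decoder for the DHCPv6 options the debug prints, following the option formats of RFC 8415, which merged RFC 3315 and the RFC 3633 prefix delegation described earlier. lab_solicit() constructs what the FortiGate sends with dhcp6-prefix-hint set (an IA_PD whose IAPREFIX carries the hinted prefix with zero lifetimes), and lab_advertise() reconstructs the ISP's Advertise from the values in the debug; decoding it yields exactly the option lengths the debug reports (IA_NA 40, IA address 24, IA_PD 41, IA_PD prefix 25, client ID 10, server ID 14, DNS 16, domain search list 18). The DUIDs and the XID are copied from the debug; function and constant names are chosen here. Python 3.8 or newer is needed for bytes.hex(sep).

```python
"""DHCPv6 option encoder/decoder (RFC 8415, which merged RFC 3315 and RFC 3633)
for the options in the dhcp6c debug: IA_NA/IAADDR (WAN address), IA_PD/IAPREFIX
(delegated prefix), DNS servers, domain search list. Added example for this
article, not FortiOS dhcp6c or ISC dhcpd code; DUIDs and XID come from the debug."""
import ipaddress
import struct

SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_ORO, OPT_ELAPSED = 1, 2, 3, 5, 6, 8
OPT_DNS_SERVERS, OPT_DOMAIN_LIST, OPT_IA_PD, OPT_IAPREFIX = 23, 24, 25, 26
CLIENT_DUID = bytes.fromhex("00030001004777793302")          # DUID-LL (type 3), 10 bytes
SERVER_DUID = bytes.fromhex("0001000129c57a5d004777793502")  # DUID-LLT (type 1), 14 bytes
XID = 0x45CF4A                                               # transaction id from the debug


def opt(code, data):
    return struct.pack("!HH", code, len(data)) + data        # option-code, option-len, data

def ia_na(iaid, t1, t2, addrs=()):
    """IA_NA: IAID, T1, T2, then one IAADDR per (address, pltime, vltime)."""
    body = struct.pack("!III", iaid, t1, t2)
    for a, pl, vl in addrs:
        body += opt(OPT_IAADDR, ipaddress.IPv6Address(a).packed + struct.pack("!II", pl, vl))
    return opt(OPT_IA_NA, body)

def ia_pd(iaid, t1, t2, prefixes=()):
    """IA_PD: IAID, T1, T2, then one IAPREFIX per (prefix, pltime, vltime). In a
    Solicit, an IAPREFIX with zero lifetimes is the prefix hint (dhcp6-prefix-hint)."""
    body = struct.pack("!III", iaid, t1, t2)
    for p, pl, vl in prefixes:
        net = ipaddress.IPv6Network(p)
        body += opt(OPT_IAPREFIX, struct.pack("!IIB", pl, vl, net.prefixlen) + net.network_address.packed)
    return opt(OPT_IA_PD, body)

def domain_list(names):
    """DNS wire format: length-prefixed labels, each name terminated by a zero byte."""
    wire = b"".join(b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00" for n in names)
    return opt(OPT_DOMAIN_LIST, wire)

def message(msg_type, xid, options):
    return bytes([msg_type]) + xid.to_bytes(3, "big") + b"".join(options)  # 1-byte type, 3-byte XID

def parse_options(data):
    """Yield (code, body); reject options that run past the end of the buffer."""
    off = 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, off)
        if off + 4 + length > len(data):
            raise ValueError("option length exceeds message")
        yield code, data[off + 4:off + 4 + length]
        off += 4 + length

def parse_message(raw):
    """Decode a message into a dict; 'lengths' records every option-len seen."""
    msg = {"type": raw[0], "xid": int.from_bytes(raw[1:4], "big"), "ia_na": [],
           "ia_pd": [], "dns": [], "domains": [], "lengths": {}}
    for code, body in parse_options(raw[4:]):
        msg["lengths"][code] = len(body)
        if code in (OPT_IA_NA, OPT_IA_PD):
            iaid, t1, t2 = struct.unpack_from("!III", body, 0)
            for sub, sb in parse_options(body[12:]):
                msg["lengths"][sub] = len(sb)
                ia = {"iaid": iaid, "t1": t1, "t2": t2}
                if sub == OPT_IAADDR:
                    ia["pltime"], ia["vltime"] = struct.unpack_from("!II", sb, 16)
                    ia["addr"] = str(ipaddress.IPv6Address(sb[:16]))
                    msg["ia_na"].append(ia)
                elif sub == OPT_IAPREFIX:
                    ia["pltime"], ia["vltime"], plen = struct.unpack_from("!IIB", sb, 0)
                    ia["prefix"] = str(ipaddress.IPv6Network(f"{ipaddress.IPv6Address(sb[9:25])}/{plen}", strict=False))
                    msg["ia_pd"].append(ia)
        elif code == OPT_DNS_SERVERS:
            msg["dns"] = [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(0, len(body), 16)]
        elif code == OPT_DOMAIN_LIST:
            off = 0
            while off < len(body):
                labels = []
                while body[off]:                               # label length byte
                    labels.append(body[off + 1:off + 1 + body[off]].decode())
                    off += 1 + body[off]
                msg["domains"].append(".".join(labels))
                off += 1                                       # skip the terminating zero
        elif code in (OPT_CLIENTID, OPT_SERVERID):
            msg["client_duid" if code == OPT_CLIENTID else "server_duid"] = body.hex(":")
    return msg

def lab_solicit():
    """What the FortiGate sends: empty IA_NA, IA_PD carrying the hint, ORO for the DNS options."""
    return message(SOLICIT, XID, [
        opt(OPT_CLIENTID, CLIENT_DUID), opt(OPT_ELAPSED, b"\x00\x00"), ia_na(19, 0, 0),
        ia_pd(19, 0, 0, [("2001:db8:72b1:8caa::/64", 0, 0)]),
        opt(OPT_ORO, struct.pack("!HH", OPT_DNS_SERVERS, OPT_DOMAIN_LIST))])

def lab_advertise():
    """The ISP server's Advertise with the values the debug decodes."""
    return message(ADVERTISE, XID, [
        ia_na(19, 3600, 7200, [("2001:db8:72b1:8ca9::1002", 604800, 2592000)]),
        ia_pd(19, 3600, 7200, [("2001:db8:72b1:8caa::/64", 604800, 2592000)]),
        opt(OPT_CLIENTID, CLIENT_DUID), opt(OPT_SERVERID, SERVER_DUID),
        opt(OPT_DNS_SERVERS, ipaddress.IPv6Address("3ffe:501:ffff:100:200:ff:fe00:3f3e").packed),
        domain_list(["lab.fortinet.com"])])

if __name__ == "__main__":
    print(parse_message(lab_advertise()))
```

The decoder is strict about option lengths on purpose: a Reply whose option-len runs past the end of the datagram is malformed, and silently accepting it is how a DHCPv6 parser ends up reading unrelated memory. Pointing parse_message at the UDP payload of the frames from the WAN sniffer is a quick way to confirm that what the debug says was received matches what was on the wire.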

 

- The sniffer output (capture on vlan211 during the exchange):

[Packet capture screenshot: mricardez_0-1647881660871.png]

- For lab purposes only, the following Debian configurations were used on the server (ISP side: RA sender and DHCPv6 server on vlan211) and on the PC (LAN side, vlan237).

 

###### debian-server ######

# ip address add 2001:db8:72b1:8ca9::ffff/64 dev vlan211 <----- Server address inside the WAN prefix; dhcpd only serves a subnet6 that matches an address on the interface it listens on.

root@debian-server:/etc# cat /etc/radvd.conf  <----- radvd.conf used to send the RA messages on the WAN segment.
interface vlan211 {
    AdvSendAdvert on;
    AdvManagedFlag on;       <----- Flag "M": clients use DHCPv6 for their address.
    AdvOtherConfigFlag on;   <----- Flag "O": clients use DHCPv6 for other configuration.
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;

    prefix 2001:db8:72b1:8ca9::/64 {  <----- RA prefix on WAN.
    };
    RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 { }; <----- RFC 6106 / RFC 8106 RDNSS option.
};

root@debian-server:/etc# systemctl start radvd  <----- Start the radvd service.

root@debian-server:/etc/dhcp# cat /etc/dhcp/dhcpd6.conf  <----- DHCPv6 server configuration. The four timers below are the T1=3600, T2=7200, pltime=604800 and vltime=2592000 values seen in the FortiGate debug.
default-lease-time 2592000;        # valid lifetime (vltime)
preferred-lifetime 604800;         # preferred lifetime (pltime)
option dhcp-renewal-time 3600;     # T1
option dhcp-rebinding-time 7200;   # T2
allow leasequery;

option dhcp6.name-servers 3ffe:501:ffff:100:200:ff:fe00:3f3e;
option dhcp6.domain-search "lab.fortinet.com";

option dhcp6.info-refresh-time 21600;

# The subnet the server is attached to (the WAN segment, vlan211).
subnet6 2001:db8:72b1:8ca9::/64 {
    range6 2001:db8:72b1:8ca9::1001 2001:db8:72b1:8ca9::1002;

    # Some /64 prefixes available for Prefix Delegation (RFC 3633); the FortiGate's hint falls inside this pool.
    prefix6 2001:db8:72b1:8caa:: 2001:db8:72b1:8cab:: /64;
}

# /usr/sbin/dhcpd -6 -d -cf /etc/dhcp/dhcpd6.conf vlan211    <----- Run the DHCPv6 server in the foreground with debug output.

###### debian-pc ######

fortinet@debian-user:~$ cat /etc/network/interfaces

iface vlan237 inet6 dhcp
    accept_ra 2        <----- Accept RAs (the default gateway comes from them), even if forwarding is enabled.
    request_prefix 1   <----- Also request a delegated prefix (IA_PD); a plain host does not need this.
