FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kyozloveyou_FTNT
Article Id 344430
Description

This article describes how to configure the FortiGate to obtain an IPv6 address and a delegated prefix from the ISP over PPPoE and to delegate that prefix to the LAN.

This article may be used as a reference for other ISPs as well, since more and more ISPs now provide IPv6 to their subscribers. However, it may not work for every ISP, as some ISPs require their own specific settings.

Scope

FortiGate 7.2 and above.
Solution

Prerequisite: a working PPPoE setup for IPv4 with Internet access.

Step 1: On the PPPoE VLAN 500 interface (the UNIFI PPPoE VLAN interface), enable IPv6 as below:

config system interface
    edit "UNIFI"
        set vdom "root"
        set mode pppoe
        config ipv6
            set ip6-mode pppoe
            set ip6-allowaccess ping
            set dhcp6-prefix-delegation enable
            set autoconf enable
            config dhcp6-iapd-list
                edit 1
                    set prefix-hint ::/64
                next
            end
        end
        set username "XXXXX@unifi"
        set password ENC XYXYXYXYXYXYXYXY
        set dns-server-override disable
        set interface "wan1"
        set vlanid 500
    next
end

After this, verify that the PPPoE interface has obtained an IPv6 address:

hostname# diag ipv6 address list
....
dev=45 devname=ppp2 flag= scope=0 prefix=64 addr=2001:e68:5099:38e2:ea1c:babf:fffe:XYXY preferred=172590 valid=258990 cstamp=11471765 tstamp=35488410
dev=45 devname=ppp2 flag=P scope=253 prefix=10 addr=fe80::ea1c:babf:fffe:XYXY preferred=4294967295 valid=4294967295 cstamp=11471765 tstamp=11471765

The FortiGate will also start communicating with FortiGuard over IPv6, as shown in the FortiGuard server list:

hostname # diag debug rating
...

IP Weight RTT Flags TZ FortiGuard-requests Curr Lost Total Lost Updated Time
173.243.142.16 0 182 D 0 76843 0 121 Thu Sep 26 09:14:54 2024
2620:101:9000:140:173:243:140:16 0 981 D 0 44579 0 41 Thu Sep 26 09:14:55 2024
173.243.140.16 0 1153 DI 0 666369 0 357 Thu Sep 26 09:14:55 2024

Step 2: On the LAN interface, enable IPv6 and prefix delegation as below:

config system interface
    edit "port5"
        set vdom "root"
        set ip W.X.Y.Z 255.255.255.0
        config ipv6
            set ip6-mode delegated
            set dhcp6-prefix-delegation enable
            set ip6-send-adv enable
            set ip6-other-flag enable
            set ip6-delegated-prefix-iaid 1
            set ip6-upstream-interface "UNIFI"    <-- VLAN PPPoE interface
            set ip6-subnet ::1/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "UNIFI"    <-- VLAN PPPoE interface
                    set delegated-prefix-iaid 1
                    set subnet ::/64
                    set rdnss-service default
                next
            end
            config dhcp6-iapd-list
                edit 1
                    set prefix-hint ::/64
                next
            end
        end
    next
end

After some time, the LAN interface will have an IPv6 address from the delegated prefix:

hostname # diag ipv6 address list
dev=13 devname=port5 flag= scope=0 prefix=64 addr=2001:e68:5459:70d7::XX preferred=114382 valid=200782 cstamp=11472298 tstamp=29751829
dev=13 devname=port5 flag=P scope=253 prefix=64 addr=fe80::ea1c:baff:febf:WXYZ preferred=4294967295 valid=4294967295 cstamp=29121 tstamp=29121

...

After reconnecting the machines in the LAN, all devices should obtain a public IPv6 address at this stage.
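
The two CLI checks above (Step 1 on the PPPoE interface, Step 2 on the LAN interface) can be made repeatable. The following Python example is added here and is not code from the article or from Fortinet: it parses pasted 'diag ipv6 address list' output and confirms that the PPPoE interface holds a global address and that the LAN interface holds a global /64 distinct from the WAN link, which is the prefix LAN hosts will autoconfigure from. The sample lines are constructed from the article's output with the masked hextets replaced by made-up values, and the interface names ppp2 and port5 are taken from the article.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample modelled on the 'diag ipv6 address list' output in this
# article; the masked hextets (XYXY, XX, WXYZ) are replaced with made-up values.
SAMPLE_OUTPUT = """....
dev=45 devname=ppp2 flag= scope=0 prefix=64 addr=2001:e68:5099:38e2:ea1c:babf:fffe:1234 preferred=172590 valid=258990 cstamp=11471765 tstamp=35488410
dev=45 devname=ppp2 flag=P scope=253 prefix=10 addr=fe80::ea1c:babf:fffe:1234 preferred=4294967295 valid=4294967295 cstamp=11471765 tstamp=11471765
dev=13 devname=port5 flag= scope=0 prefix=64 addr=2001:e68:5459:70d7::1 preferred=114382 valid=200782 cstamp=11472298 tstamp=29751829
dev=13 devname=port5 flag=P scope=253 prefix=64 addr=fe80::ea1c:baff:febf:abcd preferred=4294967295 valid=4294967295 cstamp=29121 tstamp=29121
"""

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # Internet-routable range
LINE_RE = re.compile(r"devname=(?P<dev>\S+)\s.*?prefix=(?P<plen>\d+)\saddr=(?P<addr>[0-9A-Fa-f:]+)")


def parse_address_list(output: str) -> Dict[str, List[ipaddress.IPv6Interface]]:
    """Group every address/prefix-length pair by interface name; separator lines are skipped."""
    addrs: Dict[str, List[ipaddress.IPv6Interface]] = {}
    for line in output.splitlines():
        m = LINE_RE.search(line)
        if m:
            addrs.setdefault(m["dev"], []).append(
                ipaddress.IPv6Interface(f"{m['addr']}/{m['plen']}"))
    return addrs


def check_delegation(output: str, wan: str, lan: str) -> Dict[str, object]:
    """Confirm the state the article expects: the PPPoE interface (wan) holds a
    global address (Step 1 check) and the LAN interface holds a global /64 taken
    from the delegated prefix (Step 2 check)."""
    addrs = parse_address_list(output)
    wan_global = [a for a in addrs.get(wan, []) if a.ip in GLOBAL_UNICAST]
    lan_global = [a for a in addrs.get(lan, []) if a.ip in GLOBAL_UNICAST]
    lan_64 = [a.network for a in lan_global if a.network.prefixlen == 64]
    # The LAN /64 is what SLAAC hosts behind the LAN port will use; if it equals
    # the WAN link's own /64, no separate prefix was actually delegated.
    wan_nets = {a.network for a in wan_global}
    return {
        "wan_has_global": bool(wan_global),
        "lan_has_global_64": bool(lan_64),
        "lan_prefix": str(lan_64[0]) if lan_64 else None,
        "lan_prefix_distinct_from_wan": bool(lan_64) and lan_64[0] not in wan_nets,
    }


if __name__ == "__main__":
    for key, value in check_delegation(SAMPLE_OUTPUT, "ppp2", "port5").items():
        print(f"{key}: {value}")
```

To check a live unit, paste the real 'diag ipv6 address list' output in place of the constructed sample.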
Step 3: Configure an IPv6 firewall policy from the LAN to the PPPoE interface:

config firewall policy
    edit X
        set name "IPV6-INTERNET"
        set srcintf "port5"
        set dstintf "UNIFI"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
    next
end

Lastly, do not forget to run an IPv6 test from a LAN host:

[Screenshot: IPv6 test result]