Prerequisite: have a PPPoE setup for IPv4 and make sure the Internet is working.
Step 1: In the PPPoE VLAN 500 (UNIFI PPPoE interface VLAN) enable IPv6 as below:
config system interface
    edit "UNIFI"
        set vdom "root"
        set mode pppoe
        config ipv6
            set ip6-mode pppoe
            set ip6-allowaccess ping
            set dhcp6-prefix-delegation enable
            set autoconf enable
            config dhcp6-iapd-list
                edit 1
                    set prefix-hint ::/64
                next
            end
        end
        set username "XXXXX@unifi"
        set password ENC XYXYXYXYXYXYXYXY
        set dns-server-override disable
        set interface "wan1"
        set vlanid 500
    next
end

After this, check whether an IPv6 address is being obtained over PPPoE:

hostname# diag ipv6 address list
....
dev=45 devname=ppp2 flag= scope=0 prefix=64 addr=2001:e68:5099:38e2:ea1c:babf:fffe:XYXY preferred=172590 valid=258990 cstamp=11471765 tstamp=35488410
dev=45 devname=ppp2 flag=P scope=253 prefix=10 addr=fe80::ea1c:babf:fffe:XYXY preferred=4294967295 valid=4294967295 cstamp=11471765 tstamp=11471765
And FortiGate will start communicating with FortiGuard using IPv6:
hostname # diag debug rating
...
IP                                Weight  RTT   Flags  TZ  FortiGuard-requests  Curr Lost  Total Lost  Updated Time
173.243.142.16                    0       182   D      0   76843                0          121         Thu Sep 26 09:14:54 2024
2620:101:9000:140:173:243:140:16  0       981   D      0   44579                0          41          Thu Sep 26 09:14:55 2024
173.243.140.16                    0       1153  DI     0   666369               0          357         Thu Sep 26 09:14:55 2024
Step 2: In the LAN, enable IPv6 and delegation as below:
config system interface
    edit "port5"
        set vdom "root"
        set ip W.X.Y.Z 255.255.255.0
        config ipv6
            set ip6-mode delegated
            set dhcp6-prefix-delegation enable
            set ip6-send-adv enable
            set ip6-other-flag enable
            set ip6-delegated-prefix-iaid 1
            set ip6-upstream-interface "UNIFI"    <=== VLAN PPPoE interface
            set ip6-subnet ::1/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "UNIFI"    <=== VLAN PPPoE interface
                    set delegated-prefix-iaid 1
                    set subnet ::/64
                    set rdnss-service default
                next
            end
            config dhcp6-iapd-list
                edit 1
                    set prefix-hint ::/64
                next
            end
        end
    next
end
After some time, there will be IPv6 in the LAN:
hostname # diag ipv6 address list
dev=13 devname=port5 flag= scope=0 prefix=64 addr=2001:e68:5459:70d7::XX preferred=114382 valid=200782 cstamp=11472298 tstamp=29751829
dev=13 devname=port5 flag=P scope=253 prefix=64 addr=fe80::ea1c:baff:febf:WXYZ preferred=4294967295 valid=4294967295 cstamp=29121 tstamp=29121
...

After reconnecting all machines in the LAN, all the devices should get a public IPv6 address at this stage.
Step 3: Configure an IPv6 policy:
config firewall policy
    edit X
        set name "IPV6-INTERNET"
        set srcintf "port5"
        set dstintf "UNIFI"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
    next
end
Lastly, do not forget to run an IPv6 test.
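The address checks from steps 1 and 2 can be scripted against saved `diag ipv6 address list` output. The following is an added example, not part of the original article or Fortinet tooling: it parses the `key=value` lines shown above and reports whether the PPPoE interface and the LAN port each hold a non-link-local address with remaining lifetime. The sample text is constructed using the 2001:db8::/32 documentation prefix, and the function names and default interface names (`ppp2`, `port5`) are assumptions taken from this page's output.

```python
import ipaddress
import re

# Constructed sample in the format of `diag ipv6 address list`
# (documentation prefix 2001:db8::/32, not real addresses).
SAMPLE = """\
dev=45 devname=ppp2 flag= scope=0 prefix=64 addr=2001:db8:5099:38e2:ea1c:babf:fffe:1 preferred=172590 valid=258990 cstamp=11471765 tstamp=35488410
dev=45 devname=ppp2 flag=P scope=253 prefix=10 addr=fe80::ea1c:babf:fffe:1 preferred=4294967295 valid=4294967295 cstamp=11471765 tstamp=11471765
dev=13 devname=port5 flag= scope=0 prefix=64 addr=2001:db8:5459:70d7::1 preferred=114382 valid=200782 cstamp=11472298 tstamp=29751829
dev=13 devname=port5 flag=P scope=253 prefix=64 addr=fe80::ea1c:baff:febf:1 preferred=4294967295 valid=4294967295 cstamp=29121 tstamp=29121
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # value may be empty, as in "flag="


def parse(text):
    """Yield one dict per address line; lines without devname/addr are skipped."""
    for line in text.splitlines():
        rec = dict(FIELD.findall(line))
        if "devname" in rec and "addr" in rec:
            yield rec


def non_link_local(text, devname):
    """Return addresses on devname that are not fe80::/10 and still have valid lifetime."""
    found = []
    for rec in parse(text):
        if rec["devname"] != devname:
            continue
        try:
            iface = ipaddress.IPv6Interface(f'{rec["addr"]}/{rec.get("prefix", "128")}')
        except ValueError:
            continue  # masked or truncated address in pasted output
        if iface.ip.is_link_local or int(rec.get("valid", "0")) == 0:
            continue
        found.append(iface)
    return found


def check(text, wan="ppp2", lan="port5"):
    """Map each interface name to True when it holds at least one usable address."""
    return {name: bool(non_link_local(text, name)) for name in (wan, lan)}


if __name__ == "__main__":
    for name, ok in check(SAMPLE).items():
        print(f"{name}: {'IPv6 address present' if ok else 'only link-local or none'}")
```

If the LAN port reports only a link-local address while the PPPoE interface has a prefix, the delegation in step 2 has not completed yet.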