Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
micahawitt
New Contributor III

IPV6

Forgive if this is loaded somewhere else.

 

I'm running into a snag here. I am currently on Spectrum and getting a /128 from them, according to my WAN1 interface.

 

I am trying to get the DHCP to pass through to my clients on a VLAN; anyone have any luck with this?

1 Solution
emnoc
Esteemed Contributor III

Did you speak with your provider? They will tell you what size prefix is being delegated, typically /48 or /56, and then you configure the FortiGate for the IPv6 delegation on the WAN and you pass a prefix in that delegation to your inside LANs.

 

e.g.

 

config system interface
    edit wan1
        config ipv6
            set ip6-mode dhcp
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint 2001:db8:44::/56
        end
    next
end

 

 

Once you have the assignment, you use SLAAC on your internal LANs for assignments of the /64 to the host machines.

 

config system interface
    edit port1
        config ipv6
            set ip6-allowaccess ssh ping https
            set ip6-mode delegated
            set ip6-upstream-interface wan1
        end
    next
end

 

Yes, it's really that easy; you need to speak to your ISP.

 

Ken Felix

 

 

 

PCNSE 

NSE 

StrongSwan  

13 REPLIES 13
micahawitt

So here is the latest: neither WAN config above is getting me an IPv6 address on my FortiGate; it keeps getting a /128, as it shows.

 

With that, though, I am able to get IPv6 on my laptop if I hook up directly.

lobstercreed

Micah,

 

I should emphasize that in my experience your FortiGate will not get anything larger than a /128 by design.  If you're looking for that to change, you're looking in the wrong place. 

 

The way delegation works is that it gives you a prefix to work with for your downstream networks.  The exact config commands I gave above worked fine for me as you can see in this screenshot:

 

 

(Though I ended up tweaking my downstream a bit and am using two /60 for reasons that go way beyond the scope of this.)

 

- Daniel

micahawitt

It's not that I care that it's a /128; I just want it to work. I know that if I hook up my laptop it does work. Trying to get the FortiGate is another issue.

 

I have set my config verbatim to what you have listed.

 

 

When I go to test-ipv6.com or whatismyip.com, it's not even picking up an IPv6 address on my WAN interface, it seems, as it doesn't show one.

Thiudans

Hello everyone,

 

Brand new to this forum and brand new to Fortinet.

 

Regarding the /128 on the outside interface: that is a gateway address to route to the prefix(es) behind your firewall via router advertisement daemon (radvss I think).

 

I worked on getting IPv6 working on my firewall for two days or so, it took me a bit but everything is fine now. Here are my interface configs -- I am using SLAAC, not DHCPv6 though. You can see if you are delegating properly by typing in 

 

diagnose ipv6 address list

 

If you see ipv6 addresses on your interface(s), you are successfully delegating and you will have your prefix.

 

I actually opened a ticket with support and there is no concise way to get your prefix!

 

In any case, here is my interface config:

 

edit "XXXX"
        set vdom "root"
        set ip RFC-1918.254 255.255.255.0
        set allowaccess ping https ssh snmp http
        set type hard-switch
        set device-identification enable
        set role lan
        set snmp-index 4
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping
            set ip6-send-adv enable
            set ip6-other-flag enable
            set ip6-upstream-interface "wan"
            set ip6-subnet ::55:0:0:0:ffff/64
            config ip6-delegated-prefix-list
                edit 6
                    set upstream-interface "wan"
                    set subnet 0:0:0:55::/64
                    set rdnss-service default
                next
            end
        end

 

 

My wan:

 

edit "wan"
        set vdom "root"
        set mode dhcp
        set allowaccess ping fgfm
        set type physical
        set role wan
        set snmp-index 1
        config ipv6
            set ip6-mode dhcp
            set ip6-allowaccess ping
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint ::/56
        end
        set dns-server-override disable

 

I am using Spectrum. 

 

With a /56, the last 2 HEX numbers are my network addresses, so the delegated interface above is the 5th network, out of 256 networks. Incidentally, if Spectrum ever changes the prefix, this should automatically propagate to your interfaces and clients.
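
Added example (not part of any post in this thread): a Python sketch of how the `subnet` and `ip6-subnet` templates in the config above combine with whatever /56 the ISP delegates, and why a changed prefix carries through to the LAN. The delegated prefixes are constructed documentation values, the function name is hypothetical, and the OR-overlay is an assumption about how FortiOS fills in the template.

```python
import ipaddress


def apply_delegation(delegated: str, template: str):
    """Overlay a template such as 0:0:0:55::/64 on a delegated prefix.

    Returns (interface, subnet_id): the resulting address/prefix and the
    value of the bits between the delegated length and the template length.
    Assumption: the template's bits are OR-ed onto the delegated prefix.
    """
    pd = ipaddress.ip_network(delegated, strict=True)
    tmpl = ipaddress.ip_interface(template)  # keeps host bits such as ::ffff
    tlen = tmpl.network.prefixlen
    if tlen < pd.prefixlen:
        raise ValueError("template is shorter than the delegated prefix")
    # Bits owned by the ISP's prefix must be zero in the template, otherwise
    # the subnet ID does not fit in the space that was delegated.
    if int(tmpl.ip) & int(pd.netmask):
        raise ValueError(f"{template} sets bits inside the delegated /{pd.prefixlen}")
    addr = ipaddress.ip_address(int(pd.network_address) | int(tmpl.ip))
    iface = ipaddress.ip_interface(f"{addr}/{tlen}")
    id_bits = tlen - pd.prefixlen
    subnet_id = (int(iface.network.network_address) >> (128 - tlen)) & ((1 << id_bits) - 1)
    return iface, subnet_id


if __name__ == "__main__":
    # Constructed sample delegations (documentation range), before and after
    # a hypothetical prefix change by the ISP.
    for pd in ("2001:db8:44:ab00::/56", "2001:db8:99:1200::/56"):
        net, sid = apply_delegation(pd, "0:0:0:55::/64")       # set subnet
        host, _ = apply_delegation(pd, "::55:0:0:0:ffff/64")   # set ip6-subnet
        print(f"{pd}: LAN {net.network} (subnet id 0x{sid:x}), interface {host}")
    try:
        apply_delegation("2001:db8:44:ab00::/56", "0:0:0:155::/64")
    except ValueError as exc:
        print("rejected:", exc)
```

A /56 leaves 8 bits for the subnet ID, so a template value above 0xff (such as 0x155) is rejected, while the same template works unchanged against any newly delegated /56.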

 

 

 
