Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SJFriedl
New Contributor II

Querying IPv6 prefix delegation status

TL;DR - how can I tell the *actual* IPv6 prefix delegated from the upstream?

 

A customer's 60E is running FortiOS 7, the prefix-hint asks for a /60 from the WAN1 upstream, but it doesn't seem to be getting that prefix, but I can't find any place where I can discover what was actually provided by the upstream other than to see it's not working.

 

I have a 60F at home, I believe I'm actually getting the /56 I ask for, but I can't find that anywhere either.

 

I have been all over the CLI and cannot find any place to show what's going on with prefix delegation. Is there a place to do this without diving into debug mode and restarting the interface to see whatever might negotiate? There has to be a way.

 

Note that "diagnose ipv6 address list" does *not* show this information as far as I can tell.

 

~~~ Steve

 

2 REPLIES 2
vtsonev
Staff
Staff

Hi Steve,

 

From your post I understand that you have IPv6 configuration with DHCPv6 prefix delegation and you want to find out what prefix lenght you receive from the delegation ? Prefix hint is set to /60 but you suspect that the interfaces receive a different one.

 

There has been a change between FortiOS 7.0.1 and 7.0.2 where the prefix-delegation is set on different config sub-menu. You can check the CLI reference here:

https://docs.fortinet.com/document/fortigate/7.0.2/cli-reference/8620/config-system-interface

The new menu is called "config dhcp6-iapd-list". So if you are using 7.0.2 or later you have to configure the prefix-hint in that menu. Normally following the upgrade path this configuration is migrated to the new firmware.

 

 

I guess your wan1 configuration looks right now similar to the example below?


config system interface
    edit "wan1"
        config ipv6
            set ip6-mode dhcp
            set ip6-allowaccess ping
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint ::/60
            end

 

You can use CLI command below to list all details you need:

config system interface

edit wan1

get

.... (truncated for brevity)

delegated-domain :
    dhcp6-prefix-hint : ::/60
    dhcp6-prefix-hint-plt: 604800
    dhcp6-prefix-hint-vlt: 2592000
    vrrp-virtual-mac6 : disable
    vrip6_link_local : ::
    ip6-dns-server-override: enable 

 

Here you can see the prefix delegation details etc.

 

Please let me know if there is something else or this was the right solution you are looking for.

 

Best regards,

Vasil

Fortinet Technical Team Lead
NSE 1-4,7 Certified
SJFriedl
New Contributor II

My customer who has the questionable configuration won't be back until next week, but I'd be disappointed if FortiGate reported the *actual* prefix as a "hint", which is what I think you're suggesting. We'll find out in a day or two.