Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGuest
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- Wireless Controller
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Can't get IPV6 to receive an address
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can't get IPV6 to receive an address
Hello All,
I'm trying to get IPV6 working on my fortigate 60D.
The ISP i have is KPN, which is a dutch provider which uses PPPOE, dhcp-pd and SLAAC for the ipv6 side.
As i understand the process on this provider (i found some setup-guides for different devices) i should create a pppoe connection for and IPV4 address and request a /48 subnet and ipv6 address using dhcp on the same connection.
When i configure ipv6 as DHCP it doesn't receive an address, and when i configure it as a PPPOE connection it only gets a link-local address.
The strange thing is that the host systems in my internal network do seem to get a proper ipv6 address however are unable to connect to the internet, as it appears that the fortinet doesn't know what the next hop in the network is.
I can not ping external ipv6 addresses from the host systems or from the fortinet cli.
Am i missing something in my config, or did i do something wrong?
Gateway # diag ipv6 address list dev=26 devname=ppp1 flag=P scope=253 prefix=10 addr=fe80::a5b:e6f:fffe:387c dev=23 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1 dev=21 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1 dev=16 devname=root flag=P scope=254 prefix=128 addr=::1 dev=5 devname=wan1 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fe6f:387c dev=7 devname=internal1 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fe6f:387a dev=7 devname=internal1 flag= scope=0 prefix=64 addr=2a02:XXXX:XXXX::1 preferred=102405 valid=188805
Gateway # show system interface wan1 config system interface edit "wan1" set vdom "root" set mode pppoe set allowaccess ping set vlanforward enable set type physical set spillover-threshold 12500 set estimated-upstream-bandwidth 100000 set estimated-downstream-bandwidth 100000 set role wan set snmp-index 2 config ipv6 set ip6-mode pppoe set ip6-allowaccess ping set dhcp6-prefix-delegation enable set dhcp6-prefix-hint ::/48 set autoconf enable end set username "XXX@direct-adsl" set password ENC next end
Gateway # show system interface internal1 config system interface edit "internal1" set vdom "root" set ip 10.9.28.1 255.255.255.0 set allowaccess ping https ssh snmp http telnet fgfm radius-acct capwap set vlanforward enable set type physical set alias "Local Lan" set device-identification enable set device-identification-active-scan enable set role lan set snmp-index 1 config ipv6 set ip6-mode delegated set ip6-allowaccess ping https ssh snmp set ip6-send-adv enable set ip6-manage-flag enable disable set ip6-upstream-interface "wan1" set ip6-subnet ::1/64 config ip6-delegated-prefix-list edit 1 set upstream-interface "wan1" set autonomous-flag enable set onlink-flag enable set subnet ::/64 next end end next end
Gateway # show firewall policy6 config firewall policy6 edit 3 set name "local-ipv6" set uuid 2a82ad84-20b2-51e8-17ee-c356f376f04a set srcintf "internal1" set dstintf "wan1" set srcaddr "local ipv6 subnet" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic all next edit 1 set name "Default out" set uuid 113d6d60-2089-51e8-8f23-04ae3c89a6f1 set srcintf "internal1" set dstintf "wan1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic all next edit 2 set name "Allow ICMP in" set uuid 11852786-2089-51e8-28cc-df82a34d651a set srcintf "wan1" set dstintf "internal1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL_ICMP6" set logtraffic all next end
Gateway # show router static6 3 config router static6 edit 3 set device "wan1" next end
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had exactly the same behavior, and all the example where people had working IPv6 on pppoe, they didn't have an accompanying IPv4 configuration. For example: https://cjdwyer.com/2018/11/15/enabling-ipv6/
Reading into various KBs, I'm reading that the same interface can't get a secondary IP. While I assume this means the same family. i.e. can't get two IPv4 addresses, I thought I would try creating a virtual pppoe address for the IPv6 addressing with my IPv4 pppoe on my WAN connection. For example from what I found here:
https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/682734/system-pppoe-interface
However after checking my IPv6 routes, address list and neighbor cache there is a disconnect between them, and don't seem to align. So it seems I need to understand further how the provider is sending out the IPv6 network info on my wan and go from there. Also I'll have to keep in mind any changes may require an interface reset or FGT reboot. Did you have any luck with your configuration?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So is pppoe working for ipv4 family ? I would run that and ensure it' working and correctly before doing deeper diagnostic into ipv6 .
e.g
dia debug enable dia debug application ppp -1 dia debug applicaiton pppoe -1
get router info routing all
If IPV4 is working & correctly, than you need to do a packet on ppp0 or whatever is the interface for icmp6 or ip6 datagrams
e.g
diag sniffer packet ppp0 "icmp6"
or
diag sniffer packet ppp0 "ip6"
What do you see? BTW I never seen issues pppoe and with KPN. Have you check that ipv6-pd is working with a 3rd party item ( i.e linux ) .
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jeremy,
Strangely I have been discussing this topic at some lenght this week- after someone PM'd me with a similar question.
Since 5.6 GA I have been running the config that you are after.
From what I can see you are missing some config on the WAN side.
Basically when I looked at this in 5.6 GA I was told that you have to create a "pppoe" interface on the physical WAN port.
Prompted by my discussions this week I have also checked with support and they confirm this is still the best approach- even under the lastest 6.4.1 release.
The way I am configured is that I have only physical config on the WAN interface. So it looks like this:- config system interface edit "wan1" set vdom "root" set ip 0.0.0.0 255.255.255.255 set type physical set lldp-reception disable set lldp-transmission disable set role wan set snmp-index 1 config ipv6 set ip6-send-adv enable set ip6-manage-flag enable set ip6-other-flag enable end set mtu-override enable set mtu 1492 The PPPOE interface contains all the ISP related config. That sets my IPv4 address (via the PPPOE session) and the IPv6 address (via the DCHPv6 CP delegation). So that looks like this:- edit "wan1 pppoe" set vdom "root" set mode pppoe set type tunnel set estimated-upstream-bandwidth XXXXXX set estimated-downstream-bandwidth XXXXXX set monitor-bandwidth enable set role wan set snmp-index 12 config ipv6 set ip6-mode dhcp set dhcp6-prefix-delegation enable set ip6-dns-server-override disable end set dns-server-override disable set interface "wan1" next And then finally I have the "system pppoe-interface" like this:- config system pppoe-interface edit "wan1 pppoe" set ipv6 enable set device "wan1" set username "XXXXXXXX" set password ENC JwyVMXAiFeo500qfevgbJj2+XXXXXXXXhVUZgEJkqT/e1S0Yg4ecx+y+rgkc5lgDyRXNTbBo/GtHMfmIR+X5GykaQ9VhMs5JYXB1zyy+e210fDDdycyz5ohXXXXXXXXXXXX/7VVefHkEN/G4PkQ2xRZQ0RegdXXXXXXXXXXXXXXXXXX282G7zYrxBnHS49Xn1J0sDS2g== next end
You will need an IPv4 and IPv6 static route towards the "wan1 pppoe" interface.
Then all of my traffic routes via that PPPOE interface.
When I went through this 3 years or so back I had similar issues to what you are seeing- this was the resolution so I hope it helps you too. All my traffic polices routes via the "wan1 pppoe" interface in my case and I never reference the "wan1" interface.
Good luck- and if there is anything else I can do to help please let me know.
Kind Regards,
Andy.
Labels
-
FortiGate
9,399 -
FortiClient
1,908 -
5.2
801 -
FortiManager
797 -
5.4
639 -
FortiAnalyzer
608 -
FortiSwitch
514 -
FortiAP
507 -
FortiClient EMS
473 -
6.0
416 -
5.6
362 -
FortiMail
339 -
SSL-VPN
302 -
IPsec
277 -
6.2
251 -
FortiAuthenticator v5.5
234 -
FortiWeb
226 -
FortiNAC
222 -
5.0
196 -
FortiGuard
150 -
SD-WAN
143 -
FortiAuthenticator
133 -
6.4
128 -
Firewall policy
106 -
FortiGateCloud
105 -
FortiSIEM
103 -
FortiCloud Products
102 -
FortiToken
96 -
Wireless Controller
86 -
Customer Service
82 -
FortiProxy
72 -
High Availability
68 -
4.0MR3
64 -
Fortivoice
61 -
FortiEDR
61 -
Routing
58 -
ZTNA
58 -
FortiADC
57 -
VLAN
56 -
DNS
55 -
BGP
53 -
RADIUS
49 -
SAML
49 -
Authentication
49 -
FortiGate-VM
48 -
LDAP
48 -
FortiSandbox
47 -
FortiExtender
46 -
NAT
46 -
Certificate
44 -
SSO
43 -
FortiDNS
42 -
FortiGate v5.4
35 -
VDOM
35 -
FortiSwitch v6.4
34 -
FortiLink
34 -
Application control
34 -
Interface
33 -
FortiConnect
32 -
Logging
31 -
FortiWAN
28 -
Virtual IP
28 -
Web profile
28 -
FortiGate v5.2
26 -
FortiConverter
26 -
FortiPAM
25 -
FortiPortal
23 -
SSL SSH inspection
23 -
FortiGate Cloud
21 -
Traffic shaping
21 -
Automation
21 -
Static route
21 -
FortiSwitch v6.2
20 -
SSID
20 -
SNMP
19 -
FortiMonitor
18 -
WAN optimization
18 -
OSPF
16 -
System settings
16 -
FortiDDoS
15 -
Security profile
15 -
Web application firewall profile
15 -
FortiGate v5.0
14 -
Fortisoar
14 -
FortiCASB
14 -
API
14 -
Admin
14 -
IP address management - IPAM
14 -
IPS signature
13 -
FortiManager v5.0
12 -
Proxy policy
12 -
FortiManager v4.0
11 -
FortiRecorder
11 -
Traffic shaping policy
11 -
FortiAP profile
11 -
Intrusion prevention
11 -
FortiBridge
10 -
Explicit proxy
10 -
Port policy
10 -
Web rating
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiAnalyzer v5.0
9 -
FortiWeb v5.0
9 -
DNS filter
9 -
Users
9 -
Traffic shaping profile
9 -
Fabric connector
9 -
FortiDeceptor
8 -
FortiCache
8 -
RMA Information and Announcements
8 -
trunk
8 -
Antivirus profile
8 -
Fortinet Engage Partner Program
8 -
4.0
7 -
FortiToken Cloud
6 -
Packet capture
6 -
Authentication rule and scheme
6 -
FortiCarrier
5 -
FortiScan
5 -
FortiTester
5 -
Application signature
5 -
DLP profile
5 -
DoS policy
5 -
Email filter profile
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
NAC policy
4 -
DLP sensor
4 -
Netflow
4 -
Protocol option
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
VoIP profile
4 -
Multicast routing
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
DLP Dictionary
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
File filter
2 -
Schedule
2 -
Zone
2 -
Vulnerability Management
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Virtual wire pair
1 -
FortiEdge
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2061 | |
| 1175 | |
| 770 | |
| 448 | |
| 343 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.